
AnyConnect 4.7.00136 and Cisco IOS router

Tenere
Level 1

Hello,

 

After updating from AnyConnect 4.6.03049 to 4.7.00136 on a client's Cisco 881 router (IOS 15.4(3)M9), we noticed the following strange behaviour:

  • If we are connected to the VPN and open a webpage (e.g. NAS config page, camera config page, ... with any browser: Firefox, Chrome, Edge) in the LAN connected to the VPN, the tunnel stops working. The AnyConnect client still shows "connected", but there is no traffic any more.
  • RDP sessions, SSH sessions, Samba sessions and SMTP/IMAP are still working.

This behaviour can be reproduced.

In the Release Notes I found

MTU Adjustment on Group Policy May Be Required for IKEv2

AnyConnect sometimes receives and drops packet fragments with some routers, resulting in a failure of some web traffic to pass.

To avoid this, lower the value of the MTU. We recommend 1200. The following example shows how to do this using CLI:

hostname# config t
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200

 

But there was no hint on reducing MTU size in IOS routers.

Any help on this issue is highly appreciated!

 

Best regards,

 

Joerg

 

 

 

2 Replies

Tenere
Level 1

Is there really no one who can give me a hint or share some ideas?

 

I do not find any hints in the log file. It just stops working...

Hi,
Are you still experiencing this issue?
Can you provide your configuration (sanitised) and a packet capture from a client?

There is the command "crypto ikev2 fragmentation <value>" you could try.
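
Added example, not part of the original thread: before changing the MTU, a client can measure the largest packet that reaches a LAN host through the tunnel without fragmentation and compare it with the 1200 bytes recommended in the release notes quoted above. It assumes a Linux client with iputils ping and that the target answers ICMP echo; the function names and the address in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example: find the largest IP packet that crosses the VPN tunnel unfragmented.
# Assumption: Linux iputils ping, where "-M do" sets the Don't Fragment bit.

# probe SIZE HOST: succeed if one ICMP echo with SIZE payload bytes and DF set
# gets a reply. Kept separate so it can be swapped for another platform's ping.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search over IP packet sizes in bytes.
# Prints the largest size that passes; returns 1 if even LOW gets no reply
# (host down, ICMP filtered, or tunnel already stalled).
find_path_mtu() {
    local host=$1 low=${2:-576} high=${3:-1500} mid
    local overhead=28    # 20-byte IPv4 header + 8-byte ICMP header
    probe $((low - overhead)) "$host" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))
        if probe $((mid - overhead)) "$host"; then
            low=$mid             # mid fits, search above it
        else
            high=$((mid - 1))    # mid is too large, search below it
        fi
    done
    echo "$low"
}

# Usage: ./pmtu.sh 192.0.2.10   (placeholder for a LAN host behind the VPN)
if [ -n "${1:-}" ]; then
    if mtu=$(find_path_mtu "$1"); then
        echo "largest unfragmented packet to $1: $mtu bytes"
        if [ "$mtu" -lt 1200 ]; then
            echo "path is below the 1200 bytes recommended in the release notes"
        fi
    else
        echo "no reply from $1 even at the minimum size" >&2
        exit 1
    fi
fi
```

A result well below 1500 is consistent with the fragment-drop symptom from the release notes; it does not by itself show which device drops the fragments, so a packet capture is still needed for that.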