AnyConnect VPN Connection failed with 2G/3G/4G and OK with WiFi

ssambourg
Level 1

Hello,

My AnyConnect VPN connection can't get past the authentication exchange (phase 1) when I'm trying via 3G/4G.

The connection from the same device is OK via WiFi.

I'm using Android 7.0 and AnyConnect 4.0.09039.

I've captured some IKEv2 debug output, as follows:

 

058991: Sep 15 17:32:09.226 CET: IKEv2:(SESSION ID = 226,SA ID = 1):Auth exchange failed
058992: Sep 15 17:32:09.227 CET: IKEv2-ERROR:(SESSION ID = 226,SA ID = 1):: Auth exchange failed
058993: Sep 15 17:32:09.227 CET: IKEv2:(SESSION ID = 226,SA ID = 1):Abort exchange
058994: Sep 15 17:32:09.227 CET: IKEv2:(SESSION ID = 226,SA ID = 1):Deleting SA
058995: Sep 15 17:32:09.227 CET: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
058996: Sep 15 17:32:09.227 CET: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
058997: Sep 15 17:33:19.190 CET: IKEv2-ERROR:(SESSION ID = 227,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
058998: Sep 15 17:33:19.190 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Verification of peer's authentication data FAILED
058999: Sep 15 17:33:19.190 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Sending authentication failure notify
059000: Sep 15 17:33:19.191 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

 

058966: Sep 15 17:31:34.845 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Starting timer (90 sec) to wait for auth message
058967: Sep 15 17:31:36.860 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Retransmitting packet
058968: Sep 15 17:31:36.860 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Sending Packet [To 77.136.X.X:55359/From 46.218.X.X:4500/VRF i0:f0]
Initiator SPI : 26E3506ABFD3C60D - Responder SPI : DBB53F6DC3BBD980 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
058969: Sep 15 17:31:36.860 CET: IKEv2-PAK:(SESSION ID = 227,SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 1756
Payload contents:
ENCR  Next payload: VID, reserved: 0x0, length: 1728

 

I see packet retransmissions causing a timeout:

 

058970: Sep 15 17:31:36.860 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Restarting timer for 90 seconds to wait for auth message
058971: Sep 15 17:31:36.863 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Packet is a retransmission
058972: Sep 15 17:31:36.864 CET: IKEv2-ERROR:: Packet is a retransmission
058973: Sep 15 17:31:40.851 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Retransmitting packet
058974: Sep 15 17:31:40.851 CET: IKEv2:(SESSION ID = 227,SA ID = 2):Sending Packet [To 77.136.X.X:55359/From 46.218.X.X:4500/VRF i0:f0]
Initiator SPI : 26E3506ABFD3C60D - Responder SPI : DBB53F6DC3BBD980 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
058975: Sep 15 17:31:40.851 CET: IKEv2-PAK:(SESSION ID = 227,SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 1756
Payload contents:
ENCR  Next payload: VID, reserved: 0x0, length: 1728

 

I tried with:

  • forced 2G/3G connection
  • 4G connection
  • 3 mobile ISPs

and got the same results.

I've also tested it on iOS and got the same behaviour.

Has someone already experienced this issue?

 

 

Accepted Solution

Hi,

With an incredible delay (sorry!)... the service provider filters IPsec.

Change to ASA-V with SSL VPN, since IKEv2 SSL VPN was not supported on ISR4K.

HTH

4 Replies

Are you using ASA or IOS for the AnyConnect server? I know that in some countries, especially in the Middle East, they block VPN ports over 3G/4G networks.

I'm using IOS VPN.

What's the best way, in your view, to highlight VPN port blocking on 3G/4G?

Since you are using IKEv2 AnyConnect, look for SAs. Turn on debugs on IOS and see if you get hits for SAs. Another method, depending on what IOS version you are running: starting from IOS 15.4 you can perform packet capture on IOS. Get your public IP before starting the connection (by browsing whatsmyip.com), then capture traffic from this source IP on the router and see if you get hits.
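As an added example (not part of the original thread), here is one way to run the capture the reply above suggests, using Embedded Packet Capture in IOS-XE syntax, which is what an ISR4K runs (classic IOS 15.x uses the older `monitor capture buffer` / `monitor capture point` commands instead). The client public address 203.0.113.10 (the value whatsmyip.com shows on the phone before connecting), the hub address 46.218.0.1 standing in for the masked 46.218.X.X, the interface GigabitEthernet0/0/0 and the names VPN-CLIENT-CAP and VPNCAP are assumptions chosen for illustration:

```cisco
! Assumed values: client public IP 203.0.113.10, VPN hub 46.218.0.1
! (masked as 46.218.X.X in the debugs), outside interface GigabitEthernet0/0/0.
! Adjust all three to your environment.
!
! 1. Match only the phone's IKE/IPsec traffic, in both directions:
!    IKE on UDP/500, IKE and ESP-in-UDP on UDP/4500, and raw ESP (IP protocol 50).
ip access-list extended VPN-CLIENT-CAP
 permit udp host 203.0.113.10 host 46.218.0.1 eq 500
 permit udp host 203.0.113.10 host 46.218.0.1 eq 4500
 permit esp host 203.0.113.10 host 46.218.0.1
 permit udp host 46.218.0.1 eq 500 host 203.0.113.10
 permit udp host 46.218.0.1 eq 4500 host 203.0.113.10
 permit esp host 46.218.0.1 host 203.0.113.10
!
! 2. Define the capture on the outside interface, bounded so it cannot exhaust memory.
monitor capture VPNCAP interface GigabitEthernet0/0/0 both
monitor capture VPNCAP access-list VPN-CLIENT-CAP
monitor capture VPNCAP buffer size 10
monitor capture VPNCAP limit packets 500
!
! 3. Start, attempt the AnyConnect connection from the phone over 3G/4G, then stop.
monitor capture VPNCAP start
! ... reproduce the failure ...
monitor capture VPNCAP stop
!
! 4. Inspect. The debugs in the original post show the router repeating a 1756-byte
!    IKE_AUTH response to the phone until the 90-second auth timer expires; in the
!    capture that appears as inbound IKE_SA_INIT and IKE_AUTH packets from
!    203.0.113.10, then only outbound UDP/4500 responses with nothing further inbound.
!    If UDP/500, UDP/4500 or ESP never arrive at all, the filtering is upstream of the router.
show monitor capture VPNCAP buffer brief
show monitor capture VPNCAP buffer detailed
!
! 5. Export for Wireshark and compare with the same capture taken while the phone is on WiFi,
!    where the post says the connection succeeds.
monitor capture VPNCAP export bootflash:VPNCAP.pcap
!
! Debugs of the kind shown in the original post (IKEv2-PAK lines come from the packet debug):
debug crypto ikev2
debug crypto ikev2 packet
show crypto ikev2 sa
```

Filter the capture by the phone's address rather than by port alone so that the buffer holds only the one session under test; a capture taken without the WiFi baseline proves little, since the comparison between the two paths is what isolates the mobile network from the router configuration.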

