Android AnyConnect Stuck in Reconnecting

Cory Anderson
Level 1

Hi All,

I have a project that uses older (5.1.1) single-purpose Android devices and VPN with certificate authentication. When the service switches from LTE to 3G, or if the phones lose service, they get stuck in reconnecting. They never actually reconnect. If I manually disconnect and reconnect, the connection works fine. I need them to reconnect to the VPN without user interaction when they're back in LTE service.

I've configured the VPN to use both IPsec and SSL with TLS only and DTLS.

The AnyConnect logs show "connection paused" "reconnecting"

Below is the relevant config. It's using IPsec now. Any ideas what to look for?

sysopt connection tcpmss 1100
crypto ipsec df-bit clear-df outside
crypto ipsec security-association lifetime seconds 259200
!
group-policy PHONE_CERT_GP internal
group-policy PHONE_CERT_GP attributes
 dns-server value 192.168.1.10
 vpn-simultaneous-logins 3
 vpn-idle-timeout 1440
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value taas.mil
 periodic-authentication certificate none
 webvpn
  anyconnect mtu 1200
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect profiles value oc-phone type user
  always-on-vpn disable
!
tunnel-group PHONE_LTE_TG-FULL type remote-access
tunnel-group PHONE_LTE_TG-FULL general-attributes
 address-pool PHONE_VPN_POOL
 default-group-policy PHONE_CERT_GP
tunnel-group PHONE_LTE_TG-FULL webvpn-attributes
 authentication certificate
 group-alias PHONE_LTE_TG-FULL enable
!
tunnel-group-map enable rules
tunnel-group-map default-group PHONE_LTE_TG
tunnel-group-map PHONE-CERT-MAP 10 PHONE_LTE_TG-FULL
!
webvpn
 enable outside
 hsts
  no enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect profiles oc-phone disk0:/oc-phone.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 certificate-group-map PHONE-CERT-MAP 10 PHONE_LTE_TG-FULL
 certificate-group-map PHONE-CERT-MAP 20 PHONE_LTE_TG
 error-recovery disable

 

 
