AnyConnect 4.5.03040 - DTLS Protocol is not available

DTLS Protocol
Level 1

Hello everybody,

We have the following problem on one PC: the protocol shown in Cisco AnyConnect is TLS and the download speed is 200Kb.

On the second PC the protocol is DTLS and the download speed is much faster: 25Mb.

Both PCs have the same network configuration, the same Cisco AnyConnect version was installed on both PCs, and the Cisco profile is the same. //ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

- Cisco AnyConnect Version 4.5.03040

The PCs have no firewall or antivirus active.

In the event logs we found these Cisco errors:

Function: CTlsTunnelMgr::OnTunnelInitiateComplete
File: TlsTunnelMgr.cpp
Line: 1088
Invoked Function: CTlsTunnelMgr::OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
callback

Function: CCdtpProtocol::OnTunnelInitiateComplete
File: CdtpProtocol.cpp
Line: 538
Invoked Function: OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
callback


Do you have any idea what the problem could be? Is there any way to change the protocol to DTLS? The settings in AnyConnect are the same.

Thanking in advance.

BR,

Alex

8 Replies

DTLS cipher support
and the DTLS port
These two points may prevent AnyConnect from selecting DTLS and keep it using TLS.

Thank you for the feedback.

What do we need to do next? Should we request another certificate for the encryption? AnyConnect is used to connect to a certain company. Do we need a new certificate from them?


No need for a certificate; AnyConnect uses TLS to connect to the ASA and that succeeds, then it tries to use DTLS, and here is the issue.
Check that the OS of the AnyConnect PC allows UDP.
Check the cipher of DTLS.

Cisco AnyConnect tries to negotiate the most secure protocol between the client and the VPN Headend (Firewall). In some cases, it may prioritize the TLS protocol over DTLS. DTLS is typically preferred for its improved performance in real-time applications, such as streaming or downloading large files. You can try forcing the DTLS protocol to see if it improves the download speed. To do this, add the following line to your AnyConnect profile (.xml) configuration file:

<DTLSOverride>Enable</DTLSOverride>

Place this line within the <ClientPreferences> section of the profile file. Remember to restart the Cisco AnyConnect service after making the change.

Check the Firewall. The Firewall VPN configuration can also play a role in the protocol selection. Check the Firewall VPN settings to ensure that it is configured to support DTLS. Consult with your Firewall administrator.

(Note: you already mentioned that one machine does DTLS and the other does TLS.) Try to change/modify the AnyConnect profile (.xml) and test it.

please do not forget to rate.

Marvin Rhoads
Hall of Fame

DTLS requires the client to be able to contact the VPN headend over udp/443. This is sometimes blocked by local firewalls or other middleware devices.

Updating the profile locally wouldn't help since the headend checks the profile during connection and re-syncs it with what's on the ASA (or FTD) if any changes are detected. (It checks the file hash to detect any changes.)
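As an added example (not code from this thread or from Cisco), a small Python triage script that parses the event-log records quoted in the original post, normalises the signed return code to the hex form the log prints in parentheses, and flags the retransmit failure in the DTLS tunnel-initiate callback that the replies above attribute to udp/443 not reaching the headend. That cause mapping is this thread's diagnosis, assumed here, not a Cisco-documented error table.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AnyConnect event-log records quoted in the original post.
SAMPLE_LOG = """\
Function: CTlsTunnelMgr::OnTunnelInitiateComplete
File: TlsTunnelMgr.cpp
Line: 1088
Invoked Function: CTlsTunnelMgr::OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
callback

Function: CCdtpProtocol::OnTunnelInitiateComplete
File: CdtpProtocol.cpp
Line: 538
Invoked Function: OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
callback
"""

@dataclass
class LogRecord:
    function: str
    file: str
    line: int
    return_code: int   # signed 32-bit value as printed before the parentheses
    description: str

def parse_records(text):
    """Split blank-line separated records and collect their 'Label: value' fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z ]+): (.*)$", chunk, flags=re.M))
        if "Return Code" not in fields:
            continue  # e.g. a lone 'callback' line or unrelated text
        code = int(fields["Return Code"].split()[0])
        records.append(LogRecord(fields["Function"], fields["File"],
                                 int(fields["Line"]), code, fields["Description"]))
    return records

def to_hex32(code):
    """Render a signed 32-bit return code the way the log shows it in parentheses."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def diagnose(records):
    """Assumed heuristic from the thread: the tunnel-initiate callback giving up on
    retransmits means the DTLS (UDP) attempt got no answer, so the client stays on TLS."""
    for r in records:
        if (r.description == "TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED"
                and "OnTunnelInitiateComplete" in r.function):
            return "dtls_retransmit_timeout"
    return "no_dtls_failure_seen"
```

Run it over an export of the AnyConnect event log to separate a udp/443 reachability problem from other tunnel failures before touching profiles or certificates.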

@Marvin Rhoads as always on the spot. Yes, makes sense, the profile won't help. Nice one.

please do not forget to rate.

Hello Guys,

Thank you for your answers.

It's still not working; we changed (copied) the profile from the 2nd PC (showing DTLS) to the 1st PC (showing TLS), and there is no improvement.

The line <DTLSOverride>Enable</DTLSOverride> was added to the AnyConnect profile, with no result: still 200Kb download speed.

We verified the firewall and there is no firewall active on the affected PC, and according to the administrator there are no firewall rules.

Very importantly, we've tested with another user account on the same PC and now the speed is 10 MB, even though the protocol in Cisco AnyConnect is also TLS.

Can this be due to the user profile or some different AnyConnect settings?

Thanking in advance.


Can you try the new version of AnyConnect and test it? Also do not forget to change the AnyConnect headend on the firewall too.

please do not forget to rate.