AnyConnect 4.7.00136 and Cisco IOS router

Tenere
Level 1

Hello,

After updating from AnyConnect 4.6.03049 to 4.7.00136 on a client's Cisco 881 router (IOS 15.4(3)M9) we noticed the following strange behaviour:

  • If connected to the VPN and opening a webpage (e.g. NAS config page, camera config page, ... with any browser: Firefox, Chrome, Edge) in the LAN connected to the VPN, the tunnel stops working. The AnyConnect client still shows "connected" but there is no traffic any more.
  • RDP sessions, SSH sessions, Samba sessions and SMTP/IMAP are still working.

This behaviour can be reproduced.

In the Release Notes I found

MTU Adjustment on Group Policy May Be Required for IKEv2

AnyConnect sometimes receives and drops packet fragments with some routers, resulting in a failure of some web traffic to pass.

To avoid this, lower the value of the MTU. We recommend 1200. The following example shows how to do this using CLI:

hostname# config t
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200

But there was no hint on reducing MTU size in IOS routers.

Any help on this issue is highly appreciated!

Best regards,

Joerg

2 Replies

Tenere
Level 1

Is there really no one who can give me a hint or share some ideas?

I do not find any hints in the log file. It just stops working...

Hi,
Are you still experiencing this issue?
Can you provide your configuration (sanitised) and a packet capture from a client?

There is the command "crypto ikev2 fragmentation <value>" you could try.
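
For the client packet capture requested above, one way to check for the condition the release note describes is to flag IP fragments and DF-marked packets larger than the recommended MTU of 1200. This is an added example, not code from the thread or from Cisco; the helper names are hypothetical, the sample packets are constructed, and it assumes raw IPv4 packets have already been extracted from the capture.

```python
import struct
from typing import NamedTuple

class IPv4Info(NamedTuple):
    total_len: int
    ident: int
    df: bool          # Don't Fragment flag
    mf: bool          # More Fragments flag
    frag_offset: int  # offset of this fragment's payload, in bytes
    proto: int

def parse_ipv4(pkt: bytes) -> IPv4Info:
    """Parse the fields of a raw IPv4 header that matter for fragmentation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, total_len, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return IPv4Info(total_len, ident, bool(flags_off & 0x4000),
                    bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, proto)

def triage(packets, mtu=1200):
    """Label each packet 'fragment', 'df-oversize' (DF set and larger than mtu) or 'ok'."""
    labels = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h.mf or h.frag_offset:
            labels.append("fragment")
        elif h.df and h.total_len > mtu:
            labels.append("df-oversize")
        else:
            labels.append("ok")
    return labels

def build(total_len, ident, df=False, mf=False, offset=0, proto=6):
    """Construct a sample IPv4 packet (checksum left at 0, zero-filled payload)."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + b"\x00" * (total_len - 20)

# Constructed sample traffic (documentation addresses), not taken from the thread.
SAMPLE = [
    build(60, 1, df=True),       # small interactive segment (SSH/RDP sized)
    build(1400, 2, df=True),     # full-size web response with DF set
    build(1196, 3, mf=True),     # first fragment of a split datagram
    build(244, 3, offset=1176),  # last fragment of the same datagram
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, triage(SAMPLE)):
        print(parse_ipv4(pkt), label)
```

Packets labelled `fragment` or `df-oversize` are the ones to compare against the point in the capture where traffic stops.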