AnyConnect 4.7.00136 - Significant MTU bug

javentre
Level 1

There is a fairly major bug in AnyConnect 4.7.00136 regarding the tunnel MTU. If DTLS is enabled, it will send packets that are too big and many applications break. Ignoring the df-bit and/or specifying a low MTU doesn't work around the issue. Disabling DTLS is the only workaround.

 

Syslog may show a flood of errors like this, where the packet is most often 16 bytes larger than the threshold:

 

14 Dec 08 2018 20:06:33 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).

 

Your DART logs may show things like this:

 

acvpnagent Warning
Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
File: TunnelProtocolDpdMgr.cpp
Line: 498
Failed to validate the tunnel MTU via DPD handshake (DTLS/CDTP)

 

acvpnagent Error
Function: CTunnelProtocolDpdMgr::OnTimerExpired
File: TunnelProtocolDpdMgr.cpp
Line: 312
Invoked Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
Return Code: -25952247 (0xFE740009)
Description: TUNNELPROTOCOLDPDMGR_ERROR_UNEXPECTED
DTLS/CDTP

 

With no configuration changes, AnyConnect 4.6 works just fine.

 

You can disable DTLS with this:

group-policy XXXX attributes
  webvpn
    anyconnect ssl dtls none
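
As an added example (not code from the original post or from Cisco), here is a small Python parser for the ASA 722035 "Received large packet" syslog line quoted above. It aggregates oversize packets per user and flags sessions whose excess over the threshold is consistently 16 bytes, the pattern described in the post, so affected clients can be identified without disabling DTLS for everyone. The sample log lines are constructed for the example.

```python
import re

# Constructed sample ASA syslog lines (not taken from the thread); the first two
# follow the 722035 format quoted in the post, the third is a different excess,
# and the fourth is an unrelated message ID that must be ignored.
SAMPLE_SYSLOG = """\
14 Dec 08 2018 20:06:33 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).
15 Dec 08 2018 20:06:34 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).
16 Dec 08 2018 20:06:35 722035 Group <ar-6> User <IC009999> IP <198.18.3.46> Received large packet 1400 (threshold 1260).
17 Dec 08 2018 20:06:36 722051 Group <ar-6> User <IC005654> IP <198.18.3.45> some other session message
"""

# Matches only the 722035 "Received large packet" message.
LARGE_PACKET_RE = re.compile(
    r"722035 Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"Received large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)"
)


def parse_large_packet_events(text):
    """Yield one dict per 722035 line, with the excess over the threshold computed."""
    for line in text.splitlines():
        m = LARGE_PACKET_RE.search(line)
        if not m:
            continue  # other message IDs and malformed lines are skipped
        ev = m.groupdict()
        ev["size"] = int(ev["size"])
        ev["threshold"] = int(ev["threshold"])
        ev["excess"] = ev["size"] - ev["threshold"]
        yield ev


def summarize_by_user(text, suspect_excess=16):
    """Aggregate events per user and flag those whose every oversize packet
    exceeds the threshold by exactly suspect_excess bytes (16 in the post)."""
    summary = {}
    for ev in parse_large_packet_events(text):
        s = summary.setdefault(
            ev["user"], {"group": ev["group"], "ip": ev["ip"], "count": 0, "excess_values": set()}
        )
        s["count"] += 1
        s["excess_values"].add(ev["excess"])
    for s in summary.values():
        s["matches_mtu_bug_pattern"] = s["excess_values"] == {suspect_excess}
    return summary


if __name__ == "__main__":
    for user, s in summarize_by_user(SAMPLE_SYSLOG).items():
        print(user, s["group"], s["ip"], s["count"], s["matches_mtu_bug_pattern"])
```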

5 Replies

ccubeman
Level 1

Is there a TAC case for this? If so, has TAC filed a defect?

Yes.  It's been escalated and they have developers involved, but I don't have a filed bug ID yet.

Alrighty, thanks for the quick reply.

I wonder if this is an issue with FTD code as well? We're on 6.3.0.3, whose underlying LINA is 9.10(1)18. Fix shows it is in 9.10(1)19.