12-15-2018 06:34 AM - edited 12-15-2018 06:42 AM
There is a fairly major bug in AnyConnect 4.7.00136 regarding the tunnel MTU. If DTLS is enabled, it will send packets that are too big and many applications break. Ignoring the df-bit and/or specifying a low MTU doesn't work around the issue. Disabling DTLS is the only workaround.
Syslog may show a flood of errors like this, where the packet is most often 16 bytes larger than the threshold:
14 Dec 08 2018 20:06:33 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).
Your DART logs may show things like this:
acvpnagent Warning
Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
File: TunnelProtocolDpdMgr.cpp
Line: 498
Failed to validate the tunnel MTU via DPD handshake (DTLS/CDTP)
acvpnagent Error
Function: CTunnelProtocolDpdMgr::OnTimerExpired
File: TunnelProtocolDpdMgr.cpp
Line: 312
Invoked Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
Return Code: -25952247 (0xFE740009)
Description: TUNNELPROTOCOLDPDMGR_ERROR_UNEXPECTED
DTLS/CDTP
With no configuration changes, AnyConnect 4.6 works just fine.
You can disable DTLS with this:
group-policy XXXX attributes
webvpn
anyconnect ssl dtls none
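Added here as an example, not code from the original post: a small Python parser for ASA message 722035 lines of the form quoted above, which groups events per user/IP, flags peers generating a flood, and reports the typical overage (a constant offset such as the 16 bytes above points at a client MTU miscalculation rather than random oversized traffic). The sample log lines, group, user and IP values are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches ASA message 722035 as quoted in the post (timestamp prefix ignored).
LARGE_PKT_RE = re.compile(
    r"722035 Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"Received large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)"
)


def parse_large_packet(line):
    """Return the fields of a 722035 line plus the overage, or None."""
    m = LARGE_PKT_RE.search(line)
    if m is None:
        return None
    size, threshold = int(m["size"]), int(m["threshold"])
    return {"group": m["group"], "user": m["user"], "ip": m["ip"],
            "size": size, "threshold": threshold, "overage": size - threshold}


def summarize(lines, min_count=3):
    """Per (user, ip): event count, most common overage and a flood flag."""
    per_peer = defaultdict(list)
    for line in lines:
        ev = parse_large_packet(line)
        if ev is not None:
            per_peer[(ev["user"], ev["ip"])].append(ev["overage"])
    report = {}
    for peer, overages in per_peer.items():
        typical, _ = Counter(overages).most_common(1)[0]
        report[peer] = {"count": len(overages), "typical_overage": typical,
                        "flood": len(overages) >= min_count}
    return report


# Constructed sample lines modelled on the one quoted above (values made up);
# the fourth line is a constructed non-722035 message that must be ignored.
SAMPLE_LOG = [
    "14 Dec 08 2018 20:06:33 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).",
    "14 Dec 08 2018 20:06:34 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1276 (threshold 1260).",
    "14 Dec 08 2018 20:06:35 722035 Group <ar-6> User <IC005654> IP <198.18.3.45> Received large packet 1300 (threshold 1260).",
    "14 Dec 08 2018 20:06:36 999999 Group <ar-6> User <IC005654> IP <198.18.3.45> Constructed unrelated message.",
    "14 Dec 08 2018 20:07:01 722035 Group <ar-6> User <IC000001> IP <198.18.3.46> Received large packet 1276 (threshold 1260).",
]

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```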
01-08-2019 09:37 AM - edited 01-08-2019 09:38 AM
Is there a TAC case for this? If so, has TAC filed a defect?
01-08-2019 09:38 AM
Yes. It's been escalated and they have developers involved, but I don't have a filed bug ID yet.
06-18-2019 02:48 PM
I wonder if this is an issue with FTD code as well? We're on 6.3.0.3, whose underlying LINA is 9.10(1)18. The fix shows it is in 9.10(1)19.