AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)

Peter Davis
Cisco Employee

Due to a bug in Android 4.4 (KitKat) reported to Google under Issue #61948, AnyConnect users will experience High Packet Loss over their VPN connection (users will experience timeouts when attempting to access certain network resources). In the ASA logs, a syslog message will appear with text similar to "Transmitting large packet 1420 (threshold 1405)."

This has been reported to Google under Issue #61948

Android 4.4 TCP advertises incorrect MSS over VPN (using VpnService)

https://code.google.com/p/android/issues/detail?id=61948

End users may log in with their Google ID and flag the importance of the request as well as enter comments at the link above.

Conditions:

Android 4.4 (KitKat) including the Google Nexus 5

AnyConnect ICS+

Workaround:

Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the ASA with the configuration command "sysopt connection tcpmss <mss size>". The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365. Reducing this value will negatively impact performance for connected VPN users where large packets are transmitted.
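The calculation in the workaround above, as an added example that is not part of the original post or any Cisco tooling: it scans ASA log lines for the quoted message, takes the worst overshoot, and derives the `sysopt connection tcpmss` value. The sample log lines are constructed (only the message text comes from the post), and the function names are hypothetical.

```python
import re

# Matches only the message text quoted in the post; the syslog prefix is ignored.
LARGE_PKT = re.compile(r"Transmitting large packet (\d+) \(threshold (\d+)\)")
DEFAULT_TCPMSS = 1380  # ASA default for "sysopt connection tcpmss", per the post

# Constructed sample lines; prefix layout, hosts and users are made up.
SAMPLE_LOG = [
    "Dec 05 11:02:13 asa1 Group <vpn> User <alice> Transmitting large packet 1420 (threshold 1405)",
    "Dec 05 11:02:14 asa1 Group <vpn> User <bob> Transmitting large packet 1412 (threshold 1405)",
    "Dec 05 11:02:15 asa1 Built inbound TCP connection for outside:198.51.100.7/443",
    "Dec 05 11:02:19 asa1 Group <vpn> User <alice> Transmitting large packet 1420 (threshold 1405)",
]


def worst_overshoot(log_lines):
    """Largest (packet size - threshold) across all matching lines, 0 if none."""
    worst = 0
    for line in log_lines:
        match = LARGE_PKT.search(line)
        if match:
            size, threshold = int(match.group(1)), int(match.group(2))
            worst = max(worst, size - threshold)
    return worst


def recommended_tcpmss(log_lines, current_mss=DEFAULT_TCPMSS):
    """Upper bound for tcpmss: the current value minus the worst overshoot."""
    return current_mss - worst_overshoot(log_lines)


def workaround_command(log_lines, current_mss=DEFAULT_TCPMSS):
    """Return the ASA command to apply, or None when no oversized packet was logged."""
    overshoot = worst_overshoot(log_lines)
    if overshoot == 0:
        return None  # no evidence of the bug in these logs; leave tcpmss alone
    return f"sysopt connection tcpmss {current_mss - overshoot}"


if __name__ == "__main__":
    print(workaround_command(SAMPLE_LOG))
```

Using the worst overshoot rather than the first one seen keeps the value valid for every affected client in the log window.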

9 Replies

patoberli
VIP Alumni

Hi Peter

Your code.google.com Link actually is a Facebook link which then redirects to google. Could you maybe fix that?

Thanks

Thanks, I didn't realize the link was wrong. This is now corrected.

Peter Davis
Cisco Employee

We are pleased to report that Android 4.4 (KitKat) bug Google Issue #61948 (AnyConnect users will experience High Packet Loss over their VPN connection /users will experience timeouts) has been resolved in Google's release of Android 4.4.1 which Google has begun distributing to some devices via Software Update.

danhopkins
Level 1

Critical issue with DNS resolution on KitKat (4.4.2).

AnyConnect Version 3.0.09242

on Nexus 4

running KitKat (4.4.2).

Firewall config has split-tunnel.

When connected, we CAN reach internal resources but when connected we CANNOT reach external resources.
Ran sniffer to find that DNS requests are having internal DNS search domain appended.

When executing on device:
     $ ping google.com
     ping: unknown host google.com

The sniffer shows:
a faulty DNS lookup for "google.com.example.com" which seems to be appending our search domains to all DNS lookups.


     11:53:45.892635 IP 192.168.124.101.62994 > 192.168.170.133.53: 43772+ A? google.com.example.com.

This problem DOES NOT happen when using KitKat (4.4.2) native IPSec VPN with the same firewall group policy and split-tunnel configuration.

This problem DOES NOT happen for 4.3 (Samsung Galaxy S3) using the same AnyConnect client.

I am also seeing the same issue as Dan with 4.4.2 on a Nexus 4 and a 7. Did the bug only get fixed in 4.4.1? If so, is there a target to get it fixed in 4.4.3 or whatever the next update is? Anyone else having this issue?

This is a different Android bug noted in our release notes which has not been fixed by Google as of yet.

• Due to a known issue in Android 4.4 (Issue #64819), Split DNS will not work on Android 4.4. There is no workaround for this issue; a fix from Google is required. The above number is a code.google.com ID.

Any clue if this is targeted for an Android release? I looked up the issue and there is not much to go on. Also, has Cisco escalated this? Seems like the last issue had tons of pressure for a fix, and it came quickly. Maybe our configuration is not as universal, so fewer people may be affected?

https://code.google.com/p/android/issues/detail?can=2&start=0&num=100&q=vpn&colspec=ID%20Type%20Status%20Owner%20Summary%20Stars&groupby=&sort=&id=64819

We have no insight as to when Google will fix the bug. The bug was opened by Cisco and we provided sufficient information for Google to reproduce the issue and we have also directly escalated it to their attention. You are correct that not everyone is using split tunneling / split DNS, so while this does impact anyone with this configuration, that's obviously fewer customers than everyone using VPN.

Thanks for your help and a prompt response.  I will cross my fingers for a fix in a KitKat release shortly!!