I am implementing AnyConnect ver 4.5 on an ASA running 9.4 code, using IKEv2; I turned off SSL. It works well except at a co-worker's home. She uses a new Linksys router (waiting on the model number). The connection fails because the ASA does not see the 2nd IKE_AUTH packet, which is a fragment of the 1st IKE_AUTH packet. See attached - laptop_Connected_To_Linksys & in_front_of_asa for Wireshark captures.
The laptop can tether to 2 different Cell phones & carriers and Guest wireless at the office and AnyConnect works perfectly.
This laptop is running Win 7 64-bit, and the old Cisco VPN Client (IKEv1) works perfectly behind this same Linksys router.
I have changed the ASA so AnyConnect uses SSL, and this laptop works when connected to the Linksys router.
We have connected the laptop to the Linksys router both wireless and wired with the same results: it works with AnyConnect SSL and the old VPN client (IKEv1), just not with the IKEv2 protocol.
I thought about increasing the MTU size on the client since the IKE_Auth message length is 622 and the Fragmented packet length is 194.
I could switch to SSL but I think IKEv2 is more robust.
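The symptom described above (the ASA sees the first IP fragment of IKE_AUTH but never the second) can be confirmed from a capture by grouping IPv4 fragments and checking whether each datagram reassembles. The script below is an added example, not from the original post or from Cisco; packet sizes, addresses, SPIs and the 600-byte split point are constructed.

```python
import struct

IKE_AUTH = 35  # IKEv2 exchange type for IKE_AUTH (RFC 7296)
UDP = 17

def ipv4(payload, frag_off, more, ip_id=0x1234):
    """Minimal IPv4 header (proto UDP, checksum left zero) in front of payload."""
    flags_frag = (0x2000 if more else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_frag, 64, UDP, 0, bytes([192, 0, 2, 10]),
                       bytes([203, 0, 113, 5])) + payload

def udp500_isakmp(exchange, length):
    """UDP/500 datagram carrying a 28-byte ISAKMP header plus zero padding."""
    udp = struct.pack("!HHHH", 500, 500, 8 + length, 0)
    ike = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      36, 0x20, exchange, 0x08, 1, length)
    return udp + ike + b"\x00" * (length - 28)

# Constructed sample: a 900-byte IKE_AUTH split into two IPv4 fragments at
# 600 bytes, mirroring the first/second fragment pair seen in the capture.
DATAGRAM = udp500_isakmp(IKE_AUTH, 900 - 8)
FRAG1 = ipv4(DATAGRAM[:600], 0, more=True)
FRAG2 = ipv4(DATAGRAM[600:], 600, more=False)

def check_fragments(packets):
    """Group IPv4 fragments by (src, dst, id, proto), report whether each
    datagram reassembles, and decode the IKEv2 exchange type when the
    offset-0 fragment carries the ISAKMP header."""
    groups = {}
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        tot, ip_id, ff, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
        key = (pkt[12:16], pkt[16:20], ip_id, proto)
        g = groups.setdefault(key, {"chunks": {}, "end": None, "exchange": None})
        off, data = (ff & 0x1FFF) * 8, pkt[ihl:tot]
        g["chunks"][off] = data
        if not ff & 0x2000:           # MF clear: this is the last fragment
            g["end"] = off + len(data)
        if off == 0 and proto == UDP and len(data) > 26:
            g["exchange"] = data[26]  # UDP(8) + SPIs(16) + next(1) + ver(1)
    out = []
    for g in groups.values():
        pos = 0
        while pos in g["chunks"]:     # walk contiguous fragments from offset 0
            pos += len(g["chunks"][pos])
        complete = g["end"] is not None and pos >= g["end"]
        out.append({"exchange": g["exchange"], "complete": complete, "received": pos})
    return out
```

Feed it the fragments from the in_front_of_asa capture: an IKE_AUTH group that is `complete: False` with only 600 of its bytes received is exactly a dropped second fragment upstream of the ASA.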
The VPN passthrough option is on. Cisco's old VPN client IKEv1 works fine with this router.
Working with Linksys to see if their latest F/W 220.127.116.1120, released July 6, 2017, was made available to the routers and if there were any changes to VPN passthrough for IKEv2.
We updated to AnyConnect ver. 4.5.01.044 last week and AC with IKEv2 worked, downgraded back to Anyconnect ver. 4.5.00058 and it also worked. I did not make any changes on the ASA and I am currently running 9.6.3-1 on the ASA.
There are 2 ICMP packets from the Linksys WAN (public IP) to the private IP address. Both are Destination unreachable messages. These messages are not being generated by the ASA.