04-24-2013 11:58 PM - edited 02-21-2020 06:51 PM
AnyConnect client reconnects after 1 minute; WHY
version 3.1.02026
ASA:asa911-k8.bin
[25-4-2013 8:16:11] Establishing VPN session...
[25-4-2013 8:16:11] Checking for profile updates...
[25-4-2013 8:16:11] Checking for product updates...
[25-4-2013 8:16:11] Checking for customization updates...
[25-4-2013 8:16:11] Performing any required updates...
[25-4-2013 8:16:12] Establishing VPN session...
[25-4-2013 8:16:12] Establishing VPN - Initiating connection...
[25-4-2013 8:16:12] Establishing VPN - Examining system...
[25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:16:15] Establishing VPN - Configuring system...
[25-4-2013 8:16:16] Establishing VPN...
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:17:19] Reconnecting to my.vpn.com...
[25-4-2013 8:17:19] Establishing VPN - Examining system...
[25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:17:25] Reconnecting to my.vpn.com...
[25-4-2013 8:17:25] Establishing VPN - Examining system...
[25-4-2013 8:17:25] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:16:11] Establishing VPN session...
[25-4-2013 8:16:11] Checking for profile updates...
[25-4-2013 8:16:11] Checking for product updates...
[25-4-2013 8:16:11] Checking for customization updates...
[25-4-2013 8:16:11] Performing any required updates...
[25-4-2013 8:16:12] Establishing VPN session...
[25-4-2013 8:16:12] Establishing VPN - Initiating connection...
[25-4-2013 8:16:12] Establishing VPN - Examining system...
[25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:16:15] Establishing VPN - Configuring system...
[25-4-2013 8:16:16] Establishing VPN...
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:17:19] Reconnecting to my.vpn.com...
[25-4-2013 8:17:19] Establishing VPN - Examining system...
[25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:17:25] Reconnecting to my.vpn.com...
[25-4-2013 8:17:25] Establishing VPN - Examining system...
[25-4-2013 8:17:25] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
Solved! Go to Solution.
07-13-2013 10:12 AM
the log is not sufficient
get more log from asa
Sent from Cisco Technical Support iPad App
07-13-2013 03:03 PM
I’ve been having this for a while now. But other problems kept me from further investigating this issue. It a nagging problem, but after the reconnect everything is ok. So because of that, this one was not so high in my list of issue’s to solve. I suspected this to be a client thing. I’ve seen the same problem on windows7 and windows8 clients. I don’t know exactly when this problem started, but after installing the latest client 3.1.0459 the problem was not fixed. By now I would assume that Cisco would have fixed this bug, so I now started to suspect the firmware or VPN configuration of our ASA. Which was running 9.1 software. I started by doing a:
# debug webvpn anyconnect 255
After looking at the logs something caught my eye
Group
What the??? What is this? After using google, I found this document.
Error:− %ASA−6−722036: Group client−group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)
The %ASA−6−722036: Group < client−group > User < xxxx > IP < x.x.x.x>
Transmitting large packet 1220 (threshold 1206) error message appears in the logs of
the ASA. What does this log mean and how is this resolved?
Solution:
This log message states that a large packet was sent to the client. The source of the packet is not aware of the
MTU of the client. This can also be due to compression of non−compressible data. The workaround is to turn
off the SVC compression with the svc compression none command. This resolves the issue.
After applying these rules to the group policy configuration my problem was gone
webvpn
anyconnect mtu 1331
anyconnect ssl compression none
02-28-2014 01:32 PM
Hello Michael,
The problem here is because we cannot succesfully establish a DTLS tunnel. This could happen because:
- DTLS is blocked somewhere in the path
- A non-default DTLS port is being used
If DTLS is blocked in the middle the issue is because as of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transition Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.
As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).
In order to eliminate this visible transition of DTLS > TLS, you can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).
1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.
group-policy ac_users_group attributes
webvpn
anyconnect mtu 1300
This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.
2. The second option is to allow fragmentation.
group-policy ac_users_group attributes
webvpn
anyconnect ssl df-bit-ignore enable
With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.
3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:
sysopt conn tcpmss 1460
In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.
If DTLS is not blocked in the middle another potential cause for the DTLS failure that DTLS is configured on a non-default port after the WebVPN is enabled (for example, when the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x where the ASA pushes the non-default port to the client, but continues to listen to the default port. Consequently, the DTLS is not built and AnyConnect reconnects.
The workaround for this problem is:
Regards,
-Gustavo Medina
07-13-2013 02:28 AM
Installed the latest Client 3.1.04059 but the problem is still there. I see the same issue on w7 and w8 clients. I'm suspecting the ASA firmware now.
08-01-2013 11:59 AM
This fixed me using ASA 9.1.1
no compression anyconnect-ssl http-comp
group-policy DfltGrpPolicy attributes
webvpn
anyconnect mtu 1200
07-13-2013 10:12 AM
the log is not sufficient
get more log from asa
Sent from Cisco Technical Support iPad App
07-13-2013 03:03 PM
I’ve been having this for a while now. But other problems kept me from further investigating this issue. It a nagging problem, but after the reconnect everything is ok. So because of that, this one was not so high in my list of issue’s to solve. I suspected this to be a client thing. I’ve seen the same problem on windows7 and windows8 clients. I don’t know exactly when this problem started, but after installing the latest client 3.1.0459 the problem was not fixed. By now I would assume that Cisco would have fixed this bug, so I now started to suspect the firmware or VPN configuration of our ASA. Which was running 9.1 software. I started by doing a:
# debug webvpn anyconnect 255
After looking at the logs something caught my eye
Group
What the??? What is this? After using google, I found this document.
Error:− %ASA−6−722036: Group client−group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)
The %ASA−6−722036: Group < client−group > User < xxxx > IP < x.x.x.x>
Transmitting large packet 1220 (threshold 1206) error message appears in the logs of
the ASA. What does this log mean and how is this resolved?
Solution:
This log message states that a large packet was sent to the client. The source of the packet is not aware of the
MTU of the client. This can also be due to compression of non−compressible data. The workaround is to turn
off the SVC compression with the svc compression none command. This resolves the issue.
After applying these rules to the group policy configuration my problem was gone
webvpn
anyconnect mtu 1331
anyconnect ssl compression none
07-14-2013 02:01 AM
lowering the MTU size was indeed the solution.
thx
12-23-2013 03:20 PM
I updated my ASA to 9.1.4 and the AnyConnect client to 3.1.05152 and I am no longer having reconnect issues.
02-28-2014 01:32 PM
Hello Michael,
The problem here is because we cannot succesfully establish a DTLS tunnel. This could happen because:
- DTLS is blocked somewhere in the path
- A non-default DTLS port is being used
If DTLS is blocked in the middle the issue is because as of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transition Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.
As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).
In order to eliminate this visible transition of DTLS > TLS, you can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).
1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.
group-policy ac_users_group attributes
webvpn
anyconnect mtu 1300
This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.
2. The second option is to allow fragmentation.
group-policy ac_users_group attributes
webvpn
anyconnect ssl df-bit-ignore enable
With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.
3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:
sysopt conn tcpmss 1460
In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.
If DTLS is not blocked in the middle another potential cause for the DTLS failure that DTLS is configured on a non-default port after the WebVPN is enabled (for example, when the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x where the ASA pushes the non-default port to the client, but continues to listen to the default port. Consequently, the DTLS is not built and AnyConnect reconnects.
The workaround for this problem is:
Regards,
-Gustavo Medina
09-26-2018 11:21 AM
Hello,
We have an issue where clients connecting and shortly getting disconnected after around 1 minute however this is for users on protocol tslv1.2, anyone that is connected using DTLS works fine. I am not sure what else i can try?
we the command on our group policy "svc DTLS none" , not sure if this has anything to do with it? i have spent hours on this hoping someone can help solve! we are using anyconnect client version 4.4.04030, also we 8.0 ASA version.
here is DART log error.
Description : Function: CSocketTransport::callbackHandler
File: IPC\SocketTransport.cpp
Line: 1830
Invoked Function: ::WSARecv/::WSARecvFrom
Return Code: 10058 (0x0000274A)
Description: A request to send or receive data was disallowed because the socket had already been shut down in that direction with a previous shutdown call.
Zero bytes transferred
thanks
09-26-2018 09:47 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide