AnyConnect connection failure - OS problem?

Mi1anovic
Level 1

Hello,

I have a problem with Cisco AnyConnect VPN, but it's related to a single computer only. Everything works just fine as long as I am doing regular things. However, when I increase network load (copying files through RDP, browsing Google Maps over RDP, checking massive Docker logs on Ubuntu) I am disconnected from the VPN with a connection failure error (image of the error below).

This is not happening on other computers using the same VPN account, OS version, AnyConnect version.

I tried to reinstall Cisco AnyConnect VPN, and I installed the newest OS updates and drivers. I am using Win11 as the OS from which I am making the connection. I ran sfc /scannow but it seems to be OK.
It seems like something is wrong with my OS, but I really, really don't want to reinstall the whole OS because that's at least 2 days of work.

Any ideas someone please? I would be thankful.

20 Replies

Can you share the XML profile in effect on the PC?

MHM

Well... I would like to share it, but I think I shouldn't. Maybe I can share some parts which are safe to share?

Sure, remove the public IP and FQDN of your GW and any password.

Security first

MHM

Thanks. Here is the XML profile:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
        <ShowPreConnectMessage>true</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>IgnoreProxy</ProxySettings>
        <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">true</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
        <AllowManualHostInput>true</AllowManualHostInput>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>XXXXXXXXXXXXXX</HostName>
            <HostAddress>XXXXXXXXXXXXXX</HostAddress>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>true
                    <AuthMethodDuringIKENegotiation>EAP-MSCHAPv2</AuthMethodDuringIKENegotiation>
                    <IKEIdentity>anyconnect</IKEIdentity>
                </StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

DisconnectOnSuspend

Reconnect behaviour can be the issue.

Can you disable suspend mode on the affected device?

MHM
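To see what the posted profile actually says about reconnects, here is an added example (my own code, not Cisco's and not part of the original thread) that parses a trimmed copy of the profile above with Python's ElementTree. The part that trips people up is the default namespace AnyConnect profiles declare, so every lookup has to carry it. It reports the settings MHM is asking about and produces a copy with the other documented AutoReconnectBehavior value, ReconnectAfterResume, so the two can be compared on the affected PC. The embedded profile is a constructed, trimmed copy with the hosts still masked; the function names are my own.

```python
"""Audit reconnect-related settings in an AnyConnect client profile (added example)."""
import xml.etree.ElementTree as ET

# AnyConnect profiles declare this as their default namespace; every find() must use it.
NS_URI = "http://schemas.xmlsoap.org/encoding/"
NS = {"ac": NS_URI}
ET.register_namespace("", NS_URI)  # keep the default namespace when serialising a copy

# The two values the AutoReconnectBehavior element accepts.
VALID_BEHAVIORS = {"DisconnectOnSuspend", "ReconnectAfterResume"}

# Constructed sample: a trimmed copy of the profile posted in this thread, hosts masked.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
    <ClientInitialization>
        <IPProtocolSupport>IPv4</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>XXXXXXXXXXXXXX</HostName>
            <HostAddress>XXXXXXXXXXXXXX</HostAddress>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>true
                    <AuthMethodDuringIKENegotiation>EAP-MSCHAPv2</AuthMethodDuringIKENegotiation>
                    <IKEIdentity>anyconnect</IKEIdentity>
                </StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
"""


def _own_text(el):
    """Text of an element before its first child, e.g. the 'true' in <AutoReconnect>true<AutoReconnectBehavior>..."""
    return (el.text or "").strip() if el is not None else None


def reconnect_settings(profile_xml: str) -> dict:
    """Pull out the settings that decide what the client does when the tunnel drops."""
    root = ET.fromstring(profile_xml)
    ci = root.find("ac:ClientInitialization", NS)
    auto = ci.find("ac:AutoReconnect", NS) if ci is not None else None
    behavior = auto.find("ac:AutoReconnectBehavior", NS) if auto is not None else None
    proto = root.find("ac:ServerList/ac:HostEntry/ac:PrimaryProtocol", NS)
    auth = (proto.find("ac:StandardAuthenticationOnly/ac:AuthMethodDuringIKENegotiation", NS)
            if proto is not None else None)
    return {
        "auto_reconnect": _own_text(auto) == "true",
        "reconnect_user_controllable": auto is not None and auto.get("UserControllable") == "true",
        "reconnect_behavior": _own_text(behavior),
        "ip_protocol": _own_text(ci.find("ac:IPProtocolSupport", NS)) if ci is not None else None,
        "primary_protocol": _own_text(proto),
        "ike_auth": _own_text(auth),
    }


def with_reconnect_behavior(profile_xml: str, behavior: str) -> str:
    """Return a copy of the profile with AutoReconnectBehavior set to the given value."""
    if behavior not in VALID_BEHAVIORS:
        raise ValueError(f"unknown AutoReconnectBehavior {behavior!r}")
    root = ET.fromstring(profile_xml)
    el = root.find("ac:ClientInitialization/ac:AutoReconnect/ac:AutoReconnectBehavior", NS)
    if el is None:
        raise ValueError("profile has no AutoReconnectBehavior element")
    el.text = behavior
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, value in reconnect_settings(SAMPLE_PROFILE).items():
        print(f"{key:28} {value}")
    print(with_reconnect_behavior(SAMPLE_PROFILE, "ReconnectAfterResume"))
```

On a Windows client the profile in effect typically lives under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\. One caveat for anyone trying the modified copy locally: the headend pushes its profile down on connect, so a local edit is overwritten at the next session unless the change is made on the gateway side.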

You mean remove this line from XML config? I am not sure what you mean by disabling suspend mode in effect Device.

<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>

The PC's power-saving suspend mode and/or hibernate mode.

MHM

I had the maximum power plan mode set. I disabled power saving on the Ethernet adapters. Hibernate mode is disabled. Power mode is best performance.
The error still persists.

tvotna
Spotlight

What kind of secure gateway is this which doesn't support reconnections?

Also, can you share the AnyConnect client messages from when the client loses connection, to begin with? Copy them from the client's Message History box.


I don't know what type of secure gateway it is.
However, I raised a support ticket with the provider of the VPN connection. They told me that the problem is within my computer, and that's basically it. I really don't want to reinstall the whole OS because of this. Reinstallation of the OS is really the last choice I want to take (it's really problematic and I would need to spend many hours recovering everything).

Here is the log of the AnyConnect client from first connection until the error:

9:51:47    Ready to connect.
9:51:50    Contacting *******************
9:52:17    User credentials entered.
9:52:17    Establishing VPN session...
9:52:17    Establishing VPN - Examining system...
9:52:17    Establishing VPN - Activating VPN adapter...
9:52:17    Establishing VPN session...
9:52:17    Establishing VPN - Configuring system...
9:52:17    Establishing VPN...
9:52:18    Connected to *******************
9:55:38    Reconnecting to *******************
9:55:38    Disconnect in progress, please wait...
9:55:41    Ready to connect.

I guess the gateway is a router and you're connecting to it via IKEv2. You can verify this on the client in the Transport Information section of the Statistics tab when connected. And it looks like this router is not configured for IKEv2 reconnects:

crypto ikev2 profile <name>
 reconnect

So, at some point the AnyConnect client loses connectivity to the headend and tries to reconnect. The headend declines the reconnect attempt and the client disconnects. The question of why the client loses connectivity to the headend is open. Typically, in both the DTLS and IPsec cases, the client sends Dead Peer Detection (DPD) probes to check the liveness of the headend. In the case of IKEv2 they're built into the protocol and are regular IKEv2 (UDP/4500 or UDP/500) messages (INFORMATIONAL exchange). They are not blocked in your case, since the reconnect attempt reaches the headend just fine. Also, the DPD probes should be sent in on-demand mode by default, if I'm not mistaken, i.e. the client doesn't need to send them periodically if traffic arrives from the router (the traffic itself is proof of liveness). When you download something over the tunnel, do you see that the download gets stuck at some point and only after that, a couple of minutes later, the client disconnects? When traffic from the headend doesn't arrive, the interval between probes should be 30 seconds by default (I believe it's unconfigurable in the case of an IOS headend) and the client makes a few retries before giving up and initiating a reconnect.

So, it's very hard to say what's going on here. You can try to collect a diagnostics bundle on the client (Diagnostics button on the client screen) and check what's happening at the time of the disconnect and 2-3 minutes before it. A Wireshark capture collected on the physical adapter at the same time can also help. In the diagnostics .zip the AnyConnect.txt is very verbose. Search for "DPD", "reconn" and "Reconn" there.

If your provider enables the auto-reconnect feature on the headend, this may or may not help you, since the root cause of the issue is unclear.

Reinstalling the OS and the client may also not help.


Thank you a lot for your answer.
Yes, I am using IKEv2. I see this in the Transport Information section:

Protocol: IKEv2/IPsec NAT-T

Yes, when the issue occurs, at first I experience a freeze of RDP or SSH sessions for a few seconds and then I get the error message.
I don't have the DART tool within my AnyConnect, not even in Program Files. I don't know where I can get one. However, I can try to use Wireshark and check packets.

Yes, I am afraid that an OS reinstall won't help. But I would at least know if the problem is in the OS or not.

I was able to get DART. I have a bundle created with some files. I would like to keep sensitive information private. Can you tell me which files from the bundle you need so I can remove sensitive info?

I only need AnyConnect.txt and time of the disconnect. Replace public IP addresses with x.x.x.x in the file.

One other thing you can check is Internet connectivity at the time of the VPN disconnect and before the disconnect, e.g. ping -t 8.8.8.8 or something like that. If ping works but the VPN gets suddenly disconnected, the problem is with the VPN.
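Putting tvotna's two checks together (the Message History timeline from earlier in the thread and the parallel ping test just suggested), here is an added example that is my own code, not Cisco's and not part of the original posts. It parses the message-history lines the original poster pasted, works out how long the session lived and whether the reconnect attempt recovered, then lines that up against a ping log. The ping lines are constructed to look like ping -t 8.8.8.8 output with a clock stamp in front of each line (as a small loop would write them); timestamps in both logs are assumed to come from the same clock on the same day. The rule implemented is the one stated above: if Internet ping kept answering through the window before the client started reconnecting, the underlying link did not drop and the problem lies with the VPN; if ping failed first, look at the physical connection.

```python
"""Correlate AnyConnect message-history events with a parallel ping log (added example)."""
import re
from datetime import datetime, timedelta

# Message History lines copied from the post earlier in this thread (gateway masked as x.x.x.x).
ANYCONNECT_HISTORY = """\
9:51:47    Ready to connect.
9:51:50    Contacting x.x.x.x
9:52:17    User credentials entered.
9:52:17    Establishing VPN session...
9:52:18    Connected to x.x.x.x
9:55:38    Reconnecting to x.x.x.x
9:55:38    Disconnect in progress, please wait...
9:55:41    Ready to connect.
"""

# Both logs: "H:MM:SS   message". Anything that doesn't match (headers, blanks) is skipped.
LINE_RE = re.compile(r"^\s*(\d{1,2}:\d{2}:\d{2})\s+(.*\S)\s*$")


def parse_timestamped(text: str):
    """Return [(time, message), ...] for every timestamped line in the text."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return out


def session_summary(history_text: str) -> dict:
    """When the tunnel came up, when the client gave up on it, and whether it got it back."""
    events = parse_timestamped(history_text)
    connected = next((t for t, msg in events if msg.startswith("Connected to")), None)
    reconnect = next((t for t, msg in events if msg.startswith("Reconnecting to")), None)
    # A successful reconnect logs "Connected to" again; "Ready to connect." after the
    # attempt means the client fell back to idle, which is what the poster sees.
    recovered = None
    if reconnect is not None:
        recovered = any(t > reconnect and msg.startswith("Connected to") for t, msg in events)
    return {
        "connected_at": connected,
        "reconnect_at": reconnect,
        "connected_seconds": (int((reconnect - connected).total_seconds())
                              if connected and reconnect else None),
        "reconnect_succeeded": recovered,
    }


def make_ping_log(start: str, seconds: int, timeouts=frozenset()) -> str:
    """Constructed ping -t style output, one line per second, timing out at the given offsets."""
    t0 = datetime.strptime(start, "%H:%M:%S")
    lines = []
    for i in range(seconds):
        stamp = (t0 + timedelta(seconds=i)).strftime("%H:%M:%S")
        body = ("Request timed out." if i in timeouts
                else "Reply from 8.8.8.8: bytes=32 time=14ms TTL=117")
        lines.append(f"{stamp} {body}")
    return "\n".join(lines)


def classify_drop(history_text: str, ping_text: str, window=timedelta(seconds=30)) -> str:
    """'vpn' if every ping in the window before the reconnect answered, 'link' if any timed
    out, 'no-data' if there was no reconnect or no pings were captured in that window."""
    reconnect = session_summary(history_text)["reconnect_at"]
    if reconnect is None:
        return "no-data"
    pings = [(t, msg.startswith("Reply from")) for t, msg in parse_timestamped(ping_text)
             if reconnect - window <= t <= reconnect]
    if not pings:
        return "no-data"
    return "vpn" if all(ok for _, ok in pings) else "link"


if __name__ == "__main__":
    summary = session_summary(ANYCONNECT_HISTORY)
    print(f"tunnel lived {summary['connected_seconds']} s, reconnect succeeded: {summary['reconnect_succeeded']}")
    healthy = make_ping_log("9:55:00", 45)                  # Internet fine throughout
    flaky = make_ping_log("9:55:00", 45, {20, 21, 22})      # three timeouts at 9:55:20-22
    print("pings fine   ->", classify_drop(ANYCONNECT_HISTORY, healthy))
    print("pings failed ->", classify_drop(ANYCONNECT_HISTORY, flaky))
```

The 30-second window is deliberately the default DPD interval tvotna mentions; widen it (the window argument) if the capture shows the client retrying for longer before the "Reconnecting to" line. Feed the same timeline against the AnyConnect.txt lines from the DART bundle once "DPD" and "reconn" hits have been pulled out, and the picture of which side went silent first is usually clear.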