10870 Views · 20 Helpful · 4 Replies

AnyConnect Disconnect and Reconnect Issue

Serpens66
Level 1

We have an issue where the client gets stuck in a disconnect/reconnect loop; the Internet remains blocked and, as such, it never reconnects but keeps trying. I've recently begun to suspect some of the setup we have (as I wasn't aware of an issue until recently). The public FQDN of the VPN resolves to a public IP when connected to an external network, but when connected to an internal network it resolves to a private IP using the same FQDN. I've sanitized, so any naming inconsistencies should be chalked up to that, but I think I was pretty thorough.

Our split tunnel only allows a local network, using this ACL, for printing and sends all other traffic down the tunnel:

 

access-list Local_SplitV2 standard permit host 0.0.0.0

A snippet of the webvpn CLI:

webvpn
enable inside
enable outside
hostscan image disk0:/hostscan_4.6.03051-k9.pkg
hostscan enable
anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg

Here's an example group-policy:

group-policy GENERAL_GP internal
group-policy GENERAL_GP attributes
wins-server none
dns-server value 10.10.10.10
vpn-access-hours none
vpn-simultaneous-logins 7500
vpn-idle-timeout 30
vpn-session-timeout none
vpn-session-timeout alert-interval none
vpn-filter none
vpn-tunnel-protocol ssl-client
group-lock value Computer_Conn-Prof
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value Local_SplitV2
default-domain value corp.domain
split-dns none
split-tunnel-all-dns enable
gateway-fqdn value anyconnect.fqdn
msie-proxy method no-modify
vlan none
address-pools value Computer_IP_Pool
smartcard-removal-disconnect enable
security-group-tag none
periodic-authentication certificate 4
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1300
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private value GENERAL_Filter
anyconnect keep-installer installed
anyconnect ssl rekey time none
anyconnect dtls compression lzs
anyconnect modules value dart,umbrella,posture
anyconnect profiles value Computer_Prof type user
anyconnect profiles value Computer_Umbrella type umbrella
anyconnect ask none default anyconnect
always-on-vpn profile-setting

Anyone else attempt a setup like this, or see a glaring flaw in this design?
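Added example, not from this thread and not Cisco's code: a small Python script that parses the sanitized group-policy and split-tunnel ACL posted above (embedded here as constructed input) into dictionaries, summarises the settings that decide what happens when the tunnel drops (always-on, DTLS, split-tunnel mode and exclusion list, DNS handling), and classifies the address the gateway FQDN resolved to as private or public, which in this split-horizon setup tells the internal network apart from an external one. The parsing rule (last token is the value unless the literal word `value` appears) is a simplification of ASA syntax that happens to fit every line in this policy; the sample addresses at the bottom are made up.

```python
import ipaddress

# Constructed input: the sanitized group-policy and ACL from the original post.
GROUP_POLICY = """\
group-policy GENERAL_GP internal
group-policy GENERAL_GP attributes
 dns-server value 10.10.10.10
 vpn-idle-timeout 30
 vpn-filter none
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_SplitV2
 split-tunnel-all-dns enable
 gateway-fqdn value anyconnect.fqdn
 address-pools value Computer_IP_Pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect ssl rekey time none
  always-on-vpn profile-setting
"""
SPLIT_ACL = ["access-list Local_SplitV2 standard permit host 0.0.0.0"]


def parse_group_policy(text):
    """Parse ASA group-policy lines into {"name", "attributes", "webvpn"}.

    Simplified rule that fits this policy: if the literal word 'value' is
    present, everything after it is the value; otherwise the last token is
    the value and the preceding tokens form the key.
    """
    policy = {"name": None, "attributes": {}, "webvpn": {}}
    section = "attributes"
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "group-policy":
            policy["name"] = tokens[1]
            continue
        if tokens == ["webvpn"]:  # nested webvpn sub-mode starts here
            section = "webvpn"
            continue
        if "value" in tokens:
            i = tokens.index("value")
            key, value = " ".join(tokens[:i]), " ".join(tokens[i + 1:])
        elif len(tokens) == 1:
            key, value = tokens[0], None
        else:
            key, value = " ".join(tokens[:-1]), tokens[-1]
        policy[section][key] = value
    return policy


def parse_standard_acl(lines):
    """Return (name, [(action, network)]) for ASA standard ACL lines."""
    name, entries = None, []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "standard":
            continue
        name, action, rest = t[1], t[3], t[4:]
        if rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
        elif rest[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:  # network followed by a dotted netmask
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}")
        entries.append((action, net))
    return name, entries


def excludes_only_local_lan(entries):
    """True when the exclude list is just 'permit host 0.0.0.0', the AnyConnect
    placeholder for 'the client's directly connected LAN' and nothing else."""
    return bool(entries) and all(
        action == "permit" and net == ipaddress.ip_network("0.0.0.0/32")
        for action, net in entries
    )


def reconnect_posture(policy):
    """Settings that decide whether a dropped tunnel fails closed and what
    bypasses the tunnel while it is up."""
    attrs, webvpn = policy["attributes"], policy["webvpn"]
    return {
        "always_on": "always-on-vpn" in webvpn,
        "dtls": webvpn.get("anyconnect ssl dtls") == "enable",
        "split_mode": attrs.get("split-tunnel-policy"),
        "split_acl": attrs.get("split-tunnel-network-list"),
        "all_dns_via_tunnel": attrs.get("split-tunnel-all-dns") == "enable",
        "gateway_fqdn": attrs.get("gateway-fqdn"),
    }


def gateway_resolved_internal(ip_text):
    """True when the gateway FQDN resolved to a private address, which in the
    poster's split-horizon DNS means the client is on the internal network."""
    return ipaddress.ip_address(ip_text).is_private


if __name__ == "__main__":
    gp = parse_group_policy(GROUP_POLICY)
    acl_name, acl = parse_standard_acl(SPLIT_ACL)
    for k, v in reconnect_posture(gp).items():
        print(f"{k:>20}: {v}")
    print(f"{acl_name} excludes only local LAN: {excludes_only_local_lan(acl)}")
    for addr in ("10.20.30.40", "11.22.33.44"):  # constructed sample answers
        print(f"gateway -> {addr}: internal={gateway_resolved_internal(addr)}")
```

Run it as-is to get the posture summary for the posted policy; point `GROUP_POLICY` and `SPLIT_ACL` at your own `show running-config group-policy` and `show running-config access-list` output to compare a working group-policy against a looping one, and feed `gateway_resolved_internal` the result of resolving the gateway FQDN from each network to confirm which copy of the record the client is seeing.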

Accepted Solution

We seem to be at a more stable state now; we upgraded to 4.7 for the client and found that disabling the power save function on the LAN port when plugged in helps out some of the users.

The users affected in our environment were a much smaller subset than initially reported to my team, but implementing those fixes pretty much narrowed it down further to users with issues now limited to only PC issues and/or ISP problems.

4 Replies

Serpens66
Level 1

I have submitted a TAC case for this, I will update this with their solution. Please don't hesitate to throw in your ideas though.


Try to disable DTLS, i.e. the command tls-only under webvpn, and see if it works.

Thanks for the suggestion, I have seen this. We do use softphones over the VPN, so I am a bit reluctant to disable it, but I'll let you know if I try that path.