11304 Views · 5 Helpful · 3 Replies

Anyconnect issue

Hi Team,

We have this AnyConnect VPN issue with one of our clients and I’m trying to troubleshoot this issue remotely.

The issue is that when a user connects to the remote network using AnyConnect, he gets connected, and after one minute or so he gets automatically reconnected. It happens only for one of the branches; in the other branch, users connect to the same AnyConnect VPN without any issue.

The weird thing is that once it reconnects it’s stable; only the first time you connect, it gets disconnected after a minute, reconnects, and then works.

I have tried changing the MTU on the client side and it didn’t work.

I would appreciate it if anyone can guide me towards resolving this issue, and please let me know what information I need to collect.

Thanks/Basavaraj

3 Replies

Abaji Rawool (Level 3)

Hi, check if the issue is similar to the one mentioned below.

This syslog is seen on the ASA:

%ASA-6-722036: Group <ac_users_group> User <vpn> IP <10.1.75.111> Transmitting large packet 1418 (threshold 1347).

Causes

The cause of this issue is the failure to build a Datagram Transport Layer Security (DTLS) tunnel. This could be because of two reasons:

  • DTLS is blocked somewhere in the path
  • Use of a non-default DTLS port 

DTLS is Blocked Somewhere in the Path 

As of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transmission Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.
As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect). 

Resolution

In order to eliminate this visible transition of DTLS > TLS, the administrator can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).

  1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.

group-policy ac_users_group attributes
 webvpn
  anyconnect mtu 1300

This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.

  2. The second option is to allow fragmentation.

group-policy ac_users_group attributes
 webvpn
  anyconnect ssl df-bit-ignore enable

With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.

  3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:

sysopt conn tcpmss 1460

In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.


HTH

Abaji.
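As an added example (not code from the thread, from Cisco, or from the AnyConnect product), here is a small Python script that does what a defender would want to do with the %ASA-6-722036 message quoted above when the symptom is intermittent: parse a batch of ASA syslog lines, aggregate the "Transmitting large packet" events per VPN session to see which users keep failing over from DTLS to TLS, and report the TLS threshold that the `anyconnect mtu` value from the first fix would have to stay below. The sample log lines are constructed for the example; only the first one is the line quoted in the reply, and the user names and IPs in the others are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %ASA-6-722036 format quoted in the
# thread. Only the first line is the one from the thread; the other lines
# (user names, IPs, packet sizes) are made up for illustration. The 722022
# line is a different message ID the parser must ignore.
SAMPLE_LOGS = """\
%ASA-6-722036: Group <ac_users_group> User <vpn> IP <10.1.75.111> Transmitting large packet 1418 (threshold 1347).
%ASA-6-722036: Group <ac_users_group> User <vpn> IP <10.1.75.111> Transmitting large packet 1418 (threshold 1347).
%ASA-6-722036: Group <ac_users_group> User <jdoe> IP <10.1.75.120> Transmitting large packet 1400 (threshold 1347).
%ASA-6-722022: Group <ac_users_group> User <asmith> IP <10.1.75.130> UDP SVC connection established without compression
"""

# Field layout of the 722036 message exactly as it appears in the thread.
LARGE_PACKET_RE = re.compile(
    r"%ASA-6-722036: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> Transmitting large packet (?P<size>\d+) "
    r"\(threshold (?P<threshold>\d+)\)"
)


def parse_large_packet_events(text):
    """Return one dict per 722036 line; lines with other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LARGE_PACKET_RE.search(line)
        if not m:
            continue
        events.append({
            "group": m.group("group"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "size": int(m.group("size")),          # DTLS MTU applied on the VA
            "threshold": int(m.group("threshold")),  # TLS MTU the ASA enforces
        })
    return events


def summarize_by_session(events):
    """Aggregate per (group, user, ip): event count, largest packet, smallest threshold.

    A session that logs this repeatedly is one whose DTLS tunnel keeps failing
    and falling back to TLS with the smaller MTU, which is the reconnect
    symptom described in the thread.
    """
    summary = defaultdict(lambda: {"count": 0, "max_size": 0, "min_threshold": None})
    for ev in events:
        s = summary[(ev["group"], ev["user"], ev["ip"])]
        s["count"] += 1
        s["max_size"] = max(s["max_size"], ev["size"])
        s["min_threshold"] = (ev["threshold"] if s["min_threshold"] is None
                              else min(s["min_threshold"], ev["threshold"]))
    return dict(summary)


def recommended_mtu_ceiling(events):
    """Smallest TLS threshold seen across all events, or None if there are none.

    Per the thread's first fix, 'anyconnect mtu' in the group policy has to be
    set below this value so the TLS and DTLS MTUs end up equal.
    """
    if not events:
        return None
    return min(ev["threshold"] for ev in events)


if __name__ == "__main__":
    evs = parse_large_packet_events(SAMPLE_LOGS)
    for key, s in summarize_by_session(evs).items():
        print(key, s)
    print("set 'anyconnect mtu' below", recommended_mtu_ceiling(evs))
```

Run against a real syslog export, a session with a count well above one while other sessions show none points at the path between that branch and the ASA (DTLS blocked or a non-default DTLS port), which matches the single-branch symptom in the original question.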

Hi Abaji,


Thank you so much for your time !

I have to check this on the firewall side, since I didn’t have firewall access. When I googled, I found a similar update: in one of the discussions they were asking to change the MTU settings on the client PC side and try connecting. I have tried changing the MTU on the client PC and it didn’t work. My rough guess is that there should not be any issue on the firewall side, because users from other branches are connecting to the same AnyConnect without any issue. Only this particular branch’s users have this problem. They all use AnyConnect ver. 3.


Thanks/Basavaraj


Hi,


As mentioned in the post, MTU is not the only cause of this, and you can check for other issues (DTLS blocked) as well.

You can collect AnyConnect diagnostic logs (DART) and captures on the client side to debug this further.

HTH

Abaji.