Anyconnect mtu value and DPD

ivanzrv200
Level 1

Hi,

We currently have some AnyConnect users that are experiencing disconnects. After troubleshooting and researching the issue online, I believe that if we change the MTU size to 1200 we can fix the current issue.

Most of the disconnects are random and can affect different users.

ASA5585-X v9.8.4.20

I plan to execute the following on the ASA to mitigate the issue:

group-policy Group_SSL-Pol attributes
webvpn
anyconnect mtu 1200

 

But because I see that some of the disconnects are related to DPD (syslog messages) and we have DTLS enabled, I believe that this will help (but I am not sure what effect it will have):

{Group <Group_SSL-Pol> User <*****> IP <1x.x.x.x> SVC closing connection: DPD failure.}

 

group-policy Group_SSL-Pol attributes
webvpn
anyconnect dpd-interval gateway 30
anyconnect dpd-interval client 10

 

(https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_anyconnect.html#44629)

 

---------------current group policy below-----------------

group-policy Group_SSL-Pol internal

group-policy Group_SSL-Pol attributes
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client
ipsec-udp enable
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
default-domain none
address-pools value GroupPool
webvpn
anyconnect modules none
anyconnect profiles value SSL_VPN type user
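As an added example (not from the original post, and not Cisco's code), here is a small Python script that sorts the ASA "SVC closing connection" syslog messages quoted above by close reason and by user, and flags users whose DPD failures repeat within a short window. Doing this before changing the group policy tells you whether the DPD failures are a few users reconnecting over and over (which points at their path or MTU) or spread across everyone (which points at the gateway side), and it keeps DPD failures apart from idle-timeout and user-requested closes that no MTU or DPD setting will change. The sample log lines are constructed; the %ASA-4-722037 message prefix and the syslog timestamp layout are assumptions for those lines, since the post only quotes the message body.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the message body quoted in the thread. The "%ASA-4-722037" prefix
# and the "Mon DD HH:MM:SS host" syslog layout are assumptions for the
# constructed sample lines below, not something taken from the original post.
CLOSE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-722037: "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
    r"SVC closing connection: (?P<reason>.+?)\.?$"
)

# Constructed sample syslog extract: three DPD failures (two for the same user
# a minute apart), one user-requested close, one idle timeout, and one
# unrelated TCP teardown line that the parser must ignore.
SAMPLE_LOG = """\
Mar 10 09:12:01 asa01 %ASA-4-722037: Group <Group_SSL-Pol> User <alice> IP <198.51.100.10> SVC closing connection: DPD failure.
Mar 10 09:12:44 asa01 %ASA-4-722037: Group <Group_SSL-Pol> User <bob> IP <198.51.100.22> SVC closing connection: User Requested.
Mar 10 09:13:30 asa01 %ASA-4-722037: Group <Group_SSL-Pol> User <alice> IP <198.51.100.10> SVC closing connection: DPD failure.
Mar 10 09:45:02 asa01 %ASA-4-722037: Group <Group_SSL-Pol> User <carol> IP <198.51.100.31> SVC closing connection: DPD failure.
Mar 10 10:02:17 asa01 %ASA-4-722037: Group <Group_SSL-Pol> User <alice> IP <198.51.100.10> SVC closing connection: Idle Timeout.
Mar 10 10:05:00 asa01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.5/51234 duration 0:00:10 bytes 1234 TCP FINs
"""


def parse_close_events(log_text):
    """Return one dict per SVC close message; every other syslog line is skipped."""
    events = []
    for line in log_text.splitlines():
        m = CLOSE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; only time differences are used below,
        # so strptime's default year is good enough here.
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def summarize(events):
    """Count closes per reason overall and per user."""
    by_reason = Counter(ev["reason"] for ev in events)
    by_user = defaultdict(Counter)
    for ev in events:
        by_user[ev["user"]][ev["reason"]] += 1
    return by_reason, dict(by_user)


def repeat_dpd_users(events, window=timedelta(minutes=30), min_count=2):
    """Users with at least min_count DPD-failure closes inside any one window.

    A user who is dropped by DPD and reconnects only to be dropped again is the
    pattern to look at first when deciding whether an MTU change is worth testing.
    """
    times = defaultdict(list)
    for ev in events:
        if ev["reason"] == "DPD failure":
            times[ev["user"]].append(ev["time"])
    flapping = []
    for user, ts in times.items():
        ts.sort()
        # Sliding window: count events that fall within `window` of each start.
        for i in range(len(ts)):
            j = i
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            if j - i >= min_count:
                flapping.append(user)
                break
    return sorted(flapping)


def main():
    events = parse_close_events(SAMPLE_LOG)
    by_reason, by_user = summarize(events)
    print("close reasons:", dict(by_reason))
    for user, reasons in sorted(by_user.items()):
        print(f"  {user}: {dict(reasons)}")
    print("repeated DPD failures within 30 min:", repeat_dpd_users(events))


if __name__ == "__main__":
    main()
```

Run it against a real `show logging` export or a syslog collector dump instead of SAMPLE_LOG and compare the per-user DPD counts before and after the `anyconnect mtu 1200` change; a DPD failure here is the ASA-side detection that the client stopped answering, so it tells you the tunnel died but not why, which is why the other close reasons are kept separate.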

2 Accepted Solutions


5 Replies

Richard Burts
Hall of Fame

If you are experiencing disconnects of established sessions and your research indicates that changing the MTU might help then you might go ahead and try the change. I do not see anything in what you post that indicates to me that DPD would be impacted by MTU setting.

HTH

Rick

I was not very detailed in my previous post, but I was looking for an expert opinion on why the MTU size would cause intermittent reconnects/disconnects for random users, or if this is even possible.

For the DTLS question (which I don't think is related to the MTU size), I see the following line in the syslogs:

{Group <Group_SSL-Pol> User <*****> IP <1x.x.x.x> SVC closing connection: DPD failure.}

and because we have DTLS enabled but we don't have DPD enabled, when I found the following note in the Cisco document

I thought this would be needed to mitigate the issue seen in the syslog (please let me know if I am correct). Again, this is (probably) not related to the MTU size.

 

Note If you enable DTLS, enable Dead Peer Detection (DPD) also. DPD enables a failed DTLS connection to fallback to TLS. Otherwise, the connection terminates.

(https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_anyconnect.html#44629)

 

Thanks for the additional information. I agree that MTU issues are probably separate from DPD. At least as a test I would suggest that you change the MTU and see if it helps. I would also comment that I have seen MTU issues where a particular source to some destination would have issues and that same source to some other destination would have no issues at all. So I believe that you have nothing to lose and potentially something to gain by changing the MTU.

 

The article that you reference certainly does suggest that you should enable DPD for AnyConnect.

HTH

Rick

Hi Richard,

Thank you for taking the time to respond to my questions.

I just thought of something:

Will the MTU size change (1200) affect the RA VPN users' internet speed? Currently we are tunneling all traffic to the ASA.

I do not have an authoritative answer to that question. It seems to me that if you change the MTU to 1200 that there will be some instances where AnyConnect might send 2 packets where with the original MTU 1 packet might have been enough. I do not think that it would happen all that often. And we do not know in sending a web page for example how many packets it already takes and so might not have much impact to add another packet to the data stream. I do not expect that you will have noticeable impact from this change. And to the extent that there might be some impact you will need to balance the benefit from resolving the disconnects against the possible performance change from the MTU.

HTH

Rick