03-11-2020 02:05 PM
Hi,
I have a few users whose AnyConnect randomly reconnects. I have troubleshot it and believe it is related to DPD, but it does not make any sense for it to happen on just a few users. We have reinstalled their AnyConnect client. Below is part of the DART logs:
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Error
Source : acvpnagent
Description : Function: CTunnelProtocolDpdMgr::OnTimerExpired
File: TunnelProtocolDpdMgr.cpp
Line: 296
Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD
Return Code: -26017782 (0xFE73000A)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets.
SSL/CSTP
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Error
Source : acvpnagent
Description : Function: CTunnelStateMgr::OnTunnelStatusChange
File: TunnelStateMgr.cpp
Line: 1362
Invoked Function: Tunnel status change callback status
Return Code: -26017782 (0xFE73000A)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets.
SSL
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Warning
Source : acvpnagent
Description : Tunnel level reconnect reason code 6:
Disruption of the VPN connection to the secure gateway.
Caching the default reconnect reason for SSL
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent
Description : The Primary SSL connection to the secure gateway is being re-established.
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent
Description : Function: CTND::OnTunnelStateChange
File: TND.cpp
Line: 2002
tunnel state change notification (new 1, old 1)
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent
Description : The VPN client has sent the following close message to the gateway:
Reconnecting to recover from error.
******************************************
Date : 03/10/2020
Time : 11:17:12
Type : Warning
Source : acvpnagent
Description : A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify
03-11-2020 02:49 PM
Hi,
Do those machines have other VPN clients installed, or other apps that might interfere with the NIC somehow? Otherwise:
- try disabling DPD on the VPN gateway, see if it works
- try using higher DPD timers on the VPN gateway, see if it works
Regards,
Cristian Matei.
03-11-2020 03:14 PM - edited 03-11-2020 03:18 PM
Hi Cristian,
Thank you for responding, I don't see any DPD config in the ASA configuration.
Because this is affecting just a few users, I initially thought that it is probably related to their laptops or AD policy, but I cannot find anything in the logs except the DPD.
I don't see any other VPN clients installed, or software that can interfere with the NIC.
03-11-2020 03:32 PM
Hi,
Use "anyconnect ssl keepalive none" and see if it works. If it doesn't work, use "anyconnect dpd-interval gateway none" and "anyconnect dpd-interval client none" and see if it works. You find these settings under webvpn in your group-policy. If any of these settings do the trick, I would leave it enabled and upgrade the ASA/AnyConnect codes.
Regards,
Cristian Matei.
03-12-2020 07:53 AM
Thank you,
Unfortunately we cannot make those changes under that group-policy. It might affect too many other users and it is making me nervous :(
But otherwise it looks like I am out of options. I looked into lowering the MTU size (on the client PC) as a possible solution?
03-12-2020 09:00 AM
Hi,
Installing AnyConnect should automatically lower the MTU of the interfaces. Disabling keepalives and DPD should do no harm to existing or new incoming AnyConnect sessions. You can play it safe by creating a test connection-profile/group-policies with the mentioned settings, and test with one user which presents the issues; this way you're sure not to affect anything else.
Regards,
Cristian Matei.
04-15-2020 03:54 PM
Any update on this? I am also having the same issue, which started happening recently. A few users get dropped off at the same time but some are still connected. This initially made me think it's a problem on the user side. That was until myself and another IT member, who were on a phone call discussing this, both had our VPN disconnect/reconnect at the same time. We checked some users' Event Viewer and found two more that had a dropout at the same time for the same reason.
I am going to try disabling DPD and see if that helps.
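A way to check the "dropped at the same time" observation across collected DART text logs, as an added example that is not part of the original thread: it pulls the DPD no-response records out of each user's log and groups timeouts that several users share. The record layout (asterisk separator, `Date :` / `Time :` fields, MM/DD/YYYY dates) is taken from the excerpt in the first post; the user names, sample records and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

DPD_CODE = "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE"  # string from the log excerpt
SEP = re.compile(r"^\*{10,}[ \t]*$", re.M)               # record separator line
FIELD = re.compile(r"^(Date|Time)[ \t]*:[ \t]*(\S+)[ \t]*$", re.M)

def dpd_timeouts(text):
    """Distinct timestamps at which one client log reports a missed DPD response."""
    hits = set()
    for chunk in SEP.split(text):
        fields = dict(FIELD.findall(chunk))
        if DPD_CODE not in chunk or not {"Date", "Time"} <= fields.keys():
            continue  # unrelated record, preamble, or truncated record
        try:
            hits.add(datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                       "%m/%d/%Y %H:%M:%S"))
        except ValueError:
            continue  # assumption: other date layouts are skipped, not guessed
    return sorted(hits)  # one timeout logs two Error records; the set collapses them

def shared_drops(logs_by_user, window_s=5):
    """Return [(first_timestamp, [users])] for timeouts hitting 2+ users within window_s."""
    events = sorted((t, u) for u, text in logs_by_user.items() for t in dpd_timeouts(text))
    groups, current = [], []
    for t, u in events:
        if current and t - current[0][0] > timedelta(seconds=window_s):
            groups.append(current)
            current = []
        current.append((t, u))
    if current:
        groups.append(current)
    shared = [(g[0][0], sorted({u for _, u in g})) for g in groups]
    return [(t, users) for t, users in shared if len(users) > 1]

def _rec(time, kind, desc, date="03/10/2020"):
    # Builds one constructed record in the layout shown in the first post.
    return ("*" * 42 + f"\nDate : {date}\nTime : {time}\nType : {kind}\n"
            f"Source : acvpnagent\nDescription : {desc}\n")

DPD = DPD_CODE + ":The secure gateway failed to respond to Dead Peer Detection packets."
SAMPLE = {  # constructed sample logs, not real user data
    "user-a": _rec("11:17:12", "Error", DPD) + _rec("11:17:12", "Error", DPD)
              + _rec("14:02:40", "Error", DPD),
    "user-b": _rec("11:17:14", "Error", DPD),
    "user-c": _rec("11:17:13", "Information", "The Primary SSL connection is being re-established."),
}

if __name__ == "__main__":
    for when, users in shared_drops(SAMPLE):
        print(when, users)
```

Timeouts that cluster across users point at the gateway or a shared network path, while timeouts isolated to one log point back at that client.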
05-11-2020 10:50 AM
Did disabling DPD help with your issue?
05-11-2020 11:00 AM
Yes, we have already tried that and it did not help. Still having the same issue.
05-13-2020 08:22 AM
Try forcing the connection over TCP.
Set up a Windows Firewall custom rule to block UDP on all ports, incoming and outgoing, for the Cisco AnyConnect:
- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
See if that stabilizes the connection.
Just did it for a user and seeing positive results so far
12-24-2020 06:31 AM
Hi,
What was the outcome after this?