
Anyconnect randomly reconnects

buffkata
Level 1

Hi,

I have a few users whose AnyConnect randomly reconnects. I have troubleshot it and believe it is related to DPD, but it does not make any sense for it to happen on just a few users. We have reinstalled their AnyConnect client. Below is part of the DART logs:


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Error
Source : acvpnagent

Description : Function: CTunnelProtocolDpdMgr::OnTimerExpired
File: TunnelProtocolDpdMgr.cpp
Line: 296
Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD
Return Code: -26017782 (0xFE73000A)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets.
SSL/CSTP


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Error
Source : acvpnagent

Description : Function: CTunnelStateMgr::OnTunnelStatusChange
File: TunnelStateMgr.cpp
Line: 1362
Invoked Function: Tunnel status change callback status
Return Code: -26017782 (0xFE73000A)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets.
SSL


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Warning
Source : acvpnagent

Description : Tunnel level reconnect reason code 6:
Disruption of the VPN connection to the secure gateway.
Caching the default reconnect reason for SSL


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent

Description : The Primary SSL connection to the secure gateway is being re-established.


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent

Description : Function: CTND::OnTunnelStateChange
File: TND.cpp
Line: 2002
tunnel state change notification (new 1, old 1)


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Information
Source : acvpnagent

Description : The VPN client has sent the following close message to the gateway:
Reconnecting to recover from error.


******************************************

Date : 03/10/2020
Time : 11:17:12
Type : Warning
Source : acvpnagent

Description : A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify

 

 

 

10 Replies

Cristian Matei
VIP Alumni

Hi,

 

    Do those machines have other VPN clients installed, or other apps that might interfere with the NIC somehow? Otherwise:

          - try disabling DPD on the VPN gateway, see if it works

          - try using higher DPD timers on the VPN gateway, see if it works

 

Regards,

Cristian Matei.

Hi Cristian,

Thank you for responding. I don't see any DPD config in the ASA configuration.

Because this is affecting just a few users, I initially thought that it is probably related to their laptops or AD policy, but I cannot find anything in the logs except the DPD?

I don't see any other VPN clients installed, or software that can interfere with the NIC.

 

Hi,

 

   Use "anyconnect ssl keepalive none" and see if it works. If it doesn't work, use "anyconnect dpd-interval gateway none" and "anyconnect dpd-interval client none" and see if it works. You find these settings under webvpn in your group-policy. If any of these settings do the trick, I would leave it enabled and upgrade the ASA/AnyConnect code.

 

Regards,

Cristian Matei.

 

Thank you, 

Unfortunately we cannot make those changes under that group-policy. It might affect too many other users and it is making me nervous :(

But otherwise it looks like I am out of options. I looked into lowering the MTU size (on the client PC) as a possible solution?

Hi,

 

   Installing AnyConnect should automatically lower the MTU of the interfaces. Disabling keepalives and DPD should do no harm to existing or new incoming AnyConnect sessions. You can play it safe by creating a test connection-profile/group-policy with the mentioned settings and testing with one user who presents the issue; this way you're sure not to affect anything else.

 

Regards,

Cristian Matei.

  

Any update on this? I am also having the same issue that started happening recently. A few users get dropped off at the same time but some are still connected. This initially made me think it's a problem on the user side. This was until myself and another IT member, who were on a phone call discussing this, both had our VPN disconnect/reconnect at the same time. We checked some users' Event Viewer and found two more that had a dropout at the same time for the same reason.

I am going to try disabling DPD and see if that helps. 
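
An added example, not part of the original thread: one way to check whether DPD timeouts in several users' DART logs line up in time, as described in the post above, using the entry layout from the log excerpt in the first post. Drops shared by several users at the same moment point away from an individual laptop. The user names, the sample entries and the MM/DD/YYYY date reading are assumptions.

```python
import re
from datetime import datetime, timedelta

DPD_ERR = "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE"
FIELD = re.compile(r"^(Date|Time|Type|Source)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def parse_dart(text):
    """Split DART message-log text into entries on the asterisk separator lines."""
    entries = []
    for block in re.split(r"^\*{10,}[ \t]*$", text, flags=re.M):
        fields = dict(FIELD.findall(block))
        if "Date" in fields and "Time" in fields:
            # Assumption: MM/DD/YYYY and 24-hour time; adjust to the client's locale.
            fields["ts"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%m/%d/%Y %H:%M:%S")
            fields["text"] = block
            entries.append(fields)
    return entries

def dpd_timeouts(text):
    """Distinct timestamps at which the client logged a missing DPD response."""
    return sorted({e["ts"] for e in parse_dart(text) if DPD_ERR in e["text"]})

def shared_drops(logs_by_user, window=timedelta(seconds=30)):
    """Cluster DPD timeouts across users; keep clusters that involve 2+ users."""
    events = sorted((ts, user) for user, text in logs_by_user.items()
                    for ts in dpd_timeouts(text))
    clusters = []
    for ts, user in events:
        if clusters and ts - clusters[-1][-1][0] <= window:
            clusters[-1].append((ts, user))
        else:
            clusters.append([(ts, user)])
    out = [(c[0][0], sorted({u for _, u in c})) for c in clusters]
    return [(start, users) for start, users in out if len(users) > 1]

def _entry(time, kind, desc):
    """Constructed sample entry in the same layout as the log excerpt above."""
    return ("*" * 42 + "\n\nDate : 03/10/2020\nTime : %s\nType : %s\n"
            "Source : acvpnagent\n\nDescription : %s\n\n" % (time, kind, desc))

NO_DPD = DPD_ERR + ":The secure gateway failed to respond to Dead Peer Detection packets."
SAMPLE = {  # constructed data; user names are hypothetical
    "alice": _entry("11:17:12", "Error", NO_DPD) + _entry("14:02:40", "Error", NO_DPD),
    "bob": _entry("11:17:15", "Error", NO_DPD),
    "carol": _entry("09:30:00", "Error", NO_DPD) + _entry("11:17:13", "Warning", "close notify"),
}

if __name__ == "__main__":
    for start, users in shared_drops(SAMPLE):
        print(start.isoformat(), "DPD timeout seen by", ", ".join(users))
```
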

Did disabling DPD help with your issue?

Yes, we have already tried that and it did not help. Still having the same issue.

Try forcing connection over TCP

Set up a Windows Firewall custom rule to block UDP on all ports incoming and outgoing for the Cisco AnyConnect:

 - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe

See if that stabilizes the connection.

Just did it for a user and seeing positive results so far

Hi,
What was the outcome after this?