
Anyconnect reconnects after 65 to 67 seconds

Tobi
Level 1

Hey all,

 

I have a customer with an ASA 5505 and we use AnyConnect for VPN connections. Everything works fine except for a reconnect around 65 to 67 seconds after the initial connection.

 

I found this https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html

 

But I tried a new 4.x version of AnyConnect and it still reconnects; I tried the suggested resolutions anyway, but that did not help either.

 

Any suggestions?

 

Thanks 

 

Tobi

 

 

10 Replies

GioGonza
Level 4

Hello @Tobi,

 

It seems that you are hitting option number 2, "DTLS is blocked somewhere in the path". The only way to know what is happening with the connection is to collect the DART file and review what happens when the computer finally connects.

 

Share that information and I can help you out

 

HTH

Gio

Hey Gio,

 

Thanks. Since I cannot upload zip files here, I sent you a SharePoint link.

 

Best regards

 

Tobi

 

Hello @Tobi

 

I checked the DART file and this is the result: 

 

+ AnyConnect establishes the SSL connection properly and follows with the DTLS connection.

******************************************
Date : 10/09/2017
Time : 13:51:55
Type : Information
Source : acvpnagent

Description : The Primary SSL connection to the secure gateway is established.
******************************************

Date : 10/09/2017
Time : 13:51:57
Type : Information
Source : acvpnagent

Description : The Primary DTLS connection to the secure gateway is being established.
******************************************

 

+ When AC tries to build the DTLS connection, it cannot, hence the connection is restarted (this process takes about 30-40 seconds):

******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent

Description : Function: CDtlsProtocol::timerCallback
File: .\DtlsProtocol.cpp
Line: 394
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent

Description : Function: CCdtpProtocol::OnTunnelInitiateComplete
File: .\CdtpProtocol.cpp
Line: 538
Invoked Function: OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent

Description : Function: CTunnelStateMgr::OnTunnelInitiateComplete
File: .\TunnelStateMgr.cpp
Line: 1210
Invoked Function: Initiate tunnel callback status
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
DTLS tunnel state 0
******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent

Description : Function: CTlsTunnelMgr::OnTunnelInitiateComplete
File: .\TlsTunnelMgr.cpp
Line: 1088
Invoked Function: CTlsTunnelMgr::OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent

Description : The Primary DTLS connection to the secure gateway is down.
******************************************

Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent

Description : The entire VPN connection is being reconfigured.
******************************************

 

Since the client couldn't build the DTLS connection, it tried to rebuild the VPN tunnel in order to make the negotiation OK; pretty much this is what happens with the connection.

 

You need to check the path for the connection in order to see where UDP 443 is blocked; when you allow the port, it should work properly.

 

HTH

Gio
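
The sequence Gio read out of the DART file (SSL established, DTLS handshake started, retransmits exhausted, whole tunnel reconfigured) can be checked mechanically. The script below is an added example, not part of the thread and not Cisco's tooling: it parses acvpnagent records in the block format quoted above and reports how long the DTLS handshake was retried and how long the session lived before the reconnect. SAMPLE_DART is constructed from the records quoted in this reply (with the same timestamps) and is not a real DART export; the timestamp format "%m/%d/%Y %H:%M:%S" is an assumption, and only intervals within one day are computed, so day/month order does not affect the result.

```python
"""Parse AnyConnect DART (acvpnagent) records and decide whether a reconnect
was caused by a DTLS handshake that never completed.

SAMPLE_DART is constructed to mirror the record format quoted in the thread;
it is not a real DART export."""
import re
from datetime import datetime

SAMPLE_DART = r"""
******************************************
Date : 10/09/2017
Time : 13:51:55
Type : Information
Source : acvpnagent

Description : The Primary SSL connection to the secure gateway is established.
******************************************
Date : 10/09/2017
Time : 13:51:57
Type : Information
Source : acvpnagent

Description : The Primary DTLS connection to the secure gateway is being established.
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent

Description : Function: CDtlsProtocol::timerCallback
File: .\DtlsProtocol.cpp
Line: 394
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent

Description : The entire VPN connection is being reconfigured.
******************************************
"""

FIELD_RE = re.compile(r"^(Date|Time|Type|Source)\s*:\s*(.*)$")
SEPARATOR_RE = re.compile(r"^\*{10,}\s*$", re.M)


def parse_dart(text):
    """Split a DART export into records (dicts with ts, type, source, desc).
    The multi-line Description is kept as one newline-joined string."""
    records = []
    for block in SEPARATOR_RE.split(text):
        fields, desc, in_desc = {}, [], False
        for line in block.strip().splitlines():
            if in_desc:
                desc.append(line.strip())
                continue
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            elif line.startswith("Description"):
                in_desc = True
                desc.append(line.split(":", 1)[1].strip())
        if "Date" in fields and "Time" in fields:
            # Assumed month/day order; irrelevant for intervals within one day.
            ts = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %H:%M:%S")
            records.append({"ts": ts, "type": fields.get("Type"),
                            "source": fields.get("Source"), "desc": "\n".join(desc)})
    return records


def first(records, *needles):
    """First record whose description contains every needle, or None."""
    return next((r for r in records if all(n in r["desc"] for n in needles)), None)


def diagnose(records):
    """Return timings for a DTLS-caused reconnect, or None if the pattern is absent.
    session_lifetime_s: SSL established -> tunnel reconfigured (what the user sees).
    dtls_wait_s: DTLS handshake started -> MAX_RETRANSMITS_EXCEEDED."""
    ssl_up = first(records, "Primary SSL connection", "is established")
    dtls_try = first(records, "Primary DTLS connection", "being established")
    gave_up = first(records, "TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED")
    reconfig = first(records, "entire VPN connection is being reconfigured")
    if not (ssl_up and dtls_try and gave_up and reconfig):
        return None
    return {
        "cause": "dtls_max_retransmits",
        "dtls_wait_s": int((gave_up["ts"] - dtls_try["ts"]).total_seconds()),
        "session_lifetime_s": int((reconfig["ts"] - ssl_up["ts"]).total_seconds()),
    }


if __name__ == "__main__":
    print(diagnose(parse_dart(SAMPLE_DART)))
```

On the quoted records the session lifetime comes out at 65 seconds (13:51:55 to 13:53:00), which is exactly the 65 to 67 second reconnect interval reported in the question, and the client spent 63 of those seconds retransmitting the DTLS ClientHello before giving up. When diagnose() returns None the reconnect has some other cause and the DTLS path is not the first thing to look at.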

 

Hey Gio,

 

This is strange. It is a small network, and an ASA 5505 forwards 443 to a web server, so I configured the AnyConnect SSL VPN to listen on port 8443. The ASA is more or less the only security-related network device. There is another router/firewall, but it just forwards everything to the ASA (exposed host).

 

So the ASA should not block 8443. Is there any way of configuring an ASA for SSL VPN on another port which could lead to these results?

 

Best regards


Tobi

Hello @Tobi,

 

If you are using a non-default port for the connection, that can probably be the issue. One question: did you change the port for SSL and DTLS, or just SSL? It is a best practice to change both of them if you are not using the default 443.

 

Can you share the output of "show run webvpn" and "show asp table socket"? We need to verify whether the ASA is listening on the port that you changed.

 

HTH

Gio

________________________________________________________________

webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect profiles VPN_BVK_client_profile disk0:/VPN_BVK_client_profile.xml
 anyconnect enable
 tunnel-group-list enable

 

________________________________________________________________________

Please ignore the old AnyConnect version; we do not use the ASA to roll it out ;)

________________________________________________________________________

 

Protocol  Socket    State   Local Address         Foreign Address
SSL       00023058  LISTEN  192.168.10.254:443    0.0.0.0:*
SSL       0004e748  LISTEN  192.168.0.54:8443     0.0.0.0:*
TCP       00077808  LISTEN  192.168.10.254:22     0.0.0.0:*
DTLS      00080d38  LISTEN  192.168.0.54:443      0.0.0.0:*
SVC       299aa0f8  ESTAB   192.168.0.54:8443     78.35.197.250:49366
SSL       29bc7ce8  ESTAB   192.168.10.254:443    192.168.10.241:36247
SSL       29c77908  ESTAB   192.168.10.254:443    192.168.10.241:36252
SVC       29fba778  ESTAB   192.168.0.54:8443     79.232.179.111:53386
SSL       29fc5fe8  ESTAB   192.168.10.254:443    192.168.10.241:36344

_______________________________________________________________________________

192.168.10.254 is the inside interface, 192.168.0.54 the outside interface of the ASA. I guess the 4th line is the problem, but to be honest I don't understand why, if it's configured correctly.

 

Thanks a lot so far

 

Best

 

Tobi

Hello @Tobi,

 

Yes, that's the problem: port 8443 for DTLS is not enabled, and when the user tries to connect, the ASA doesn't respond back, and that's causing the disconnection.

 

What you can do is the following:

 

1. Remove the configured ports for SSL and DTLS.

2. Check with "show asp table socket" whether 8443 disappeared.

3. If so, apply the configuration again and check the ASP table again.

4. If you see both SSL and DTLS on port 8443, test again and it should work. If you don't see them on the table again, try another port and follow the same steps.

 

Also, based on my experience, using an old AC image on the ASA can cause connection problems; I would recommend changing it for testing purposes. I'm sorry, I couldn't ignore it... :)

 

HTH

Gio
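
The mismatch Gio spotted (webvpn says "dtls port 8443", but the ASP socket table shows DTLS bound to 192.168.0.54:443 while SSL is on 8443) is easy to miss by eye in a long socket table. The script below is an added example written for this thread, not Cisco's code: it reads the configured ports out of "show run webvpn" (falling back to the ASA default of 443 for either value when the line is absent), parses "show asp table socket", and reports any protocol that is not listening on the configured port on the outside address. Both samples are constructed from the outputs quoted above; the outside-interface address is passed in explicitly because the socket table only shows addresses, not interface names. Run it before and after the remove-and-reapply steps above to confirm that SSL and DTLS both come up on 8443.

```python
"""Cross-check the ASA webvpn port configuration against 'show asp table
socket' to catch DTLS still bound to the default port.

The two samples are constructed to mirror the outputs quoted in the thread."""
import re

WEBVPN_CONFIG = """\
webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect enable
 tunnel-group-list enable
"""

ASP_SOCKETS = """\
Protocol  Socket    State      Local Address          Foreign Address
SSL       00023058  LISTEN     192.168.10.254:443     0.0.0.0:*
SSL       0004e748  LISTEN     192.168.0.54:8443      0.0.0.0:*
TCP       00077808  LISTEN     192.168.10.254:22      0.0.0.0:*
DTLS      00080d38  LISTEN     192.168.0.54:443       0.0.0.0:*
SVC       299aa0f8  ESTAB      192.168.0.54:8443      78.35.197.250:49366
"""

ENDPOINT_RE = re.compile(r"^(.+):(\d+|\*)$")


def webvpn_ports(config):
    """Return (ssl_port, dtls_port) from 'show run webvpn'.
    When a line is absent the ASA default of 443 applies to that protocol."""
    ssl_port = dtls_port = 443
    for line in config.splitlines():
        m = re.match(r"^\s*(dtls )?port (\d+)\s*$", line)
        if m:
            if m.group(1):
                dtls_port = int(m.group(2))
            else:
                ssl_port = int(m.group(2))
    return ssl_port, dtls_port


def parse_sockets(text):
    """Parse 'show asp table socket' rows into dicts.
    The header and any row whose local address is not ip:port are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        m = ENDPOINT_RE.match(parts[3])
        if not m or not m.group(2).isdigit():
            continue
        rows.append({"proto": parts[0], "state": parts[2], "ip": m.group(1),
                     "port": int(m.group(2)), "foreign": parts[4]})
    return rows


def check_listeners(config, socket_table, outside_ip):
    """Return findings; empty when SSL and DTLS both listen on the configured
    ports on the outside address."""
    ssl_port, dtls_port = webvpn_ports(config)
    listening = {(r["proto"], r["port"]) for r in parse_sockets(socket_table)
                 if r["state"] == "LISTEN" and r["ip"] == outside_ip}
    findings = []
    if ("SSL", ssl_port) not in listening:
        findings.append(f"no SSL listener on {outside_ip}:{ssl_port}")
    if ("DTLS", dtls_port) not in listening:
        actual = sorted(p for proto, p in listening if proto == "DTLS") or ["none"]
        findings.append(f"no DTLS listener on {outside_ip}:{dtls_port}; "
                        f"DTLS is listening on {', '.join(map(str, actual))}")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(WEBVPN_CONFIG, ASP_SOCKETS, "192.168.0.54"):
        print("FINDING:", finding)
```

On the quoted outputs the only finding is "no DTLS listener on 192.168.0.54:8443; DTLS is listening on 443", which is the condition that makes the client's DTLS ClientHello to UDP/8443 go unanswered until its retransmit limit is hit. With a matching pair (both lines on 443, or both listeners really on 8443) the function returns an empty list.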

Hey Gio, 

 

Sorry for the late reply. I tried to sort things out a little bit more, since I don't have physical access to the ASA at the moment and will have to wait until I can try what you suggested.

 

I remembered that I had a similar problem with another customer where I did not change the ports (he just didn't care about the reconnects ;) ), and I have another almost identical ASA where I don't run into any problems (ports also not changed).

 

When connecting to the customer with problems, the error messages in the DART logs are identical to the ones you found.

 

For example

 

Function: CDtlsProtocol::timerCallback
File: DtlsProtocol.cpp
Line: 438
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED

 

When I compared the output of "show run webvpn" and "show asp table socket", the only difference I found was this on the ASA without problems:

 

SVC_UDP   3606f028  CONNECTED  130.180.18.126:443    78.34.195.58:51633

 

I will check my documentation to find any more differences between the two setups, and as soon as possible I will try your suggestions from yesterday. If you have any ideas what to check on the ASA with standard port settings, please let me know.

 

Best 

 

Tobi

 

P.S.: Oh, and I will take care of the AnyConnect image ;)

Hello @Tobi,

 

The thing here is the connections on AnyConnect: when it has problems with DTLS, we have two options: fall back to SSL and work really slowly, or try to build DTLS no matter what (this is your option).

 

In the connection you shared, DTLS was able to connect and everything is working fine; also, the port is not changed, so it is using the default UDP 443. The problem with changing the port is that the ASA is not able to "open" the new port, and that's why it fails. Another option is the port being blocked somewhere else, but this is not your case.

 

Once you do the changes and test, let me know how it goes. Also, it will be helpful if you test the connection with 443 in order to see whether DTLS comes up with the default ports... just a test :)

 

HTH

Gio
