10-10-2017 06:06 AM - edited 03-12-2019 04:37 AM
Hey all,
I have a customer with an ASA 5505 and we use AnyConnect for VPN connections. Everything works fine except for a reconnect at around 65 to 67 seconds after the initial connection.
But I tried a new 4.x version of AnyConnect and it still reconnects; I tried the suggested resolutions anyway, but that did not help either.
Any suggestions?
Thanks
Tobi
10-10-2017 06:36 AM
Hello @Tobi,
It seems that you are hitting option number 2, "DTLS is blocked somewhere in the path". The only way to know what is happening with the connection is to collect the DART file and review what happens when the computer finally connects.
Share that information and I can help you out.
HTH
Gio
10-10-2017 08:03 AM
Hey Gio,
thanks, since I cannot upload zip files here I sent you a SharePoint link.
Best regards
Tobi
10-10-2017 08:40 AM
Hello @Tobi,
I checked the DART file and this is the result:
+ AnyConnect establishes the SSL connection properly and follows with the DTLS connection.
******************************************
Date : 10/09/2017
Time : 13:51:55
Type : Information
Source : acvpnagent
Description : The Primary SSL connection to the secure gateway is established.
******************************************
Date : 10/09/2017
Time : 13:51:57
Type : Information
Source : acvpnagent
Description : The Primary DTLS connection to the secure gateway is being established.
******************************************
+ When AC tries to build the DTLS, it cannot, hence the connection is restarted (this process takes about 30-40 seconds):
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent
Description : Function: CDtlsProtocol::timerCallback
File: .\DtlsProtocol.cpp
Line: 394
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent
Description : Function: CCdtpProtocol::OnTunnelInitiateComplete
File: .\CdtpProtocol.cpp
Line: 538
Invoked Function: OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent
Description : Function: CTunnelStateMgr::OnTunnelInitiateComplete
File: .\TunnelStateMgr.cpp
Line: 1210
Invoked Function: Initiate tunnel callback status
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
DTLS tunnel state 0
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent
Description : Function: CTlsTunnelMgr::OnTunnelInitiateComplete
File: .\TlsTunnelMgr.cpp
Line: 1088
Invoked Function: CTlsTunnelMgr::OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent
Description : The Primary DTLS connection to the secure gateway is down.
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent
Description : The entire VPN connection is being reconfigured.
******************************************
Since the client couldn't build the DTLS connection it tried to rebuild the VPN tunnel in order to make the negotiation OK; pretty much this is what happens with the connection.
You need to check the path for the connection in order to see where UDP 443 is blocked; when you allow the port it should work properly.
HTH
Gio
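The DART excerpt above follows a fixed block format (separator line, Date/Time/Type/Source, then a Description that may span several lines). The following script, which is an added example and not part of the thread or of any Cisco tool, parses that format, finds the DTLS bring-up attempt and the first retransmit failure after it, and reports the gap between the two. The sample log is constructed from the events quoted above (abbreviated to five blocks) and the 63-second gap it yields matches the reconnect the original poster observes at around 65 seconds.

```python
"""Parse AnyConnect DART-style event blocks and flag a DTLS bring-up failure.

Added example; not from the forum thread or from Cisco. SAMPLE_DART is a
constructed, abbreviated copy of the event blocks quoted in the thread.
"""
import re
from datetime import datetime

# Constructed sample (same block format as the DART excerpt in the thread).
SAMPLE_DART = r"""
******************************************
Date : 10/09/2017
Time : 13:51:55
Type : Information
Source : acvpnagent
Description : The Primary SSL connection to the secure gateway is established.
******************************************
Date : 10/09/2017
Time : 13:51:57
Type : Information
Source : acvpnagent
Description : The Primary DTLS connection to the secure gateway is being established.
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Error
Source : acvpnagent
Description : Function: CDtlsProtocol::timerCallback
File: .\DtlsProtocol.cpp
Line: 394
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent
Description : The Primary DTLS connection to the secure gateway is down.
******************************************
Date : 10/09/2017
Time : 13:53:00
Type : Information
Source : acvpnagent
Description : The entire VPN connection is being reconfigured.
******************************************
"""

# A separator is a line made only of asterisks.
SEPARATOR = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)
HEADER_KEYS = ("Date", "Time", "Type", "Source")


def parse_events(text):
    """Split the log on separator lines and return a list of event dicts.

    Each dict carries 'time' (datetime), 'type', 'source' and the full,
    possibly multi-line 'description' so that error codes are preserved.
    """
    events = []
    for block in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in block.strip().splitlines()]
        if not lines:
            continue
        fields, desc = {}, []
        for line in lines:
            key, sep, value = line.partition(" : ")
            if sep and key in HEADER_KEYS and not desc:
                fields[key] = value.strip()
            elif sep and key == "Description":
                desc.append(value.strip())
            else:
                desc.append(line)  # continuation line of the description
        if "Date" not in fields or "Time" not in fields:
            continue
        stamp = fields["Date"] + " " + fields["Time"]
        events.append({
            "time": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"),
            "type": fields.get("Type", ""),
            "source": fields.get("Source", ""),
            "description": "\n".join(desc),
        })
    return events


def diagnose_dtls(events):
    """Locate the DTLS attempt and the first DTLS failure that follows it.

    Returns dtls_failed, seconds_to_failure (gap between the attempt and the
    failure, or None), the error token that was logged, and whether a full
    tunnel reconfiguration was logged afterwards.
    """
    attempt = None
    result = {"dtls_failed": False, "seconds_to_failure": None,
              "reason": None, "reconfigured": False}
    for ev in events:
        d = ev["description"]
        if attempt is None and "DTLS connection" in d and "being established" in d:
            attempt = ev
            continue
        if attempt is not None and not result["dtls_failed"] and (
                "TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED" in d
                or "DTLS connection to the secure gateway is down" in d):
            m = re.search(r"TLSPROTOCOL_ERROR_\w+", d)
            result.update(
                dtls_failed=True,
                seconds_to_failure=(ev["time"] - attempt["time"]).total_seconds(),
                reason=m.group(0) if m else d.splitlines()[-1],
            )
        if result["dtls_failed"] and "being reconfigured" in d:
            result["reconfigured"] = True
    return result


if __name__ == "__main__":
    print(diagnose_dtls(parse_events(SAMPLE_DART)))
```

A retransmit timeout on the DTLS side followed immediately by "The entire VPN connection is being reconfigured" is the signature to look for; the elapsed time tells you whether the reconnect the user reports lines up with the DTLS retransmit budget rather than with some other event.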
10-11-2017 05:26 AM
Hey Gio,
this is strange; it is a small network and the ASA 5505 forwards 443 to a web server, so I configured the AnyConnect SSL VPN to listen on port 8443. The ASA is more or less the only security-related network device. There is another router/firewall, but it just forwards everything to the ASA (exposed host).
So the ASA should not block 8443. Is there any way to configure an ASA for SSL VPN on another port which could lead to these results?
Best regards
Tobi
10-11-2017 06:21 AM
Hello @Tobi,
If you are using a non-default port for the connection, that can probably be the issue. One question: did you change the port for SSL and DTLS, or just SSL? It is a best practice to change both of them if you are not using the default 443.
Can you share the output of "show run webvpn" and "show asp table socket"? We need to verify that the ASA is listening on the port that you changed.
HTH
Gio
10-11-2017 07:26 AM - edited 10-11-2017 07:29 AM
________________________________________________________________
webvpn
port 8443
enable outside
dtls port 8443
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect profiles VPN_BVK_client_profile disk0:/VPN_BVK_client_profile.xml
anyconnect enable
tunnel-group-list enable
________________________________________________________________________
Please ignore the old AnyConnect version, we do not use the ASA to roll it out ;)
________________________________________________________________________
Protocol  Socket    State   Local Address        Foreign Address
SSL       00023058  LISTEN  192.168.10.254:443   0.0.0.0:*
SSL       0004e748  LISTEN  192.168.0.54:8443    0.0.0.0:*
TCP       00077808  LISTEN  192.168.10.254:22    0.0.0.0:*
DTLS      00080d38  LISTEN  192.168.0.54:443     0.0.0.0:*
SVC       299aa0f8  ESTAB   192.168.0.54:8443    78.35.197.250:49366
SSL       29bc7ce8  ESTAB   192.168.10.254:443   192.168.10.241:36247
SSL       29c77908  ESTAB   192.168.10.254:443   192.168.10.241:36252
SVC       29fba778  ESTAB   192.168.0.54:8443    79.232.179.111:53386
SSL       29fc5fe8  ESTAB   192.168.10.254:443   192.168.10.241:36344
_______________________________________________________________________________
192.168.10.254 is the inside interface, 192.168.0.54 the outside interface of the ASA. I guess the 4th line is the problem, but tbh I don't understand why, if it's configured correctly?
Thanks a lot so far
Best
Tobi
10-11-2017 07:40 AM
Hey @GioGonza
____________________________________________________________
webvpn
port 8443
enable outside
dtls port 8443
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect profiles VPN_BVK_client_profile disk0:/VPN_BVK_client_profile.xml
anyconnect enable
tunnel-group-list enable
____________________________________________________________
Please ignore the old AnyConnect image, we do not use the ASA to roll it out ;)
____________________________________________________________
Protocol  Socket    State   Local Address        Foreign Address
SSL       00023058  LISTEN  192.168.10.254:443   0.0.0.0:*
SSL       0004e748  LISTEN  192.168.0.54:8443    0.0.0.0:*
TCP       00077808  LISTEN  192.168.10.254:22    0.0.0.0:*
DTLS      00080d38  LISTEN  192.168.0.54:443     0.0.0.0:*
SVC       2a1d6168  ESTAB   192.168.0.54:8443    78.35.197.250:51484
SSL       2a3fbb28  ESTAB   192.168.10.254:443   192.168.10.241:36406
SSL       2a499038  ESTAB   192.168.10.254:443   192.168.10.241:36411
SSL       2a6bcdb8  ESTAB   192.168.10.254:443   192.168.10.241:36430
______________________________________________________________
It seems like the 4th line is the problem, but tbh I do not understand why, since it is configured correctly.
Thanks a lot so far
Best
Tobi
10-11-2017 07:52 AM
Hello @Tobi,
Yes, that's the problem: port 8443 for DTLS is not enabled, and when the user tries to connect the ASA doesn't respond back, and that's causing the disconnection.
What you can do is the following:
1. Remove the configured ports for SSL and DTLS.
2. Check with "show asp table socket" whether 8443 disappeared.
3. If so, apply the configuration again and check the ASP table again.
4. If you see both SSL and DTLS on port 8443, test again and it should work. If you don't see them on the table again, try another port and follow the same steps.
Also, based on my experience, using an old AC image on the ASA can cause connection problems; I would recommend changing it for testing purposes. I'm sorry, I couldn't ignore it... :)
HTH
Gio
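The check Gio describes (compare the ports in "show run webvpn" with the LISTEN rows in "show asp table socket" for the outside interface) can be automated so that the mismatch is caught before users notice the reconnects. The script below is an added example, not from the thread or from Cisco; it takes the two command outputs as text and reports any AnyConnect listener that is missing on the configured port. The two sample outputs are constructed from what was posted above, the outside address 192.168.0.54 is taken from the thread, and the 443 fallback when no port is configured reflects the ASA defaults for both the SSL and the DTLS port.

```python
"""Cross-check 'show run webvpn' against 'show asp table socket' on an ASA.

Added example, not from the thread or from Cisco. The two sample outputs are
constructed from what the thread posted: webvpn says 8443 for both SSL and
DTLS, but the ASP socket table still shows the DTLS listener on 443.
"""
import re

# Constructed sample: the thread's 'show run webvpn' stanza.
SAMPLE_WEBVPN = """\
webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect profiles VPN_BVK_client_profile disk0:/VPN_BVK_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample: the thread's 'show asp table socket' (192.168.0.54 = outside).
SAMPLE_ASP = """\
Protocol  Socket    State   Local Address        Foreign Address
SSL       00023058  LISTEN  192.168.10.254:443   0.0.0.0:*
SSL       0004e748  LISTEN  192.168.0.54:8443    0.0.0.0:*
TCP       00077808  LISTEN  192.168.10.254:22    0.0.0.0:*
DTLS      00080d38  LISTEN  192.168.0.54:443     0.0.0.0:*
SVC       299aa0f8  ESTAB   192.168.0.54:8443    78.35.197.250:49366
"""


def parse_webvpn_ports(config):
    """Return {'ssl': port, 'dtls': port}; both default to 443 when not set."""
    ports = {"ssl": 443, "dtls": 443}
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"port (\d+)", line)
        if m:
            ports["ssl"] = int(m.group(1))
        m = re.fullmatch(r"dtls port (\d+)", line)
        if m:
            ports["dtls"] = int(m.group(1))
    return ports


def parse_listeners(asp_table):
    """Return a set of (protocol, ip, port) for every LISTEN row of the table."""
    listeners = set()
    for line in asp_table.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 5 or parts[2] != "LISTEN":
            continue
        ip, _, port = parts[3].rpartition(":")
        listeners.add((parts[0], ip, int(port)))
    return listeners


def check_anyconnect_listeners(config, asp_table, outside_ip):
    """Compare configured SSL/DTLS ports with the sockets the ASA really opened.

    Returns a list of findings; an empty list means both the SSL and the DTLS
    listener exist on the outside interface on the configured ports.
    """
    ports = parse_webvpn_ports(config)
    listeners = parse_listeners(asp_table)
    findings = []
    for proto, key in (("SSL", "ssl"), ("DTLS", "dtls")):
        want = ports[key]
        if (proto, outside_ip, want) in listeners:
            continue
        actual = sorted(p for (pr, ip, p) in listeners
                        if pr == proto and ip == outside_ip)
        findings.append(f"{proto}: configured port {want} but {outside_ip} "
                        f"listens on {actual if actual else 'nothing'} for {proto}")
    return findings


if __name__ == "__main__":
    for finding in check_anyconnect_listeners(SAMPLE_WEBVPN, SAMPLE_ASP, "192.168.0.54"):
        print(finding)
```

Run against the posted output it reports exactly the 4th row that Tobi pointed at: SSL is listening on 8443 as configured, DTLS is still on 443. Re-running the check after steps 1 to 4 above tells you whether the DTLS socket finally moved to the configured port.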
10-12-2017 07:54 AM
Hey Gio,
sorry for the late reply, I tried to sort things out a little bit more since I don't have physical access to the ASA at the moment and will have to wait until I can try what you suggested.
I remembered that I had a similar problem with another customer where I did not change the ports (he just didn't care about the reconnects ;) ) and I have another almost identical ASA where I don't run into any problems (ports also not changed).
When connecting to the customer with problems, the error messages in the DART logs are identical to the ones you found.
For example
Function: CDtlsProtocol::timerCallback
File: DtlsProtocol.cpp
Line: 438
Invoked Function: CDtlsProtocol::retransmit
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
When I compared the output of "show run webvpn" and "show asp table socket", the only difference I found was this on the ASA without problems:
SVC_UDP 3606f028 CONNECTED 130.180.18.126:443 78.34.195.58:51633
I will check my documentation to find any more differences between the two setups and as soon as possible I will try your suggestions from yesterday. If you have any ideas what to check on the ASA with standard port settings, please let me know.
Best
Tobi
P.S.: Oh, and I will take care of the AnyConnect image ;)
10-13-2017 06:36 AM
Hello @Tobi,
The thing here is the connections on the AnyConnect: when it has problems with DTLS we have 2 options, fall back to SSL and work really slowly, or try to build DTLS no matter what (this is your option).
In the connection you shared the DTLS was able to connect and everything is working fine; also the port is not changed, so it is using the default UDP 443. The problem when changing the port is that the ASA is not able to "open" the new port and that's why it fails; another option is the port being blocked somewhere else, but this is not your case.
Once you make the changes and test, let me know how it goes. Also, it will be helpful if you test the connection with 443 in order to see if DTLS comes up with the default ports... just a test :)
HTH
Gio