Blame the ISP? Need help diagnosing AnyConnect Flexvpn to router headend

jdmedeiros
Level 1

Cisco IOS router configured for IKEv2 and AnyConnect with Suite-B Cryptography. Flexvpn, certificate authentication, etc., with all the bells and whistles. Worked perfectly until recently. Now, it connects successfully and I can run exactly 9 successful pings to any internal IP address; then it stops pinging and it eventually disconnects. It's always 9 successful pings regardless of the size of the ping. If I change ISP then it works perfectly. Tried 4 different versions of AnyConnect; same problem. Ran several debugs on the router to compare BadISP with GoodISP and they are all identical except for crypto ikev2 client flexvp as could be expected. In the case of BadISP I can see Mar 19 13:10:28.814: IKEv2-INTERNAL:Successfully removed child SAs but the client does not disconnect. To me this means it was not the client that sent a disconnect request. After this both the client and the server are waiting for data, but neither gets any, and the server eventually disconnects, prompting the client to do the same.

Ideas? Thanks!

4 Replies

johnd2310
Level 8

Hi,

Could it be an MTU issue? Have you tried lowering the MTU?

Thanks

John

**Please rate posts you find helpful**

!
aaa attribute list attr-list1
 attribute type interface-config "ip mtu 1100"
!

Even tried different values. Same problem.

...partial solution, not proud of it: add reconnect timeout 600 to the ikev2 profile.

PING 192.168.15.102 (192.168.15.102): 56 data bytes
64 bytes from 192.168.15.102: icmp_seq=0 ttl=63 time=54.502 ms
64 bytes from 192.168.15.102: icmp_seq=1 ttl=63 time=56.182 ms
64 bytes from 192.168.15.102: icmp_seq=2 ttl=63 time=52.586 ms
64 bytes from 192.168.15.102: icmp_seq=3 ttl=63 time=55.288 ms
64 bytes from 192.168.15.102: icmp_seq=4 ttl=63 time=55.303 ms
64 bytes from 192.168.15.102: icmp_seq=5 ttl=63 time=53.086 ms
64 bytes from 192.168.15.102: icmp_seq=6 ttl=63 time=53.434 ms
64 bytes from 192.168.15.102: icmp_seq=7 ttl=63 time=61.198 ms
64 bytes from 192.168.15.102: icmp_seq=8 ttl=63 time=53.376 ms
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
... ... ...
... ... ...
Request timeout for icmp_seq 41
Request timeout for icmp_seq 42
64 bytes from 192.168.15.102: icmp_seq=40 ttl=63 time=3278.307 ms
64 bytes from 192.168.15.102: icmp_seq=41 ttl=63 time=2273.741 ms
64 bytes from 192.168.15.102: icmp_seq=42 ttl=63 time=1272.228 ms
64 bytes from 192.168.15.102: icmp_seq=43 ttl=63 time=268.982 ms
64 bytes from 192.168.15.102: icmp_seq=44 ttl=63 time=57.495 ms
64 bytes from 192.168.15.102: icmp_seq=45 ttl=63 time=54.181 ms
64 bytes from 192.168.15.102: icmp_seq=46 ttl=63 time=52.116 ms

It never disconnects after this. I tried several mtu variations, changed access list to permit any from the client, but the reconnect was the only thing that worked. It would be interesting to find out why the reconnect is optional with one ISP and mandatory with another.
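The ping trace above carries more diagnostic information than "9 pings then timeouts": replies for icmp_seq 40 to 43 arrive with round-trip times that fall by roughly one second per sequence number, which means those requests were queued somewhere along the path and released together, not dropped. The following script is an added example, not code from the thread or from Cisco; it parses BSD/macOS-style ping output (the "Request timeout for icmp_seq" wording used in the post), counts the leading run of successes, flags sequence numbers that first timed out and were then answered late, and classifies the event as a stall (buffered and released) rather than plain loss. The embedded sample is the excerpt posted above, elision lines included; the 1000 ms threshold for "delayed" is an assumption based on ping's default one-second interval.

```python
import re

# Sample input: the ping excerpt posted in the thread (elision lines kept on
# purpose so the parser demonstrates skipping unrecognised lines).
SAMPLE = """\
PING 192.168.15.102 (192.168.15.102): 56 data bytes
64 bytes from 192.168.15.102: icmp_seq=0 ttl=63 time=54.502 ms
64 bytes from 192.168.15.102: icmp_seq=1 ttl=63 time=56.182 ms
64 bytes from 192.168.15.102: icmp_seq=2 ttl=63 time=52.586 ms
64 bytes from 192.168.15.102: icmp_seq=3 ttl=63 time=55.288 ms
64 bytes from 192.168.15.102: icmp_seq=4 ttl=63 time=55.303 ms
64 bytes from 192.168.15.102: icmp_seq=5 ttl=63 time=53.086 ms
64 bytes from 192.168.15.102: icmp_seq=6 ttl=63 time=53.434 ms
64 bytes from 192.168.15.102: icmp_seq=7 ttl=63 time=61.198 ms
64 bytes from 192.168.15.102: icmp_seq=8 ttl=63 time=53.376 ms
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
... ... ...
... ... ...
Request timeout for icmp_seq 41
Request timeout for icmp_seq 42
64 bytes from 192.168.15.102: icmp_seq=40 ttl=63 time=3278.307 ms
64 bytes from 192.168.15.102: icmp_seq=41 ttl=63 time=2273.741 ms
64 bytes from 192.168.15.102: icmp_seq=42 ttl=63 time=1272.228 ms
64 bytes from 192.168.15.102: icmp_seq=43 ttl=63 time=268.982 ms
64 bytes from 192.168.15.102: icmp_seq=44 ttl=63 time=57.495 ms
64 bytes from 192.168.15.102: icmp_seq=45 ttl=63 time=54.181 ms
64 bytes from 192.168.15.102: icmp_seq=46 ttl=63 time=52.116 ms
"""

# BSD/macOS ping formats; Linux ping uses "icmp_seq=N" for replies too but
# reports loss differently, so only the reply regex carries over to it.
REPLY_RE = re.compile(r"bytes from \S+: icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")

# Assumed threshold: ping sends once per second, so an RTT above one second
# means the reply arrived after the next probe had already been sent.
DELAYED_MS = 1000.0


def parse_ping(text):
    """Return a list of (seq, rtt_ms) in file order; rtt_ms is None for a timeout."""
    events = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            events.append((int(m.group(1)), float(m.group(2))))
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            events.append((int(m.group(1)), None))
        # Header, elision markers and anything else are ignored.
    return events


def summarize(events):
    """Classify the trace: clean, plain loss, or a stall that released buffered packets."""
    leading = 0  # successes before the first timeout
    for _seq, rtt in events:
        if rtt is None:
            break
        leading += 1

    timed_out = [seq for seq, rtt in events if rtt is None]
    replied = {seq: rtt for seq, rtt in events if rtt is not None}
    # A sequence number that timed out and was later answered was held, not lost.
    late = sorted(set(timed_out) & set(replied))
    delayed = sorted(seq for seq, rtt in replied.items() if rtt > DELAYED_MS)
    max_rtt = max(replied.values(), default=0.0)

    if not timed_out:
        verdict = "clean: no timeouts"
    elif late or delayed:
        verdict = "stall: probes were buffered and released, not dropped"
    else:
        verdict = "loss: timed-out probes were never answered"

    return {
        "leading_successes": leading,
        "timeouts": len(timed_out),
        "late_replies": late,
        "delayed_replies": delayed,
        "max_rtt_ms": max_rtt,
        # The longest-held probe waited for the whole stall, so its RTT bounds it.
        "stall_estimate_ms": max_rtt if verdict.startswith("stall") else 0.0,
        "verdict": verdict,
    }


def analyze(text):
    return summarize(parse_ping(text))


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the posted trace it reports 9 leading successes, late replies for icmp_seq 41 and 42, delayed replies for 40 through 42, and a stall of roughly 3.3 s, which matches the poster's observation that only a reconnect restored traffic: the tunnel stopped forwarding for a few seconds and then flushed what it had queued. Pasting a trace captured on the working ISP into the same script and comparing the two summaries is a quick way to confirm that the difference is a stall rather than MTU-related loss, since a pure MTU problem shows large probes dropped and never answered.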

Cristian Matei
VIP Alumni

Hi,

What is the headend VPN gateway HW and SW model/version? Have you considered trying a version which is Cisco recommended, the gold star ones? This problem shows up regardless of how many AnyConnect sessions are active, right?

Regards,

Cristian Matei.
