03-19-2020 04:58 PM
Cisco IOS router configured for IKEv2 and AnyConnect with Suite-B Cryptography. FlexVPN, certificate authentication, etc., with all the bells and whistles. Worked perfectly until recently. Now, it connects successfully and I can run exactly 9 successful pings to any internal IP address; then it stops pinging and it eventually disconnects. It's always 9 successful pings regardless of the size of the ping. If I change ISP then it works perfectly. Tried 4 different versions of AnyConnect; same problem. Ran several debugs on the router to compare BadISP with GoodISP and they are all identical except for crypto ikev2 client flexvpn, as could be expected. In the case of BadISP I can see Mar 19 13:10:28.814: IKEv2-INTERNAL:Successfully removed child SAs but the client does not disconnect. To me this means it was not the client that sent a disconnect request. After this both the client and the server are waiting for data but neither gets any, and the server eventually disconnects, prompting the client to do the same.
Ideas? Thanks!
03-19-2020 08:06 PM
Hi,
Could it be an MTU issue? Have you tried lowering the MTU?
Thanks
John
03-20-2020 06:41 AM
!
aaa attribute list attr-list1
 attribute type interface-config "ip mtu 1100"
!
Even tried different values. Same problem.
03-22-2020 02:58 AM
...partial solution, not proud of it: add reconnect timeout 600 to the ikev2 profile.
PING 192.168.15.102 (192.168.15.102): 56 data bytes
64 bytes from 192.168.15.102: icmp_seq=0 ttl=63 time=54.502 ms
64 bytes from 192.168.15.102: icmp_seq=1 ttl=63 time=56.182 ms
64 bytes from 192.168.15.102: icmp_seq=2 ttl=63 time=52.586 ms
64 bytes from 192.168.15.102: icmp_seq=3 ttl=63 time=55.288 ms
64 bytes from 192.168.15.102: icmp_seq=4 ttl=63 time=55.303 ms
64 bytes from 192.168.15.102: icmp_seq=5 ttl=63 time=53.086 ms
64 bytes from 192.168.15.102: icmp_seq=6 ttl=63 time=53.434 ms
64 bytes from 192.168.15.102: icmp_seq=7 ttl=63 time=61.198 ms
64 bytes from 192.168.15.102: icmp_seq=8 ttl=63 time=53.376 ms
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
... ... ...
... ... ...
Request timeout for icmp_seq 41
Request timeout for icmp_seq 42
64 bytes from 192.168.15.102: icmp_seq=40 ttl=63 time=3278.307 ms
64 bytes from 192.168.15.102: icmp_seq=41 ttl=63 time=2273.741 ms
64 bytes from 192.168.15.102: icmp_seq=42 ttl=63 time=1272.228 ms
64 bytes from 192.168.15.102: icmp_seq=43 ttl=63 time=268.982 ms
64 bytes from 192.168.15.102: icmp_seq=44 ttl=63 time=57.495 ms
64 bytes from 192.168.15.102: icmp_seq=45 ttl=63 time=54.181 ms
64 bytes from 192.168.15.102: icmp_seq=46 ttl=63 time=52.116 ms
It never disconnects after this. I tried several mtu variations, changed access list to permit any from the client, but the reconnect was the only thing that worked. It would be interesting to find out why the reconnect is optional with one ISP and mandatory with another.
03-27-2020 06:00 AM
Hi,
What is the headend VPN gateway HW and SW model/version? Have you considered trying a version which is Cisco recommended, the gold star ones? This problem shows up regardless of how many AnyConnect sessions are active, right?
Regards,
Cristian Matei.