
Cisco Anyconnect disconnects and reconnects every 30/60 minutes

theyee02
Level 1

Hi, I've scoured the web the past couple days and can't find any solution and IT hasn't been helpful.

Basically, when I'm connected to my work vpn, every 30 minutes or 60 minutes, the vpn will disconnect and reconnect, without actually breaking the vpn connection. This has happened on Centurylink ethernet, Tmobile Home Internet wifi & ethernet. IT has reinstalled anyconnect with no results. Any ideas would be helpful. I've attached a sample of the logs. I don't have access to DART, so is there any clue as to what may be going on without DART access?

FYI - I connected to the vpn at 8:05:46am.

12:35:46 PM Reconnecting to Blanky Blank...

12:35:47 PM Establishing VPN - Examining system...

12:35:54 PM Establishing VPN - Activating VPN adapter...

12:35:54 PM Establishing VPN - Configuring system...

12:35:55 PM Establishing VPN...

12:35:55 PM Connected to Blanky Blank.

12:35:55 PM Reconnecting to Blanky Blank...

12:35:55 PM Establishing VPN - Examining system...

12:35:55 PM Establishing VPN - Activating VPN adapter...

12:35:55 PM Establishing VPN - Configuring system...

12:35:55 PM Establishing VPN...

12:35:55 PM Connected to Blanky Blank.

1:05:47 PM Establishing VPN - Examining system...

1:05:47 PM Reconnecting to Blanky Blank...

1:05:54 PM Establishing VPN - Activating VPN adapter...

1:05:54 PM Establishing VPN - Configuring system...

1:05:54 PM Establishing VPN...

1:05:54 PM Connected to Blanky Blank.

1:05:54 PM Reconnecting to Blanky Blank...

1:05:55 PM Establishing VPN - Examining system...

1:05:55 PM Establishing VPN - Activating VPN adapter...

1:05:55 PM Establishing VPN - Configuring system...

1:05:55 PM Establishing VPN...

1:05:55 PM Connected to Blanky Blank.

1:35:47 PM Reconnecting to Blanky Blank...

1:35:47 PM Establishing VPN - Examining system...

1:35:54 PM Establishing VPN - Activating VPN adapter...

1:35:54 PM Establishing VPN - Configuring system...

1:35:55 PM Establishing VPN...

1:35:55 PM Connected to Blanky Blank.

1:35:55 PM Reconnecting to Blanky Blank...

1:35:55 PM Establishing VPN - Examining system...

1:35:55 PM Establishing VPN - Activating VPN adapter...

1:35:55 PM Establishing VPN - Configuring system...

1:35:55 PM Establishing VPN...

1:35:55 PM Connected to Blanky Blank.

2:35:48 PM Reconnecting to Blanky Blank...

2:35:48 PM Establishing VPN - Examining system...

2:35:56 PM Establishing VPN - Activating VPN adapter...

2:35:57 PM Establishing VPN - Configuring system...

2:35:57 PM Establishing VPN...

2:35:57 PM Connected to Blanky Blank.

2:35:57 PM Reconnecting to Blanky Blank...

2:35:57 PM Establishing VPN - Examining system...

2:35:57 PM Establishing VPN - Activating VPN adapter...

2:35:57 PM Establishing VPN - Configuring system...

2:35:57 PM Establishing VPN...

2:35:57 PM Connected to Blanky Blank.


13 Replies

sadks
Cisco Employee

Hi theyee02,

It could be anything, we may need DART logs to confirm.

I have seen this trend if you are using SSL connection and DTLS is blocked at an end. In an AnyConnect SSL connection, the data traffic is shifted to DTLS (UDP) by default (unless configured otherwise). So if your connection is not supporting DTLS then data traffic goes via SSL but it will try to shift to DTLS to check and fail multiple times.

What is the OS of your PC? Is it Windows? Do you have access to the Event Viewer logs?

 

Milos_Jovanovic
VIP Alumni

Hi @theyee02,

Given that it always reconnects after 30 mins, we can rule out ISP or Internet connectivity as such, as no provider is capable of such precision.

Potentially, it could be the TLS/DTLS switch as @sadks stated, but from my experience, I see this behavior within the first minute or so after the initial connection. I don't remember ever seeing this like it happens to you.

And again, as @sadks said, DART is required to figure out what is going on, as that is the place where details are located. The log you provided is just an indicative one; it rarely contains info that can identify the problem directly.

Kind regards,

Milos

Hi there @Milos_Jovanovic ,

I was able to get IT to install DART for me. There seems to be a lot of data that was generated. Can you point out to me which is the relevant log to upload here?

Can you share the DART as text here?

So IT ran the DART and what was generated was the DART Bundle. I assume the relevant folder is the "cisco anyconnect secure mobility client" folder. Inside that are all of these...so I'm not sure which one is specifically "DART".

Hi @MHmh @Milos_Jovanovic ,

I think I found the log. Here is the data. At 11:15 it did not reconnect as expected (not 30 min sometimes), but happened just now at 11:45.

 

I see many messages about MTU change?
Can you check if MTU is set for AnyConnect:

webvpn
  anyconnect mtu 1300

Is this something I would be able to check or is this an IT request? I'm pretty new to troubleshooting anyconnect. Can you direct me how to, if it's something I can do? Thanks!

Does your AnyConnect software version match the one which resides on the ASA? Double check with your IT.

 

I noted in your logs you connected to TLS first, then fell back to DTLS.

Are you having issues on this laptop/computer only? Have you tried a different machine to test if you see the same behaviour?

The log message which got my attention is "A SS/DTLS Alert was sent by the client during a write operation. Severity: warning Description: close notify"

and "SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer. callback"

If this issue is not on a wide scale in your IT, then it is not the firewall playing up. But if the issue is only occurring on your machine, in this case it's your operating system. Just make sure the version of AnyConnect you have is the one that resides on the ASA.

Please do not forget to rate.

Hi @Sheraz.Salim, I will have to check with IT on Monday. The IT person who has been helping me just reinstalled the latest Cisco Anyconnect yesterday. 

I only use this laptop, but I have checked with some coworkers and they don't have this issue at all. As far as I know, I'm the only one that has been experiencing this.

Can you explain more about what the ASA is? Is it something that IT manages? or something I can check on my computer?

Thank you!

I should have explained in more detail. The ASA is the Cisco firewall appliance (Adaptive Security Appliance). In your logs I noted the ASA is running software (9.6(4)45).

Normally, when doing the AnyConnect configuration on the firewall (Cisco firewall), the administrator hosts the AnyConnect file on the ASA appliance (also known as the AnyConnect headend). Some/most of the time the administrator of the firewall also keeps the SSL portal open on the ASA.

I have seen in the past a similar issue where the AnyConnect software version does not match the one which resides on the ASA. For example, it could be that the ASA AnyConnect is 4.x and you're running the 9.x.

Yes, you need to speak to your IT team. They will be able to get you the same software that the rest of the company is running on their machines (AnyConnect).

Please do not forget to rate.

I was finally able to get through to the correct IT team and after a full half day of brainstorming, they decided to go with reinstalling an older version of Anyconnect 4.9, versus my version of 4.10. This issue was already happening before the first IT tech installed 4.10 on my machine, so I suspect something just went wrong with an update somewhere and a reinstallation of 4.9 would have also fixed it. Thank you for your help! Everyone really!

Milos_Jovanovic
VIP Alumni

Inside DART file, first entry after 11.15 is 11.45 (exactly 30 mins later), with message "Description : Initiating rekey for SSL connection.", followed by message "Description : Initiating a reconnect for rekey with a new SSL connection.".

Based on these two lines, I would assume that on your ASA, inside the group-policy you are hitting (which is a group of settings applied to your device upon successful connection), there are rekey configuration commands configured. Something like:

group-policy GP_Name attributes
 webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method new-tunnel

Based on these commands, it is expected to re-establish a new tunnel, in order to use new crypto material, for better security. You can read about these options in the config guide.

Please check with your ASA admins (IT team) whether something like this is configured for you, and that should be the explanation of the behavior you are facing.

Kind regards,

Milos
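The timer-versus-network-flap reasoning in this thread can be checked straight from the client message history, without DART. The following is an added example, not code from any poster or from Cisco: it takes the "Reconnecting to" lines quoted in the opening post and measures how far each reconnect sits from a multiple of 30 minutes since the stated connect time. The 60-second burst window and 10-second tolerance are assumptions.

```python
from datetime import datetime, timedelta

# Lines copied from the message history in the opening post (subset).
SAMPLE_LOG = """\
12:35:46 PM Reconnecting to Blanky Blank...
12:35:55 PM Connected to Blanky Blank.
12:35:55 PM Reconnecting to Blanky Blank...
1:05:47 PM Reconnecting to Blanky Blank...
1:05:54 PM Reconnecting to Blanky Blank...
1:35:47 PM Reconnecting to Blanky Blank...
1:35:55 PM Reconnecting to Blanky Blank...
2:35:48 PM Reconnecting to Blanky Blank...
2:35:57 PM Reconnecting to Blanky Blank...
"""
SESSION_START = "8:05:46 AM"  # connect time stated in the opening post
FMT = "%I:%M:%S %p"

def reconnect_times(log_text):
    """Timestamps of every 'Reconnecting to' line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].startswith("Reconnecting to"):
            out.append(datetime.strptime(f"{parts[0]} {parts[1]}", FMT))
    return out

def burst_starts(times, gap=timedelta(seconds=60)):
    """Collapse reconnects closer than `gap` (assumed 60 s) into one event."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def timer_drift(start, events, period=timedelta(minutes=30)):
    """Per event: (nearest multiple k of `period` since start, drift in s)."""
    period_s = period.total_seconds()
    result = []
    for t in events:
        elapsed = (t - start).total_seconds()
        k = round(elapsed / period_s)
        result.append((k, int(elapsed - k * period_s)))
    return result

def looks_timer_driven(drifts, tolerance_s=10):
    """True when every event is within the (assumed) tolerance of a multiple."""
    return bool(drifts) and all(abs(d) <= tolerance_s for _, d in drifts)
```

On the quoted log the four bursts land on multiples 9, 10, 11 and 13 of 30 minutes with at most 2 seconds of drift, which points at a configured timer such as the rekey interval rather than at the ISP.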