05-08-2015 08:38 AM
Our company has a Cisco ASA 5512x that we are using for a remote access VPN server. We are running ASA version 9.2(3) and ASDM version 7.4(1). We are using the Cisco Anyconnect Secure mobility client version 4.0.00061.
The VPN is up and running. Users can authenticate with LDAP and connect, but at exactly 1 minute and 3 seconds after the connection is established, the connection will time out and reconnect automatically. There is a 7 second window where the adapter is reconfigured for the VPN and the connection is once again established. Once the connection is reestablished, there is nothing wrong with the connection. You can stay in the VPN as long as you wish and it does not have the issue anymore after the timeout/reconnection. This has also been tested from multiple end users' homes including my own, and it is 1 minute and 3 seconds for all of them.
Has anyone else had this issue with the anyconnect VPN?
05-08-2015 03:12 PM
Hi Austin,
There might be an issue with the DTLS port being blocked somewhere in the path. For testing purposes you may disable DTLS from the group policy; it will not degrade your performance as you may think. The changes are the following:
group-policy XXXXXX attributes
webvpn
anyconnect ssl dtls none
Let me know how it works out!
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
Regards,
05-11-2015 04:33 AM
David,
Disabling DTLS has fixed my timeout/reconnect error! I haven't been disconnecting anymore, but to what extent will this degrade my connection?
05-11-2015 06:05 AM
Hi Austin,
DTLS is used to enhance performance. Now when you use TLS it will be based on TCP, so it is more reliable; you will barely detect an issue with the performance. You may test enabling DTLS once again on the group policy, but try to change the TLS and DTLS ports to non-default ports; you may try to assign port 4443:
To apply this you will need to disable the AnyConnect on the outside and then assign non-default ports:
webvpn
 no enable outside
 port 4443
 dtls port 4443
 enable outside
Let me know if you have another question!
David Castro,
Regards
05-11-2015 07:04 AM
David,
Thanks for the info! I believe that the issue I was having was that I only allowed TCP 443 through our outside Firewall. So I plan on adding UDP 443 to the firewall today and I will test tonight when I go home. What is the purpose of changing to a non default port?
-Austin
05-12-2015 11:49 AM
Hi Austin,
It's actually that, to use other ports, because it was being blocked somewhere in the path. Go ahead and permit UDP 443 (DTLS) and it will work.
To confirm the DTLS session is being formed, issue this show command:
- show vpn-sessiondb detail anyconnect
Please proceed to rate all of the helpful Posts!
David Castro,
Regards
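The thread's check for whether UDP 443 is really getting through is to look for a DTLS-Tunnel in `show vpn-sessiondb detail anyconnect`. The script below, which is an added example and not part of the thread or Cisco's tooling, parses that output and lists the sessions that fell back to SSL-Tunnel only (the symptom Austin saw before opening UDP 443). The sample output is constructed to resemble the ASA 9.x format; usernames, addresses, indexes and the group/tunnel names are made up, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `show vpn-sessiondb detail anyconnect`
# on an ASA 9.x. Names, addresses and indexes are invented for this example.
# "austin" negotiated DTLS; "homeuser" is what a session looks like when
# UDP 443 is blocked and the client is running over TLS/TCP only.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : austin                 Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Group Policy : AnyConnect               Tunnel Group : RemoteAccess
Login Time   : 07:41:02 EDT Tue May 12 2015
Duration     : 0h:12m:30s

Username     : homeuser               Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.20
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256
Group Policy : AnyConnect               Tunnel Group : RemoteAccess
Login Time   : 07:45:10 EDT Tue May 12 2015
Duration     : 0h:08m:22s
"""


def parse_sessions(show_output: str) -> List[Dict[str, object]]:
    """Split the show output into one record per AnyConnect session.

    A new record starts at each 'Username' line; the 'Protocol' line lists
    the child tunnels (AnyConnect-Parent, SSL-Tunnel, DTLS-Tunnel) that the
    session currently has.
    """
    sessions: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in show_output.splitlines():
        m = re.match(r"^Username\s*:\s*(\S+)", line)
        if m:
            current = {"username": m.group(1), "public_ip": None, "tunnels": []}
            sessions.append(current)
            continue
        if not current:
            continue  # header lines before the first session
        m = re.search(r"Public IP\s*:\s*(\S+)", line)
        if m:
            current["public_ip"] = m.group(1)
        m = re.match(r"^Protocol\s*:\s*(.+?)\s*$", line)
        if m:
            current["tunnels"] = m.group(1).split()
    return sessions


def uses_dtls(session: Dict[str, object]) -> bool:
    """True when the session has an established DTLS (UDP) child tunnel."""
    return "DTLS-Tunnel" in session["tunnels"]


def sessions_without_dtls(show_output: str) -> List[str]:
    """Usernames whose session is running over TLS/TCP only.

    These are the clients most likely sitting behind a path that drops
    UDP 443, which is what produced the reconnect described in the thread.
    """
    return [s["username"] for s in parse_sessions(show_output) if not uses_dtls(s)]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        state = "DTLS" if uses_dtls(s) else "TLS only (check UDP 443 on the path)"
        print(f"{s['username']:<10} {s['public_ip']:<16} {state}")
```

Paste real `show vpn-sessiondb detail anyconnect` output in place of the sample (or feed it from a file) and any username printed as "TLS only" is a client whose DTLS tunnel never came up; the public IP next to it tells you which path to check for the UDP 443 block.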
05-12-2015 12:08 PM
I permitted UDP 443 this morning and now we are using DTLS.
Thanks for all of your help David!
-Austin
05-12-2015 03:02 PM
It was a pleasure Austin, keep my contact information:
David Castro
davidfernandezcast@hotmail.com
If something comes up let me know!
Regards