Cisco AnyConnect ssl vpn

austinmbailey1
Level 1

Our company has a Cisco ASA 5512-X that we are using as a remote access VPN server. We are running ASA version 9.2(3) and ASDM version 7.4(1). We are using the Cisco AnyConnect Secure Mobility Client version 4.0.00061.

The VPN is up and running. Users can authenticate with LDAP and connect, but at exactly 1 minute and 3 seconds after the connection is established, the connection will time out and reconnect automatically. There is a 7 second window where the adapter is reconfigured for the VPN and the connection is once again established. Once the connection is reestablished, there is nothing wrong with the connection. You can stay in the VPN as long as you wish and it does not have the issue anymore after the timeout/reconnection. This has also been tested from multiple end users' homes, including my own, and it is 1 minute and 3 seconds for all of them.

Has anyone else had this issue with the AnyConnect VPN?

1 Accepted Solution

Hi Austin,

There might be an issue with the DTLS port being blocked somewhere in the path. For testing purposes you may disable DTLS from the group policy; it will not degrade your performance as much as you may think. The changes are the following:

group-policy XXXXXX attributes
 webvpn
  anyconnect ssl dtls none

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,


David,

Disabling DTLS has fixed my timeout/reconnect error! I haven't been disconnecting anymore, but to what extent will this degrade my connection?

Hi Austin,

DTLS is used to enhance performance. When you use TLS, the tunnel is based on TCP, so it is more reliable; you will barely detect an issue with the performance. Now you may test enabling DTLS once again on the group policy, but try to change the TLS and DTLS ports to non-default ports; you may try to assign port 4443.

To apply this you will need to disable AnyConnect on the outside interface and then assign the non-default ports:

group-policy AnyConnect attributes
 webvpn
  dtls port 4443
  port 4443

Let me know if you have another question!

David Castro,

Regards

David,

Thanks for the info! I believe that the issue I was having was that I only allowed TCP 443 through our outside firewall. So I plan on adding UDP 443 to the firewall today and I will test tonight when I go home. What is the purpose of changing to a non-default port?

-Austin

Hi Austin,

It's actually that: to use other ports, because the default one was being blocked somewhere in the path. Go ahead and permit UDP 443 (DTLS) and it will work.

To confirm the DTLS session is being formed, issue this show command:

- show vpn-sessiondb detail anyconnect

Please proceed to rate all of the helpful posts!

David Castro,

Regards
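As an added example that is not part of this thread, the script below parses the output of that show command and flags each session that has no DTLS-Tunnel, i.e. a client that fell back to TLS over TCP (the symptom behind the reconnects discussed above). The sample output is constructed and only approximates the ASA's layout; the field names ("Username", "Public IP", "Protocol") are assumed from that format.

```python
import re

# Constructed sample approximating "show vpn-sessiondb detail anyconnect".
# Field names follow the ASA layout; user names and addresses are made up.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : austin                 Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Duration     : 0h:25m:10s

Username     : remoteuser2            Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Duration     : 0h:03m:41s
"""

# One "Key : value" pair; a line may hold two pairs separated by runs of
# spaces, so the value stops at the first double space.
PAIR = re.compile(r"([A-Za-z][A-Za-z /-]*?)\s*:\s*(\S+(?: \S+)*)")


def parse_sessions(text):
    """Split the show output into one dict per session, keyed on field name."""
    sessions, current = [], None
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            if key == "Username":          # each session block starts here
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions


def has_dtls(session):
    """True when the Protocol field lists a DTLS-Tunnel (UDP 443 reachable)."""
    return "DTLS-Tunnel" in session.get("Protocol", "").split()


def dtls_report(text):
    """Return (username, public_ip, dtls_up) per session; dtls_up False means
    the client is running TLS over TCP only, typically because UDP 443 is
    blocked somewhere between the client and the ASA."""
    return [(s["Username"], s.get("Public IP"), has_dtls(s))
            for s in parse_sessions(text)]
```

Sessions reported with `dtls_up` False are the ones to check against the outside firewall rules for UDP 443 (or the non-default DTLS port, if one was configured).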

I permitted UDP 443 this morning and now we are using DTLS.

Thanks for all of your help David!

-Austin

It was a pleasure Austin, keep my contact information:

David Castro

davidfernandezcast@hotmail.com

If something comes up let me know!

Regards