Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1794
Views
0
Helpful
4
Replies

Debug AnyConnect for single user

praveenmathew27
Level 1
Level 1

‎10-19-2020 03:23 AM

We have some users complaining about connectivity issues to our VPN gateway, which is running on a mix of Cisco ASA and Firepower running ASA image under vpn load-balancing. Basically, they connect and after some time, they get this reconnecting issue randomly. 

 

 Connected to VPN Gateway.

 Reconnecting to VPN Gateway...

 

They are using AnyConnect client to connect.  

 

I would like to run a debug on the ASA for a PARTICULAR user and keep it running for a while. Is that possible?  What command should I use? I want to figure out what exactly causes the disconnection. 

Labels:
0 Helpful
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎10-19-2020 03:33 AM

Hi,

Start with disabling DTLS and reducing MTU then see if it works. Also,
check anyconnect logs on the client (using DART file) to see what the
client is facing.

**** please remember to rate useful posts
0 Helpful

praveenmathew27
Level 1
Level 1
In response to Mohammed al Baqari

‎10-19-2020 08:46 PM

I don't want to mess around with DTLS or MTU at the moment, as it has been working fine for some years now. 

I asked the customer to run DART, but I don't see anything useful in the log during the "Reconnecting" phase or before. 

I'm looking at this file though. Cisco AnyConnect Network Visibility Module\NetworkVisibility.txt

 

Is there anything in particular I could look for?   

 

Again, back to main question, is it possible to do a debug for anyconnect connection for a single user? (like debug webvpn anyconnect...) 

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to praveenmathew27

‎10-19-2020 11:05 PM

No, you can't debug single user on ASA/FTD. You need to try disabling DTLS
as your provider might changed something even if it worked for years. This
can be tried per-user by creating new group-policy for testing purpose with
DTLS off.

**** please remember to rate useful posts
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-19-2020 05:09 AM

You can download and intstall DART or look at event logger to see what was the issue.

 

we need to findout mostly what was the reason of disconenction.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents