DTLS negotiation problem

Jaru
Level 1

Dear Engineers,

One of our customers provided our engineers AnyConnect for remote connection. Those engineers are suffering slow download speeds. I have noticed that there is a problem with negotiating DTLS. I have checked the RFC for DTLS. I can see that there is a client hello, hello verify, client hello (with cookie and correct values); after those handshake messages I should get certificate and hello finish, but instead of this I have server hello and change cipher spec, and users end up with TLS. From the AnyConnect logs I can see:

- TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED DTLS tunnel state 0
- The Primary DTLS connection to the secure gateway is down.
- The Primary DTLS connection to the secure gateway is being torn down.
- SOCKETTRANSPORT_ERROR_WRITE DTLS

I have no access to the customer's ASA configuration, all requested ports are opened, and a connection from outside of our LAN works fine: DTLS is negotiated. And I am out of ideas what can be wrong.
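
The handshake the post above walks through, as an added example that is not part of the thread: a small DTLS record and handshake parser that reads a capture of the DTLS port one message at a time, reassembles fragments per message_seq (retransmissions simply overlap), and separates two readings of "server hello followed by change cipher spec". The first is the abbreviated handshake for a resumed session, in which no Certificate or ServerHelloDone is sent at all; the second is a full handshake whose large server flight arrived only partly, which is what a path that passes small hellos but drops bigger datagrams looks like. The byte strings below are constructed, the hello contents are opaque placeholders rather than real ASA/AnyConnect messages, and only plaintext epoch-0 records are interpreted (encrypted records are counted, not parsed).

```python
# Added example for reading a DTLS handshake capture; not code from the thread.
import struct
from collections import defaultdict

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request",
                   11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
# Full-handshake server flight; all of it must arrive complete before the client can
# send ClientKeyExchange, otherwise the client only retransmits and eventually gives up.
FULL_SERVER_FLIGHT = ("server_hello", "certificate", "server_key_exchange", "server_hello_done")

RECORD_HDR = struct.Struct("!BHH6sH")  # content_type, version, epoch, 48-bit sequence, length
HS_HDR = struct.Struct("!B3sH3s3s")    # msg_type, length, message_seq, fragment_offset, fragment_length


def parse_records(datagram):
    """Split one UDP payload into DTLS records (a datagram may carry several)."""
    records, off = [], 0
    while off < len(datagram):
        if off + RECORD_HDR.size > len(datagram):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, epoch, seq, length = RECORD_HDR.unpack_from(datagram, off)
        body = datagram[off + RECORD_HDR.size:off + RECORD_HDR.size + length]
        if len(body) != length:
            raise ValueError("record at %d declares %d bytes, %d present" % (off, length, len(body)))
        records.append({"type": CONTENT_TYPES.get(ctype, "unknown"), "version": version,
                        "epoch": epoch, "seq": int.from_bytes(seq, "big"), "body": body})
        off += RECORD_HDR.size + length
    return records


def parse_handshake_fragments(body):
    """Split a plaintext handshake record body into handshake message fragments."""
    frags, off = [], 0
    while off < len(body):
        if off + HS_HDR.size > len(body):
            raise ValueError("truncated handshake header at offset %d" % off)
        msg_type, total, mseq, frag_off, frag_len = HS_HDR.unpack_from(body, off)
        total, frag_off, frag_len = (int.from_bytes(x, "big") for x in (total, frag_off, frag_len))
        data = body[off + HS_HDR.size:off + HS_HDR.size + frag_len]
        if len(data) != frag_len:
            raise ValueError("handshake fragment shorter than declared")
        frags.append({"type": HANDSHAKE_TYPES.get(msg_type, "unknown"), "message_seq": mseq,
                      "total_len": total, "frag_off": frag_off, "data": data})
        off += HS_HDR.size + frag_len
    return frags


def analyze(capture):
    """capture: list of (direction, udp_payload), direction 'client' or 'server'."""
    msgs, encrypted, ccs_epoch0 = {}, defaultdict(int), set()
    for direction, payload in capture:
        for rec in parse_records(payload):
            if rec["epoch"] != 0:
                encrypted[direction] += 1          # after ChangeCipherSpec: only countable
            elif rec["type"] == "change_cipher_spec":
                ccs_epoch0.add(direction)
            elif rec["type"] == "handshake":
                for f in parse_handshake_fragments(rec["body"]):
                    m = msgs.setdefault((direction, f["message_seq"]),
                                        {"type": f["type"], "total": f["total_len"], "have": set()})
                    m["have"].update(range(f["frag_off"], f["frag_off"] + len(f["data"])))
    delivered = defaultdict(list)
    for (direction, mseq), m in sorted(msgs.items()):
        delivered[direction].append({"type": m["type"], "message_seq": mseq,
                                     "bytes": (len(m["have"]), m["total"]),
                                     "complete": len(m["have"]) == m["total"]})
    server_ok = {d["type"] for d in delivered["server"] if d["complete"]}
    # ServerHello then ChangeCipherSpec with no Certificate at all is the abbreviated
    # (resumed-session) handshake; a Certificate/ServerHelloDone is not expected there.
    abbreviated = ("server_hello" in server_ok and "server" in ccs_epoch0
                   and not any(d["type"] == "certificate" for d in delivered["server"]))
    return {"delivered": dict(delivered), "encrypted_records": dict(encrypted),
            "abbreviated": abbreviated,
            "full_flight_missing": [] if abbreviated else
            [t for t in FULL_SERVER_FLIGHT if t not in server_ok]}


def record(ctype, body, seq, epoch=0):          # builders for the constructed captures
    return RECORD_HDR.pack(ctype, 0xFEFD, epoch, seq.to_bytes(6, "big"), len(body)) + body


def handshake(msg_type, payload, mseq, frag_off=0, frag_len=None):
    data = payload[frag_off:frag_off + (len(payload) - frag_off if frag_len is None else frag_len)]
    return HS_HDR.pack(msg_type, len(payload).to_bytes(3, "big"), mseq,
                       frag_off.to_bytes(3, "big"), len(data).to_bytes(3, "big")) + data


COOKIE = bytes(range(16))   # constructed; opaque bodies stand in for real hello contents
CERT = bytes(1800)          # constructed 1800-byte Certificate that needs two datagrams
# Constructed capture 1: the exchange the post describes, ServerHello then ChangeCipherSpec.
RESUMED = [
    ("client", record(22, handshake(1, b"hello-no-cookie", 0), 0)),
    ("server", record(22, handshake(3, COOKIE, 0), 0)),
    ("client", record(22, handshake(1, b"hello" + COOKIE, 1), 1)),
    ("server", record(22, handshake(2, b"server-hello", 1), 1) + record(20, b"\x01", 2)
     + record(22, b"encrypted-finished", 0, epoch=1)),
]
# Constructed capture 2: full handshake whose second Certificate fragment never arrives.
LOST_FRAGMENT = RESUMED[:3] + [
    ("server", record(22, handshake(2, b"server-hello", 1), 1)),
    ("server", record(22, handshake(11, CERT, 2, 0, 1000), 2)),   # bytes 1000..1800 lost
]

if __name__ == "__main__":
    for name, cap in (("resumed", RESUMED), ("lost_fragment", LOST_FRAGMENT)):
        r = analyze(cap)
        print(name, "abbreviated=%s missing=%s" % (r["abbreviated"], r["full_flight_missing"]))
        for d in r["delivered"]["server"]:
            print("  server", d["type"], "%d/%d bytes" % d["bytes"])
```

To run it against a real capture, feed `analyze()` the UDP payloads of the DTLS port in the order captured, tagged by direction. An incomplete `bytes` count on a server message, with the small hellos complete, points at the path rather than at the ASA; an `abbreviated` verdict means the Certificate the poster was waiting for was never going to be sent, and the failure has to be looked for after the ChangeCipherSpec instead.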

6 Replies

GioGonza
Level 4

Hello @Jaru


The error refers to the DTLS communication between the computer with AnyConnect and the ASA; you need to check the following:

1. Check the port for the connection, sometimes it should be 443 but this can be changed.

2. Get the DART file for the connection and share it for review.

3. Can you get the output for "show run webvpn" and "show asp table socket"? We need to verify if the ASA is listening on the port.

4. Also keep in mind this port is normally blocked in some firewalls, so probably somewhere in the path the DTLS is being blocked and that's why you cannot complete the negotiation.

I'll be waiting for any information you can share.

 

HTH

Gio

 

From Wireshark I can see that the DTLS port is 12443 and I can see that a few messages are exchanged, so the ports are opened. I'm attaching the DART bundle. At this point I'm not able to get the ASA config from the customer as he is not responsive. Thank you for your help.

Hello @Jaru


I cannot download the attached file, can you send the file to giogonza@outlook.com?

Gio

Hi, I bypassed our core switch and DTLS was negotiated. We have a Cisco Cat 4500 and it seems that the problem is somewhere there. The strange thing is that there are no ACLs that may be dropping packets, as some of the packets we are receiving without any issues.

Hello @Jaru


As I said before, the problem was something blocking the DTLS on the path (point number 4), but I couldn't think the Cisco 4500 would be the one dropping the packets. I was doing further research about this and the only thing that I found for DTLS was this

Maybe it is the answer, maybe not, but I didn't find any other reason why the 4500 would be dropping the DTLS packets. BTW, I'm glad you were able to find the device causing this problem.

HTH

Gio

Thank you for your time and help. I will try to resolve this problem by myself now.

Regards.