12-05-2017 01:37 PM - edited 03-12-2019 04:47 AM
Dear Engineers,
One of our customers provided our engineers AnyConnect for remote connection. Those engineers are suffering slow download speeds. I have noticed that there is a problem with negotiating DTLS. I have checked the RFC for DTLS. I can see that there is a client hello, hello verify, client hello (with cookie and correct values); after those handshake messages I should get a certificate and hello finish, but instead of this I have a server hello and change cipher spec, and users end up with TLS. From the AnyConnect logs I can see:
- TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED DTLS tunnel state 0
- The Primary DTLS connection to the secure gateway is down.
- The Primary DTLS connection to the secure gateway is being torn down.
- SOCKETTRANSPORT_ERROR_WRITE DTLS
I have no access to the customer's ASA configuration, all requested ports are opened, and connection from outside of our LAN works fine (DTLS is negotiated). And I am out of ideas about what can be wrong.
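To make the handshake shape described above concrete, here is an added example (not part of the original post, and not Cisco or AnyConnect code) that parses DTLS 1.2 record and handshake headers from a capture and classifies what happened: whether the cookie exchange (ClientHello, HelloVerifyRequest, ClientHello echoing the cookie) completed, whether the server answered with a full flight (Certificate ... ServerHelloDone), an abbreviated one (ServerHello straight to ChangeCipherSpec, the session-resumption handshake of RFC 5246 section 7.3, which carries no Certificate), or nothing at all, and how many handshake messages were retransmitted. Both captures are constructed inline; the cookie, session ID, random bytes and cipher suite are arbitrary values chosen for the example, and the direction labels "C>S"/"S>C" are an assumption of this script, not a DTLS field.

```python
"""Minimal DTLS 1.2 handshake-flight analyser (added example, not from the thread).
Header layouts follow RFC 6347 sections 4.1 (record) and 4.2.2 (handshake)."""
import struct

CT_CCS, CT_HANDSHAKE = 20, 22
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest",
            11: "Certificate", 14: "ServerHelloDone", 20: "Finished"}
DTLS12 = b"\xfe\xfd"  # DTLS 1.2 version bytes on the wire

def record(ctype, epoch, seq, body):
    """DTLS record layer: type(1) version(2) epoch(2) sequence(6) length(2) fragment."""
    return (bytes([ctype]) + DTLS12 + struct.pack("!H", epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(body)) + body)

def handshake(hs_type, msg_seq, body):
    """One unfragmented handshake message: type(1) length(3) message_seq(2)
    fragment_offset(3) fragment_length(3) body, wrapped in an epoch-0 record."""
    hdr = (bytes([hs_type]) + len(body).to_bytes(3, "big") + struct.pack("!H", msg_seq)
           + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big"))
    return record(CT_HANDSHAKE, 0, msg_seq, hdr + body)

def client_hello(cookie=b"", session_id=b""):
    """ClientHello body: version, 32-byte random, session_id, cookie, one suite, null compression."""
    return (DTLS12 + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + bytes([len(cookie)]) + cookie + b"\x00\x02\xc0\x2f" + b"\x01\x00")

def hello_verify_request(cookie):
    """HelloVerifyRequest body: server_version, cookie."""
    return DTLS12 + bytes([len(cookie)]) + cookie

def parse(packets):
    """packets: list of (direction, raw_bytes). Returns (direction, name, message_seq, body) tuples."""
    out = []
    for direction, data in packets:
        off = 0
        while off + 13 <= len(data):
            ctype = data[off]
            length = struct.unpack("!H", data[off + 11:off + 13])[0]
            body = data[off + 13:off + 13 + length]
            off += 13 + length
            if ctype == CT_CCS:
                out.append((direction, "ChangeCipherSpec", None, body))
            elif ctype == CT_HANDSHAKE:
                msg_seq = struct.unpack("!H", body[4:6])[0]
                frag_len = int.from_bytes(body[9:12], "big")
                out.append((direction, HS_NAMES.get(body[0], f"hs{body[0]}"),
                            msg_seq, body[12:12 + frag_len]))
    return out

def cookie_of(ch_body):
    """Cookie field of a ClientHello body; it follows the variable-length session_id."""
    pos = 35 + ch_body[34]  # 2 version + 32 random + 1 session_id length + session_id
    return ch_body[pos + 1:pos + 1 + ch_body[pos]]

def classify(packets):
    msgs = parse(packets)
    hellos = [m[3] for m in msgs if m[0] == "C>S" and m[1] == "ClientHello"]
    hvrs = [m[3] for m in msgs if m[0] == "S>C" and m[1] == "HelloVerifyRequest"]
    server = [m[1] for m in msgs if m[0] == "S>C"]
    # The second ClientHello must echo the cookie the server sent in HelloVerifyRequest.
    cookie_ok = (bool(hvrs) and len(hellos) >= 2
                 and cookie_of(hellos[-1]) == hvrs[-1][3:3 + hvrs[-1][2]])
    if "ServerHelloDone" in server or "Certificate" in server:
        flight = "full"
    elif "ServerHello" in server and "ChangeCipherSpec" in server:
        flight = "abbreviated"  # resumed session: no Certificate is ever sent
    elif "ServerHello" in server:
        flight = "incomplete"
    else:
        flight = "none"
    # The same (sender, message_seq) seen again is a retransmitted handshake message.
    seen, retransmits = set(), 0
    for direction, _, msg_seq, _ in msgs:
        if msg_seq is not None:
            retransmits += (direction, msg_seq) in seen
            seen.add((direction, msg_seq))
    return {"cookie_exchange_ok": cookie_ok, "server_flight": flight, "retransmits": retransmits}

COOKIE = bytes(range(16))      # constructed cookie value
SESSION = b"\xaa" * 8          # constructed session ID offered for resumption

# Constructed capture 1: cookie exchange completes and the server resumes the
# session, so ServerHello is followed directly by ChangeCipherSpec.
RESUMED = [
    ("C>S", handshake(1, 0, client_hello(session_id=SESSION))),
    ("S>C", handshake(3, 0, hello_verify_request(COOKIE))),
    ("C>S", handshake(1, 1, client_hello(cookie=COOKIE, session_id=SESSION))),
    ("S>C", handshake(2, 1, DTLS12 + b"\x22" * 32 + bytes([len(SESSION)]) + SESSION + b"\xc0\x2f\x00")),
    ("S>C", record(CT_CCS, 0, 2, b"\x01")),
]
# Constructed capture 2: the cookie-bearing ClientHello is never answered and the
# client resends it three times before giving up (a retransmit-exceeded shape).
TIMED_OUT = RESUMED[:3] + [RESUMED[2]] * 3

if __name__ == "__main__":
    for label, cap in (("resumed", RESUMED), ("timed out", TIMED_OUT)):
        print(label, classify(cap))
```

Run against a real capture, the same three fields tell you quickly which of the two situations you are in: a completed cookie exchange followed by an abbreviated flight is a working DTLS tunnel, while repeated retransmissions of the second ClientHello with no server flight at all means the datagrams carrying the reply, or the ClientHello itself, are being lost on the path.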
12-05-2017 02:37 PM
Hello @Jaru,
The error refers to the DTLS communication between the computer with AnyConnect and the ASA. You need to check the following:
1. Check the port for the connection; sometimes it should be 443, but this can be changed.
2. Get the DART file for the connection and share it for review.
3. Can you get the output of "show run webvpn" and "show asp table socket"? We need to verify that the ASA is listening on the port.
4. Also keep in mind this port is normally blocked in some firewalls, so probably somewhere in the path the DTLS is being blocked, and that's why you cannot complete the negotiation.
I'll be waiting for any information you can share.
HTH
Gio
12-05-2017 11:14 PM
12-06-2017 05:28 AM
Hello @Jaru,
I cannot download the attached file, can you send the file to giogonza@outlook.com?
Gio
12-06-2017 07:47 AM
Hi, I bypassed our core switch and DTLS was negotiated. We have a Cisco Cat 4500 and it seems that the problem is somewhere there. The strange thing is that there are no ACLs that may be dropping packets, as we are receiving some of the packets without any issues.
12-12-2017 05:42 AM
Hello @Jaru,
As I said before, the problem was something blocking the DTLS on the path (point number 4), but I couldn't think the Cisco 4500 would be the one dropping the packets. I was doing further research about this and the only thing that I found for DTLS was this.
Maybe it is the answer, maybe not, but I didn't find any other reason why the 4500 would be dropping the DTLS packets. BTW, I'm glad you were able to find the device causing this problem.
HTH
Gio
12-12-2017 11:05 PM
Thank you for your time and help. I will try to resolve this problem by myself now.
regards.