08-17-2022 07:44 AM
Hello,
For Cisco AnyConnect we use DTLS instead of TLS. Lately we have had some Users that are remote, using Cisco Finesse, having issues where their Cisco Finesse is constantly disconnecting and reconnecting. If I switch them to a VPN policy that uses TLS, the connection seems fine, so it appears to be a problem with UDP traffic. I have tried adjusting the MTU size for the DTLS connection and it did work for one User but not for everyone. Ignore Don't Fragment (DF) Bit is set to disable. We could switch them to TLS but I am worried about the extra overhead/CPU usage it will cause on the ASA 5545-X with TCP traffic. We are in the process of upgrading to new Firepower Devices but I am wondering if anyone else has experienced this or has some other suggestions I can try. It seems to be an ISP issue with UDP since it is only affecting a small number of Users in rural Iowa with the same provider. However, I am constantly being asked about this by their Managers.
08-17-2022 07:49 AM
@jackfait1 what version of ASA and AnyConnect are you using? Do they ever connect on DTLS, or is it because udp/443 is blocked by their ISP?
You could use IKEv2/IPSec instead of TLS, you'd get a comparable performance to DTLS then.
08-17-2022 07:59 AM
Thanks for the reply Rob.
08-17-2022 08:06 AM
@jackfait1 It could be the ISP, as DTLS uses udp/443, so does QUIC protocol which some ISPs block or rate limit.
Upgrade and see if you still have the issue; not knowing your version, it could be a bug. Ensure you are on an up-to-date AnyConnect version. If you still have issues, have a look at IPSec again and ask questions on here if you are still having issues.
08-17-2022 08:52 AM
AnyConnect version is 4.10.05095 and I am in the process of testing an upgrade for the Firepower replacement.
ASA version is 9.14(4)6 - 9.14.x is latest for 5545-X
ASDM is 7.16(1)150
08-17-2022 08:05 AM
dtls port XYZ
First, try changing the DTLS port and see if this solves your issue or not.
08-18-2022 03:41 AM
We had similar problems here with Cisco IP Communicator - reducing the AnyConnect MTU to the (classic) 1300 seems to solve the problem.
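The MTU suggestions in this thread come down to one question: does the outer UDP datagram carrying a DTLS record still fit the smallest link on the path to the user's ISP, or is it silently dropped (a path MTU black hole) once it is too large? The following is an added example, not code from the thread or from Cisco. It computes the outer packet size for a given AnyConnect tunnel MTU under assumed DTLS 1.2 AES-GCM record overhead (13-byte record header, 8-byte explicit nonce, 16-byte tag) plus IPv4/UDP headers, and binary-searches the largest UDP payload that passes through a path. The path is injected as a callable so the search can run against a constructed simulated link; a real Linux-only probe (DF set via IP_MTU_DISCOVER, expecting a cooperating UDP echo listener at the far end) is included as an assumption-labelled alternative.

```python
import socket
from typing import Callable

# Header sizes in bytes. DTLS record overhead assumes DTLS 1.2 with an AES-GCM
# cipher suite (RFC 6347 header, RFC 5288 explicit nonce + tag); other suites differ.
IPV4_HEADER = 20
UDP_HEADER = 8
DTLS_RECORD_HEADER = 13
AES_GCM_EXPLICIT_NONCE = 8
AES_GCM_TAG = 16
DTLS_OVERHEAD = DTLS_RECORD_HEADER + AES_GCM_EXPLICIT_NONCE + AES_GCM_TAG  # 37

# Linux socket option values (assumed from <linux/in.h>); used only by the real probe.
IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)
IP_PMTUDISC_DO = getattr(socket, "IP_PMTUDISC_DO", 2)


def dtls_outer_packet_size(tunnel_mtu: int) -> int:
    """Size on the wire of the IPv4/UDP/DTLS datagram carrying one tunnel_mtu-byte inner packet."""
    return IPV4_HEADER + UDP_HEADER + DTLS_OVERHEAD + tunnel_mtu


def max_tunnel_mtu(path_mtu: int) -> int:
    """Largest AnyConnect tunnel MTU whose DTLS datagram still fits path_mtu without fragmentation."""
    return path_mtu - (IPV4_HEADER + UDP_HEADER + DTLS_OVERHEAD)


def tunnel_mtu_fits(tunnel_mtu: int, path_mtu: int) -> bool:
    return dtls_outer_packet_size(tunnel_mtu) <= path_mtu


def largest_passing_size(probe: Callable[[int], bool], lo: int = 576, hi: int = 1472) -> int:
    """Binary-search the largest UDP payload size in [lo, hi] for which probe(size) is True.

    Assumes the path is monotonic (if size N passes, every smaller size passes), which
    holds for a black-holing link. Returns lo - 1 if even the smallest probe fails.
    """
    if not probe(lo):
        return lo - 1
    low, high = lo, hi  # invariant: probe(low) is True
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a link: a UDP payload passes only if payload + IPv4/UDP fits path_mtu."""
    def probe(payload_size: int) -> bool:
        return payload_size + IPV4_HEADER + UDP_HEADER <= path_mtu
    return probe


def udp_echo_probe(host: str, port: int, timeout: float = 1.0) -> Callable[[int], bool]:
    """Real probe (Linux only, assumed): send payload_size bytes with DF set and wait for an echo.

    Requires a UDP echo listener at host:port under your control; an EMSGSIZE from the local
    stack or a timeout (black hole) both count as failure. Not exercised offline.
    """
    def probe(payload_size: int) -> bool:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DO)
            s.settimeout(timeout)
            try:
                s.sendto(b"\x00" * payload_size, (host, port))
                data, _ = s.recvfrom(65535)
                return len(data) == payload_size
            except (OSError, socket.timeout):
                return False
    return probe


if __name__ == "__main__":
    # Constructed scenario: an ISP link that only passes 1400-byte IPv4 packets.
    path = simulated_path(1400)
    payload = largest_passing_size(path)
    print(f"largest UDP payload through path: {payload}, max tunnel MTU: {max_tunnel_mtu(1400)}")
    for mtu in (1406, 1300):
        print(f"tunnel MTU {mtu}: outer {dtls_outer_packet_size(mtu)} bytes, fits={tunnel_mtu_fits(mtu, 1400)}")
```

With a 1500-byte path the 1406 default fits comfortably (1471 bytes on the wire), but a path that only passes 1400-byte packets black-holes it while the classic 1300 still gets through, which matches the pattern of some users being fixed by an MTU change and others not. Run `largest_passing_size(udp_echo_probe(...))` from an affected user's network against an echo listener you operate to measure the real ceiling before picking a value.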