DTLS VS TLS - AnyConnect

jackfait1
Level 1

Hello,

With Cisco AnyConnect we use DTLS instead of TLS. Lately we have had some users who are remote, using Cisco Finesse, having issues where their Cisco Finesse is constantly disconnecting and reconnecting. If I switch them to a VPN policy that uses TLS, the connection seems fine, so it appears to be a problem with UDP traffic. I have tried adjusting the MTU size for the DTLS connection, and it did work for one user but not for everyone. Ignore Don't Fragment (DF) Bit is set to disabled. We could switch them to TLS, but I am worried about the extra overhead/CPU usage it will cause on the ASA 5545-X with TCP traffic. We are in the process of upgrading to new Firepower devices, but I am wondering if anyone else has experienced this or has some other suggestions I can try. It seems to be an ISP issue with UDP, since it is only affecting a small number of users in rural Iowa with the same provider. However, I am constantly being asked about this by their managers.


6 Replies

@jackfait1 what versions of ASA and AnyConnect are you using? Do they ever connect on DTLS, or is it because udp/443 is blocked by their ISP?

You could use IKEv2/IPSec instead of TLS, you'd get a comparable performance to DTLS then.

Thanks for the reply, Rob. They can connect on DTLS but then have these disconnect issues, so I am thinking maybe the ISP is limiting UDP traffic? I know my predecessors first had AnyConnect using IPsec when AnyConnect first came out many years ago, but they said there were a lot of issues with it at the time. That would be something to test, though, since I am in the process of upgrading. Thanks

@jackfait1 It could be the ISP, as DTLS uses udp/443, and so does the QUIC protocol, which some ISPs block or rate limit.

Upgrade and see if you still have the issue; not knowing your version, it could be a bug. Ensure you are on an up-to-date AnyConnect version. If you still have issues, have a look at IPsec again and ask questions on here if you are still having problems.

 

AnyConnect version is 4.10.05095 and I am in the process of testing an upgrade for firepower replacement
ASA version is 9.14(4)6 - 9.14.x is latest for 5545-X
ASDM is 7.16(1)150


dtls port XYZ

First, try changing the DTLS port and see whether that solves your issue or not.

cscherb
Level 1

We had similar problems here with Cisco IP Communicator; reducing the AnyConnect MTU to the (classic) 1300 seems to solve the problem.
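The two suggestions above (moving DTLS off udp/443, and lowering the AnyConnect tunnel MTU to 1300) as one ASA configuration fragment. This is an added example, not configuration from any poster in this thread; the group-policy name RURAL-DTLS, the interface name outside, the alternate port 4433 and the keepalive/DPD timers are assumptions chosen for illustration, and the tunnel-group that references the policy is left out.

```cisco
! Added example, not the original poster's configuration.
! Assumed names: group-policy RURAL-DTLS, interface "outside", DTLS port 4433.
webvpn
 enable outside
 ! DTLS runs over UDP. Moving it off udp/443 (shared with QUIC) is a cheap way
 ! to test whether the ISP is rate-limiting or dropping that port specifically.
 ! The client learns the DTLS port from the gateway during the TLS handshake,
 ! so no change is needed on the AnyConnect side.
 dtls port 4433
 anyconnect enable
!
group-policy RURAL-DTLS internal
group-policy RURAL-DTLS attributes
 webvpn
  ! Keep DTLS on for this policy; the TLS (TCP) tunnel stays as the fallback.
  anyconnect ssl dtls enable
  ! Lower the inner MTU so tunnelled packets plus DTLS/UDP/IP encapsulation
  ! fit in a 1500-byte path without fragmentation (the "classic" 1300).
  anyconnect mtu 1300
  ! Let the ASA fragment inner packets carrying DF instead of dropping them,
  ! the inverse of the "Ignore DF Bit: disabled" state the original post mentions.
  anyconnect ssl df-bit-ignore enable
  ! Frequent keepalives hold NAT/ISP flow state open on the UDP path, and DPD
  ! lets both ends notice a dead DTLS tunnel quickly rather than hanging.
  anyconnect ssl keepalive 20
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
```

Apply one change at a time and compare: after each step, `show vpn-sessiondb detail anyconnect` for an affected user shows whether the DTLS-Tunnel is actually staying up or whether the session has fallen back to the TLS tunnel only, which is what the reconnect symptom looks like from the ASA side. If a non-443 DTLS port fixes the drops, the ISP is treating udp/443 specially; if only the MTU change helps, it is a path-MTU problem rather than port filtering.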
