Enable DTLSv1.2

gal.avichid (Level 1)

Hi,

Facing some speed/connectivity issues with my RA-VPN.

After reading a lot and trying a few things, I still can't enable DTLS.

Running a Cisco 1010 and managing it via FDM.

In the group policy of the VPN I have enabled DTLS, but when connecting, the protocol is still TLS 1.2.

[attached screenshot]

Is something else needed?

Thank you

Accepted Solutions

@gal.avichid is DTLS communication blocked (default UDP/443) between the client and the FTD? There have been problems running DTLS on a non-standard port. Run a packet capture to confirm whether there is UDP traffic from the client to the FTD. You can also check whether DTLS is in use with the command show vpn-sessiondb detail anyconnect (filter on your connection).


Marvin Rhoads (Hall of Fame)

When you use a non-default port for TLS (it looks like yours is set to tcp/7877 vs. the default tcp/443), DTLS will still try to connect using udp/443. If that port is blocked anywhere in the path, the connection will use TLS.

Only when using FMC can you change the DTLS port number. See step 6 here in the FMC guide:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-remote-access.html#id_49114

When using FDM, this advanced configuration option is not available.



22 Replies

Rob Ingram

@gal.avichid you need to add a new SSL cipher and select the protocol version. Example:

[attached screenshot]

If you do not have the option to do so, you are running an older version and will need to upgrade; support for changing the RA VPN SSL ciphers using FDM was added in 7.0, I believe.

balaji.bandi (Hall of Fame)

"Facing some speed/connectivity issues with my RA-VPN."

You need to provide more information: are you using the Cisco AnyConnect client software (what version)?

Are you able to connect and have a speed issue, or are you not able to connect at all?

Check the guide below (I am hoping you have 7.2 code?):

https://www.cisco.com/c/en/us/support/docs/security/secure-client-5/220609-configure-modern-tls-and-dtls-ciphers-fo.html


BB


[attached screenshot: DTLS.png]

Did you enable DTLS in the group policy?

MHM

Yes.

Hi again,

After some review, try the below:

1- Select "ignore DF bit"

2- Change the MTU to 1300

Both of the above options are in the group policy.

If the above does not solve the issue:

debug webvpn anyconnect 255

Share it.

Good luck

MHM

Dec 22 2023 20:19:41: %FTD-6-302015: Built inbound UDP connection 415863 for outside:10.0.78.2/52488 (10.0.78.2/52488)(LOCAL\galavichid) to outside:208.67.222.222/53 (208.67.222.222/53) (galavichid)
Dec 22 2023 20:19:41: %FTD-6-302015: Built inbound UDP connection 415864 for outside:10.0.78.2/52488 (10.0.78.2/52488)(LOCAL\galavichid) to outside:208.67.220.220/53 (208.67.220.220/53) (galavichid)
Dec 22 2023 20:19:41: %FTD-6-302013: Built inbound TCP connection 415865 for outside:10.0.78.2/54348 (10.0.78.2/54348)(LOCAL\galavichid) to nlp_int_tap:169.254.1.3/443 (192.168.178.85/4433) (galavichid)
Dec 22 2023 20:19:41: %FTD-6-302013: Built inbound TCP connection 415866 for outside:10.0.78.2/54349 (10.0.78.2/54349)(LOCAL\galavichid) to nlp_int_tap:169.254.1.3/443 (192.168.178.85/4433) (galavichid)
Dec 22 2023 20:19:41: %FTD-6-302014: Teardown TCP connection 415865 for outside:10.0.78.2/54348(LOCAL\galavichid) to nlp_int_tap:169.254.1.3/443 duration 0:00:00 bytes 680 TCP FINs from outside (galavichid)
Dec 22 2023 20:19:42: %FTD-6-302016: Teardown UDP connection 415665 for outside:10.0.78.2/63907(LOCAL\galavichid) to outside:208.67.222.222/53 duration 0:02:08 bytes 282 (galavichid)
Dec 22 2023 20:19:42: %FTD-6-302016: Teardown UDP connection 415666 for outside:10.0.78.2/63907(LOCAL\galavichid) to outside:208.67.220.220/53 duration 0:02:07 bytes 376 (galavichid)
Dec 22 2023 20:19:45: %FTD-4-106023: Deny udp src outside:192.168.178.129/60787 dst identity:239.255.255.250/1900 by access-group "NGFW_ONBOX_ACL" [0x84953cae, 0x0]
Dec 22 2023 20:19:45: %FTD-4-106023: Deny udp src outside:192.168.178.94/49834 dst identity:239.255.255.250/1900 by access-group "NGFW_ONBOX_ACL" [0x84953cae, 0x0]
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415675 for outside:208.67.222.222/53 to nlp_int_tap:169.254.1.3/33497 duration 0:02:01 bytes 150
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415676 for outside:208.67.222.222/53 to nlp_int_tap:169.254.1.3/35278 duration 0:02:01 bytes 141
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415677 for outside:208.67.222.222/53 to nlp_int_tap:169.254.1.3/60245 duration 0:02:01 bytes 117
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415678 for outside:208.67.222.222/53 to nlp_int_tap:169.254.1.3/37113 duration 0:02:01 bytes 150
Dec 22 2023 20:19:47: %FTD-6-305012: Teardown dynamic UDP translation from nlp_int_tap:169.254.1.3/33497 to outside:192.168.178.85/33497 duration 0:02:01
Dec 22 2023 20:19:47: %FTD-6-305012: Teardown dynamic UDP translation from nlp_int_tap:169.254.1.3/35278 to outside:192.168.178.85/35278 duration 0:02:01
Dec 22 2023 20:19:47: %FTD-6-305012: Teardown dynamic UDP translation from nlp_int_tap:169.254.1.3/60245 to outside:192.168.178.85/60245 duration 0:02:01
Dec 22 2023 20:19:47: %FTD-6-305012: Teardown dynamic UDP translation from nlp_int_tap:169.254.1.3/37113 to outside:192.168.178.85/37113 duration 0:02:01
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415668 for outside:10.0.78.2/64966(LOCAL\galavichid) to outside:208.67.222.222/53 duration 0:02:08 bytes 108 (galavichid)
Dec 22 2023 20:19:47: %FTD-6-302016: Teardown UDP connection 415670 for outside:10.0.78.2/64966(LOCAL\galavichid) to outside:208.67.220.220/53 duration 0:02:07 bytes 144 (galavichid)
Dec 22 2023 20:19:48: %FTD-6-302016: Teardown UDP connection 415679 for outside:208.67.222.222/53 to nlp_int_tap:169.254.1.3/54649 duration 0:02:02 bytes 198
Dec 22 2023 20:19:48: %FTD-6-305012: Teardown dynamic UDP translation from nlp_int_tap:169.254.1.3/54649 to outside:192.168.178.85/54649 duration 0:02:02
Dec 22 2023 20:19:49: %FTD-6-302016: Teardown UDP connection 415671 for outside:10.0.78.2/56264(LOCAL\galavichid) to outside:208.67.222.222/53 duration 0:02:08 bytes 159 (galavichid)
Dec 22 2023 20:19:49: %FTD-6-302016: Teardown UDP connection 415673 for outside:10.0.78.2/56264(LOCAL\galavichid) to outside:208.67.220.220/53 duration 0:02:07 bytes 212 (galavichid)
Dec 22 2023 20:19:49: %FTD-6-302016: Teardown UDP connection 415672 for outside:10.0.78.2/51541(LOCAL\galavichid) to outside:208.67.222.222/53 duration 0:02:08 bytes 132 (galavichid)
Dec 22 2023 20:19:49: %FTD-6-302016: Teardown UDP connection 415674 for outside:10.0.78.2/51541(LOCAL\galavichid) to outside:208.67.220.220/53 duration 0:02:07 bytes 176 (galavichid)
Dec 22 2023 20:19:50: %FTD-5-199017: sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/local/sf/bin/sfcli.pl cclimo_cmd cclimo show logging ?

Dec 22 2023 20:19:51: %FTD-5-199017: sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/local/sf/bin/sfcli.pl cclimo_cmd cclimo show logging

Dec 22 2023 20:19:52: %FTD-6-302016: Teardown UDP connection 415680 for outside:10.0.78.2/61220(LOCAL\galavichid) to outside:208.67.222.222/53 duration 0:02:01 bytes 36 (galavichid)

Is this enough? I wasn't sure how to output a longer log.

I also tried the MTU and ignore-DF-bit settings; they didn't help.
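Rob Ingram's question above is whether any UDP (DTLS) traffic from the client actually reaches the FTD, and the log posted above only shows what the firewall built. The following is an added example, not code from the thread or from Cisco, that parses FTD %FTD-6-302013/302015 "Built ... connection" syslog lines into flows, summarises them by protocol and destination port, and looks for a UDP flow from the client's public IP to the DTLS port. The sample input is constructed: three lines are copied from the posted log (run against those alone the detector finds nothing on udp/443, consistent with the TLS-only session), and a fourth, assumed line shows what a UDP/443 flow terminating on the firewall itself would look like so the positive case can be exercised; the use of `identity:` as the to-the-box zone in that line is an assumption, borrowed from the `dst identity:` field of the posted deny message.

```python
"""Scan FTD connection syslogs for evidence of a DTLS (UDP) VPN flow.

Added example for the thread above; not Cisco code and not from the poster.
"""
import re
from collections import Counter

CLIENT_PUBLIC_IP = "2.137.36.161"  # the client's public IP from the session output

# Constructed sample: three lines copied from the log the poster shared.
POSTED_LOG = r"""
Dec 22 2023 20:19:41: %FTD-6-302015: Built inbound UDP connection 415863 for outside:10.0.78.2/52488 (10.0.78.2/52488)(LOCAL\galavichid) to outside:208.67.222.222/53 (208.67.222.222/53) (galavichid)
Dec 22 2023 20:19:41: %FTD-6-302013: Built inbound TCP connection 415865 for outside:10.0.78.2/54348 (10.0.78.2/54348)(LOCAL\galavichid) to nlp_int_tap:169.254.1.3/443 (192.168.178.85/4433) (galavichid)
Dec 22 2023 20:19:45: %FTD-4-106023: Deny udp src outside:192.168.178.129/60787 dst identity:239.255.255.250/1900 by access-group "NGFW_ONBOX_ACL" [0x84953cae, 0x0]
"""

# ASSUMED line, not from the thread: a UDP flow from the client's public IP to
# the firewall's own outside address on udp/443. 'identity:' as the to-the-box
# zone is an assumption taken from the deny line's 'dst identity:' field.
ASSUMED_DTLS_LINE = (
    "Dec 22 2023 20:25:03: %FTD-6-302015: Built inbound UDP connection 415900 "
    "for outside:2.137.36.161/52133 (2.137.36.161/52133) "
    "to identity:192.168.178.85/443 (192.168.178.85/443)"
)

# 302013 = TCP built, 302015 = UDP built. The optional "(user)" group right after
# the source mapping is present for flows inside an authenticated VPN session.
BUILT = re.compile(
    r"%FTD-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>\d+) for (?P<src_zone>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([^)]*\)(?:\((?P<user>[^)]*)\))? "
    r"to (?P<dst_zone>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_flows(log_text: str) -> list:
    """Return one dict per 'Built ... connection' line; other messages are skipped."""
    flows = []
    for line in log_text.strip().splitlines():
        m = BUILT.search(line)
        if m:
            f = m.groupdict()
            f["conn"] = int(f["conn"])
            f["src_port"] = int(f["src_port"])
            f["dst_port"] = int(f["dst_port"])
            flows.append(f)
    return flows


def dtls_flows(flows: list, client_ip: str, dtls_port: int = 443) -> list:
    """UDP flows from the client's public IP to the DTLS port: evidence DTLS got through."""
    return [f for f in flows
            if f["proto"] == "UDP" and f["dst_port"] == dtls_port and f["src_ip"] == client_ip]


def port_summary(flows: list) -> Counter:
    """Count flows by (protocol, destination port) to see what actually crossed the box."""
    return Counter((f["proto"], f["dst_port"]) for f in flows)


if __name__ == "__main__":
    flows = parse_flows(POSTED_LOG)
    print("posted log:", dict(port_summary(flows)))
    print("DTLS evidence in posted log:", dtls_flows(flows, CLIENT_PUBLIC_IP))
    with_assumed = parse_flows(POSTED_LOG + ASSUMED_DTLS_LINE + "\n")
    print("with assumed line:", [f["conn"] for f in dtls_flows(with_assumed, CLIENT_PUBLIC_IP)])
```

Note that the posted TCP/443 flow is from the assigned VPN address 10.0.78.2 to nlp_int_tap, that is, traffic inside the tunnel, not the outer TLS connection; the outer DTLS flow the detector looks for has the client's public address as its source.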

NGFW_ONBOX_ACL <<- does this ACL allow the UDP DTLS port for AnyConnect?
MHM

I can't see this ACL; maybe it's a default one?

gal.avichid (Level 1)

@Rob Ingram I have set it as you mention; the connection is still TLS. I am using a different port than 443 for connecting to the VPN; could that be the issue?

@balaji.bandi I don't have FTD, only FDM. The AnyConnect version is 4.10.07073.

I am able to connect, but I am facing speed issues (the connection should be 100 Mbit, but I get 1 Mb) and disconnections from the VPN here and there that I can't explain.

FTD is Firepower Threat Defence; FDM is the tool to manage that device.

For the speed issue, check the MTU as per the guidelines:

https://community.cisco.com/t5/security-knowledge-base/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579#toc-hId-339712844

Your internet speed may be 100 MB, but the 1 MB you get when downloading or uploading depends on the location and the available bandwidth on the head-end side.

How fast is the same download when you download from the head-end side?

BB



I also changed the port to 443 for testing; still the same result.

FTD72# show vpn-sessiondb detail anyconnect filter name trconner

Share the output of the above after changing the name.

MHM

Session Type: AnyConnect Detailed

Username : galavichid Index : 2996
Assigned IP : 10.0.78.2 Public IP : 2.137.36.161
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 25394116 Bytes Rx : 2040342
Pkts Tx : 44561 Pkts Rx : 25541
Pkts Tx Drop : 409 Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy Tunnel Group : XX-VPN
Login Time : 15:43:44 UTC Fri Dec 22 2023
Duration : 0h:10m:20s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8b25500bb40006585aeb0
Security Grp : none Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 2996.1
Public IP : 2.137.36.161
Encryption : none Hashing : none
TCP Src Port : 58930 TCP Dst Port : 7877
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 19 Minutes
Client OS : win
Client OS Ver: 10.0.22631
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.07073
Bytes Tx : 7764 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 2996.2
Assigned IP : 10.0.78.2 Public IP : 2.137.36.161
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 58937
TCP Dst Port : 7877 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.07073
Bytes Tx : 25386352 Bytes Rx : 2040342
Pkts Tx : 44555 Pkts Rx : 25541
Pkts Tx Drop : 409 Pkts Rx Drop : 0
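The session output above answers Rob Ingram's check by hand: there is an SSL-Tunnel with Encapsulation TLSv1.2 to tcp/7877 and no DTLS-Tunnel block at all. The following is an added example, not code from the thread or from Cisco, that automates that reading: it parses `show vpn-sessiondb detail anyconnect` text, splits it into sessions and per-tunnel blocks, and reports for each session whether a DTLS-Tunnel was established, which encapsulation the data tunnel uses, and which destination ports the client reached, flagging the non-default TLS port case Marvin Rhoads describes (the client still tries DTLS on udp/443). Both samples are constructed: the first is trimmed from the session posted above; the second is an assumed healthy session with a DTLS-Tunnel block, written in the layout the ASA/FTD CLI uses for one, so the checker has a positive case.

```python
"""Check `show vpn-sessiondb detail anyconnect` output for a DTLS tunnel.

Added example for the thread above; not Cisco code and not from the poster.
"""
from __future__ import annotations

import re

# Constructed sample 1: trimmed from the session the original poster pasted.
# Only an SSL-Tunnel (TLSv1.2 over tcp/7877) is present; no DTLS-Tunnel block.
SAMPLE_TLS_ONLY = """\
Session Type: AnyConnect Detailed

Username     : galavichid             Index        : 2996
Assigned IP  : 10.0.78.2              Public IP    : 2.137.36.161
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 2996.1
  TCP Src Port : 58930                  TCP Dst Port : 7877

SSL-Tunnel:
  Tunnel ID    : 2996.2
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 58937
  TCP Dst Port : 7877                   Auth Mode    : userPassword
"""

# Constructed sample 2 (ASSUMED, not from the thread): the same client with a
# DTLS-Tunnel block, in the layout the ASA/FTD CLI prints for one.
SAMPLE_WITH_DTLS = """\
Session Type: AnyConnect Detailed

Username     : galavichid             Index        : 3001
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel

SSL-Tunnel:
  Tunnel ID    : 3001.2
  Encapsulation: TLSv1.2                TCP Src Port : 58940
  TCP Dst Port : 443                    Auth Mode    : userPassword

DTLS-Tunnel:
  Tunnel ID    : 3001.3
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 52133
  UDP Dst Port : 443                    Auth Mode    : userPassword
"""

# A per-tunnel block starts with a line holding just the tunnel name and a colon.
TUNNEL_HEADER = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s*$")
# "Key : value" pairs; the CLI prints two per line, so findall picks up both.
FIELD = re.compile(r"([A-Za-z][A-Za-z /]*?)\s*:\s*(\S+)")


def split_sessions(output: str) -> list[str]:
    """Split CLI output into per-session chunks, one per 'Session Type:' line."""
    parts = re.split(r"(?m)^Session Type:.*$", output)
    return [p for p in parts if p.strip()]


def parse_tunnels(session: str) -> dict[str, dict[str, str]]:
    """Return {tunnel block name: {field: value}} for the per-tunnel sections."""
    tunnels: dict[str, dict[str, str]] = {}
    current = None
    for raw in session.splitlines():
        line = raw.strip()
        header = TUNNEL_HEADER.match(line)
        if header:
            current = header.group(1)
            tunnels[current] = {}
            continue
        if current is None or not line:
            continue  # session summary lines are handled separately
        for key, value in FIELD.findall(line):
            tunnels[current].setdefault(key.strip(), value)
    return tunnels


def assess_session(session: str) -> dict:
    """Summarise one session: is DTLS up, and on which ports/encapsulations?"""
    user = re.search(r"^\s*Username\s*:\s*(\S+)", session, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(.+?)\s*$", session, re.M)
    tunnels = parse_tunnels(session)
    ssl = tunnels.get("SSL-Tunnel", {})
    dtls = tunnels.get("DTLS-Tunnel", {})
    info = {
        "user": user.group(1) if user else None,
        "protocols": proto.group(1).split() if proto else [],
        "ssl_encapsulation": ssl.get("Encapsulation"),
        "ssl_dst_port": int(ssl["TCP Dst Port"]) if "TCP Dst Port" in ssl else None,
        "dtls_up": bool(dtls),
        "dtls_encapsulation": dtls.get("Encapsulation"),
        "dtls_dst_port": int(dtls["UDP Dst Port"]) if "UDP Dst Port" in dtls else None,
    }
    if info["dtls_up"]:
        info["verdict"] = (f"DTLS established: {info['dtls_encapsulation']} "
                           f"to udp/{info['dtls_dst_port']}")
    elif info["ssl_dst_port"] not in (None, 443):
        # Non-default TLS port: the client still tries DTLS on udp/443, so a
        # path that only opened the custom TCP port silently drops DTLS.
        info["verdict"] = (f"TLS only ({info['ssl_encapsulation']} to tcp/"
                           f"{info['ssl_dst_port']}); DTLS never came up. "
                           "Check udp/443 is reachable end to end.")
    else:
        info["verdict"] = "TLS only; check DTLS in the group policy and the udp/443 path."
    return info


def assess(output: str) -> list[dict]:
    """Assess every session in a `show vpn-sessiondb detail anyconnect` dump."""
    return [assess_session(s) for s in split_sessions(output)]


if __name__ == "__main__":
    for result in assess(SAMPLE_TLS_ONLY + SAMPLE_WITH_DTLS):
        print(f"{result['user']}: {result['verdict']}")
```

The function only looks at the tunnel blocks, so it is unaffected by the summary lines whose values contain spaces (Client Ver, Login Time); if the CLI renames a block, extend TUNNEL_HEADER rather than FIELD.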