Enable DTLSv1.2

gal.avichid
Level 1

Hi,

Facing some speed/connectivity issues with my RA-VPN.

After reading a lot and trying a few things, I still can't enable DTLS.

Running a Cisco 1010 and managing it via FDM.

In the group policy of the VPN, I have enabled DTLS, but when connecting, the protocol is still TLS1.2.


Is something else needed?

Thank you


@gal.avichid you don't have a DTLS tunnel in that output. As I mentioned previously, confirm whether that traffic is being blocked in the path.

Hope I did it right, first time using capture:

> capture cap1 interface outside match udp host CLIENT-IP host FTD-IP eq 443
> show capture cap1

0 packet captured

0 packet shown

@gal.avichid either traffic is blocked in the path, which is why you cannot see it in the packet capture, or DTLS is not enabled in the group policy. Do you have multiple group policies, and is it not enabled in the policy the user is receiving?

You can also run DART from the AnyConnect client and see what the logs say.

Working on it

For DART, is there a way to see the logs live, or do I need to compile a zip file with all the logs every time?

gal.avichid
Level 1

Is there an option to change the DTLS port?
I have tried via CLI and web, can't find it.

All the commands are different with FTD, I guess? (I'm starting to dislike it.)

Marvin Rhoads
Hall of Fame

When you use a non-default port for TLS (it looks like yours is set to tcp/7877 vs. the default tcp/443), DTLS will still try to connect using udp/443. If that port is blocked anywhere in the path, the connection will use TLS.

Only when using FMC can you change the DTLS port number. See step 6 here in the FMC guide:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-remote-access.html#id_49114

When using FDM, this advanced configuration option is not available.


Thank you @Marvin Rhoads 

I have returned to 443 and verified the port is open on the router my FW is behind.

After looking at the DART logs, I could find this error:

Type : Error
Source : acvpnagent

Description : Function: CTunnelStateMgr::OnTunnelInitiateComplete
File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\vpn\agent\tunnelstatemgr.cpp
Line: 1267
Invoked Function: Initiate tunnel callback status
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
DTLS tunnel state 0

********UPDATE***********

Windows FW was blocking the port, what a waste of time. Sorry all, and thanks for helping with this one.

In addition I have found another error that seems to cause the reconnecting issue:

Date : 12/26/2023
Time : 22:53:59
Type : Information
Source : acvpnagent

Description : Function: CRouteHandlerCommon::findMatchingRouteChange
File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\vpn\agentutilities\routing\routehandlercommon.cpp
Line: 5716
Found link-level VA route 10.0.78.0/24 with different metric (256, expected 1)

******************************************

Date : 12/26/2023
Time : 22:53:59
Type : Information
Source : acvpnagent

Description : A routing table change notification has been received. Starting automatic correction of the routing table.

******************************************
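As an added example (not from anyone in this thread), here is a Python parser for the acvpnagent records found in a DART bundle that flags the two findings above: the DTLS max-retransmit error that appears when UDP/443 is blocked somewhere in the path, and the VA route metric mismatch. The record layout and regexes are assumptions based on the lines quoted in this post; the sample log is constructed.

```python
import re

# Constructed sample modelled on the acvpnagent records posted in the thread.
SAMPLE_LOG = """\
Type : Error
Source : acvpnagent
Description : Function: CTunnelStateMgr::OnTunnelInitiateComplete
Return Code: -31784946 (0xFE1B000E)
Description: TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED
DTLS tunnel state 0
******************************************
Date : 12/26/2023
Time : 22:53:59
Type : Information
Source : acvpnagent
Description : Function: CRouteHandlerCommon::findMatchingRouteChange
Found link-level VA route 10.0.78.0/24 with different metric (256, expected 1)
******************************************
"""

# Header fields use "Key : Value"; everything else is free-form body text.
HEADER_RE = re.compile(r"^(Date|Time|Type|Source) : (.*)$")
ROUTE_RE = re.compile(r"VA route (\S+) with different metric \((\d+), expected (\d+)\)")

def parse_dart(text):
    """Split on the asterisk separator lines; one dict per record, body kept as a list."""
    records = []
    for chunk in re.split(r"^\*{5,}\s*$", text, flags=re.M):
        rec = {"body": []}
        for line in filter(str.strip, chunk.splitlines()):
            m = HEADER_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
            else:
                rec["body"].append(line)
        if rec["body"]:          # skip the empty tail after the last separator
            records.append(rec)
    return records

def dtls_retransmit_failures(records):
    """Error records where DTLS gave up after max retransmits (UDP/443 not reaching the headend)."""
    return [r for r in records if r.get("Type") == "Error"
            and any("TLSPROTOCOL_ERROR_MAX_RETRANSMITS_EXCEEDED" in l for l in r["body"])]

def route_metric_mismatches(records):
    """(prefix, actual_metric, expected_metric) for each VA route metric complaint."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for r in records for l in r["body"]
            if (m := ROUTE_RE.search(l))]
```

Feed it the acvpnagent log extracted from the DART zip; a non-empty result from the first function points at a path or host-firewall block on UDP/443 rather than a group-policy problem.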

No thanks to me lol..

Glad this issue is solved.

Have a happy Christmas and happy days 

MHM