Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
396
Views
0
Helpful
4
Replies

Incorrect operation of SSL VPN on Cisco ISR4451-X/K9

ba1617-1
Level 1
Level 1

‎12-08-2023 06:32 AM

I can't solve the problem with huge delays in user traffic in an SSL VPN session from
Cisco Secure Client to Cisco ISR4451-X/K9 with IOS-XE 17.9.4a

 

The SSL VPN session is rising successfully, albeit 2 times slower than with IPsec. But it's tolerable, not the most
the main problem.

 

It is very bad that user traffic is delayed up to 60 seconds! And there is no packet loss.

Interestingly, the delay from packet to packet gradually decreases by 1 second, reaching hundreds
milliseconds, then increases abruptly and then gradually decreases again, and so on in a

cycle.

 

This problem is not observed with FlexVPN (IPsec).

I compared the IP status of the virtual-access interfaces for SSL VPN and FlexVPN. It turns out that for SSL VPN
CEF is disabled on the

interface, and enabled on FlexVPN.

I observe many other oddities regarding the SSL VPN session.


I would like to understand if anyone has set up an SSL VPN on ISR4K for use in production, not for laboratory purposes, and has not encountered such a problem?

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎12-08-2023 06:47 AM

Since this issue was occruing after upgrade, suggest to open a TAC case to investigate.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ba1617-1
Level 1
Level 1
In response to balaji.bandi

‎12-11-2023 01:12 AM

Unfortunately, the customer does not have a service contract to contact the TAC. In addition, he decided to switch to OpenVPN and another hardware platform if the problem could not be solved quickly.

0 Helpful

MHM Cisco World
VIP
VIP

‎12-08-2023 08:32 AM

If you capture traffic via Wireshark 

Do you see many re-transit?

MHM

0 Helpful

ba1617-1
Level 1
Level 1
In response to MHM Cisco World

‎12-11-2023 01:06 AM

With the re-transmits, the situation is like this: if you make a ping with a standard timeout of 4 seconds, there are a lot of them. But if you set a timeout of 100 seconds, then there are no re-transmits at all. All the answers come in almost exactly 64 seconds.

ping 10.0.10.2 -w 66000 -t

Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time=64011ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64023ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64036ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64043ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64046ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64076ms TTL=253
Reply from 10.0.10.2: bytes=32 time=64054ms TTL=253

 

Preview file
21 KB
sslvpn.zip
0 Helpful
Customers Also Viewed These Support Documents