Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
977
Views
1
Helpful
2
Replies

Tools to quickly troubleshoot AnyConnect connectivity issues

tvotna
Spotlight
Spotlight

‎11-07-2023 08:04 AM

Hi team,

Do you know tools, such as ASA commands or something else to quickly troubleshoot situations when many users start complaining about constant reconnects or bad connectivity over AnyConnect SSL VPN? Typically this happens due to packet loss somewhere in the path. For example, only 3% of users can start complaining and call help desk out of 20K, but this is still a lot... and the issue can be intermittent. The problem is that it seems we don't have any statistics on ASA for SSL to quickly narrow down such issues and syslog is also not decisive enough. The frequency of below messages can change during the incident, but such messages are always produced even if connectivity is ok for most users, because users can roam or only few of them can experience connectivity issues, which is normal.

%ASA-4-722037: Group <> User <> IP <> SVC closing connection: DPD failure.
%ASA-5-722011: Group <> User <> IP <> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..
%ASA-5-722032: Group <> User <> IP <> New TCP SVC connection replacing old connection.
%ASA-5-722032: Group <> User <> IP <> New UDP SVC connection replacing old connection.
%ASA-5-722028: Group <> User <> IP <> Stale SVC connection closed.
%ASA-4-722037: Group <> User <> IP <> SVC closing connection: Transport closing.

So, what do you typically do in such cases?

 

 

Labels:
0 Helpful
2 Replies 2

Pavan Gundu
Cisco Employee
Cisco Employee

‎11-07-2023 08:22 AM

If it is for 3% of your user it can be due to their poor underlay network (real internet connection). A DART would be sufficient to find out the reason of termination of AnyConnect sessions for the affected clients.

0 Helpful

tvotna
Spotlight
Spotlight
In response to Pavan Gundu

‎11-08-2023 01:00 AM

This doesn't do, because it usually takes a whole lot of time to collect DART from a user, who cannot connect to the network, and then analyze it, especially taking into consideration how many useless and meaningless messages are there.

It's incomprehensible that in 2023 Cisco firewalls still lack any tools to display at least tps rate and accumulated disconnect reason stats for SSL. In case of IKEv2 there is "show crypto ikev2 stat" and various "debug menu" commands like "debug menu ikev2 8 0". It appears there is nothing like that for SSL.

 

 

 

Customers Also Viewed These Support Documents