11-07-2023 08:04 AM
Hi team,
Do you know any tools, such as ASA commands or something else, to quickly troubleshoot situations when many users start complaining about constant reconnects or bad connectivity over AnyConnect SSL VPN? Typically this happens due to packet loss somewhere in the path. For example, only 3% of 20K users may start complaining and calling the help desk, but this is still a lot... and the issue can be intermittent. The problem is that we don't seem to have any statistics on the ASA for SSL to quickly narrow down such issues, and syslog is also not decisive enough. The frequency of the messages below can change during an incident, but such messages are always produced even when connectivity is OK for most users, because users can roam or only a few of them may experience connectivity issues, which is normal.
%ASA-4-722037: Group <> User <> IP <> SVC closing connection: DPD failure.
%ASA-5-722011: Group <> User <> IP <> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..
%ASA-5-722032: Group <> User <> IP <> New TCP SVC connection replacing old connection.
%ASA-5-722032: Group <> User <> IP <> New UDP SVC connection replacing old connection.
%ASA-5-722028: Group <> User <> IP <> Stale SVC connection closed.
%ASA-4-722037: Group <> User <> IP <> SVC closing connection: Transport closing.
So, what do you typically do in such cases?
11-07-2023 08:22 AM
If it is for 3% of your users, it can be due to their poor underlay network (real internet connection). A DART would be sufficient to find out the reason for the termination of AnyConnect sessions for the affected clients.
11-08-2023 01:00 AM
This won't do, because it usually takes a whole lot of time to collect a DART from a user who cannot connect to the network, and then to analyze it, especially taking into consideration how many useless and meaningless messages there are.
It's incomprehensible that in 2023 Cisco firewalls still lack any tools to display at least the TPS rate and accumulated disconnect-reason stats for SSL. In the case of IKEv2 there is "show crypto ikev2 stat" and various "debug menu" commands like "debug menu ikev2 8 0". It appears there is nothing like that for SSL.
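Added example (not from any poster in this thread): since the ASA itself offers no accumulated disconnect-reason counters for SSL, one can build them from the syslog messages quoted in the first post. The script below parses those message IDs, counts session-ending reasons, and flags users whose sessions drop repeatedly inside a time window, which separates a few roaming users from a population-wide problem. The log lines are constructed, with hypothetical users and IPs, and the "Mon DD YYYY HH:MM:SS host" prefix is an assumed syslog-server format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog (hypothetical users/IPs); message IDs and texts follow the thread.
SAMPLE_LOG = """\
Nov 07 2023 08:01:12 asa1 %ASA-4-722037: Group <RA> User <alice> IP <198.51.100.10> SVC closing connection: DPD failure.
Nov 07 2023 08:01:13 asa1 %ASA-5-722011: Group <RA> User <alice> IP <198.51.100.10> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..
Nov 07 2023 08:01:20 asa1 %ASA-5-722032: Group <RA> User <alice> IP <198.51.100.10> New TCP SVC connection replacing old connection.
Nov 07 2023 08:03:40 asa1 %ASA-4-722037: Group <RA> User <alice> IP <198.51.100.10> SVC closing connection: DPD failure.
Nov 07 2023 08:05:02 asa1 %ASA-4-722037: Group <RA> User <bob> IP <203.0.113.5> SVC closing connection: Transport closing.
Nov 07 2023 08:09:30 asa1 %ASA-5-722028: Group <RA> User <carol> IP <192.0.2.77> Stale SVC connection closed.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): "
    r"Group <[^>]*> User <(?P<user>[^>]*)> IP <[^>]*> (?P<text>.*)$"
)
# 722037 carries its reason in the text; these IDs map to a fixed reason.
# 722011/722032 are the client recovering, so they are counted but not treated as drops.
FIXED_REASON = {"722028": "stale connection closed", "722011": "client reconnecting",
                "722032": "replaced by new connection"}

def parse(lines):
    """Yield (timestamp, user, reason) for each SVC disconnect/reconnect message."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["msgid"] == "722037":  # "SVC closing connection: <reason>."
            yield ts, m["user"], m["text"].split(": ", 1)[1].rstrip(".")
        elif m["msgid"] in FIXED_REASON:
            yield ts, m["user"], FIXED_REASON[m["msgid"]]

def disconnect_stats(log_text, window_sec=600, min_drops=2):
    """Return (counts per reason, users dropped >= min_drops times within window_sec)."""
    reasons, drops = Counter(), defaultdict(list)
    for ts, user, reason in parse(log_text.splitlines()):
        reasons[reason] += 1
        if reason not in ("client reconnecting", "replaced by new connection"):
            drops[user].append(ts)
    flapping = {}
    for user, times in drops.items():
        times.sort()
        for i in range(len(times) - min_drops + 1):  # sliding window over drop times
            if (times[i + min_drops - 1] - times[i]).total_seconds() <= window_sec:
                flapping[user] = len(times)
                break
    return reasons, flapping
```

Run `disconnect_stats(SAMPLE_LOG)` against a syslog export taken during an incident and compare the reason mix and the number of flapping users with a quiet baseline period; a jump in "DPD failure" across many users points at path loss rather than individual client networks.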