Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
291
Views
1
Helpful
1
Replies

Troubleshooting DTLS issues

Go to solution
Chess Norris
Level 4
Level 4

‎03-18-2025 02:15 AM - edited ‎03-18-2025 02:19 AM

Hello,

A customer is having issues with Cisco Secure Client and DTLS. When the connection is established, both internal and Internet communication stops working (they tunnel all traffic).

It looks like Secure Client tries to send traffic over a DTLS v1.2-tunnel but this traffic fails and it reverts back to a TLS v1.3-tunnel. It does this back and forth for about four minutes before ditching the DTLS-tunnel entirely and then traffic starts working normally.

When looking at the ASA side, we can see that a few packets have been received but none have been sent from the ASA. It's also looks like a DTLS-tunnel is actually being established, it just not passing any traffic.

2025-03-18 100224.jpg

From the DART logs, I can see the follwing errors that's probably related to the issue:

******************************************

Date : 03/14/2025
Time : 14:08:12
Type : Error
Source : csc_vpnagent

Description : Function: CTunnelStateMgr::OnTunnelStatusChange
File: C:\temp\build\thehoff\Raccoon_MR50.78933656813\Raccoon_MR5\vpn\Agent\TunnelStateMgr.cpp
Line: 1430
Invoked Function: Tunnel status change callback status
Return Code: -25952246 (0xFE74000A)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets.
DTLS

******************************************

Date : 03/14/2025
Time : 14:08:12
Type : Information
Source : csc_vpnagent

Description : The Primary DTLS connection to the secure gateway is being re-established.

******************************************

Date : 03/14/2025
Time : 14:08:12
Type : Warning
Source : csc_vpnagent

Description : A DTLS Alert was sent by the client during a write operation. Severity: warning Description: close notify

******************************************

Date : 03/14/2025
Time : 14:08:15
Type : Information
Source : csc_vpnagent

Description : A DTLS 1.2 connection has been established using cipher ECDHE-ECDSA-AES256-GCM-SHA384

******************************************

Date : 03/14/2025
Time : 14:08:15
Type : Information
Source : csc_vpnagent

Description : The Primary DTLS connection to the secure gateway has been re-established.

******************************************

Date : 03/14/2025
Time : 14:08:19
Type : Warning
Source : csc_vpnagent

Description : Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
File: C:\temp\build\thehoff\Raccoon_MR50.78933656813\Raccoon_MR5\vpn\Agent\TunnelProtocolDpdMgr.cpp
Line: 638
Failed to determine the tunnel MTU via DPD handshake (DTLS/CDTP)

******************************************

Date : 03/14/2025
Time : 14:08:19
Type : Error
Source : csc_vpnagent

Description : Function: CTunnelProtocolDpdMgr::OnTimerExpired
File: C:\temp\build\thehoff\Raccoon_MR50.78933656813\Raccoon_MR5\vpn\Agent\TunnelProtocolDpdMgr.cpp
Line: 443
Invoked Function: CTunnelProtocolDpdMgr::handleExpiredMtuDPD
Return Code: -25952243 (0xFE74000D)
Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_MTU_DPD_RESPONSE:No DPD response was received to MTU DPD request packets.
DTLS/CDTP

******************************************

The customer doesn't have any firewall that blocks UDP/443 (DTLS packets). Anyone else that had similar issues with DTLS or have any suggestion troubleshooting the root cause to this issue? 

Could it be a MTU related issue?

Thanks

/Chess

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Chess Norris
Level 4
Level 4

‎04-15-2025 12:19 AM

Just to follow up on this in case any others experience this issue.

After having a TAC case opened for almost one month, TAC was finally able to find the root cause.

It’s a bug that is currently registered as a FTD defect, but the issue is present on ASA as well. It has to do with a DTLS optimization feature that was introduced in FTD 7.6 and in ASA 9.22 and is also enabled by default.

The solution was to turn off DTLS optimization with the command “no flow-offload-dtls”

For FTD devices, this command must be entered with Flexconfig.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwn08524 

/Chess

View solution in original post

1 Reply 1

Go to solution
Chess Norris
Level 4
Level 4

‎04-15-2025 12:19 AM

Just to follow up on this in case any others experience this issue.

After having a TAC case opened for almost one month, TAC was finally able to find the root cause.

It’s a bug that is currently registered as a FTD defect, but the issue is present on ASA as well. It has to do with a DTLS optimization feature that was introduced in FTD 7.6 and in ASA 9.22 and is also enabled by default.

The solution was to turn off DTLS optimization with the command “no flow-offload-dtls”

For FTD devices, this command must be entered with Flexconfig.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwn08524 

/Chess

Customers Also Viewed These Support Documents