joe richards
Beginner

VPN via Cisco AnyConnect fails after 2 minutes in Ubuntu 12.04

Hi;

my employer is switching from Nortel VPN to Cisco AnyConnect as the remote connection solution.

I have downloaded and installed the tarball (anyconnect-predeploy-linux-3.1.00495-k9.tar.gz) with no problems.

The anyconnect gui launches, and I can connect to the corporate network with no problems.

However, the connection consistently fails after ~2 minutes. To re-establish a connection I need to force a disconnect, then repeat the connection sequence.

I am running Ubuntu 12.04 (64-bit) on a Toshiba Portege laptop. Firewall is disabled when I am making the connection.

Any ideas on what is happening to kill my connection after the initial success?

thanks - jmr

8 Replies
Marcin Latosiewicz
Cisco Employee

JMR,

Open up a TAC case, we've had similar reports from other people. vide:

https://supportforums.cisco.com/thread/2194914

It's MOST LIKELY related to:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud43082

But would not hurt to have a look in depth.

M.

Marcin;

When I follow your link to open a TAC case, the system responds

"Your login ID is not set up to access the TAC Service Request Tool (TSRT)." and further says I can get access by entering contract numbers.

As a user of the system (not an admin on the infrastructure side) I do not have knowledge of the contract numbers.

Am I at a dead end, or is there a way I can contribute to help solve the issue?

Thanks - jmr

joe richards
Beginner

I thought I fixed this problem.

I upgraded to 12.10 and did not see any change in behavior.

With a clean install of Ubuntu 12.10 I was able to connect to the corp network and stay connected when I had a wired (LAN) connection.

When I connect via wireless the connection is lost after ~ 2 minutes (Amped Wireless R10000G).

I repeated with an old wireless router (Linksys WRT54G), I get the same results.

Previous VPN software (Nortel) did not show this behavior with either router.

Any pointers or help on getting this cleared up is greatly appreciated (alternative is Citrix - which I don't care for)

thanks - jmr

Message was edited (2/17/13) by: joe richards

joe richards
Beginner

Additional troubleshooting information.

Reviewing syslog (/var/log/syslog) I find the following messages:

Feb  2 16:05:17 jo-mama-laptop acvpnagent[1134]: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP

Feb  2 16:05:17 jo-mama-laptop acvpnagent[1134]: Function: OnTunnelStatusChange File: ../../vpn/Agent/TunnelStateMgr.cpp Line: 1363 Invoked Function: Tunnel status change callback status Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL

Feb  2 16:05:17 jo-mama-laptop acvpnagent[1134]: Tunnel level reconnect reason code 6: Disruption of the VPN connection to the secure gateway. Caching the default reconnect reason for SSL

Feb  2 16:05:17 jo-mama-laptop acvpnagent[1134]: The Primary SSL connection to the secure gateway is being re-established.

Looking for information on "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE" I found the following Cisco support document:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809b4754.shtml

The relevant section of the tech note has the following notes and instructions:

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to dpd failure. This error is resolved by tweaking the dpd keepalives and issuing these commands:

webvpn
   svc keepalive 30
   svc dpd-interval client 80
   svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA version 8.4(1) and later as shown here:

webvpn
   anyconnect ssl keepalive 15
   anyconnect dpd-interval client 5
   anyconnect dpd-interval gateway 5

Where / How in the AnyConnect client do I make these changes?

thanks - jmr

OK - more information on this problem:

I visited my brother in-law over the weekend and tried to use his wireless to connect via VPN to my corp network. It worked - no problems keeping the connection active, and the connection was repeatable. Not just a one time fluke. The WIFI I connected to was completely open - no security, encryption or MAC address filtering. I was on to a good solid clue...

When I returned home, I confidently reset my WIFI to mimic the settings that worked - no security, SSID broadcast on, no encryption, no MAC address filtering. This did not fix my issue - the VPN connection still dies after ~ 2 minutes.

I pulled out the old Linksys router and duplicated the setup - no security, SSID broadcast on, no encryption, no MAC address filtering. Still no joy - VPN dies after ~ 2 minutes.

My next steps are to try a different cable modem, then troubleshooting with my ISP.

Any better ideas out there - let me know as I would love to fix this issue.

thanks in advance - jmr

Hi Joe,

I also see frequent dpd triggering on Ubuntu 13.04 (and I think in 12.10 also) using openconnect client as well as cisco anyconnect client (the latter being unusable). The advice regarding keep alives and dpd interval you found looks promising. But these are configuration options that have to be changed on the server side. I think you cannot change this on the client.

Take a look at your syslog and search a line starting with "Current Profile: ". In mine I can see there:

Current Profile:  [...] TLS MTU: 1331  TLS Compression: disabled  TLS Keep Alive: 20 seconds  TLS Rekey Interval: none  TLS DPD: 30 seconds  DTLS: enabled  DTLS MTU: 1418  DTLS Compression: lzs  DTLS Keep Alive: 20 seconds  DTLS Rekey Interval: none  DTLS DPD: 30 seconds  Session Timeout: 0 seconds  Disconnect Timeout: 1800 seconds  Idle Timeout: 1800 seconds

So at least TLS Keep Alive is 20 seconds whereas DTLS DPD is 30 seconds. If this is the same as dpd-interval above we would have another order than in the recommendation. I will see if the IT department is willing to change settings...

Good luck,

Sven
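To tie Joe's syslog excerpt and Sven's "Current Profile:" line together, here is an added example (it is mine, not part of this thread and not from Cisco's client) that scans acvpnagent lines in /var/log/syslog, counts DPD timeouts and reconnects, measures how far apart the timeouts are, and pulls out the keepalive and DPD timers the gateway negotiated. The sample log text is constructed to resemble the lines quoted above; the host name and PID in it are placeholders.

```python
import re
import sys
from datetime import datetime

# Constructed sample resembling the acvpnagent lines quoted in this thread
# (host name and PID are placeholders). Two DPD timeouts, 124 seconds apart.
SAMPLE_SYSLOG = """\
Feb  2 16:03:10 laptop acvpnagent[1134]: Current Profile:  [...] TLS MTU: 1331  TLS Compression: disabled  TLS Keep Alive: 20 seconds  TLS Rekey Interval: none  TLS DPD: 30 seconds  DTLS: enabled  DTLS MTU: 1418  DTLS Compression: lzs  DTLS Keep Alive: 20 seconds  DTLS Rekey Interval: none  DTLS DPD: 30 seconds  Session Timeout: 0 seconds  Disconnect Timeout: 1800 seconds  Idle Timeout: 1800 seconds
Feb  2 16:05:17 laptop acvpnagent[1134]: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP
Feb  2 16:05:17 laptop acvpnagent[1134]: Function: OnTunnelStatusChange File: ../../vpn/Agent/TunnelStateMgr.cpp Line: 1363 Invoked Function: Tunnel status change callback status Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL
Feb  2 16:05:17 laptop acvpnagent[1134]: Tunnel level reconnect reason code 6: Disruption of the VPN connection to the secure gateway. Caching the default reconnect reason for SSL
Feb  2 16:05:17 laptop acvpnagent[1134]: The Primary SSL connection to the secure gateway is being re-established.
Feb  2 16:07:21 laptop acvpnagent[1134]: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP
Feb  2 16:07:21 laptop acvpnagent[1134]: The Primary SSL connection to the secure gateway is being re-established.
"""

# "Mon  D HH:MM:SS host acvpnagent[pid]: message" (classic syslog, no year)
SYSLOG_LINE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ acvpnagent\[\d+\]: (.*)$")
# Only the keepalive / DPD timers from the "Current Profile:" message.
# The \b keeps "TLS DPD" from also matching inside "DTLS DPD".
PROFILE_FIELD = re.compile(r"\b(D?TLS (?:Keep Alive|DPD)): (\d+) seconds")
DPD_ERROR = "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE"
RECONNECT = "is being re-established"


def parse_profile(message):
    """Return {'TLS Keep Alive': 20, 'TLS DPD': 30, ...} from a profile message."""
    if "Current Profile:" not in message:
        return {}
    return {name: int(secs) for name, secs in PROFILE_FIELD.findall(message)}


def parse_syslog(text):
    """Return (profile, events); events are unique (timestamp, kind) pairs.

    The agent logs the DPD error twice per timeout (timer callback and
    status-change callback), so events are de-duplicated per second."""
    profile, events, seen = {}, [], set()
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        mon, day, hms, msg = m.groups()
        ts = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S")
        if "Current Profile:" in msg:
            profile = parse_profile(msg)
            continue
        kind = ("dpd_timeout" if DPD_ERROR in msg
                else "reconnect" if RECONNECT in msg else None)
        if kind and (ts, kind) not in seen:
            seen.add((ts, kind))
            events.append((ts, kind))
    return profile, events


def summarize(text):
    """Count DPD timeouts and reconnects and measure the gaps between timeouts."""
    profile, events = parse_syslog(text)
    timeouts = [ts for ts, kind in events if kind == "dpd_timeout"]
    gaps = [int((b - a).total_seconds()) for a, b in zip(timeouts, timeouts[1:])]
    return {
        "profile": profile,
        "dpd_timeouts": len(timeouts),
        "reconnects": sum(1 for _, kind in events if kind == "reconnect"),
        "seconds_between_timeouts": gaps,
    }


if __name__ == "__main__":
    # Real use: python3 this_script.py /var/log/syslog ; no argument runs the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_SYSLOG
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

The gaps list is the useful part when comparing notes with the IT department: a run of timeouts every couple of minutes, against a profile that says DPD is 30 seconds, shows that several DPD probes in a row went unanswered before the agent gave up, which points at the path or the gateway rather than at the client's own timers (which, as Sven says, are pushed from the server side anyway).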

Hi, not sure if this will be of any help but I was having very similar problems to you so even if this isn't your problem it may be of help to someone out there.

My home lan is on a 192.168.0.0 with a netmask of 255.255.240.0.

When connecting to the VPN it duly added a whole bunch of new routes to various private IP ranges 10. and 172. but also 192.

     route -n

revealed it had added "192.168.0.0 netmask 255.255.252.0 dev vpn0" which was completely unneeded and conflicted with my home setup.

I'm not sure how the connection worked at all with that extra route but it did and would fail after about 5 minutes with a dead peer detection leading to symptoms the same as your own.

To fix it I had to do a

     sudo route del -net 192.168.0.0 netmask 255.255.252.0 dev vpn0

to remove the spurious route and then everything works fine.

I haven't looked into how to make this automatic yet but I thought I would share what I found.

As a side note, Cisco really like to make you jump through hoops just to post a message here. I almost didn't bother when it started telling me my home town was unacceptable... deeply annoying. And apologies for not knowing the markup for embedding a line of code.

Good luck,

Tony
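Tony's fix is a manual one. As an added example (mine, not from this thread or from the AnyConnect client), the script below automates the check: it parses the text layout of `route -n`, finds routes on the VPN interface whose prefix overlaps a prefix already reachable on the LAN interface, and builds the matching `route del` command. The routing table is a constructed sample that reproduces Tony's situation: a home LAN of 192.168.0.0/20 on eth0 and a pushed 192.168.0.0/22 on vpn0.

```python
import ipaddress

# Constructed sample in `route -n` layout. The home LAN is 192.168.0.0/20 on
# eth0; the VPN pushed 192.168.0.0/22 on vpn0, which lies inside the LAN prefix.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 vpn0
172.16.0.0      0.0.0.0         255.240.0.0     U     0      0        0 vpn0
192.168.0.0     0.0.0.0         255.255.252.0   U     0      0        0 vpn0
192.168.0.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
"""


def parse_routes(text):
    """Return [(IPv4Network, iface), ...] for every row of `route -n` output."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the title and the column header
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, _gateway, genmask, *_flags_metric_ref_use, iface = parts
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits in the destination column.
        net = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append((net, iface))
    return routes


def conflicting_routes(text, lan_iface):
    """Routes on other interfaces that overlap a prefix on the LAN interface.

    The default route (/0) is ignored on both sides: it overlaps everything
    and is exactly what a full-tunnel VPN is expected to replace."""
    routes = parse_routes(text)
    lan_nets = [n for n, i in routes if i == lan_iface and n.prefixlen > 0]
    conflicts = []
    for net, iface in routes:
        if iface == lan_iface or net.prefixlen == 0:
            continue
        for lan in lan_nets:
            if net.overlaps(lan):
                conflicts.append((str(net), iface, str(lan)))
    return conflicts


def removal_commands(text, lan_iface):
    """Build the `route del` command for each conflicting route (not executed)."""
    cmds = []
    for net_str, iface, _lan in conflicting_routes(text, lan_iface):
        net = ipaddress.IPv4Network(net_str)
        cmds.append(f"sudo route del -net {net.network_address} "
                    f"netmask {net.netmask} dev {iface}")
    return cmds


if __name__ == "__main__":
    # Real use: route -n | python3 this_script.py eth0 ; no input runs the sample.
    import sys
    lan = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTE_N
    for net, iface, lan_net in conflicting_routes(table, lan):
        print(f"{net} on {iface} overlaps LAN prefix {lan_net}")
    for cmd in removal_commands(table, lan):
        print(cmd)
```

The script only prints the commands; review them before running any. Deleting a pushed route means traffic for that prefix stays on the LAN instead of entering the tunnel, so it is the right fix only when the prefix really is your local network and not something the corporate side intended to carry. Tony's observation that the tunnel first works and then dies with a DPD error fits an overlap like this: the VPN's own packets to the gateway still go out, but replies or keepalives for the overlapping range are delivered to the wrong interface.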

joe richards
Beginner

Problem has been solved with the latest release of the 64-bit version of the AnyConnect client.

The release anyconnect-linux-64-3.1.04066-k9.pkg installed without issue and worked with the VPN server set up by my employer.

Thanks to everyone who offered help.

thanks - jmr
