My employer is switching from Nortel VPN to Cisco AnyConnect as the remote connection solution.
I have downloaded and installed the tarball (anyconnect-predeploy-linux-3.1.00495-k9.tar.gz) with no problems.
The anyconnect gui launches, and I can connect to the corporate network with no problems.
However, the connection consistently fails after ~2 minutes. To re-establish a connection I need to force a disconnect, then repeat the connection sequence.
I am running Ubuntu 12.04 (64-bit) on a Toshiba Portege laptop. The firewall is disabled when I am making the connection.
Any ideas on what is happening to kill my connection after the initial success?
thanks - jmr
Open up a TAC case, we've had similar reports from other people. vide:
It's MOST LIKELY related to:
But would not hurt to have a look in depth.
When I follow your link to open a TAC case, the system responds
"Your login ID is not set up to access the TAC Service Request Tool (TSRT)." and further says I can get access by entering contract numbers.
As a user of the system (not an admin on the infrastructure side) I do not have knowledge of the contract numbers.
Am I at a dead end, or is there a way I can contribute to help solve the issue?
Thanks - jmr
I thought I fixed this problem.
I upgraded to 12.10 and did not see any change in behavior.
With a clean install of Ubuntu 12.10 I was able to connect to the corp network and stay connected when I had a wired (LAN) connection.
When I connect via wireless the connection is lost after ~ 2 minutes (Amped Wireless R10000G).
I repeated with an old wireless router (Linksys WRT54G), I get the same results.
Previous VPN software (Nortel) did not show this behavior with either router.
Any pointers or help on getting this cleared up is greatly appreciated (alternative is Citrix - which I don't care for)
thanks - jmr
Message was edited (2/17/13) by: joe richards
Additional troubleshooting information.
Reviewing syslog (/var/log/syslog) I find the following messages:
Feb 2 16:05:17 jo-mama-laptop acvpnagent: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP
Feb 2 16:05:17 jo-mama-laptop acvpnagent: Function: OnTunnelStatusChange File: ../../vpn/Agent/TunnelStateMgr.cpp Line: 1363 Invoked Function: Tunnel status change callback status Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL
Feb 2 16:05:17 jo-mama-laptop acvpnagent: Tunnel level reconnect reason code 6: Disruption of the VPN connection to the secure gateway. Caching the default reconnect reason for SSL
Feb 2 16:05:17 jo-mama-laptop acvpnagent: The Primary SSL connection to the secure gateway is being re-established.
looking for information on "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE" I found the following Cisco support document:
The relevant section of the tech note has the following notes and instructions:
The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to dpd failure. This error is resolved by tweaking the dpd keepalives and issuing these commands:
webvpn
 svc keepalive 30
 svc dpd-interval client 80
 svc dpd-interval gateway 80
The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA version 8.4(1) and later as shown here:
webvpn
 anyconnect ssl keepalive 15
 anyconnect dpd-interval client 5
 anyconnect dpd-interval gateway 5
Where / How in the AnyConnect client do I make these changes?
thanks - jmr
OK - more information on this problem:
I visited my brother in-law over the weekend and tried to use his wireless to connect via VPN to my corp network. It worked - no problems keeping the connection active, and the connection was repeatable. Not just a one time fluke. The WIFI I connected to was completely open - no security, encryption or MAC address filtering. I was on to a good solid clue...
When I returned home, I confidently reset my WIFI to mimic the settings that worked - no security, SSID broadcast on, no encryption, no MAC address filtering. This did not fix my issue - the VPN connection still dies after ~ 2 minutes.
I pulled out the old Linksys router and duplicated the setup - no security, SSID broadcast on, no encryption, no MAC address filtering. Still no joy - VPN dies after ~ 2 minutes.
My next steps are to try a different cable modem, then troubleshooting with my ISP.
Any better ideas out there - let me know as I would love to fix this issue.
thanks in advance - jmr
I also see frequent DPD triggering on Ubuntu 13.04 (and I think in 12.10 also) using the openconnect client as well as the Cisco AnyConnect client (the latter being unusable). The advice regarding keepalives and DPD interval you found looks promising. But these are configuration options that have to be changed on the server side. I think you cannot change this on the client.
Take a look at your syslog and search a line starting with "Current Profile: ". In mine I can see there:
Current Profile: [...] TLS MTU: 1331 TLS Compression: disabled TLS Keep Alive: 20 seconds TLS Rekey Interval: none TLS DPD: 30 seconds DTLS: enabled DTLS MTU: 1418 DTLS Compression: lzs DTLS Keep Alive: 20 seconds DTLS Rekey Interval: none DTLS DPD: 30 seconds Session Timeout: 0 seconds Disconnect Timeout: 1800 seconds Idle Timeout: 1800 seconds
So at least TLS Keep Alive is 20 seconds whereas DTLS DPD is 30 seconds. If this is the same as dpd-interval above, we would have a different order from the one in the recommendation. I will see if the IT department is willing to change settings...
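As an added example (not code from the thread, from Cisco, or from the openconnect project), here is a small Python script that pulls out of /var/log/syslog the two things the posts above are comparing: the keepalive/DPD timers the agent logs in its "Current Profile:" line, and the timestamps of the handleExpiredDPD failures, so the interval between failures can be read next to the configured timers. The sample log is constructed for the example, modelled on the lines quoted above; the function names are mine.

```python
"""Triage AnyConnect (acvpnagent) syslog lines for DPD failures.

Added example, not from the original thread. It extracts the
keepalive/DPD timers from the 'Current Profile:' line and the
handleExpiredDPD events, then reports how far apart the failures are.
"""
import re
import sys
from collections import Counter

# Constructed sample syslog excerpt (not a real capture), modelled on the
# lines quoted in the thread. Two DPD expiries 128 seconds apart.
SAMPLE_SYSLOG = """\
Feb  2 16:03:10 jo-mama-laptop acvpnagent: Current Profile: [...] TLS MTU: 1331 TLS Compression: disabled TLS Keep Alive: 20 seconds TLS Rekey Interval: none TLS DPD: 30 seconds DTLS: enabled DTLS MTU: 1418 DTLS Compression: lzs DTLS Keep Alive: 20 seconds DTLS Rekey Interval: none DTLS DPD: 30 seconds Session Timeout: 0 seconds Disconnect Timeout: 1800 seconds Idle Timeout: 1800 seconds
Feb  2 16:05:17 jo-mama-laptop acvpnagent: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP
Feb  2 16:05:17 jo-mama-laptop acvpnagent: Function: OnTunnelStatusChange File: ../../vpn/Agent/TunnelStateMgr.cpp Line: 1363 Invoked Function: Tunnel status change callback status Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL
Feb  2 16:05:17 jo-mama-laptop acvpnagent: The Primary SSL connection to the secure gateway is being re-established.
Feb  2 16:07:25 jo-mama-laptop acvpnagent: Function: OnTimerExpired File: ../../vpn/Agent/TunnelProtocolDpdMgr.cpp Line: 296 Invoked Function: CTunnelProtocolDpdMgr::handleExpiredDPD Return Code: -26017782 (0xFE73000A) Description: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. SSL/CSTP
"""

# "TLS Keep Alive: 20 seconds", "DTLS DPD: 30 seconds", ...
TIMER_RE = re.compile(r"\b(TLS|DTLS) (Keep Alive|DPD): (\d+) seconds")

# Only the handleExpiredDPD line is counted, so the OnTunnelStatusChange
# line that repeats the same error code does not double-count an event.
DPD_ERR_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ acvpnagent: "
    r".*handleExpiredDPD.*TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE"
    r".*?(?P<proto>SSL/CSTP|DTLS|SSL)\s*$"
)


def parse_profile_timers(log_text):
    """Return e.g. {"TLS Keep Alive": 20, "DTLS DPD": 30, ...} taken from
    the 'Current Profile:' line the agent logs at connect time."""
    timers = {}
    for line in log_text.splitlines():
        if "Current Profile:" not in line:
            continue
        for proto, kind, secs in TIMER_RE.findall(line):
            timers[f"{proto} {kind}"] = int(secs)
    return timers


def find_dpd_failures(log_text):
    """Return [(seconds_since_midnight, tunnel_proto), ...] per DPD expiry."""
    events = []
    for line in log_text.splitlines():
        m = DPD_ERR_RE.match(line)
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append((t, m["proto"]))
    return events


def failure_gaps(events):
    """Seconds between consecutive DPD failures (syslog has no year, so
    only time-of-day is used; the modulo handles a midnight wrap)."""
    times = [t for t, _ in events]
    return [(b - a) % 86400 for a, b in zip(times, times[1:])]


def summarize(log_text):
    """Combine timers and failure statistics into one dict."""
    events = find_dpd_failures(log_text)
    return {
        "timers": parse_profile_timers(log_text),
        "dpd_failures": len(events),
        "gaps_seconds": failure_gaps(events),
        "by_proto": Counter(proto for _, proto in events),
    }


if __name__ == "__main__":
    # Usage: python dpd_triage.py /var/log/syslog  (no argument: sample log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSLOG
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports TLS/DTLS keepalive 20 s and DPD 30 s alongside two failures 128 seconds apart, which is the "~2 minutes" pattern described earlier in the thread. Against a real syslog it only tells you what the gateway pushed and how often DPD expired; as the post above says, the timers themselves are changed on the gateway, not in the client.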
Hi, not sure if this will be of any help but I was having very similar problems to you, so even if this isn't your problem it may be of help to someone out there.
My home lan is on a 192.168.0.0 with a netmask of 255.255.240.0.
When connecting to the VPN it duly added a whole bunch of new routes to various private IP ranges, 10. and 172. but also 192.
revealed it had added "192.168.0.0 netmask 255.255.252.0 dev vpn0" which was completely unneeded and conflicted with my home setup.
I'm not sure how the connection worked at all with that extra route, but it did, and would fail after about 5 minutes with a dead peer detection leading to symptoms the same as your own.
To fix it I had to do a
sudo route del -net 192.168.0.0 netmask 255.255.252.0 dev vpn0
to remove the spurious route and then everything works fine.
I haven't looked into how to make this automatic yet but I thought I would share what I found.
As a side note, Cisco really likes to make you jump through hoops just to post a message here.. I almost didn't bother when it started telling me my home town was unacceptable... deeply annoying.. and apologies for not knowing the markup for embedding a line of code.
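The post above removes the conflicting route by hand. As an added example (not the poster's script and not part of AnyConnect), here is a Python check that finds VPN-pushed routes overlapping a directly connected LAN subnet and prints the matching route del command, which is the "make this automatic" step the poster had not got to. It assumes net-tools route -n output and a VPN interface named vpn0; the routing table below is constructed to reproduce the poster's situation (home LAN 192.168.0.0/20, pushed 192.168.0.0/22 on vpn0).

```python
"""Find VPN-pushed routes that overlap a local LAN subnet.

Added example, not from the original thread. Parses `route -n` output
(net-tools format), flags routes on the VPN interface whose prefix
overlaps a subnet on a physical interface, and builds the matching
`route del` commands.
"""
import ipaddress
import subprocess
import sys

# Constructed routing table (not a real capture): a /20 home LAN on wlan0
# and a pushed /22 on vpn0 that sits inside it.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 vpn0
172.16.0.0      0.0.0.0         255.240.0.0     U     0      0        0 vpn0
192.168.0.0     0.0.0.0         255.255.240.0   U     1      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.252.0   U     0      0        0 vpn0
"""


def parse_route_n(text):
    """Return [(network, iface), ...] for every non-default IPv4 route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines; data rows start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, mask, iface = parts[0], parts[2], parts[7]
        if dest == "0.0.0.0" and mask == "0.0.0.0":
            continue  # default route, not a LAN prefix
        # ipaddress accepts a dotted netmask after the slash.
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface))
    return routes


def conflicting_routes(routes, vpn_iface="vpn0"):
    """Return [(vpn_net, lan_net, lan_iface), ...] for each VPN route that
    overlaps a route on some other (physical) interface."""
    lan = [(n, i) for n, i in routes if i != vpn_iface]
    vpn = [(n, i) for n, i in routes if i == vpn_iface]
    return [(vnet, lnet, liface)
            for vnet, _ in vpn
            for lnet, liface in lan
            if vnet.overlaps(lnet)]


def route_del_commands(hits, vpn_iface="vpn0"):
    """Build the net-tools `route del` lines that remove the VPN routes."""
    return [f"sudo route del -net {vnet.network_address} "
            f"netmask {vnet.netmask} dev {vpn_iface}"
            for vnet, _lnet, _liface in hits]


if __name__ == "__main__":
    # Usage: python route_conflicts.py          -> uses the constructed sample
    #        python route_conflicts.py --live   -> reads the real `route -n`
    if "--live" in sys.argv:
        text = subprocess.run(["route", "-n"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_ROUTE_N
    hits = conflicting_routes(parse_route_n(text))
    for vnet, lnet, liface in hits:
        print(f"VPN route {vnet} overlaps {lnet} on {liface}")
    for cmd in route_del_commands(hits):
        print(cmd)
```

On the sample table this prints exactly the command the poster ran: sudo route del -net 192.168.0.0 netmask 255.255.252.0 dev vpn0. Deleting the route is a workaround, not a fix: anything the gateway intended to reach inside that /22 will now go to the local LAN instead of through the tunnel, so the durable change is to the split-tunnel network list pushed by the gateway.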
Problem has been solved with the latest release of the 64-bit version of the AnyConnect client.
The release anyconnect-linux-64-3.1.04066-k9.pkg installed without issue and worked with the VPN server set up by my employer.
Thanks to everyone who offered help.
thanks - jmr