Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1419
Views
0
Helpful
3
Replies

While on VPN, Anyconnect user losing time

Go to solution
james.king14
Level 1
Level 1

‎04-28-2020 01:19 PM

Have report from user and others that while on VPN(AnyConnect v4.6) the enduser loses as much as 5 minutes during connection.  Checked the SYNC of the source devices with ASA and the NTP server.  Complete numerous NTP commands on the routers and ASA no problems with SYNC.  Yet users have been losing time.  Can you give me a idea where would be the next lo ation to chack or change to resolve issue.

Have enclosed configuration of webvpn on ASA 5585-X.  At most we have an average of 60 clients on at any given time.

Cleints use digital certificate (CAC) for login procedures.  

Labels:
Preview file
14 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Bradfield
Level 6
Level 6
In response to james.king14

‎04-29-2020 04:18 PM

HI

Do local users have the problem?

You say before VPN connection use Google, then once connected use your core router, how is this done? is it in the profile that is downloaded?

can the VPN users ping the core router ok?

also you can setup a capture on the ASA see if there is traffic

Capture ntp-traffic interface <interface that core router is connected to> match  UDP host < core router IP> eq 123 < Anyconnect IP address pool>

 

then do a show capture ntp-traffic

View solution in original post

0 Helpful
3 Replies 3

Go to solution
i.hughes
Level 1
Level 1

‎04-29-2020 12:09 AM

But where  is the user getting its time from the Router, ASA, or is the  time source on the Internet?

do you have split tunnel, or is all traffic for the Internet go thru the VPN, that might be an area that needs checking

0 Helpful

Go to solution
james.king14
Level 1
Level 1
In response to i.hughes

‎04-29-2020 06:48 AM

Before the user gets on the VPN they are getting the NTP from Google.  Once the get on the VPN they are getting NTP from our core Router.  Which the ASA gets it's timing from the Core router.  We are not using split tunneling, due to security reasons.  All of our traffic is required to go through the VPN.  Here is the ntp information from our ASA

Preview file
11 KB
0 Helpful

Go to solution
Richard Bradfield
Level 6
Level 6
In response to james.king14

‎04-29-2020 04:18 PM

HI

Do local users have the problem?

You say before VPN connection use Google, then once connected use your core router, how is this done? is it in the profile that is downloaded?

can the VPN users ping the core router ok?

also you can setup a capture on the ASA see if there is traffic

Capture ntp-traffic interface <interface that core router is connected to> match  UDP host < core router IP> eq 123 < Anyconnect IP address pool>

 

then do a show capture ntp-traffic

0 Helpful
Customers Also Viewed These Support Documents