Anyconnect clients with intermittent timeout/high MS
I'm having a problem where some clients are pinging servers on my LAN just fine, but every so often it hangs with about 2500-3000ms then continues just fine for another 30-40 pings. If I connect with another machine running the same version of Anyconnect (the latest version) it pings consistently.
Noticing a lot of strange issues with Anyconnect recently - is there any server side logging that can be enabled to gain more insight on what's going on with specific clients? I had to reboot another ASA earlier today to remedy a problem where some new clients could connect but couldn't ping anything...while others would work like nothing was wrong...connecting/disconnecting like usual.
Re: Anyconnect clients with intermittent timeout/high MS
It will be difficult to figure out exactly what is going on without a TAC case but here are a couple of pointers that might help you to see what is going on:
1.) Filtered buffered logs on the ASA itself.
To verify if the traffic is dropped on the ASA or not, you can set up buffered logging:
logging buffered debugging
Then, check the IP address which is assigned to your AnyConnect client which is unable to pass traffic and check the entries related to it in the logs:
show logging | i
2.) Check the statistics of the AnyConnect session on the ASA
This command will show you a couple of counters related to your session and might give you a hint of what is wrong:
show vpn-sessiondb detail svc filter a-ipaddress
You can replace a-ipaddress by p-ipaddress or name if you want to filter on public IP of the client or username.
3.) Logs generated by the AnyConnect client itself
If you launch the event viewer from a Windows host where AnyConnect is installed ("eventvwr" command), you'll see that there is a new log type named "Cisco AnyConnect VPN Client". The client will write in there all the logs related to your connection.
If you are using Linux, the logs will either be stored under /var/log/messages or /var/log/syslog.
For OSX, it would be /var/log/system.log.
If you still don't see where the issue is after those steps, my advice would be to open a TAC case to have the issue investigated.
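
An added example, not part of the original reply: a Python filter for saved `show logging` output that matches the client's assigned IP as a whole address (a plain substring filter on 10.10.10.5 also matches 10.10.10.50) and tallies the ASA message IDs seen for it. The function name, addresses and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA "%ASA-<severity>-<message id>:" shape;
# addresses and message text are illustrative, not captured from a device.
SAMPLE_LOG = """\
Jan 10 2024 10:15:01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.5/1 gaddr 192.168.1.20/0 laddr 192.168.1.20/0
Jan 10 2024 10:15:01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.50/1 gaddr 192.168.1.20/0 laddr 192.168.1.20/0
Jan 10 2024 10:15:03: %ASA-4-106023: Deny icmp src outside:10.10.10.5 dst inside:192.168.1.20 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
Jan 10 2024 10:15:03: %ASA-6-302021: Teardown ICMP connection for faddr 10.10.10.5/1 gaddr 192.168.1.20/0 laddr 192.168.1.20/0
Jan 10 2024 10:15:04: %ASA-6-302021: Teardown ICMP connection for faddr 10.10.10.50/1 gaddr 192.168.1.20/0 laddr 192.168.1.20/0
"""

ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")


def client_log_summary(log_text, client_ip, max_severity=4):
    """Summarise log lines that mention client_ip as a whole address.

    Returns (counts per message id, lines at severity <= max_severity).
    Lower severity numbers are more serious (4 = warning).
    """
    # Escape the dots and forbid neighbouring digits/octets, so 10.10.10.5
    # does not also match 10.10.10.50 or 110.10.10.5.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(client_ip) + r"(?!\d|\.\d)")
    counts, notable = Counter(), []
    for line in log_text.splitlines():
        msg = ASA_MSG.search(line)
        if not msg or not ip_re.search(line):
            continue
        counts[msg["msgid"]] += 1
        if int(msg["sev"]) <= max_severity:
            notable.append(line)
    return counts, notable


if __name__ == "__main__":
    counts, notable = client_log_summary(SAMPLE_LOG, "10.10.10.5")
    for msgid, n in counts.most_common():
        print(msgid, n)
    for line in notable:
        print("CHECK:", line)
```

Lines at warning severity or worse are returned separately because they are the first place to look when checking whether the ASA is dropping a client's traffic.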