Users are connecting to the ASA with AnyConnect. They are authenticated using LDAP against Active Directory, and IP addresses are statically assigned to all of them from values stored in AD in the Framed-IP-Address attribute. Everything is ... almost ok. The problem appears when a user disconnects AnyConnect "brutally" - for instance by shutting the network interface down while connected, or when the desktop system gets a blue screen. When the user tries to reconnect, he gets the message "... no address available for svc connection". The ASA does not want to assign the IP address to a new session while another session with the same IP address is still active - suspended, in fact. After the idle timeout, the old session is cleared and the user is able to re-establish the connection. I could not find any kind of DPD mechanism that would let the ASA check the availability of the remote peer (the VPN client) - that could solve the problem. Even though there is a DPD setting in the SSL VPN group policy configuration, it is used for something else - it only checks the availability of DTLS. For the moment I have made a workaround - I set the idle timeout to 10 min - but it is not the resolution I expected.
Does anyone have any idea how I can resolve this issue? I would be most grateful for any help.