Anyconnect reconnects every 4 Minutes

ciscocase
Level 1

Hello,

I have an FTD 1010 device. AnyConnect is configured and the users are able to connect, but the clients reconnect every 4 minutes. (MTU is already reduced to 1300, UDP port 443 is not blocked, DTLS should work.) I see the following in the logs every time it reconnects:

Sep 12 2023 12:27:07: %FTD-6-302013: Built inbound TCP connection 13512324 for outside:172.16.7.150/54513 (172.16.7.150/54513) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:07: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/54513 to 172.16.1.64/443 for TLS session
Sep 12 2023 12:27:07: %FTD-7-725010: Device supports the following 20 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[4] : AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[8] : AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[12] : AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[16] : AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[18] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[20] : AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725008: SSL client outside:172.16.7.150/54513 to 172.16.1.64/443 proposes the following 19 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[7] : AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[8] : AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[9] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[17] : AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[18] : AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[19] : AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:172.16.7.150/54513 to 172.16.1.64/443
Sep 12 2023 12:27:07: %FTD-6-725016: Device selects trust-point xxx-vpn for client outside:172.16.7.150/54513 to 172.16.1.64/443

This is the SSL handshake for TLS; the ciphers were chosen correctly. Then it tries the SSL handshake for DTLS:

Sep 12 2023 12:27:07: %FTD-6-302015: Built inbound UDP connection 13512325 for outside:172.16.7.150/57966 (172.16.7.150/57966) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:07: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/57966 to 172.16.1.64/443 for DTLS session
Sep 12 2023 12:27:07: %FTD-6-725002: Device completed SSL handshake with client outside:172.16.7.150/54513 to 172.16.1.64/443 for TLSv1.2 session
Sep 12 2023 12:27:07: %FTD-6-302016: Teardown UDP connection 13512325 for outside:172.16.7.150/57966 to identity:172.16.1.64/443 duration 0:00:00 bytes 153
Sep 12 2023 12:27:07: %FTD-6-302015: Built inbound UDP connection 13512326 for outside:172.16.7.150/57966 (172.16.7.150/57966) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:07: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/57966 to 172.16.1.64/443 for DTLS session
Sep 12 2023 12:27:07: %FTD-7-725010: Device supports the following 20 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[4] : AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[8] : AES256-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[12] : AES128-GCM-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[16] : AES128-SHA256
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[18] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[20] : AES128-SHA
Sep 12 2023 12:27:07: %FTD-7-725008: SSL client outside:172.16.7.150/57966 to 172.16.1.64/443 proposes the following 1 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725014: SSL lib error. Function: ssl3_get_client_hello Reason: no shared cipher
Sep 12 2023 12:27:07: %FTD-6-302016: Teardown UDP connection 13512326 for outside:172.16.7.150/57966 to identity:172.16.1.64/443 duration 0:00:00 bytes 140
Sep 12 2023 12:27:07: %FTD-4-722037: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> SVC closing connection: Transport closing.
Sep 12 2023 12:27:07: %FTD-5-722032: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> New TCP SVC connection replacing old connection.
Sep 12 2023 12:27:07: %FTD-6-722022: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> TCP SVC connection established without compression
Sep 12 2023 12:27:07: %FTD-6-722055: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.05095
Sep 12 2023 12:27:07: %FTD-4-722051: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> IPv4 Address <10.10.10.4> IPv6 address <::> assigned to session
Sep 12 2023 12:27:07: %FTD-6-725007: SSL session with client outside:172.16.7.150/54449 to 172.16.1.64/443 terminated
Sep 12 2023 12:27:07: %FTD-5-722028: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> Stale SVC connection closed.
Sep 12 2023 12:27:07: %FTD-6-725007: SSL session with client outside:172.16.7.150/58224 to 172.16.1.64/443 terminated
Sep 12 2023 12:27:07: %FTD-6-722023: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> UDP SVC connection terminated without compression
Sep 12 2023 12:27:07: %FTD-6-302016: Teardown UDP connection 13512005 for outside:172.16.7.150/58224 to identity:172.16.1.64/443 duration 0:04:00 bytes 13133
Sep 12 2023 12:27:07: %FTD-6-302014: Teardown TCP connection 13512003 for outside:172.16.7.150/54449 to identity:172.16.1.64/443 duration 0:04:00 bytes 11030 TCP Reset-O from identity
Sep 12 2023 12:27:07: %FTD-6-106015: Deny TCP (no connection) from 172.16.7.150/54449 to 172.16.1.64/443 flags FIN ACK on interface outside

This happens every 4 minutes; then it makes an SSL handshake for TLS and is reconnected:

Sep 12 2023 12:27:07: %FTD-7-710005: TCP request discarded from 172.16.7.150/54449 to outside:172.16.1.64/443
Sep 12 2023 12:27:07: %FTD-4-722037: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> SVC closing connection: Transport closing.
Sep 12 2023 12:27:07: %FTD-6-725007: SSL session with client outside:172.16.7.150/54513 to 172.16.1.64/443 terminated
Sep 12 2023 12:27:07: %FTD-6-722023: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> TCP SVC connection terminated without compression
Sep 12 2023 12:27:07: %FTD-6-302014: Teardown TCP connection 13512324 for outside:172.16.7.150/54513 to identity:172.16.1.64/443 duration 0:00:00 bytes 10734 TCP Reset-I from outside
Sep 12 2023 12:27:07: %FTD-7-609002: Teardown local-host outside:172.16.7.150 duration 0:04:00
Sep 12 2023 12:27:08: %FTD-7-609001: Built local-host outside:172.16.7.150
Sep 12 2023 12:27:08: %FTD-6-302013: Built inbound TCP connection 13512327 for outside:172.16.7.150/54514 (172.16.7.150/54514) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:08: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/54514 to 172.16.1.64/443 for TLS session
Sep 12 2023 12:27:08: %FTD-7-725010: Device supports the following 20 cipher(s)
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[4] : AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[8] : AES256-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[12] : AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[16] : AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[18] : AES256-SHA
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[20] : AES128-SHA
Sep 12 2023 12:27:08: %FTD-7-725008: SSL client outside:172.16.7.150/54514 to 172.16.1.64/443 proposes the following 19 cipher(s)
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[7] : AES256-GCM-SHA384
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[8] : AES256-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[9] : AES256-SHA
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[17] : AES128-GCM-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[18] : AES128-SHA256
Sep 12 2023 12:27:08: %FTD-7-725011: Cipher[19] : AES128-SHA
Sep 12 2023 12:27:08: %FTD-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:172.16.7.150/54514 to 172.16.1.64/443
Sep 12 2023 12:27:08: %FTD-6-725016: Device selects trust-point xxxx for client outside:172.16.7.150/54514 to 172.16.1.64/443
Sep 12 2023 12:27:08: %FTD-6-725002: Device completed SSL handshake with client outside:172.16.7.150/54514 to 172.16.1.64/443 for TLSv1.2 session
Sep 12 2023 12:27:08: %FTD-5-722034: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> New TCP SVC connection, no existing connection.
Sep 12 2023 12:27:08: %FTD-6-722022: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> TCP SVC connection established without compression
Sep 12 2023 12:27:08: %FTD-6-722055: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.05095
Sep 12 2023 12:27:08: %FTD-4-722051: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> IPv4 Address <10.10.10.4> IPv6 address <::> assigned to session
Sep 12 2023 12:27:08: %FTD-6-302015: Built inbound UDP connection 13512328 for outside:172.16.7.150/53765 (172.16.7.150/53765) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:08: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/53765 to 172.16.1.64/443 for DTLS session
Sep 12 2023 12:27:08: %FTD-6-302016: Teardown UDP connection 13512328 for outside:172.16.7.150/53765 to identity:172.16.1.64/443 duration 0:00:00 bytes 153
Sep 12 2023 12:27:08: %FTD-6-302015: Built inbound UDP connection 13512329 for outside:172.16.7.150/53765 (172.16.7.150/53765) to identity:172.16.1.64/443 (172.16.1.64/443)
Sep 12 2023 12:27:08: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/53765 to 172.16.1.64/443 for DTLS session
Sep 12 2023 12:27:08: %FTD-6-725003: SSL client outside:172.16.7.150/53765 to 172.16.1.64/443 request to resume previous session
Sep 12 2023 12:27:08: %FTD-3-402148: CRYPTO: Random Number Generator error
Sep 12 2023 12:27:08: %FTD-6-725002: Device completed SSL handshake with client outside:172.16.7.150/53765 to 172.16.1.64/443 for DTLSv0.9 session
Sep 12 2023 12:27:08: %FTD-5-722033: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> First UDP SVC connection established for SVC session.
Sep 12 2023 12:27:08: %FTD-6-722022: Group <DfltGrpPolicy> User <xxxx> IP <172.16.7.150> UDP SVC connection established without compression 

Why does the connection fail while choosing ciphers for DTLS? The device offers AES256-SHA and the client does too, but it fails with "no shared ciphers". That's not true, or am I wrong?

Regards Torsten
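A triage helper for the pattern in this post, added here as an example and not taken from the thread: it groups the 725001/725010/725008/725011/725014 syslog messages into one record per handshake, flags handshakes rejected with "no shared cipher" even though the device list and the client ClientHello overlap, and counts teardowns at the suspected 4-minute interval. The sample log is a constructed condensation of the lines above.

```python
import re
# Constructed sample, condensed from the question's log: DTLS ClientHello offering AES256-SHA,
# a device list that also contains it, the "no shared cipher" error, and a 4-minute teardown.
SAMPLE_LOG = """\
Sep 12 2023 12:27:07: %FTD-6-725001: Starting SSL handshake with client outside:172.16.7.150/57966 to 172.16.1.64/443 for DTLS session
Sep 12 2023 12:27:07: %FTD-7-725010: Device supports the following 2 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[2] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725008: SSL client outside:172.16.7.150/57966 to 172.16.1.64/443 proposes the following 1 cipher(s)
Sep 12 2023 12:27:07: %FTD-7-725011: Cipher[1] : AES256-SHA
Sep 12 2023 12:27:07: %FTD-7-725014: SSL lib error. Function: ssl3_get_client_hello Reason: no shared cipher
Sep 12 2023 12:27:07: %FTD-6-302014: Teardown TCP connection 13512003 for outside:172.16.7.150/54449 to identity:172.16.1.64/443 duration 0:04:00 bytes 11030 TCP Reset-O from identity
"""
MSG_ID = re.compile(r"%FTD-\d-(\d{6}): (.*)$")
HANDSHAKE = re.compile(r"with client (\S+) to \S+ for (TLS|DTLS) session")
CIPHER = re.compile(r"Cipher\[\d+\] : (\S+)")
DURATION = re.compile(r"Teardown (?:TCP|UDP) connection .* duration (\d+:\d{2}:\d{2})")

def parse_handshakes(lines):
    """Group 725001/725010/725008/725011/725014 messages into one record per handshake."""
    records, current, target = [], None, None
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "725001":                      # new handshake: peer and transport
            peer, proto = HANDSHAKE.search(text).groups()
            current = {"peer": peer, "proto": proto, "device": [], "client": [], "error": None}
            records.append(current)
        elif msg_id == "725010":                    # following 725011 lines are the device list
            target = "device"
        elif msg_id == "725008":                    # following 725011 lines are the client list
            target = "client"
        elif msg_id == "725011" and current and target:
            current[target].append(CIPHER.search(text).group(1))
        elif msg_id == "725014" and current:        # SSL lib error, keep the Reason text
            current["error"] = text.split("Reason: ", 1)[-1].strip()
    return records

def false_no_shared_cipher(records):
    """Handshakes rejected with 'no shared cipher' although the two cipher lists overlap."""
    return [(r["peer"], r["proto"], sorted(set(r["device"]) & set(r["client"])))
            for r in records
            if r["error"] == "no shared cipher" and set(r["device"]) & set(r["client"])]

def periodic_teardowns(lines, duration="0:04:00"):
    """Count teardowns whose lifetime equals the suspected reconnect interval."""
    return sum(1 for l in lines if (m := DURATION.search(l)) and m.group(1) == duration)
```

The 725010 line prints the device's configured suite list; the log does not show whether that whole set is usable for the DTLS version being negotiated, so treat a reported overlap as a triage signal for a device-side problem rather than proof of one.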

 


ciscocase
Level 1

I've upgraded the device; AnyConnect is now connected for 20 min and counting, no reconnects so far.