Community Member

AnyConnect VPN session disconnect and reconnect

I have a Cisco ASA 5525-X firewall configured to accept AnyConnect VPN client (IKEv2) connections.

The AnyConnect VPN client can successfully log in.

During the first 10 minutes after login, the AnyConnect VPN client will lose its VPN connection for a few seconds (ranging from 3 to 10 seconds), then automatically reconnect. After that, no more connection loss happens.

The connection loss happened on multiple laptops. So far, at least 4 laptops demonstrate the same problem.

It doesn't affect network operation, but it gives an unpleasant impression to the users.

I tried monitoring the firewall logs from ASDM; no error log was detected.

I used Wireshark to capture traffic on the client side; no error was detected there either.

Any idea how I can continue troubleshooting this problem?

Accepted Solution

Hi Limlayhin,

You can go ahead and capture the DART logs. You can download the DART bundle for the version of AnyConnect you are using and run it after you experience this issue. Please make sure that you clear all your Event Viewer logs before you initiate the AnyConnect client.

To clear the Event Viewer logs, follow these steps:

1. Start >> Run >> Eventvwr

2. This will open the Event Viewer window.

3. Maximize "Applications and Services Logs"; below that you will find an entry named "Cisco AnyConnect Secure Mobility Client".

4. Right-click on "Cisco AnyConnect Secure Mobility Client" and select "Clear Log". Select "Clear" after that.

Once you are done with this, initiate the AnyConnect connection and let the problem occur. Once the problem occurs, disconnect the AnyConnect client and run DART. It will create a Zip file on your desktop (by default), and you can go through the AnyConnect connection logs to look for the root cause.

Let me know if this helps.

Vishnu

3 REPLIES


Community Member

I used DART to troubleshoot the problem.

The error messages that I suspect are related to the problem are below:

- The Primary DTLS connection to the secure gateway is down.

- Reconfigure reason code 16:New MTU configuration.

- The entire VPN connection is being reconfigured.

- Message type information sent to the user: Establishing VPN - Examining system...

- A new MTU needs to be applied to the VPN network interface. Disabling and re-enabling the Virtual Adapter. Applications utilizing the private network may need to be restarted.

- VPN state: Reconnecting Network state: Network Accessible Network control state: Network Access: Restricted Network type: Undefined

- Message type information sent to the user: Reconnecting to <vpngw_domain_name>...

- Message type information sent to the user: Establishing VPN - Activating VPN adapter...

Community Member

I managed to solve the problem.

Reason:

The AnyConnect VPN client tried to use DTLS for its connection. When it detected that DTLS was not successful, it switched to TLS, which caused a session reset.

Disabling DTLS or reducing the MTU to 1200 stopped the session disconnect and reconnect problem.

References:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html

http://security.stackexchange.com/questions/29172/what-changed-between-tls-and-dtls
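The DART messages quoted earlier in the thread and the DTLS-to-TLS fallback explained in this post form a recognisable pattern. The following is an added example, not code from the thread or from Cisco: a small Python triage script that scans a DART or event-log text for the indicators the thread lists ("Primary DTLS connection ... is down", "Reconfigure reason code 16", the MTU re-apply message, the "VPN state: Reconnecting" line) and names the likely cause. The sample log is constructed (timestamps and two surrounding status lines are made up; the message bodies are the ones quoted above), the function names are the example's own, and the two ASA group-policy commands mentioned in the remediation text come from general ASA knowledge rather than from the thread, which only states "disable DTLS or reduce the MTU to 1200".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the AnyConnect DART/event-log messages quoted in the thread,
# prefixed with made-up timestamps and bracketed by two ordinary status lines.
SAMPLE_LOG = """\
2014-03-10 09:00:01 Message type information sent to the user: Establishing VPN - Initiating connection...
2014-03-10 09:00:05 The Primary DTLS connection to the secure gateway is down.
2014-03-10 09:00:05 Reconfigure reason code 16:New MTU configuration.
2014-03-10 09:00:05 The entire VPN connection is being reconfigured.
2014-03-10 09:00:05 Message type information sent to the user: Establishing VPN - Examining system...
2014-03-10 09:00:06 A new MTU needs to be applied to the VPN network interface. Disabling and re-enabling the Virtual Adapter. Applications utilizing the private network may need to be restarted.
2014-03-10 09:00:06 VPN state: Reconnecting Network state: Network Accessible Network control state: Network Access: Restricted Network type: Undefined
2014-03-10 09:00:07 Message type information sent to the user: Reconnecting to <vpngw_domain_name>...
2014-03-10 09:00:10 Message type information sent to the user: Establishing VPN - Activating VPN adapter...
"""

# Patterns lifted from the messages above. Reason code 16 is the one the thread saw
# ("New MTU configuration").
DTLS_DOWN = re.compile(r"Primary DTLS connection to the secure gateway is down")
RECONFIGURE = re.compile(r"Reconfigure reason code (\d+):\s*(.*)")
MTU_REAPPLY = re.compile(r"A new MTU needs to be applied to the VPN network interface")
RECONNECTING = re.compile(r"VPN state: Reconnecting")
MTU_REASON_CODE = 16


@dataclass
class Findings:
    """Facts extracted from one DART capture that bear on a disconnect/reconnect cycle."""
    dtls_down: bool = False
    reconfigure_codes: list = field(default_factory=list)  # (code, reason text) in log order
    mtu_reapplied: bool = False
    reconnect_events: int = 0


def parse_dart_lines(text: str) -> Findings:
    """Scan DART/event-log text line by line and collect the indicators."""
    f = Findings()
    for line in text.splitlines():
        if DTLS_DOWN.search(line):
            f.dtls_down = True
        m = RECONFIGURE.search(line)
        if m:
            f.reconfigure_codes.append((int(m.group(1)), m.group(2).strip().rstrip(".")))
        if MTU_REAPPLY.search(line):
            f.mtu_reapplied = True
        if RECONNECTING.search(line):
            f.reconnect_events += 1
    return f


def diagnose(f: Findings) -> str:
    """Map the collected indicators to one of a few named outcomes."""
    codes = {code for code, _ in f.reconfigure_codes}
    if f.dtls_down and f.mtu_reapplied and MTU_REASON_CODE in codes:
        # DTLS came up, failed, and the client fell back to TLS with a new MTU:
        # the pattern the thread's final post attributes to the brief disconnect.
        return "dtls-to-tls-fallback"
    if f.dtls_down:
        return "dtls-down-only"
    if f.reconnect_events:
        return "reconnect-other-cause"
    return "no-reconnect-seen"


# Remediation text per outcome. The two ASA group-policy commands are an assumption
# drawn from general ASA knowledge, not quoted in the thread; the 1200 value is the thread's.
REMEDIATION = {
    "dtls-to-tls-fallback": (
        "DTLS is negotiated but then fails and the client falls back to TLS, "
        "resetting the tunnel. Either disable DTLS for the group policy "
        "(webvpn: 'anyconnect ssl dtls none') or lower the tunnel MTU "
        "(webvpn: 'anyconnect mtu 1200'), then confirm with a fresh DART capture."
    ),
    "dtls-down-only": "DTLS dropped without an MTU reconfigure; check UDP reachability to the gateway and path MTU.",
    "reconnect-other-cause": "Reconnect seen but no DTLS/MTU indicators; read the lines around 'VPN state: Reconnecting'.",
    "no-reconnect-seen": "No reconnect cycle in this capture; reproduce the problem before collecting DART.",
}


def triage(text: str) -> dict:
    """Parse, diagnose and return a report dict for one capture."""
    f = parse_dart_lines(text)
    outcome = diagnose(f)
    return {
        "outcome": outcome,
        "dtls_down": f.dtls_down,
        "reconfigure_codes": f.reconfigure_codes,
        "mtu_reapplied": f.mtu_reapplied,
        "reconnect_events": f.reconnect_events,
        "remediation": REMEDIATION[outcome],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the text of the AnyConnect event log exported from Event Viewer, or the relevant log from the DART zip, and compare the `outcome` before and after changing the group policy; the MTU reason code and the DTLS-down line should both disappear from a capture taken after the fix.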
