DTLS configured for 442 but not listening

lcaruso
Level 6

Hi,

I've asked TAC to solve this for me, but they don't have an answer so far. If anyone has an idea what might be wrong, please advise.

The sh asp table socket output proves DTLS is not listening on port 442, but the configuration is set up for 442.

Clients are not getting DTLS tunnels, which are important for AnyConnect performance; it suffers otherwise.

ASA 9.1(2) code

AnyConnect 3.1.04059 client

Protocol  Socket    State      Local Address      Foreign Address
SSL       00005558  LISTEN     10.10.2.1:444      0.0.0.0:*
SSL       0000b4d8  LISTEN     a.b.c.d:444        0.0.0.0:*
SSL       0000d1c8  LISTEN     e.f.g.h:444        0.0.0.0:*
TCP       00011088  LISTEN     a.b.c.d:22         0.0.0.0:*
TCP       00017bb8  LISTEN     e.f.g.h:22         0.0.0.0:*
TCP       00018bb8  LISTEN     10.10.2.1:22       0.0.0.0:*
SSL       0001cf28  LISTEN     a.b.c.d:442        0.0.0.0:*
DTLS      00023268  LISTEN     a.b.c.d:443        0.0.0.0:*

webvpn
 port 442
 enable outside1
 dtls port 442
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 2
 anyconnect profiles MCo-MDT disk0:/mdt-vpn-policy.xml
 anyconnect profiles MCo-VPN disk0:/mco-vpn.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 60
 webvpn
  anyconnect mtu 1200
  anyconnect ssl keepalive none
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
  anyconnect ssl df-bit-ignore enable
  anyconnect routing-filtering-ignore enable
group-policy mdt-vpn-policy internal
group-policy mdt-vpn-policy attributes
 dns-server value 10.3.3.5 10.3.3.10
 vpn-idle-timeout 60
 vpn-filter value mdt_vpn
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value <>
 address-pools value mdt-vpn-pool
 webvpn
  anyconnect profiles value MCo-MDT type user

1 Reply

lcaruso
Level 6

Known bug. Thank you TAC.

Disable and re-enable to work around.

conf t
webvpn
no enable outside1
no port 442
no dtls port 442
enable outside1
port 442
dtls port 442
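Whether the workaround in the reply took effect is something to confirm by running show asp table socket again and checking that a DTLS socket now listens on the configured dtls port. The following is an added example, not part of this thread or of Cisco's tooling: a Python check that reads the global webvpn section of the running config and the socket table (constructed samples in the formats quoted in the original post) and reports a DTLS listener that does not match the configured port.

```python
import re

# Constructed samples, not the thread's own output: the socket table mirrors the
# original post (DTLS in LISTEN state on 443) while the webvpn section says 442.
SOCKET_TABLE = """\
Protocol  Socket    State      Local Address      Foreign Address
SSL       0001cf28  LISTEN     a.b.c.d:442        0.0.0.0:*
DTLS      00023268  LISTEN     a.b.c.d:443        0.0.0.0:*
"""
WEBVPN_CONFIG = """\
webvpn
 port 442
 enable outside1
 dtls port 442
"""

def configured_ports(config):
    """(ssl_port, dtls_port) from the global webvpn section; ASA default is 443 for both."""
    ssl_port, dtls_port, in_webvpn = 443, 443, False
    for line in config.splitlines():
        if not line.startswith((" ", "\t")):   # an unindented line starts a new section
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s*(dtls )?port (\d+)\s*$", line) if in_webvpn else None
        if m and m.group(1):
            dtls_port = int(m.group(2))
        elif m:
            ssl_port = int(m.group(2))
    return ssl_port, dtls_port

def listening_ports(socket_table):
    """{protocol: set(ports)} for every socket in LISTEN state."""
    listeners = {}
    for line in socket_table.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])   # rsplit copes with IPv6 addresses too
            listeners.setdefault(fields[0], set()).add(port)
    return listeners

def dtls_mismatch(config, socket_table):
    """Findings as strings; empty when SSL and DTLS listen on their configured ports."""
    ssl_port, dtls_port = configured_ports(config)
    listeners = listening_ports(socket_table)
    findings = []
    if ssl_port not in listeners.get("SSL", set()):
        findings.append(f"SSL configured on {ssl_port} but not listening")
    dtls = sorted(listeners.get("DTLS", set()))
    if dtls_port not in dtls:
        findings.append(f"DTLS configured on {dtls_port} but listening on {', '.join(map(str, dtls)) or 'nothing'}")
    return findings
```

The group-policy webvpn sub-sections are indented and therefore never mistaken for the global webvpn section, so only the global port and dtls port lines are compared against the listeners.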