IOS WebVPN AnyConnect keeps reconnecting

Marcel Maeder
Level 4

Hi

AnyConnect 3.1.05152 and 3.1.04063 reconnects about every minute on Windows 7 x64 and Windows 8.1 x32. This issue happens whether I'm connected via cable or wireless. Sometimes I see strange messages on the router's console depending on the client I use:

169BEE80: 16030300 89010000 85030352 BD99CFBD  ...........R=.O=
169BEE90: DBFF9A0E BFC9ADB6 8F77265E 80728829  [...?I-6.w&^.r.)
169BEEA0: 42F01ED7 6999F45E 0CDCB800 0026003C  Bp.Wi.t^.\8..&.<..

Gateway: Cisco 897VAW router, Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(1)T, RELEASE SOFTWARE (fc2). The problem also exists with 15.3.3M1.

For troubleshooting purposes I connected the router and the client on the same subnet. On the client I'm pinging a loopback address of the router.

Message history in AnyConnect:

[12/27/13 16:33:21] Establishing VPN...
[27.12.2013 16:33:21] Connected to 192.168.x.y.
[27.12.2013 16:33:50] Reconnecting to 192.168.x.y...
[27.12.2013 16:33:50] Connected to 192.168.x.y.
[27.12.2013 16:34:20] Reconnecting to 192.168.x.y...
[27.12.2013 16:34:22] Connected to 192.168.x.y.
[27.12.2013 16:34:52] Reconnecting to 192.168.x.y...
[27.12.2013 16:34:56] Connected to 192.168.x.y.
[27.12.2013 16:35:26] Reconnecting to 192.168.x.y...
[27.12.2013 16:35:43] Establishing VPN - Examining system...
[27.12.2013 16:35:43] Establishing VPN - Activating VPN adapter...
[27.12.2013 16:35:43] Establishing VPN - Configuring system...
[27.12.2013 16:35:44] Establishing VPN...
[27.12.2013 16:35:44] Connected to 192.168.x.y.
[27.12.2013 16:36:13] Reconnecting to 192.168.x.y...
[27.12.2013 16:36:13] Connected to 192.168.x.y.
[27.12.2013 16:36:43] Reconnecting to 192.168.x.y...
[27.12.2013 16:36:45] Connected to 192.168.x.y.
[27.12.2013 16:37:15] Reconnecting to 192.168.x.y...
[27.12.2013 16:37:20] Connected to 192.168.x.y.
[27.12.2013 16:37:49] Reconnecting to 192.168.x.y...
[27.12.2013 16:38:06] Establishing VPN - Examining system...
[27.12.2013 16:38:06] Establishing VPN - Activating VPN adapter...
[27.12.2013 16:38:06] Establishing VPN - Configuring system...
[27.12.2013 16:38:07] Establishing VPN...
[27.12.2013 16:38:07] Connected to 192.168.x.y.
[27.12.2013 16:38:36] Reconnecting to 192.168.x.y...
[27.12.2013 16:38:36] Connected to 192.168.x.y.
[27.12.2013 16:39:06] Reconnecting to 192.168.x.y...
[27.12.2013 16:39:08] Connected to 192.168.x.y.
[27.12.2013 16:39:38] Reconnecting to 192.168.x.y...
[...]

Messages found via DART:

Date        : 12/27/2013
Time        : 16:33:50
Type        : Error
Source      : acvpnagent
Description : Function: CTlsTunnelMgr::OnTunnelReadComplete
File: .\TlsTunnelMgr.cpp
Line: 1690
Invoked Function: CTunnelStateMgr::readTunnel
Return Code: -31588336 (0xFE1E0010)
Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer.
callback
******************************************
Date        : 12/27/2013
Time        : 16:33:50
Type        : Warning
Source      : acvpnagent
Description : Tunnel level reconnect reason code 6:
Disruption of the VPN connection to the secure gateway.
Caching the default reconnect reason for SSL
******************************************
Date        : 12/27/2013
Time        : 16:33:50
Type        : Information
Source      : acvpnagent
Description : The Primary SSL connection to the secure gateway is being re-established.
******************************************
Date        : 12/27/2013
Time        : 16:33:50
Type        : Information
Source      : acvpnagent
Description : The VPN client has sent the following close message to the gateway:
Reconnecting to recover from error.
******************************************
Date        : 12/27/2013
Time        : 16:33:50
Type        : Warning
Source      : acvpnagent
Description : A SSL Alert was sent by the client during a write operation.  Severity: warning Description: close notify


Example session on router:

show webvpn session user xy context all detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.04063
Username          : xy                   Num Connection : 1
Public IP         : 192.168.x.x          VRF Name       : None
Context           : PLUTO                Policy Group   : VPN-POLICY
Last-Used         : 00:00:00             Created        : 16:10:49.136 UTC Fri Dec 27 2013
Session Timeout   : Disabled             Idle Timeout   : 2100
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : webvpn-pool          MTU Size       : 1399
Rekey Time        : 3600                 Rekey Method   :
Lease Duration    : 43200
Tunnel IP         : 192.168.30.14        Netmask        : 255.255.255.0
Tunnel-mode filte : VPN-ACL
Rx IP Packets     : 85                   Tx IP Packets  : 175
CSTP Started      : 00:00:04             Last-Received  : 00:00:00
CSTP DPD-Req sent : 0                    Virtual Access : 1
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled
Msie-Exception    :
Split Include     : 192.168.34.0 255.255.255.0
                    192.168.30.0 255.255.255.0
Client Ports      : 49390

Relevant router configuration:

aaa new-model
aaa authentication login WEBVPN local-case
username xy@domain ...
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.04063-k9.pkg sequence 1
webvpn gateway STARGATE
 ip interface Vlan1 port 443
 ssl encryption aes256-sha1 rsa-dhe-aes128-sha1 rsa-dhe-aes256-sha1
 ssl trustpoint webvpn
 inservice
!
webvpn context PLUTO
 [...]
 acl "VPN-ACL"
   permit ip 192.168.30.0 255.255.255.0 ...
 !
 acl "DENY-ACL"
   deny ip any any
 aaa authentication list WEBVPN
 aaa authentication domain @domain
 gateway STARGATE
 max-users 5
 !
 ssl authenticate verify all
 !
 inservice
 !
 policy group VPN-POLICY
   acl "DENY-ACL"
   functions svc-enabled
   functions svc-required
   filter tunnel VPN-ACL
   svc address-pool "webvpn-pool" netmask 255.255.255.255
   svc split include 192.168.34.0 255.255.255.0
   svc split include 192.168.30.0 255.255.255.0
 default-group-policy VPN-POLICY

I've already tried to use rc4-md5 as SSL encryption in the gateway, but it didn't solve the problem.

How can I fix this problem?

3 Replies

Andrew Vlasek
Level 1

Sophos or other anti-virus installed? Try disabling and see if you get the same issues.

aldrabkin
Level 1

Hi!

I have exactly the same error! The AnyConnect session is reconnecting every 30 seconds, when the CSTP timer reaches 29 seconds.

Router#sh webvpn session user USER context all
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:28:07             Created        : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       :
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 1
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:00:00             Created        : 20:57:04.657 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : RemoteAdminsPool     MTU Size       : 1199
Rekey Time        : 3600                 Rekey Method   :
Lease Duration    : 43200
Tunnel IP         : 100.100.100.2        Netmask        : 255.255.255.0
Rx IP Packets     : 1329                 Tx IP Packets  : 2023
CSTP Started      : 00:00:29             Last-Received  : 00:00:00
CSTP DPD-Req sent : 0                    Virtual Access : 4
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled
Msie-Exception    :
Split Include     : ACL ACL_1
Client Ports      : 31054

The next sh webvpn session output looks like:

Router#sh webvpn session user USER context all
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:36:22             Created        : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       :
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:00:00             Created        : 21:25:41.482 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       : svc-required
                    svc-enabled

So my Full Tunnel session changes to Clientless after 30 seconds, and back to Full Tunnel. The CSTP timer reaches 29 seconds and it all repeats.

aldrabkin
Level 1

Solved!

After upgrading the router image to c2900-universalk9-mz.SPA.154-3.M2.bin, AnyConnect works fine.

The previous image was c2900-universalk9-mz.SPA.154-1.T.bin.