Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IOS WebVPN AnyConnect keeps reconnecting

Hi

AnyConnect 3.1.05152 and 3.1.04063 reconnects about every minute on Windows 7 x64 and Windows 8.1 x32. This issue happens whether I'm connected via cable or wireless. Sometimes I see strange messages on the routers console depending on the client I use:

169BEE80: 16030300 89010000 85030352 BD99CFBD  ...........R=.O=

169BEE90: DBFF9A0E BFC9ADB6 8F77265E 80728829  [...?I-6.w&^.r.)

169BEEA0: 42F01ED7 6999F45E 0CDCB800 0026003C  Bp.Wi.t^.\8..&.<..

Gateway: Cisco 897VAW router, Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(1)T, RELEASE SOFTWARE (fc2). The problem also exists in with 15.3.3M1.

For troubleshooting purposes I connected the router and the client on the same subnet. On the client I'm pinging a loopback address of the router.

Message history in AnyConnect:

[12/27/13 16:33:21] Establishing VPN...

[27.12.2013 16:33:21] Connected to 192.168.x.y.

[27.12.2013 16:33:50] Reconnecting to 192.168.x.y...

[27.12.2013 16:33:50] Connected to 192.168.x.y.

[27.12.2013 16:34:20] Reconnecting to 192.168.x.y...

[27.12.2013 16:34:22] Connected to 192.168.x.y.

[27.12.2013 16:34:52] Reconnecting to 192.168.x.y...

[27.12.2013 16:34:56] Connected to 192.168.x.y.

[27.12.2013 16:35:26] Reconnecting to 192.168.x.y...

[27.12.2013 16:35:43] Establishing VPN - Examining system...

[27.12.2013 16:35:43] Establishing VPN - Activating VPN adapter...

[27.12.2013 16:35:43] Establishing VPN - Configuring system...

[27.12.2013 16:35:44] Establishing VPN...

[27.12.2013 16:35:44] Connected to 192.168.x.y.

[27.12.2013 16:36:13] Reconnecting to 192.168.x.y...

[27.12.2013 16:36:13] Connected to 192.168.x.y.

[27.12.2013 16:36:43] Reconnecting to 192.168.x.y...

[27.12.2013 16:36:45] Connected to 192.168.x.y.

[27.12.2013 16:37:15] Reconnecting to 192.168.x.y...

[27.12.2013 16:37:20] Connected to 192.168.x.y.

[27.12.2013 16:37:49] Reconnecting to 192.168.x.y...

[27.12.2013 16:38:06] Establishing VPN - Examining system...

[27.12.2013 16:38:06] Establishing VPN - Activating VPN adapter...

[27.12.2013 16:38:06] Establishing VPN - Configuring system...

[27.12.2013 16:38:07] Establishing VPN...

[27.12.2013 16:38:07] Connected to 192.168.x.y.

[27.12.2013 16:38:36] Reconnecting to 192.168.x.y...

[27.12.2013 16:38:36] Connected to 192.168.x.y.

[27.12.2013 16:39:06] Reconnecting to 192.168.x.y...

[27.12.2013 16:39:08] Connected to 192.168.x.y.

[27.12.2013 16:39:38] Reconnecting to 192.168.x.y...

[...]

Messages found via DART:

Date        : 12/27/2013

Time        : 16:33:50

Type        : Error

Source      : acvpnagent

Description : Function: CTlsTunnelMgr::OnTunnelReadComplete

File: .\TlsTunnelMgr.cpp

Line: 1690

Invoked Function: CTunnelStateMgr::readTunnel

Return Code: -31588336 (0xFE1E0010)

Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer.

callback

******************************************

Date        : 12/27/2013

Time        : 16:33:50

Type        : Warning

Source      : acvpnagent

Description : Tunnel level reconnect reason code 6:

Disruption of the VPN connection to the secure gateway.

Caching the default reconnect reason for SSL

******************************************

Date        : 12/27/2013

Time        : 16:33:50

Type        : Information

Source      : acvpnagent

Description : The Primary SSL connection to the secure gateway is being re-established.

******************************************

Date        : 12/27/2013

Time        : 16:33:50

Type        : Information

Source      : acvpnagent

Description : The VPN client has sent the following close message to the gateway:

Reconnecting to recover from error.

******************************************

Date        : 12/27/2013

Time        : 16:33:50

Type        : Warning

Source      : acvpnagent

Description : A SSL Alert was sent by the client during a write operation.  Severity: warning Description: close notify


Example session on router:

show webvpn session user xy context all detail

Session Type      : Full Tunnel

Client User-Agent : AnyConnect Windows 3.1.04063

Username          : xy                   Num Connection : 1

Public IP         : 192.168.x.x          VRF Name       : None

Context           : PLUTO                Policy Group   : VPN-POLICY

Last-Used         : 00:00:00             Created        : 16:10:49.136 UTC Fri Dec 27 2013

Session Timeout   : Disabled             Idle Timeout   : 2100

DPD GW Timeout    : 300                  DPD CL Timeout : 300

Address Pool      : webvpn-pool          MTU Size       : 1399

Rekey Time        : 3600                 Rekey Method   :

Lease Duration    : 43200

Tunnel IP         : 192.168.30.14        Netmask        : 255.255.255.0

Tunnel-mode filte : VPN-ACL

Rx IP Packets     : 85                   Tx IP Packets  : 175

CSTP Started      : 00:00:04             Last-Received  : 00:00:00

CSTP DPD-Req sent : 0                    Virtual Access : 1

Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled

Msie-Exception    :

Split Include     : 192.168.34.0 255.255.255.0

                    192.168.30.0 255.255.255.0

Client Ports      : 49390

Relevant router configuration:

aaa new-model

aaa authentication login WEBVPN local-case

username xy@domain ...

crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.04063-k9.pkg sequence 1

webvpn gateway STARGATE

ip interface Vlan1 port 443

ssl encryption aes256-sha1 rsa-dhe-aes128-sha1 rsa-dhe-aes256-sha1

ssl trustpoint webvpn

inservice

!

webvpn context PLUTO

[...]

acl "VPN-ACL"

   permit ip 192.168.30.0 255.255.255.0 ...

!

acl "DENY-ACL"

   deny ip any any

aaa authentication list WEBVPN

aaa authentication domain @domain

gateway STARGATE

max-users 5

!

ssl authenticate verify all

!

inservice

!

policy group VPN-POLICY

   acl "DENY-ACL"

   functions svc-enabled

   functions svc-required

   filter tunnel VPN-ACL

   svc address-pool "webvpn-pool" netmask 255.255.255.255

   svc split include 192.168.34.0 255.255.255.0

   svc split include 192.168.30.0 255.255.255.0

default-group-policy VPN-POLICY

I've already tried to use rc4-md5 as SSL encryption in the gateway, but it didn't solve the problem.

How can I fix this problem?

3 REPLIES
New Member

Sophos or other anti-virus

Sophos or other anti-virus installed? Try disabling and see if you get the same issues.

New Member

Hi !

Hi !

I have exactly same error ! AnyConnect session is reconnecting every 30 seconds, when CSTP timer reaches 29 seconds.

 

Router#sh webvpn session user USER context all
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:28:07             Created        : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       :
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 1
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:00:00             Created        : 20:57:04.657 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : RemoteAdminsPool     MTU Size       : 1199
Rekey Time        : 3600                 Rekey Method   :
Lease Duration    : 43200
Tunnel IP         : 100.100.100.2        Netmask        : 255.255.255.0
Rx IP Packets     : 1329                 Tx IP Packets  : 2023
CSTP Started      : 00:00:29             Last-Received  : 00:00:00
CSTP DPD-Req sent : 0                    Virtual Access : 4
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled
Msie-Exception    :
Split Include     : ACL ACL_1
Client Ports      : 31054

Next sh webvpn session output looks like:

Router#sh webvpn session user USER context all
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:36:22             Created        : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       :
Session Type      : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048

Username          : USER                 Num Connection : 0
Public IP         : 10.10.10.10          VRF Name       : None
Context           : VPN                  Policy Group   : POLICY
Last-Used         : 00:00:00             Created        : 21:25:41.482 MSK Mon Apr 6 2015
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix            : Disabled             Citrix Filter  : None
Capabilites       : svc-required
                    svc-enabled

So my FullTunnel session change to Clientless after 30 seconds, and back to FullTunnel. CSTP timer reaches 29 seconds and all repeats.

New Member

Solved!After router image

Solved!

After router image upgrade to c2900-universalk9-mz.SPA.154-3.M2.bin AnyConnect works fine.

The previous image was c2900-universalk9-mz.SPA.154-1.T.bin.

1598
Views
1
Helpful
3
Replies
CreatePlease login to create content