We have a customer who recently upgraded their Anyconnect client to 4.x (started at 4.2 moved to 4.6). After the upgrade, they started having clients lose traffic inbound into their VPN. After more troubleshooting, we found that only the clients that had Kaspersky anti-virus installed had the issue. What appeared to be happening were constant disconnects on the Anyconnect client. If we used a system without Kaspersky installed, or if we completely uninstalled the Kaspersky agent, we did not see any disconnects issues.
So apparently, there was a conflict with the Kaspersky anti-virus agent and the Cisco Anyconnect client 4.x. Note that on older Anyconnect versions (3.x), we did not see this problem.
The conflict appeared to be with Cisco using DTLS (Datagram Transport Layer Security). DTLS is used to prevent any eavesdropping on the communication and is built on the stream-oriented TLS (Transport Layer Security) protocol.
The fix was to modify the group-policy defined with the user and turn off DTLS. To do that, you need to go into the group-policy and then go to the wbvpn (*in the group-policy not the default webvpn). Then set the anyconnct ssl dtls to none, as opposed to enabled.
Here are the CLI commands:
wins-server value 10.99.5.8 10.99.3.9
dns-server value 10.99.5.8 10.99.3.9
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-network-list value ST-VPN
address-pools value VPN-POOL
anyconnect ssl dtls none
- Go to Configuration > Remote Access VPN > Network (client) Access > Group Policies.
- Edit the group policy.
- Then go to Advanced > Anyconnect Client.
- Here change the Datagram Transport Layer Security (DTLS) to Disable.
After making the changes, we tested multiple users, none had the disconnect issue we were seeing before.
Jason Howe, PEI