Thank you for your comment, but the issue is anyconnect client assigns this route by using the DHCP server of physical host not the VPN client. Unfortunately which is also our DNS server for VPN and non VPN clients. It seems that this version of Cisco VPN Client uses different DPD algorithm, which is similar to ASA “semi-periodic” DPD. I.e. the VPN Client sends its R-U-THERE message to a peer if the peer was idle for approximately ten seconds. The VPN Client may have nothing to send to the peer, but DPD is still sent if the peer is idle.<\/p>\n
Hand editing the file to the correct name fixed the problem for me. They have attempted to connect using the IP address of the Cisco ASA, as well as the Domain name pointing to the ASA. Where can I get a trial version of the AnyConnect Secure Mobility Client? I am studying for the security exam and would like to be able to practice it.<\/p>\n
I.e. they send R-U-THERE message to a peer if the peer was idle for seconds. ASA may have nothing to send to the peer, but DPD is still sent if the peer is idle. If the VPN session is comletely idle the R-U-THERE messages are sent every seconds. Another caveat is that you cannot disable DPD completely. DPD is always negotiated, even if not configured or disabled in ISAKMP profile with “no keepalive”.<\/p>\n
Also, it is possible to configure DPD in ISAKMP profiles. The caveat, however, is that there are no “periodic” and “on-demand” configuration options. So, the ISAKMP profile will inherit global setting.<\/p>\n
I am having the same problem now that we have moved to Anyconnect 4.4 and seeing the exact same issue. This host routes disappears once I disconnect from the VPN. So I believe host tries to reach DNS sever over wrong address. The most common problem with DPD is Windows or network firewall that blocks server to client communications over UDP. Causes the VPN Client to negotiate NAT-T, even if there is no NAT device involved in the connection attempt. This helps with some firewalls’ disconnecting the VPN Client unexpectedly.<\/p>\n
After some number of retransmitted messages, an implementation should assume its peer to be unreachable and delete IPSec and IKE SAs to the peer. I only saw the issue on the mobile Anyconnect clients the PC clients were unaffected. Thanks for that – I noticed the TLSv1.2 cipher was set to medium – when all the others were AES128-SHA only (which is what it should be). We have just upgrade to the Cisco recommended release (9.4(2)11) and found this issue only affects the Mobile Anyconnect client.<\/p>\n
If I set the logging messages to debugging I can see that the device selects the correct trustpoint, but it doesn’t extract anything from the certificate. Come back to expert answers, step-by-step guides, recent topics, and more. The Cisco AnyConnect Secure Mobility Client can be downloaded for free, however, you need to have client licenses to use it.<\/p>\n