Blog: DTLS

Recently we've been experiencing a problem with the Cisco AnyConnect client disconnecting and reconnecting shortly after the initial connection is established. Originally we thought that this was a bug in the client. Cisco recommended switching to an IKEv2 connection profile, but the disconnect problem was never resolved, even with updated versions of the client. During a recent remote session with Cisco support, the root cause of the disconnects was discovered.

In later versions of the AnyConnect client, there are two protocols in use:  SSL and DTLS. DTLS is a variant of TLS that uses datagrams which are sensitive to delay. After authentication, the client attempts to negotiate a DLTS connection. If that negotiation is unsuccessful, the client disconnects and reconnects using SSL only. DTLS uses UDP port 443. In our test environment, the remote access firewall is behind another firewall that was only allowing TCP port 443 through. After updating the firewall rule to allow UDP port 443 as well, the disconnects stopped occurring.


 

During an IT security audit this week, I had the chance to test the Cisco AnyConnect VPN client from a VPN-hostile network.  The bank has implemented multiple layers of Internet filtering including web content filtering, outbound port filtering, and inbound IP address/port filtering.  As expected, the old Cisco IPSEC VPN client could not connect.  The AnyConnect client, however, connected on the first try without having to ask the bank to modify any of their access controls.

FYI, the AnyConnect client dynamically determines if it can also use a Datagram Transport Layer Security (DTLS) tunnel via UDP in addition to the SSL tunnel.  If the DTLS tunnel connects and is “healthy” the client will use both the SSL and DTLS tunnels to transmit data.  If the DTLS tunnel cannot connect or is unreliable, the client will dynamically switch to using only the SSL tunnel.  You can read more about it on Cisco’s AnyConnect FAQ page.