Cisco anyconnect VPN/CenturyLink

Discussion in 'Routers and Switches' started by pr0n, Sep 23, 2012.

  1. pr0n

    Joined:
    Sep 23, 2012
    Messages:
    1
    Likes Received:
    0
    Ever since I got CenturyLink a few weeks ago I haven't been able to VPN into my work's network using Cisco AnyConnect. The application will 'Connect', then lose the connection and try to reconnect; it will do that 3 times, then fail.

    I have a couple routers and switches on the network but have narrowed it down and isolated the issue to none other than CenturyLink's C1000A Modem/router/everything. Also please note this is happening on multiple computers with no software firewalls and no other devices in between.

    Here's what I've done to try to get it to work:
    Reset to factory defaults.
    Got CenturyLink to send out another modem to replace it, which incidentally hadn't even been cleared of the settings from its previous owner... morons.
    I have the built in firewall (on modem) completely disabled
    NAT enabled - and thus dynamic routing disabled
    UPnP enabled
    UPnP NAT-T enabled
    I have even tried putting the VPNing device in DMZ.

    This is embarrassing. I help manage a network that handles thousands of both local and remote users with nearly 5 9's availability for a living, and this piece of junk has me stumped.


    Here's what Cisco says AnyConnect uses:
    TLS (SSL) – TCP 443
    SSL Redirection – TCP 80 (optional)
    DTLS – UDP 443 (optional but HIGHLY recommended)
    IPsec/IKEv2 – UDP 500, UDP 4500 (and the client services port used for SSL)
    Legacy IPsec IKEv1 - ESP mode – UDP 500, Protocol 50
    IPsec/NAT-T – UDP 500, UDP 4500
    IPsec/TCP – TCP XXX (admin definable)
    IPsec/UDP – UDP 500, UDP XXX (admin definable)

    I've monitored traffic during the connection attempts (on the machine, using TCPView) and all I see are random high-port TCP and UDP connections (the last two lines of the above). It's nothing super exotic, so being in the DMZ it should work, although I want it to work from inside the network behind the firewall as well.

    Any help is appreciated.

    Thank you.
     
    pr0n, Sep 23, 2012
    #1

  2. tpc

    Joined:
    Nov 12, 2012
    Messages:
    1
    Likes Received:
    0
    Hi, I'm not a network guy but I Googled my problem and came to your post... I'm having the exact same problem, I had the service guys from CenturyLink out to my house and they claim that the connection and setup are all flawless (I have the same router as you too). Let me know if you are able to resolve the issue.
    T
     
    tpc, Nov 12, 2012
    #2

  3. djdmspit

    Joined:
    Dec 20, 2012
    Messages:
    1
    Likes Received:
    0
    Having a similar issue.
     
    djdmspit, Dec 20, 2012
    #3
  4. JKreisher

    Joined:
    May 10, 2013
    Messages:
    1
    Likes Received:
    0
    Same Issue

    Having the exact same issue. Was this ever solved? I think I have narrowed it down to the DTLS protocol and my modem not supporting it.
     
    JKreisher, May 10, 2013
    #4
  5. steve

    Joined:
    Jun 18, 2013
    Messages:
    1
    Likes Received:
    0
    Solved using bridge mode

    I had the same problem with the ActionTec C1000A modem provided by CenturyLink. I resolved it by putting their modem into Transparent Bridging mode (google "ActionTec C1000A bridge") and using my own router to do the PPPoE authentication and handle my routing and wireless needs. With that setup, VPN works flawlessly.

    Now that it's working, I'm planning to just buy a simple DSL modem and use that with my router instead of paying to rent their modem.

    BTW, CenturyLink tech support did claim that their modem supports DTLS. They don't really know why it doesn't work with VPN - this after the tech support guy spent a long time with me and got input from two or three other departments!
     
    steve, Jun 20, 2013
    #5
  6. Spamcop01

    Joined:
    Jul 26, 2013
    Messages:
    2
    Likes Received:
    0
    Same issue but a twist

    So I've got the CenturyLink Actiontec C1000A, and when I activate my Cisco AnyConnect VPN client, I lose all internet connectivity. I can ping, run traceroute, nslookups, etc. with no problem, but browser-based lookups hopelessly fail. Turn the client off and everything is back to normal. Also, I just moved from another home where I had the same CenturyLink service but a different modem (can't remember which one). I never had the problem at that house.

    So here's the twist: my desktop has both a wired and a wireless connection. When I connect via wireless, there are no issues. When I disable the wireless adapter and use the wired connection that's directly connected to the modem, there is no joy. Tried it on a completely separate computer with the same results, so I'm 99% positive the issue is something with the modem.

    Now for the joy and wonder of dealing with Tech Support to see if they have any answers.
     
    Spamcop01, Jul 26, 2013
    #6
  7. Spamcop01

    Joined:
    Jul 26, 2013
    Messages:
    2
    Likes Received:
    0
    Sorta solved

    After a LOT of troubleshooting and comparing configurations from several different systems, I think what finally solved it was installing the 64-bit "Deterministic Network Enhancer" (DNE) package from Citrix (I can't post links so google it).

    That had been missing in the list of items used under the "Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64" network properties on my problem system.

    Then again, I've been hacking around with so much crap trying to make this work, who knows what the magic recipe finally was! :D

    Well, just tried this fix on another system and no joy there. Hmmmm....
     
    Spamcop01, Jul 28, 2013
    #7
  8. ttcrew

    Joined:
    Aug 11, 2013
    Messages:
    1
    Likes Received:
    0
    Solved it for myself

    After significant research into the problem - adjusting ALL settings on my router and modem - I stumbled upon some articles that led me to believe that the Cisco AnyConnect SSL software is sensitive to packet fragmentation. Because the MTU size of a PPPoE packet is 1492 (8 bytes of overhead), I assumed that my ISP (CenturyLink) must be fragmenting my packets and thus causing drops of service on VPN. I performed the "ping -l 1492 -f w*w.searchengineofyourchoice.c0m" command in a terminal, which showed that the packets were indeed fragmented, and I continued to adjust that value down to 1472, where there was no longer any fragmentation happening. Once I knew the value, I ran "netsh interface ipv4 show subinterfaces" in a terminal on my work laptop and saw (as I expected) the MTU set to 1500, and reset them to 1472 using the commands "netsh interface ipv4 set subinterface "Local Area Connection" mtu=1472 store=persistent" and "netsh interface ipv4 set subinterface "Wireless Network Connection" mtu=1472 store=persistent", and voila - I have had a solid connection (first time to try to connect) for over an hour...

    My setup:
    CenturyLink VDSL2 DSL
    C1000A Modem (set up in my case as a transparent bridge, as I have a router internal to my network that functions as my PPPoE authentication - but this procedure should be applicable to those who use the router in the C1000A Modem)
    Work computer is a Windows 7 computer (commands above are for Windows - you'll have to figure out the ping command and MTU commands for Linux/Mac)
    Linksys WRT610N running the latest stable DD-WRT firmware
     
    ttcrew, Aug 11, 2013
    #8
  9. emo110

    Joined:
    Jun 13, 2014
    Messages:
    1
    Likes Received:
    0
    Altering the MTU, as ttcrew suggested, worked for me. Except I had to lower it to 1464 (just keep pinging until you find the highest value that does not fragment).

    I joined this forum just to let you know how much I appreciate the help I found here!

    My setup:
    CenturyLink DSL with a brand new ZyXEL KP5001Z Modem
    Windows 7 64bit Dell laptop
    Cisco AnyConnect VPN Client Version 2.5.3054
     
    emo110, Jun 13, 2014
    #9
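The procedure ttcrew and emo110 describe (probe with don't-fragment pings until the largest size that still gets a reply is found, then pin the Windows interface MTU with netsh) can be automated. The script below is an added example written for this thread, not code from any of the posters. It assumes `ping` is on the PATH and that a non-zero exit status means the DF probe got no reply (true for the flags used here on Windows, Linux and macOS), and that the path is monotone (if a payload passes, every smaller one does too). It binary-searches instead of stepping down by hand, and also reports the path MTU, which is the passing payload plus the 28 bytes of IPv4 and ICMP header that ping adds; the thread pins the interface to the payload size itself, which is a safe, slightly lower value. Run it with no argument to see the search against a simulated 1492-byte PPPoE path, or with a hostname to probe for real.

```python
"""Find the largest don't-fragment ping payload a path carries, then derive the MTU.

Added example for the thread, not any poster's code. Assumptions: `ping` is on PATH,
a non-zero exit status means the DF probe failed, and the path is monotone.
"""
import platform
import subprocess
import sys
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes) sit on top of the ping payload.
IP_ICMP_OVERHEAD = 28
# A plain Ethernet path allows 1500; PPPoE (as on CenturyLink DSL) takes 8 bytes, leaving 1492.
ETHERNET_MTU = 1500
PPPOE_MTU = ETHERNET_MTU - 8


def df_ping_command(host: str, payload: int) -> list[str]:
    """Single don't-fragment echo request with `payload` data bytes, per OS."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]    # -f = DF, -l = size
    if system == "Darwin":
        return ["ping", "-c", "1", "-D", "-s", str(payload), host]    # -D = DF
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]  # Linux: -M do = DF


def live_probe(host: str) -> Callable[[int], bool]:
    """Probe function that really sends DF pings to `host` (needs network access)."""
    def probe(payload: int) -> bool:
        result = subprocess.run(df_ping_command(host, payload),
                                capture_output=True, timeout=10)
        return result.returncode == 0  # assumption: non-zero means "needs fragmentation"/no reply
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in (constructed): a DF ping passes iff payload + headers fits the path MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 low: int = 576 - IP_ICMP_OVERHEAD,
                                 high: int = ETHERNET_MTU - IP_ICMP_OVERHEAD) -> int:
    """Binary search for the largest payload in [low, high] that probe() accepts.

    The thread's manual method (keep lowering the size until -f stops complaining)
    is a linear version of this same search.
    """
    if not probe(low):
        raise RuntimeError(f"even a {low}-byte payload is blocked; check connectivity or ICMP filtering")
    best = low
    low += 1
    while low <= high:
        mid = (low + high) // 2
        if probe(mid):
            best, low = mid, mid + 1
        else:
            high = mid - 1
    return best


def path_mtu_from_payload(payload: int) -> int:
    """Largest passing payload plus the 28 header bytes is the path MTU."""
    return payload + IP_ICMP_OVERHEAD


def netsh_set_mtu_commands(interfaces: list[str], mtu: int) -> list[str]:
    """Windows commands to pin the MTU, in the form used in the thread (store=persistent)."""
    return [f'netsh interface ipv4 set subinterface "{name}" mtu={mtu} store=persistent'
            for name in interfaces]


if __name__ == "__main__":
    # With a host argument run real probes; otherwise simulate a PPPoE (1492) path.
    probe = live_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_probe(PPPOE_MTU)
    payload = largest_unfragmented_payload(probe)
    mtu = path_mtu_from_payload(payload)
    print(f"largest unfragmented payload: {payload} -> path MTU {mtu}")
    for cmd in netsh_set_mtu_commands(["Local Area Connection", "Wireless Network Connection"], mtu):
        print(cmd)
```

The printed netsh lines are only suggestions to review and run by hand in an elevated prompt; the script does not change any interface itself. A 1492-byte PPPoE path yields a 1464-byte payload (the value emo110 landed on), and a plain 1500-byte path yields 1472.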
