Cisco anyconnect VPN/CenturyLink

Ever since I got Century Link a few weeks ago I haven't been able to VPN into my work's network using Cisco AnyConnect the application will 'Connect' then loose connection and try to reconnect it will do that 3 times then fail.

I have a couple routers and switches on the network but have narrowed it down and isolated the issue to none other than CenturyLink's C1000A Modem/router/everything. Also please note this is happening on multiple computers with no software firewalls and no other devices in between.

Here's what I've done to try to get it to work
Reset to factory defaults..
Get Century Link to send out another modem to replace it which incidentally hadn't even been cleared of the settings from it's previous owner... morons.
I have the built in firewall (on modem) completely disabled
NAT enabled - and thus dynamic routing disabled
UPnP enabled
UPnP NAT-T enabled
I have even tried putting the VPNing device in DMZ.

This is embarrassing I help manage a network that handles thousands of both local and remote users with a nearly 5 9's availability for a living and this piece of junk has me stumped.


here's what Cisco says Anyconnect uses
TLS (SSL) – TCP 443
SSL Redirection – TCP 80 (optional)
DTLS – UDP 443 (optional but HIGHLY recommended)
IPsec/IKEv2 – UDP 500, UDP 4500 (and the client services port used for SSL)
Legacy IPsec IKEv1 - ESP mode – UDP 500, Protocol 50
IPsec/NAT-T – UDP 500, UDP 4500
IPsec/TCP – TCP XXX (admin definable)
IPsec/UDP – UDP 500, UDP XXX (admin definable)

I've monitored traffic during the connection attempts (on the machine using TCPView) and all I see are random hi-port TCP and UDP connections (last two lines of above) it's nothing super exotic so being in the DMZ it should work. although I want it to work from inside the network behind the firewall as well.

any help is appreciated.

thank you

 

Hi, I'm not a network guy but I Googled my problem and came to your post... I'm having the exact same problem, I had the service guys from CenturyLink out to my house and they claim that the connection and setup are all flawless (I have the same router as you too). Let me know if you are able to resolve the issue.
T

 

Having similar issue.

 

Same Issue

Having the exact same issue. Was this ever solved? I think I have narrowed it down to the DTLS protocol and my modem not supporting it.

 

Solved using bridge mode

I had the same problem with the ActionTec C1000A modem provide by CenturyLink. I resolved it by putting their modem into Transparent Bridging mode (google "ActionTec C1000A bridge") and using my own router to do the PPPoE authentication and handle my routing and wireless needs. With that setup, VPN works flawlessly.

Now that it's working, I'm planning to just buy a simple DSL modem and use that with my router instead of paying to rent their modem.

BTW, CenturyLink tech support did claim that their modem supports DTLS. They don't really know why it doesn't work with VPN - this after the tech support guy spent a long time with me and got input from two or three other departments!

 

Same issue but a twist

So I've got the CenturyLink Actiontec C1000A and when I activate my Cisco Anyconnect VPN client, I lose all internet connectivity. I can ping, run traceroute, nslookups, etc. with no problem, but browser based lookups hopelessly fail. Turn the client off and everything is back to normal. Also, I just moved from another home where I had the same CenturyLink service but a different modem (can't remember which one). I never had the problem at that house.

So here's the twist: my desktop has both a wired and wireless connection. When I connect via wireless, there are no issues. When I disable the wireless adapter and use the wired connection that's directly connected to the modem, there is no joy. Tried it on a completely separate computer with the same results so 99% positive the issue is something with the modem.

Now for the joy and wonder of dealing with Tech Support to see if they have any answers.

 

Sorta solved

After a LOT of troubleshooting and comparing configurations from several different systems, I think what finally solved it was installing the 64-bit "Deterministic Network Enhancer" (DNE) package from Citrix (I can't post links so google it).

That had been missing in the list of items used under the "Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64" network properties on my problem system.

Then again, I've been hacking around with so much crap trying to make this work, who knows what the magic recipe finally was!

Well, just tried this fix on another system and no joy there. Hmmmm....

 

Solved it for myself

After significant research into the problem - adjusting ALL settings on my router and Modem, I stumbled upon some articles that led me to believe that the Cisco anyconnect SSL software is sensitive to packet fragmentation. Because the MTU size of a PPPoE packet is 1492 (8 bytes of overhead), I assumed that my ISP (Centurylink) must be fragmenting my packets and thus causing drops of service on VPN. I performed the "ping -l 1492 -f w*w.searchengineofyourchoice.c0m" command in terminal which showed that the packets were indeed fragmented, and I continued to adjust that value down to 1472 - where there was no longer any fragmentation happening. Once I knew the value, I performed the command "netsh interface ipv4 show subinterfaces" command in terminal on my work laptop and saw (which I expected) the MTU set to 1500 and reset them to 1472 using the command "netsh interface ipv4 set subinterface "Local Area Connection" mtu=1472 store=persistent" and "netsh interface ipv4 set subinterface "Wireless Network Connection" mtu=1472 store=persistent" and voila - I have had a solid connection (first time to try to connect) for over an hour...

My setup:
Centurylink VDSL2 DSL
C1000A Modem (set up in my case as a transparent bridge, as I have a router internal to my network that functions as my PPPoE authentication - but this procedure should be applicable to those who use the router in the C1000A Modem
Work Computer is a Windows 7 computer (commands above are for windows - you'll have to figure out the ping command and MTU commands for Linux/Mac)
Linksys WRT610N running latest stable DD-WRT firmware

 

Altering the MTU, as ttcrew suggested, worked for me. Except I had to lower it to 1464 (just keep pinging until you find the highest value that does not fragment).

I joined this forum just to let you know how much I appreciate the help I found here!

My setup:
CenturyLink DSL with a brand new ZyXEL KP5001Z Modem
Windows 7 64bit Dell laptop
Cisco AnyConnect VPN Client Version 2.5.3054