AnyConnect Session

 1. Tunnels (Sessions)

There are three different tunnels (sessions) on the ASA, each one with a specific purpose:

  1. Clientless or Parent-Tunnel: This is the main session that is created in the negotiation in order to set up the session token that is necessary in case a reconnect is needed due to network connectivity issues or hibernation. Based on the connection mechanism, the Cisco Adaptive Security Appliance (ASA) lists the session as Clientless (Weblaunch via the Portal) or Parent (Standalone AnyConnect).

  2. Secure Sockets Layer (SSL)-Tunnel: The SSL connection is established first, and data is passed over this connection while it attempts to establish a DTLS connection. Once the DTLS connection is established, the client sends the packets via the DTLS connection instead of via the SSL connection. Control packets, on the other hand, always go over the SSL connection.

  3. DTLS-Tunnel: When the DTLS-Tunnel is fully established, all data moves to the DTLS-tunnel, and the SSL-Tunnel is only used for occasional control channel traffic. If something happens to User Datagram Protocol (UDP), the DTLS-Tunnel is torn down and all data passes through the SSL-Tunnel again.


The session is considered Inactive (and the Inactivity timer begins to increase) only when the SSL-Tunnel no longer exists in the session, as the following output shows:
ASA5506# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username     : user1                  Index        : 53
Assigned IP  : 192.168.123.33         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent       
<< no SSL-Tunnel or DTLS-Tunnel listed, so this is an inactive tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none
Hashing      : AnyConnect-Parent: (1)none
Bytes Tx     : 48373                  Bytes Rx     : 35530
Group Policy : ISE_VPN                Tunnel Group : ISE_AAA
Login Time   : 14:55:17 UTC Tue Mar 16 2021
Duration     : 0h:37m:06s
Inactivity   : 0h:29m:58s       << increasing timer, so this is an inactive tunnel
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac100101000350006050c6d5
Security Grp : none


Username     : user1                  Index        : 55
Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel 
<< this is an active tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 56613                  Bytes Rx     : 31387
Group Policy : ISE_VPN                Tunnel Group : ISE_AAA
Login Time   : 15:10:16 UTC Tue Mar 16 2021
Duration     : 0h:22m:07s
Inactivity   : 0h:00m:00s    << timer not increasing, so this is an active tunnel
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac100101000370006050ca58
Security Grp : none

ASA5506#

ASA5506# sh vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : user1                  Index        : 55
Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 58026                  Bytes Rx     : 41478
Pkts Tx      : 124                    Pkts Rx      : 316
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : ISE_VPN                Tunnel Group : ISE_AAA
Login Time   : 15:10:16 UTC Tue Mar 16 2021
Duration     : 2h:48m:11s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac100101000370006050ca58
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 55.1
  Public IP    : 192.168.2.19
  Encryption   : none                   Hashing      : none
  TCP Src Port : 49176                  TCP Dst Port : 443
  Auth Mode    : userPassword                                 <<<Authentication Method
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : win
  Client OS Ver: 6.1.7601 Service Pack 1
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 10567                  Bytes Rx     : 216
  Pkts Tx      : 6                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 55.2
  Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 49182
  TCP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 7903                   Bytes Rx     : 122
  Pkts Tx      : 6                      Pkts Rx      : 2
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

DTLS-Tunnel:
  Tunnel ID    : 55.3
  Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
  Encryption   : AES256                 Hashing      : SHA1
  Ciphersuite  : AES256-SHA
  Encapsulation: DTLSv1.0               UDP Src Port : 58658
  UDP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 39556                  Bytes Rx     : 41140
  Pkts Tx      : 112                    Pkts Rx      : 314
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

ASA5506#
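Added example (not from the page or from Cisco): a small parser that applies the rule above to "show vpn-sessiondb anyconnect" output and classifies each session as inactive (Parent only), active on DTLS, or active on SSL only (DTLS missing, which usually means UDP 443 is blocked or was torn down). The SAMPLE text and the 30-minute idle timeout constant are constructed from the values shown on this page; session 57 is invented.

```python
import re

# Constructed sample in the format of "show vpn-sessiondb anyconnect" above
# (sessions 53/55 adapted from the page; 57 invented to show the SSL-only case).
SAMPLE = """\
Username     : user1                  Index        : 53
Protocol     : AnyConnect-Parent
Inactivity   : 0h:29m:58s
Username     : user1                  Index        : 55
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Inactivity   : 0h:00m:00s
Username     : user2                  Index        : 57
Protocol     : AnyConnect-Parent SSL-Tunnel
Inactivity   : 0h:00m:00s
"""

IDLE_TIMEOUT = 30 * 60  # group-policy idle timeout default (seconds), per the page

# "Key : value" pairs; a value ends at two or more spaces (start of 2nd column)
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}\S|$)")

def parse_sessions(text):
    # One dict of fields per session; a block starts at each "Username" line
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("Username"):
            cur = {}
            sessions.append(cur)
        if cur is not None and ":" in line:
            cur.update({k.strip(): v for k, v in FIELD.findall(line.strip())})
    return sessions

def to_seconds(hms):
    h, m, s = map(int, re.fullmatch(r"(\d+)h:(\d+)m:(\d+)s", hms).groups())
    return h * 3600 + m * 60 + s

def classify(session):
    # Page's rule: the session is inactive only when the SSL-Tunnel is gone
    tunnels = set(session["Protocol"].split())
    idle = to_seconds(session["Inactivity"])
    if "SSL-Tunnel" not in tunnels:
        state = "inactive"          # parent-only; inactivity timer is running
    elif "DTLS-Tunnel" in tunnels:
        state = "active-dtls"       # data on DTLS, SSL carries control traffic
    else:
        state = "active-ssl-only"   # DTLS absent or torn down: check UDP 443 path
    return {"user": session["Username"], "index": int(session["Index"]),
            "state": state, "idle_left": max(IDLE_TIMEOUT - idle, 0)}
```

Running `[classify(s) for s in parse_sessions(SAMPLE)]` flags session 53 as inactive with 2 seconds left before the idle timeout removes it.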



2. When does the ASA drop the SSL-Tunnel?

  2.1 DPD   << this seems to be the SSL/DTLS probe packets between the client's home address and the ASA public IP
        DPD is configured with the anyconnect dpd-interval command under the WebVPN attributes in the group-policy settings. By default, DPD is enabled and set to 30 seconds for both the ASA (gateway) and the client.
        When DPD detects that the peer is unreachable, the ASA still holds the Parent-Tunnel up in order to allow the user to roam networks, go to sleep, and recover the session.
  2.2 Idle-Timeout
        Configured in the group-policy; default 30 minutes.

3. Why do Keepalives need to be enabled if DPDs are already enabled?

As explained previously, the DPD does not kill the AnyConnect session itself. It merely kills the tunnel within that session so that the client can reestablish the tunnel. If the client cannot reestablish the tunnel, the session remains until the idle timer expires on the ASA. Since DPDs are enabled by default, customers might often get disconnected due to flows closing in one direction with Network Address Translation (NAT), Firewall and Proxy devices. Enabling keepalives at low intervals, such as 20 seconds, helps to prevent this.

Keepalives are enabled under the WebVPN attributes of a particular group-policy with the anyconnect ssl keepalive command. By default, the timers are set to 20 seconds.


<< Keepalives keep the tunnel up until the idle-timeout is reached. DPD detects whether the VPN client/gateway is reachable; if not, it tears down the SSL/DTLS tunnels but keeps the Parent-Tunnel until the idle-timeout. When the peer becomes reachable again (for example, after waking from sleep), the client reconnects right away without re-authentication.
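Added example (hypothetical model, not ASA code): the session lifecycle from sections 2 and 3 as a small state machine. It encodes the rules stated above: losing UDP drops only the DTLS-Tunnel, a DPD failure drops SSL and DTLS but keeps the Parent-Tunnel, the inactivity timer runs only while the SSL-Tunnel is absent, and a reconnect before the 30-minute idle timeout resumes without re-authentication. The class and method names are assumptions for illustration.

```python
IDLE_TIMEOUT = 30 * 60  # group-policy idle timeout default, in seconds

class AnyConnectSession:
    # Hypothetical model (not ASA code) of one AnyConnect session: the set of
    # tunnels it holds and the inactivity timer described in the text above.
    def __init__(self, user):
        self.user = user
        self.tunnels = {"AnyConnect-Parent", "SSL-Tunnel", "DTLS-Tunnel"}
        self.inactivity = 0     # seconds since the SSL-Tunnel went away
        self.alive = True       # False once the idle timer has expired

    def data_path(self):
        # Data prefers DTLS, falls back to SSL, none while only the parent remains
        for t in ("DTLS-Tunnel", "SSL-Tunnel"):
            if t in self.tunnels:
                return t
        return None

    def udp_lost(self):
        # "If something happens to UDP": DTLS torn down, data moves back to SSL
        self.tunnels.discard("DTLS-Tunnel")

    def dpd_failure(self):
        # Peer unreachable (sleep, roaming): DPD tears down SSL and DTLS tunnels
        # but keeps the Parent-Tunnel so the session token can be reused
        self.tunnels -= {"SSL-Tunnel", "DTLS-Tunnel"}

    def tick(self, seconds):
        # The inactivity timer only advances while the SSL-Tunnel is absent
        if not self.alive:
            return
        if "SSL-Tunnel" in self.tunnels:
            self.inactivity = 0
            return
        self.inactivity += seconds
        if self.inactivity >= IDLE_TIMEOUT:
            self.alive = False          # idle timeout reached: session removed
            self.tunnels.clear()

    def reconnect(self, udp_ok=True):
        # Resume on the existing session token without re-authentication while
        # the Parent-Tunnel still exists; otherwise a fresh login is required
        if not self.alive:
            return "reauthenticate"
        self.tunnels.add("SSL-Tunnel")
        if udp_ok:
            self.tunnels.add("DTLS-Tunnel")
        self.inactivity = 0
        return "resumed"
```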



https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html

