Cisco Anyconnect disconnects and reconnects every 30/60 minutes

Hi, I’ve scoured the web the past couple days and can’t find any solution and IT hasn’t been helpful.

Basically, when I’m connected to my work vpn, every 30 minutes or 60 minutes, the vpn will disconnect and reconnect, without actually breaking the vpn connection. This has happened on Centurylink ethernet, Tmobile Home Internet wifi & ethernet. IT has reinstalled anyconnect with no results. Any ideas would be helpful. I’ve attached a sample of the logs.

FYI - I connected to the vpn at 8:05:46am.

12:35:46 PM Reconnecting to Blanky Blank…

12:35:47 PM Establishing VPN - Examining system…

12:35:54 PM Establishing VPN - Activating VPN adapter…

12:35:54 PM Establishing VPN - Configuring system…

12:35:55 PM Establishing VPN…

12:35:55 PM Connected to Blanky Blank.

12:35:55 PM Reconnecting to Blanky Blank…

12:35:55 PM Establishing VPN - Examining system…

12:35:55 PM Establishing VPN - Activating VPN adapter…

12:35:55 PM Establishing VPN - Configuring system…

12:35:55 PM Establishing VPN…

12:35:55 PM Connected to Blanky Blank.

1:05:47 PM Establishing VPN - Examining system…

1:05:47 PM Reconnecting to Blanky Blank…

1:05:54 PM Establishing VPN - Activating VPN adapter…

1:05:54 PM Establishing VPN - Configuring system…

1:05:54 PM Establishing VPN…

1:05:54 PM Connected to Blanky Blank.

1:05:54 PM Reconnecting to Blanky Blank…

1:05:55 PM Establishing VPN - Examining system…

1:05:55 PM Establishing VPN - Activating VPN adapter…

1:05:55 PM Establishing VPN - Configuring system…

1:05:55 PM Establishing VPN…

1:05:55 PM Connected to Blanky Blank.

1:35:47 PM Reconnecting to Blanky Blank…

1:35:47 PM Establishing VPN - Examining system…

1:35:54 PM Establishing VPN - Activating VPN adapter…

1:35:54 PM Establishing VPN - Configuring system…

1:35:55 PM Establishing VPN…

1:35:55 PM Connected to Blanky Blank.

1:35:55 PM Reconnecting to Blanky Blank…

1:35:55 PM Establishing VPN - Examining system…

1:35:55 PM Establishing VPN - Activating VPN adapter…

1:35:55 PM Establishing VPN - Configuring system…

1:35:55 PM Establishing VPN…

1:35:55 PM Connected to Blanky Blank.

2:35:48 PM Reconnecting to Blanky Blank…

2:35:48 PM Establishing VPN - Examining system…

2:35:56 PM Establishing VPN - Activating VPN adapter…

2:35:57 PM Establishing VPN - Configuring system…

2:35:57 PM Establishing VPN…

2:35:57 PM Connected to Blanky Blank.

2:35:57 PM Reconnecting to Blanky Blank…

2:35:57 PM Establishing VPN - Examining system…

2:35:57 PM Establishing VPN - Activating VPN adapter…

2:35:57 PM Establishing VPN - Configuring system…

2:35:57 PM Establishing VPN…

2:35:57 PM Connected to Blanky Blank.

Edit:

So I had commented that IT rolled back Anyconnect to version 4.9 and that had fixed the problem. But it only fixed it for 5 days before the issue came back. It went up the chain and official word was that our VPN did not work with non-cable ISP (satellite, fiber optic, cellular) and I have T-mobile home internet. They basically washed their hands of it and said I either had to get cable internet or work in office more. Which I did not accept.

After getting admin access, I was able to test and confirm that it was an MTU packet size issue due to Tmobile having increased header size. I assume this would be a similar issue for other non-cable internet.

I’ll document the process for the next person who might have this issue.

Open CMD and type “netsh interface ipv4 show subinterface” and you should get something like this:

Default MTU is usually 1500. Here I’ve already adjusted mine down to 1452.

While connected to your vpn, start pinging a site. I used google in this example. The command is “ping -f -l 1500 www.google.com”. The 1500 is the mtu size.

This means mtu needs to be lowered

This means mtu is fine

If you need to lower mtu, then ping again with a lower mtu like 1480. I have read that anyconnect will auto round your mtu to the correct nearest size.

Once you have found a working mtu size, then enter this command:

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1472 store=persistent

Replace "Local Area Connection" with the vpn "Interface" name. The "persistent" means it'll stick through restarts. The other option is "active" which will only work until reset.
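The manual ping procedure from the post above, automated as a binary search (an added example, not part of the original post). ping's -l value is the ICMP payload size, so the packet on the wire is 28 bytes larger (20-byte IPv4 header plus 8-byte ICMP header). The function names Test-DfPing and Find-MaxPayload and the 1200-byte starting floor are assumptions made for this example.

```powershell
# Added example: find the largest ICMP payload that crosses the path with
# Don't Fragment set, then derive the path MTU. Run while connected to the VPN.
# Test-DfPing, Find-MaxPayload and the default bounds are illustrative assumptions.

function Test-DfPing {
    param([string]$HostName, [int]$PayloadSize)
    # ping.exe flags: -4 IPv4, -f Don't Fragment, -l payload bytes,
    # -n echo count, -w per-reply timeout in ms.
    $out = & ping.exe -4 -f -l $PayloadSize -n 2 -w 2000 $HostName 2>&1 | Out-String
    # Echo replies carry "TTL="; "needs to be fragmented" and timeouts do not.
    # ping.exe's exit code is not reliable for this, so match the text.
    return ($out -match 'TTL=')
}

function Find-MaxPayload {
    param(
        [string]$HostName = 'www.google.com',  # target used in the post
        [int]$Low  = 1200,                     # assumed floor that should pass
        [int]$High = 1472                      # 1500-byte MTU minus 28 header bytes
    )
    if (-not (Test-DfPing -HostName $HostName -PayloadSize $Low)) {
        throw "Payload $Low fails too: host unreachable, ICMP filtered, or MTU below $($Low + 28)."
    }
    # Invariant: $Low is known to pass; sizes above $High are assumed or known to fail.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-DfPing -HostName $HostName -PayloadSize $mid) {
            $Low = $mid
        } else {
            $High = $mid - 1
        }
    }
    return $Low
}

$payload = Find-MaxPayload
[pscustomobject]@{
    MaxPayloadBytes = $payload
    PathMtuBytes    = $payload + 28   # 20-byte IPv4 header + 8-byte ICMP header
}
```

PathMtuBytes is the number to compare against the MTU column shown by netsh interface ipv4 show subinterface.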

Create a DART File (settings - diagnostic) and check the logs for disconnect reason

A common issue is firmware bugs in ISP routers. Try upgrading the firmware on that device.

Maybe something in-line that has a connection timeout as 30 minutes is a rather…round…sort of timeout. Are you using DTLS at all?

As an end user, do I have access to that? All I see on my UI is the gear for “advanced window” and then “Preferences”, “Statistics”, “Route Details”, “Firewall”, and “Message History”.

Thanks for the suggestion. Router says it’s up to date.

I’m unsure as I’m not that knowledgeable about vpns, but someone over at Cisco said it may have to do with different versions of my anyconnect vs what the ASA has on file. Essentially might need to get IT to reinstall me whatever version anyconnect the rest of the company has. We shall see Monday!

You do, but it’s not here. Search for DART on your machine.

Yes, end users (if you have machine permissions) do

https://community.cisco.com/t5/security-knowledge-base/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025

If Anyconnect is configured properly, the head end will have a particular client version deployed and your client will upgrade to that version when it first connects

Thanks! I was able to get IT to enable DART for me.

Well it turns out it was not configured so nicely. Took like a day of IT thinking and they decided to roll my Anyconnect back to 4.9 to be inline with the rest of the company. And now it works again. Took forever. Thanks for your info!