Forum Discussion
SSL offload from Cisco ASA5520
I am trying to offload SSL connections (Anyconnect and clientless) to F5 LTM and then (re-encrypt and) pass through to available VPN gateway (Cisco 5520).
This works but the AnyConnect client will continuously disconnect and reconnect every second and not pass any traffic.
Has anyone observed (and resolved) this behaviour?
A TAC case has also been logged with Cisco for this.
Thanks, Dan
5 Replies
- dansmaaash_1158
Nimbostratus
Some more info: SSL offloading works and the VPN client builds a tunnel through to the ASA. PING tests with a packet size of 1371 bytes (or lower) work and the tunnel is stable with no loss. With PING sizes of 1372+ bytes the tunnel drops and reconnects. Possibly related to the DF bit being set by the F5? Anyone have any ideas?
- dansmaaash_1158
Nimbostratus
Solution was related to fragmentation between the F5 and Cisco ASA.
- What_Lies_Bene1
Cirrostratus
Thanks Dan, good to know. PMTUD would sort this kind of thing out if anyone ever let ICMP through their firewall!
- wilken_151979
Nimbostratus
Hi, could you please tell what the solution was? I'm having the same problem.
- Binh_Thai
Nimbostratus
I ran into the same problem with a similar deployment (LTM performing client-ssl & server-ssl before forwarding traffic to an ASA 5580). The ASA firewall is running v9.1.4 & AnyConnect v3, and I found the following link that describes the problem:
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html
I tried using the workarounds on the firewall as outlined in the link above, but none of them worked for me. Finally, to fix this issue, I created another virtual server which load balances DTLS (UDP 443) to the ASA firewall, and the AnyConnect issues disappeared.
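The pair of virtual servers described in this reply, expressed in tmsh as an added example that is not part of the original thread or the poster's configuration; the object names, the 192.0.2.10 VIP and the 10.10.10.5 ASA member are placeholders, and the profile names are the BIG-IP defaults.

```tmsh
# Pool of ASA VPN gateways (member address is a placeholder)
create ltm pool pool_asa_vpn members add { 10.10.10.5:443 } monitor gateway_icmp

# TCP 443: SSL offload on the LTM, re-encrypted towards the ASA (client-ssl + server-ssl)
create ltm virtual vs_anyconnect_tcp destination 192.0.2.10:443 ip-protocol tcp \
    profiles add { tcp clientssl serverssl } pool pool_asa_vpn \
    source-address-translation { type automap }

# UDP 443: DTLS is passed through untouched so the AnyConnect tunnel does not flap
create ltm virtual vs_anyconnect_dtls destination 192.0.2.10:443 ip-protocol udp \
    profiles add { udp } pool pool_asa_vpn \
    source-address-translation { type automap }
```

With more than one ASA in the pool, source-address persistence with match-across-virtuals would be needed so the TCP and DTLS sessions of one client reach the same gateway; finish with `save sys config`.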