The VPN connection to the secure gateway was interrupted and could not be automatically re-established. A new connection is necessary, which requires re-authentication.

Client Issue:

  • Flaky connections
  • Nondeterministic reconnects

Troubleshooting:

  • Does the client have IPv4, IPv6 or dual stack in the local LAN?
  • Does the local provider provide IPv4, IPv6 or dual stack to the local LAN?
  • Run IPv4 and IPv6 traceroutes from the VPN client towards the VPN gateways
  • If there are multiple gateways, traceroute to all of them
  • Check MTU Size:

Analysis:

  • Is the client's next hop on the provider side showing 192.0.0.1 in the traceroute?
  • If so, that's an indication that the provider has deployed DS-Lite.
  • DS-Lite is an IPv6 transition mechanism widely deployed in Europe by cable providers such as Liberty Global (UPC, Unitymedia, …), Vodafone, Versatel, Kabel Deutschland and others.
  • It works together with an AFTR (a carrier-grade NAT system) that carries users from their native IPv6 home connections to the IPv4 world.
  • Multiple users therefore share a single external IPv4 address using this system.
  • See RFC 6333 for more information.
  • That doesn't go well with VPN tunnel technologies like Cisco AnyConnect Secure Mobility Client.
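The traceroute check above can be scripted. The following is an added example, not part of the original note: it scans saved `traceroute` or `tracert` output for hops answering from 192.0.0.0/29, the range RFC 6333 reserves for DS-Lite (192.0.0.1 for the AFTR). The function name, hostnames and sample traces are constructed for illustration.

```python
import ipaddress
import re

# RFC 6333 reserves 192.0.0.0/29 for the DS-Lite softwire: 192.0.0.1 is the
# provider's AFTR, 192.0.0.2 the B4 element in the home router.
DSLITE_NET = ipaddress.ip_network("192.0.0.0/29")

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")  # "<hop number> <rest of line>"
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def find_dslite(trace_text):
    """Return [(hop_number, address)] for hops answering from 192.0.0.0/29.

    Accepts output of Linux/macOS `traceroute` and Windows `tracert`.
    """
    hits = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank line, "Trace complete."
        seen = set()  # traceroute prints "host (ip)", so an address can repeat
        for cand in IPV4_RE.findall(m.group(2)):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:
                continue  # four dotted numbers that are not a valid address
            if addr in DSLITE_NET and addr not in seen:
                seen.add(addr)
                hits.append((int(m.group(1)), str(addr)))
    return hits


# Constructed sample traces (documentation addresses, hypothetical gateway name).
SAMPLE_DSLITE = """\
traceroute to vpn.example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.204 ms  1.101 ms  1.377 ms
 2  192.0.0.1 (192.0.0.1)  12.530 ms  11.902 ms  12.114 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  21.870 ms  22.004 ms  21.655 ms
"""
SAMPLE_NATIVE = SAMPLE_DSLITE.replace("192.0.0.1", "198.51.100.1")

if __name__ == "__main__":
    for name, trace in (("ds-lite", SAMPLE_DSLITE), ("native", SAMPLE_NATIVE)):
        print(name, find_dslite(trace) or "no DS-Lite hop seen")
```

An empty result only means no hop answered from the DS-Lite range; hops that do not reply (`* * *`) cannot be classified.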

Solution:

  • Open a ticket with the DSL provider and ask them to change your connection from DS-Lite to DS (native dual stack).
  • In most cases they need a valid reason to do so. Tell them that you need native dual stack for business so that your VPN client can work properly.
  • Good Luck!