The VPN connection to the secure gateway was interrupted and could not be automatically re-established. A new connection is necessary, which requires re-authentication.
Client Issue:
- Flaky connections
- Nondeterministic reconnects
Troubleshooting:
- Does the client have IPv4 or IPv6 or dual stack in local LAN?
- Does the local provider provide IPv4 or IPv6 or dual stack in local LAN?
- IPv4 and IPv6 traceroute from the VPN client towards the VPN gateways
- If there are multiple gateways, traceroute to all of them
- Check MTU size:
  - Run cmd.exe with admin privileges
  - netsh interface ipv4 show interfaces
  - Determine the Interface-ID
  - netsh interface ipv4 set subinterface "Interface-ID" mtu=1100 store=persistent
Analysis:
- Is the client's next hop on the provider side showing 192.0.0.1 in the traceroute?
- If so, that’s an indication of them having deployed DS-LITE
- DS-Lite is an IPv6 transition mechanism widely deployed in Europe by cable providers such as Liberty Global (like UPC, Unitymedia, …), Vodafone, Versatel, Kabel Deutschland and others.
- That goes together with AFTR (carrier grade NAT system) to transition users from their native IPv6 home connections to the IPv4 world.
- Therefore multiple users share a single external IPv4 address using this system.
- Please check RFC 6333 for more information.
- That doesn’t go well with VPN tunnel technologies like Cisco AnyConnect Secure Mobility Client.
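
The traceroute check from the analysis above, as an added example that is not part of the original note: a Python script that parses saved Windows tracert or Unix traceroute output and flags hops in 192.0.0.0/29, the range RFC 6333 reserves for DS-Lite (192.0.0.1 is the AFTR side). The function names and both sample traces are constructed for illustration.

```python
import ipaddress
import re

# RFC 6333 reserves 192.0.0.0/29 for the DS-Lite B4 <-> AFTR link;
# 192.0.0.1 is the AFTR address the analysis above tells you to look for.
DSLITE_NET = ipaddress.ip_network("192.0.0.0/29")
AFTR_ADDR = ipaddress.ip_address("192.0.0.1")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")      # "<hop number> <rest>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed sample traces (hypothetical names, documentation addresses).
SAMPLE_DSLITE = """Tracing route to vpn.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    11 ms    10 ms    12 ms  192.0.0.1
  3     *        *        *     Request timed out.
  4    18 ms    17 ms    19 ms  203.0.113.10
"""
SAMPLE_NATIVE = """traceroute to vpn.example.com (203.0.113.10), 30 hops max
 1  router.lan (192.168.0.1)  0.512 ms  0.433 ms  0.401 ms
 2  198.51.100.1 (198.51.100.1)  9.120 ms  9.004 ms  8.870 ms
 3  203.0.113.10 (203.0.113.10)  17.300 ms  17.210 ms  17.150 ms
"""

def parse_hops(trace_output):
    """Return [(hop_number, IPv4Address)] from tracert/traceroute text."""
    hops = []
    for line in trace_output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header, blank line, or trailer
        for candidate in IPV4.findall(m.group(2)):
            try:
                hops.append((int(m.group(1)), ipaddress.ip_address(candidate)))
            except ValueError:
                pass  # looked like an address but octets out of range
    return hops

def dslite_indicators(trace_output):
    """Return the hops that fall inside the DS-Lite reserved range."""
    findings = []
    for hop, addr in parse_hops(trace_output):
        if addr in DSLITE_NET:
            role = "AFTR" if addr == AFTR_ADDR else "DS-Lite link"
            findings.append({"hop": hop, "ip": str(addr), "role": role})
    return findings
if __name__ == "__main__":
    for name, trace in (("dslite", SAMPLE_DSLITE), ("native", SAMPLE_NATIVE)):
        print(name, dslite_indicators(trace) or "no DS-Lite hop seen")
```

Run it over the saved trace toward each VPN gateway; an empty result means no hop in the DS-Lite range answered, which does not by itself rule out other carrier-grade NAT.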
Solution:
- Open a ticket with the DSL provider and ask them to change your connection from DS-Lite to DS.
- In most cases they need a valid reason to do so. Tell them that you need native dual stack for business so that your VPN client can work properly.
- Good Luck!