Last month I deployed a remote access VPN solution based on Cisco IOS routers with webvpn and Cisco’s AnyConnect client. After some basic tests everything looked good until someone with Windows 8.1 tried to make a connection. The user complained that it took at least 20 seconds before the authentication prompt appeared after making the initial connection. And guess what, the user was right! It was even worse -> also Android and iOS showed the same behavior.
So we fired up wireshark and looked at the packets to see what was going. We discovered that AnyConnect sends a client hello message using TLS 1.2, the IOS routers send a [FIN, ACK], terminating the session. AnyConnect eventually tries to connect using TLS 1.0, but that process took over 20 seconds to complete. So I contacted TAC and they filled a bug for this case (CSCun89616).
The good news is that Cisco fixed this bug with creating a new software release. The bad news is that at the this very moment there is not a software release out where bug CSCun89616 is fixed and the router does not crash when using webvpn because of bug CSCug17485… 🙁
So to make a long story short; if you are running into this issue you can’t fix it without giving up stability. I’m still in contact with TAC, so when there is a stable release where both bugs are fixed, I will update this post.
Update may: In IOS versions 15.3(3)M3 and 15.4(3)M both bugs should be fixed.