Cisco Bug: CSCvt33443 - ENH: Support Different Public IPs for AnyConnect TLS and DTLS Sessions

Last Modified

Jun 18, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3.7)

Description (partial)

Symptom:
Different services such as carrier-grade NAT and per-flow load-balancing can give a client multiple public IP addresses for different traffic flows. AnyConnect's TLS parent session may end up arriving at an ASA/FTD with one public IP while the DTLS session arrives with another.

Currently, we do not support this scenario. When an ASA/FTD receives a packet for the same AnyConnect session from a different source IP, it assumes that the client has roamed to a new network. All return traffic is then sent to the second IP, effectively blocking the first session.

Conditions:
Seen with AnyConnect 4.8 and ASA 9.12 / FTD 6.5