Cisco Anyconnect VPN Stability on RT-AC68U

[ScottR]

Long time lurker first time poster.

I have been using Merlin for the last year with my AC68U without issue except for VPN issues with Cisco Anyconnect on my work laptop. When I am wireless, my VPN connection drops constantly... it's basically unusable. When I am hardwired, it works 95% of the time but occasionally it will become unstable too. I only see these VPN stability issues when I am connected to my AC68U. Here are some additional data points:

• I leave all of the settings at Merlin default

• I've had this issue with all Merlin builds from 378.53 -> 380.61 (I noticed my hardwired connection has been more stable on 380.61 than any other version)

• I've done the 30/30/30 reset many times

• I've tried tweaking settings from posts but nothing has seemed to help

I've never used the default ASUS firmware but I'm thinking I might have to move to it if this is a known issue. Hopefully there is a fix I have overlooked. Thanks for any help.

 

[sfx2000]

Might not be the router, but the Wireless Card - what adapter and driver version is in use there?

Cisco AnyConnect is usually very stable over just about any connection (including 3G even).

 

[ColinTaylor]

• I've done the 30/30/30 reset many times

FYI The 30/30/30 reset is a DD-WRT thing. Doesn't apply to Merlin.

While it is generally not necessary to restore to factory defaults, it's not a bad idea, especially if there is a big jump in version number (from 112 to 178 for example). No need to do the 30/30/30 dance as required by DD-WRT - just do a plain Factory Default reset, or turn the device on while keeping the WPS button pressed (procedure can be different from one model to another).

https://github.com/RMerl/asuswrt-merlin/wiki/Installation
http://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/

 

[rlcronin]

Not helpful, I know, but for what its worth I used AnyConnect for years with two different 68U's both running the Merlin firmware of the moment without any issues, although it was always with my laptop hardwired. The wireless card in it fried some years back and I never bothered to get it fixed. Sorry I can't run any tests on it or compare notes as I have since retired and don't have that laptop or use AnyConnect anymore.
--
Bob C

 

[cybrnook]

Long time lurker first time poster.

I have been using Merlin for the last year with my AC68U without issue except for VPN issues with Cisco Anyconnect on my work laptop. When I am wireless, my VPN connection drops constantly... it's basically unusable. When I am hardwired, it works 95% of the time but occasionally it will become unstable too. I only see these VPN stability issues when I am connected to my AC68U. Here are some additional data points:

• I leave all of the settings at Merlin default

• I've had this issue with all Merlin builds from 378.53 -> 380.61 (I noticed my hardwired connection has been more stable on 380.61 than any other version)

• I've done the 30/30/30 reset many times

• I've tried tweaking settings from posts but nothing has seemed to help

I've never used the default ASUS firmware but I'm thinking I might have to move to it if this is a known issue. Hopefully there is a fix I have overlooked. Thanks for any help.

I can confirm this same instability over wireless using cisco any connect. my company issued dell laptop with Intel wireless nic suffers terribly on asus merlin. not the WiFi connection itself, but the VPN connection. flaps about once every 20 minutes to an hour. even though WiFi connection is stable.

you're not crazy

 

[sfx2000]

A couple of links below (similar info in both) - the key thing is to enable logging in the client and debug from there.

http://www.cisco.com/c/en/us/td/doc...trator_Guide_4-0/troubleshoot-anyconnect.html

http://www.cisco.com/c/en/us/suppor...-firewalls/100597-technote-anyconnect-00.html

 

[westmc]

I use Cisco Anyconnect with my RT-AC68P and have never had a problem with any of the firmware versions, so whatever issue you are having is not 100%.

 

[woodyca]

I also use RT-AC68R with Cisco AnyConnect and basically find the VPN connection completely unstable. That is why I went to the extreme of downloading an alternative firmware in order to see if that would fix the problem before purchasing a new router different than Asus. I know it is specific to my home setup because I often travel and when using WiFi at the hotels, there are absolutely no issues with VPN connectivity for extended periods of time. At home about every 20mins I get "VPN Reconnecting" with Cisco AnyConnect client. My work IT will not do anything because there are not enough other users having the same problem so I am basically on my own to solve with whatever support I can find. I reached a dead-end with Asus support people.

Are there any logs that I can capture for anyone within this forum that could debug the issue and help restore VPN stability to maintain a connection? If anyone has the expertise and likes a challenge, I'd be happy to work with you to provide the logs necessary for troubleshooting. Asus support is not helpful at all.

 

[sfx2000]

Maybe find a different router...

I used AnyConnect to the office, and I work from home, so it's pretty much on from 8AM to 6PM most days...

Some tips - if you've gone beyond the factory firmware, check settings, esp. if one is also trying to run OpenVPN client mode on the same router...

 

[woodyca]

OpenVPN is not running on the router. Yes, I've tried factory firmware and also checking all settings as well as restoring to defaults.

 

[sfx2000]

Quick thought - are you on DSL?

I'm on cable for broadband - but thinking MTU sizing might cause a problem with PPPoE that DSL typically uses...

 

[woodyca]

I'm on cable broadband also, Cox. I've tried changing the MTU from 1500 to as low as 1300 with the custom firmware. This option was not available on the Asus firmware.

 

[RMerlin]

Make sure the IPSEC passthrough is enabled under WAN -> NAT Passthrough. It should already be by default, just double check.

 

[woodyca]

Thanks, yes ... IPSec passthrough is enabled under WAN.

 

[sfx2000]

Take a look here...

http://www.cisco.com/c/en/us/td/doc...trator_Guide_4-0/troubleshoot-anyconnect.html

 

[ScottR]

Just checking back in here. I flashed the stock firmware about 4 months ago and I haven't had any issues with VPN since. As a bonus, I have T-Mobile and my wi-fi calling isn't flaky anymore either. Not sure what was going on with Merlin. FYI I also had IPSEC passthrough enabled. I tried combinations of every option for months but just couldn't figure it out.

 

[squirrel]

A little late to the game, but I encountered this same situation this year as well, and spent months troubleshooting it. Unfortunately, like others, I found that Cisco AnyConnect VPN connections were completely unstable using recent builds of asuswrt (3.0.0.4.380.3264 or newer) and matching asuswrt-merlin derivatives. It was very frustrating to find all versions succumbing to this problem. 6 total RT-AC68Us were tested, on 3 different types of connections with 3 different ISPs, to no avail. Multiple devices (laptops, phones, tablets,etc) were all tested. All ultimately showed the same kinds of failures.

FIX: Installed latest version of kongs DD-WRT (DD-WRT v3.0-r31205M kongac (02/03/17)). All issues 100% resolved.

I am of the opinion that there is a fundamental flaw in the asuswrt firmware that prevents SSL/443 based VPNs from functioning properly over periods of time. Even with active use of the connection, the connection will still drop mid-activity for no reason. Logs indicate no response from the ASA. The only exception to this (which works most of the time), is having a constant ping running to an IP on the other side of my default gateway. Connection will stay mostly stable in this situation.

Again, DD-WRT fully resolved my issues. I REALLY wanted Merlin's build to be functional, but it just wasn't so. I'd be happy to assist in troubleshooting this further with other RT-AC68Us I have. Perhaps various timeouts or whatnot are to blame, but even if that were so, why would the connection drop within seconds of, or during the middle of active activity across the connection.

 

[woodyca]

Thanks for the post of sanity. I've been going crazy trying to get resolution of this. 4th RMA with ASUS they just don't get it and clearly don't support their own SW. I have no idea how they even come up with new versions. Certainly not based on user issues. I will search for the DD-WRT firmware and give that a try. Everything @squirrel highlights is exactly what I've been going through which has been a complete nightmare trying to get compatibility and a stable VPN connection. I usually resort to just shutting down the laptop when I drop the connection cuz it's a complete waste of time waiting another 15 mins for it to connect in order to complete a 30 sec task for work. Easier just to finish up in the morning at the office. I've contacted ASUS, ISP, work IT security team ... been working on this for almost a year now trying to get resolution. I find it amazing there are no logs that can be taken to debug/fix.

The one clear culprit is ASUS but they refuse to acknowledge it. I can remove the router and connect direct to the cable modem and life is good, but that's not a world we live in these days with a plethora of wireless connectivity. I've also tried LAN cable through the ASUS router and no luck either. Just something quirky with the way ASUS forwards the VPN packets.

 

[RMerlin]

Disable NAT acceleration.

 

[woodyca]

I can't remember if I've tried that one yet or not. Nonetheless, I turned it off and tested last night. I was not working long enough to know if I received a timeout/dropped the VPN. I'll continue testing and let you know. Thanks for giving another option to try.