Thanks for that but I'd actually read that and none of it was relevant for this issue. Even the link to the wider troubleshooting article only deals actual connection failures, which we don't suffer from.

---

@PhilipDAth wrote:

> is like a cloud-managed, stripped down version of direct MX/ASA-based VPN access

 

I would say the opposite.  It's more like it's on steroids rather than stripped down.  It is very feature rich.

 

> it initially connects, then immediately disconnects and reconnects, at least two times.

 

The client requires both UDP and TCP to operate at its best.  I have seen many deployments where only TCP was allowed in the site firewall.  Check upstream firewalls for the Ethernet.

 

Is the Ethernet and WiFi networks behind the same site firewall, and using the same Internet connection?

 

 

To test for an MTU issue, on a Windows machine, run this command to find the name of the wired Ethernet adaptor:

netsh interface ipv4 show subinterface 

Then temporarily change the MTU with something like:

netsh interface ipv4 set subinterface “Ethernet” mtu=1200

If that stops the issue - you know you have an MTU issue.  If it keeps happening - look for a different issue.

Don't get me wrong, it's a great solution and it is very reliable but the configuration options within the web interface are very limited. A lot of the work involves hacking around with XML/config file settings, where a lot of this would be configurable within the VPN setup on the appliance for on-premise setups.

UDP traffic is a good call as I know the lack of DTLS connection can cause issues but we see no issues when connecting via WiFi behind the same environment, with the same policies applied. Having said that, I have just noticed from trawling the logs manually (Cisco/Meraki support didn't mention it) that a DTLS connection is brought up a little while after the TLS connection is made but after a few error events, is closes again, presumably falling back to TLS only. I'll pick this up separately and troubleshoot.

I've checked all the MTU settings and there is nothing untoward. We actually even have MTU set to 1280 in our config files so that setting will be applying regardless of the underlying adapter being used.

You just reminded me of a problem I once saw.

The machines were getting 100MB/s wired connections - but the WiFi was FASTER than the wired connection, so the machines kept swapping over to their WiFi connection.

That would be more than a bit frustrating! I think the default Windows 11 mechanism is to only connect to WiFi if ethernet is not available. Kind of resolves that 'two default routes not allowed' problem.

> I think the default Windows 11 mechanism is to only connect to WiFi if ethernet is not available.

Negative.  It connects to both, and lays in a default route to both using an interface metric.  The lowest metric wins.  The fastest reported access speed gets the lowest metric.

Here is a snapshot of the routing table on my machine.  Do you see how I have two default routes?  The one with the metric of 30 (which is my WiFi) is currently winning.

Ah so the plot thickens and that's useful to know. Is that two default route thing only while you're connected to the VPN or just generally while the machine is in use? 

I've just done a check and if I'm just using the machine without VPN, my WiFi adapter stays disconnected and the LAN adapter is, correctly, the only default route in the routing table:

For your default route battle, I suppose it's using the reported link speed value, which if you're WiFi 6E/7 could well exceed your (presumably) gigabit network card? OR it's just completely random!

If I connect to the VPN, I can see the WiFi adapter does indeed connect and adds in the additional default route within Windows, but the WiFi has a higher metric than LAN, with the VPN route much lower than all others, obviously.

Checking the AnyConnect VPN logs though, I can see it strips the WiFi route from its own table, after a bit of a recalculation and this is what causes my session reconnections.

Then it continues rock solid for the whole day.