Cisco 5505 Administration Guide - Page 97

Logging Off AnyConnect Client Sessions - router



Cisco AnyConnect VPN Client Administrator Guide, OL-12950-012, page 9-3
Chapter 9: Monitoring and Maintaining the AnyConnect Client
Viewing AnyConnect Client and SSL VPN Sessions

This command affects only the AnyConnect Client. The Cisco SSL VPN Client (SVC) is not capable of
adjusting to different MTU sizes.

The default size for this command in the default group policy is 1406. The MTU size is adjusted
automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS
overhead.

This command affects AnyConnect Client connections established in SSL and those established in SSL
with DTLS.

The following example configures the MTU size to 1200 bytes for the group policy telecommuters:

    hostname(config)# group-policy telecommuters attributes
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc mtu 1200

Many consumer-grade end user terminating devices (for example, a home router) do not properly handle
the creation or assembly of IP fragments. This is particularly true of UDP. Since DTLS is a UDP-based
protocol, it is sometimes necessary to reduce the MTU to prevent fragmentation. The MTU parameter is
used by both the client and the security appliance to set the maximum size of the packet to be transmitted
over the tunnel. If an end user is experiencing a significant amount of lost packets, or if an application
such as Microsoft Outlook is not functioning over the tunnel, it might indicate a fragmentation issue.
Lowering the MTU for that user or group of users may address the problem.

The client proposes an MTU value that is 94 bytes less than the MTU of the physical adapter used for
the SSL and DTLS connection to the security appliance. The security appliance accepts the lesser of the
configured MTU or the value proposed by the client. Both the client and the security appliance use the
value selected by the security appliance.

For example, if the physical adapter on the PC has been changed to use an MTU of 1300, then the client
proposes an MTU of 1206 to the security appliance. If the security appliance is set for a value lower than
1206, both the client and the security appliance use the lower value that was set using the MTU
configuration command.
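
The selection rule described above can be checked against a configuration before changing it. The following is an added example, not part of the Cisco guide: it reads group-policy blocks in the syntax shown above and computes the tunnel MTU each group would end up with for a given adapter MTU. The sample configuration and the function names are constructed, and it assumes that a group policy without its own svc mtu line inherits the default of 1406.

```python
import re

CLIENT_OVERHEAD = 94     # bytes the client subtracts from the adapter MTU (per the guide)
DEFAULT_SVC_MTU = 1406   # default group policy value stated in the guide

# Constructed sample configuration in the syntax shown above.
SAMPLE_CONFIG = """\
group-policy telecommuters attributes
 webvpn
  svc mtu 1200
group-policy engineering attributes
 webvpn
  svc keep-installer installed
"""

def parse_svc_mtu(config_text):
    """Return {group policy name: configured svc mtu} from ASA-style config text."""
    mtus, group, in_webvpn = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level line starts a new block; only group-policy blocks matter here.
            m = re.match(r"group-policy (\S+) attributes$", line)
            group, in_webvpn = (m.group(1) if m else None), False
            if group:
                mtus[group] = DEFAULT_SVC_MTU  # assumption: inherits the default
        elif group and line == "webvpn":
            in_webvpn = True
        elif group and in_webvpn:
            m = re.match(r"svc mtu (\d+)$", line)
            if m:
                mtus[group] = int(m.group(1))
    return mtus

def negotiated_mtu(adapter_mtu, configured_mtu):
    """Tunnel MTU both ends use: the lesser of the configured and proposed values."""
    proposed = adapter_mtu - CLIENT_OVERHEAD
    return min(configured_mtu, proposed)

def report(config_text, adapter_mtus):
    """Map (group, adapter MTU) to the negotiated tunnel MTU."""
    return {(g, a): negotiated_mtu(a, c)
            for g, c in parse_svc_mtu(config_text).items()
            for a in adapter_mtus}

if __name__ == "__main__":
    for (group, adapter), mtu in sorted(report(SAMPLE_CONFIG, [1500, 1300]).items()):
        print(f"{group:14} adapter={adapter:4} -> tunnel MTU {mtu}")
```

With an adapter MTU of 1300, the engineering group lands on the client's proposal of 1206, while telecommuters stays at its configured 1200.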

Logging Off AnyConnect Client Sessions

To log off all AnyConnect Client and SSL VPN sessions, use the vpn-sessiondb logoff svc command in
global configuration mode:

    vpn-sessiondb logoff svc

In response, the system asks you to confirm that you want to log off the VPN sessions. To confirm press
Enter or type y. Entering any other key cancels the logging off.

The following example logs off all SSL VPN sessions:

    hostname# vpn-sessiondb logoff svc
    INFO: Number of sessions of type "svc" logged off : 1
    Do you want to logoff the VPN session(s)? [confirm]
    INFO: Number of sessions logged off : 6
    hostname#

You can log off individual sessions using either the name option, or the index option:

    vpn-sessiondb logoff name name
    vpn-sessiondb logoff index index

For example, to log off the user named tester, enter the following command:

    hostname# vpn-sessiondb logoff name tester
    Do you want to logoff the VPN session(s)? [confirm]