Kevin, you have relatively easy access to ASAs for testing, don't you?

I'm chasing up a packet loss issue that I suspect might be related to http://rt.openssl.org/Ticket/Display.html?id=1752&user=guest&pass=guest which I fixed in OpenSSL a few years ago.

It looks like when DTLS packets are reordered in transit, the ASA is dropping the out-of-order ones.

Since I have dual bonded ADSL lines, I see a lot more packet reordering than normal people might. And if I send a packet which is just larger than the VPN MTU, that gets split into two fragments each in their own DTLS packet - and the shorter one, although sent last, is fairly much guaranteed to overtake the longer one in transit over the Internet. Causing the ASA to *drop* the longer one when it does arrive.

Are you able to test this?

-- 
dwmw2
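
The reordering case described in the message above, as an added example (not code from the message, from OpenSSL or from the ASA): a sliding-window anti-replay check accepts the late long fragment, while a receiver that only accepts increasing sequence numbers drops it. The `strict_accept` model, the 64-record window and the sample arrival order are assumptions constructed for illustration; what the ASA actually does is not established here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define WINDOW 64 /* how many records behind the newest are still tracked */

struct replay_state {
    bool started;     /* false until the first record arrives */
    uint64_t max_seq; /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set: record (max_seq - i) already accepted */
};

/* Sliding window: a late record is accepted once if it is inside the window. */
static bool window_accept(struct replay_state *s, uint64_t seq) {
    if (!s->started || seq > s->max_seq) {
        uint64_t shift = s->started ? seq - s->max_seq : WINDOW;
        s->bitmap = (shift >= WINDOW ? 0 : s->bitmap << shift) | 1;
        s->max_seq = seq;
        s->started = true;
        return true;
    }
    uint64_t off = s->max_seq - seq;
    if (off >= WINDOW || (s->bitmap & (1ULL << off)))
        return false; /* too old, or a duplicate */
    s->bitmap |= 1ULL << off;
    return true;
}

/* Hypothetical strict receiver (assumption): drops anything not newer than max_seq. */
static bool strict_accept(struct replay_state *s, uint64_t seq) {
    if (s->started && seq <= s->max_seq)
        return false;
    s->started = true;
    s->max_seq = seq;
    return true;
}

/* Constructed arrivals: short fragment 4 overtakes long fragment 3; last 4 is a duplicate. */
static const uint64_t ARRIVALS[] = {1, 2, 4, 3, 4};

/* Run one acceptance policy over ARRIVALS and count the records it lets through. */
static int count_accepted(bool (*accept)(struct replay_state *, uint64_t)) {
    struct replay_state s = {0};
    int n = 0;
    for (size_t i = 0; i < sizeof ARRIVALS / sizeof ARRIVALS[0]; i++)
        n += accept(&s, ARRIVALS[i]);
    return n;
}

int main(void) {
    printf("window=%d strict=%d\n", count_accepted(window_accept), count_accepted(strict_accept));
}
```

The window receiver delivers all four distinct records and rejects only the duplicate; the strict model also loses record 3, which is the symptom described above.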