On Fri, Feb 14, 2014 at 11:51 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> I noticed that this pattern is on several other logs posted before. So
> it seems that anyconnect handles the rekey of the TLS channel and simply
> reconnects the DTLS channel at the same moment (I see that there isn't
> even a configuration option to change the rekey time of DTLS).

When comparing your new rekey code to what is in the existing start_cstp_connection(), it occurred to me that we may be operating under different assumptions: in your experimentation with Cisco AnyConnect clients, do you see them sending a brand new DTLS master secret during rekey (à la commit 9d2b41dc8), or merely re-handshaking / re-establishing the DTLS session in order to generate new session keys?

To address your other point, I have found that many of the X-CSTP-* and X-DTLS-* options have identical values and cannot be configured independently on the ASA. On my box, compression is the only option that allows separate settings under "anyconnect dtls <opt>".