Symptom
An AnyConnect client is able to connect successfully with TLSv1.2, but the DTLSv1.2 session fails to complete. From a user perspective you'll see an AnyConnect popup in the bottom right that says 'Connected: '. Shortly after, a 'Reconnecting' popup will appear. It will cycle back and forth a few times before staying on 'Connected'. Opening the AnyConnect advanced settings (the gear icon) you'll see the Protocol is TLSv1.2 and not DTLSv1.2. Similarly, checking the output of 'show vpn-sessiondb anyconnect' on the firewall will show the session protocol is TLS only (no DTLS tunnel).
Conditions
FTD upgraded from 6.6.5 to a later release with FIPS enabled. AnyConnect version is 4.10.05xx and the following counter (seen in 'show counters' output) increments each time the DTLS session fails to establish:
Protocol      Counter                         Value    Context
SSLERR        SESSION_ID_CTXT_UNINITIALIZED   3        Summary
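The two checks above (sessions that negotiated only a TLS tunnel, and the SSLERR counter increasing between two snapshots) are easy to script when you are triaging several firewalls. The following is an added example written for this page, not Cisco code or output from the bug itself: it parses captured 'show vpn-sessiondb anyconnect' and 'show counters' text. The sample output embedded in it is constructed in the approximate layout of those commands (the tunnel names 'SSL-Tunnel' / 'DTLS-Tunnel' on the Protocol line are the ones the session database prints), so you would replace the constants with text pasted from your own device.

```python
import re

# Constructed sample of 'show vpn-sessiondb anyconnect' output, trimmed to the
# fields this check reads. 'alice' negotiated DTLS; 'bob' is stuck on the
# TLS tunnel only, which is the symptom this bug describes.
SAMPLE_SESSIONDB = """\
Session Type: AnyConnect

Username     : alice                  Index        : 11
Assigned IP  : 10.10.0.11             Public IP    : 198.51.100.11
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256

Username     : bob                    Index        : 12
Assigned IP  : 10.10.0.12             Public IP    : 198.51.100.12
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
"""

# Constructed 'show counters' snapshots taken a few minutes apart, while a
# client was cycling between 'Connected' and 'Reconnecting'.
SAMPLE_COUNTERS_BEFORE = """\
Protocol      Counter                         Value    Context
SSLERR        SESSION_ID_CTXT_UNINITIALIZED   3        Summary
"""
SAMPLE_COUNTERS_AFTER = """\
Protocol      Counter                         Value    Context
SSLERR        SESSION_ID_CTXT_UNINITIALIZED   5        Summary
"""


def parse_sessions(text):
    """Return {username: [tunnel tokens]} from 'show vpn-sessiondb anyconnect' text."""
    sessions = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            sessions[current] = []
            continue
        m = re.match(r"Protocol\s*:\s*(.+)", line)
        if m and current:
            sessions[current] = m.group(1).split()
    return sessions


def tls_only_sessions(text):
    """Usernames whose session has an SSL (TLS) tunnel but no DTLS tunnel."""
    return sorted(user for user, tunnels in parse_sessions(text).items()
                  if "SSL-Tunnel" in tunnels and "DTLS-Tunnel" not in tunnels)


def parse_counters(text):
    """Return {(protocol, counter): value} from 'show counters' text.

    The header row is skipped because its third column ('Value') is not numeric.
    """
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].isdigit():
            counters[(parts[0], parts[1])] = int(parts[2])
    return counters


def counter_delta(before, after, proto="SSLERR",
                  name="SESSION_ID_CTXT_UNINITIALIZED"):
    """How much the named counter grew between two 'show counters' snapshots."""
    b = parse_counters(before).get((proto, name), 0)
    a = parse_counters(after).get((proto, name), 0)
    return a - b


def diagnose(sessiondb, counters_before, counters_after):
    """Combine both signals: TLS-only sessions plus a rising SSLERR counter."""
    stuck = tls_only_sessions(sessiondb)
    delta = counter_delta(counters_before, counters_after)
    return {"tls_only": stuck, "sslerr_delta": delta,
            "matches_bug": bool(stuck) and delta > 0}


if __name__ == "__main__":
    print(diagnose(SAMPLE_SESSIONDB, SAMPLE_COUNTERS_BEFORE, SAMPLE_COUNTERS_AFTER))
```

A TLS-only session on its own is not conclusive (UDP 443 may simply be blocked on the path, which also leaves the client on TLS), so the script only reports a match when the SSLERR counter is also climbing between snapshots.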
Workaround
None, other than running 6.6.5 or earlier or not using FIPS. Note that FIPS cannot be disabled on FTD once it has been enabled; to 'disable' FIPS as a workaround you would actually have to reimage the device.
For at least one customer, disabling DTLS brought some improvement: the client then stays on the TLS tunnel without attempting DTLS, so the 'Connected' / 'Reconnecting' cycling described above does not occur.
Further Problem Description