Major VPN bug in Android 4.4 leaves enterprise users with packet loss, connection errors

Uh-oh — it looks like Google could be in hot water with the many people using VPN for corporate connections. A bug has been discovered in Android 4.4 that could result in high amounts of packet loss, unusually high CPU load on host machines, and more. Cisco identified and submitted the bug to Google, offering up the following explanation:


Due to a bug in Android 4.4 (KitKat) reported to Google under Issue #61948, AnyConnect users will experience High Packet Loss over their VPN connection (users will experience timeouts when attempting to access certain network resources). In the ASA logs, a syslog message will appear with text similar to “Transmitting large packet 1420 (threshold 1405).”

Some are saying that this bug affects more than just those who use Cisco AnyConnect. The apparent problem is that the Android 4.4 TCP implementation shows an incorrect “maximum segment size” (MSS) for VPN packet transfers, which leads to all the aforementioned issues. The end result could be corrupted pieces of data and disconnection from the network.

How to fix it

Thankfully Cisco does have a solid workaround while waiting for Google to catch wind of the situation:

Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the ASA with the configuration command “sysopt connection tcpmss <mss size>”. The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365.
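The arithmetic in Cisco's workaround, as an added example that is not part of Cisco's advisory or the original article: it scans log lines for the quoted message, takes the largest packet-over-threshold difference, and subtracts it from the configured MSS. It goes slightly beyond the single case in the text by handling several log lines and a non-default starting MSS; the sample lines, their timestamp and hostname prefix, and the function names are constructed for illustration.

```python
import re

# Phrase quoted in the advisory text; anything before it on the line is ignored.
LARGE_PACKET = re.compile(r"Transmitting large packet (\d+) \(threshold (\d+)\)")

DEFAULT_TCPMSS = 1380  # ASA default for "sysopt connection tcpmss", per the advisory


def worst_overshoot(log_lines):
    """Largest (packet size - threshold) seen in the logs, or 0 if none."""
    worst = 0
    for line in log_lines:
        match = LARGE_PACKET.search(line)
        if not match:
            continue
        packet, threshold = int(match.group(1)), int(match.group(2))
        worst = max(worst, packet - threshold)
    return worst


def recommended_tcpmss(log_lines, current_mss=DEFAULT_TCPMSS):
    """Upper bound for tcpmss: the configured value minus the worst overshoot."""
    return current_mss - worst_overshoot(log_lines)


def workaround_command(log_lines, current_mss=DEFAULT_TCPMSS):
    """The sysopt line to apply, or None when no oversize packets were logged."""
    if worst_overshoot(log_lines) == 0:
        return None
    return f"sysopt connection tcpmss {recommended_tcpmss(log_lines, current_mss)}"


# Constructed sample input: only the "Transmitting large packet" phrase comes
# from the page; the prefix and the unrelated middle line are made up.
SAMPLE_LOG = [
    "Nov 12 10:01:22 asa-vpn-01 : Transmitting large packet 1420 (threshold 1405).",
    "Nov 12 10:01:23 asa-vpn-01 : unrelated message (constructed filler line)",
    "Nov 12 10:01:25 asa-vpn-01 : Transmitting large packet 1412 (threshold 1405).",
]

if __name__ == "__main__":
    print(workaround_command(SAMPLE_LOG))
```

If the MSS has already been lowered once, pass the value currently configured on the ASA as `current_mss` so the reduction is applied to that value and not to the default.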

It sounds a bit messy, so we hope Google can get around to providing an actual fix sooner rather than later. We’ll be hitting them up to see if they’re aware of this bug, and we’ll be sharing anything we hear back. Be sure to comment and star the issue over at the issue tracker if you want to help speed things along.

[via XDA]




  • toomuchgame441

    Pretty embarressing…

    • Mr. Smith

      Troll much ?

      • toomuchgame441

        troll troll, troll ya boat… gently down the stream!

        • Cesar Ortiz

          ._.

        • TONY ALDO

          merrily merrily merrily a patch is coming faster than it seems.

          • Cesar Ortiz

            nicely finished that song there buddy. You rock.

          • ari_free

            I would’ve added another ‘merrily’ but yeah :)

    • Cesar Ortiz

      *Embarrassing

      • toomuchgame441

        Don’t be THAT guy Cesar…

        • Cesar Ortiz

          Grammar Nazi? ._.

          • EarlyMon

            Spelling Nazi. There’s a difference but not by much. :D

          • Cesar Ortiz

            mein Führer.

        • ari_free

          Will you fix your typo faster than Google will fix KitKat?

  • Simon Belmont

    Another issue I’ve noticed in KitKat on my Nexus 5 is with the updated stock email client. It acts like it’s downloading attached pictures, but it never puts them in the gallery.

    Then the AttachmentDownloadService service just keeps running infinitely, unless I force stop it. The ironic thing is, if I go back to my Galaxy Nexus running Android 4.3, it works flawlessly. So, it can’t be a mail server issue. I hope Google fixes this in Android 4.4.1.

    • Josephus

      I experience the same issue with my HTC Rezound running 4.0.3

      • Simon Belmont

        That stinks. I actually had an EVO 3D (Android 4.0.3) prior to my G’Nex (and N5) and the stock HTC email app worked fine for attachments.

        I might give K-9 Email a shot, if Google doesn’t fix this. I get a lot of emails with attachments, so it would be nice if it actually worked.

        • Josephus

          I don’t even use the stock app (except for work), I use the gmail app itself

  • Cesar Ortiz

    The only closest Cisco device we have in our company is only a Linksys Wireless G Router, which has only been used as a switch atm. Way better than a T-link mini switch we have.

  • JaswinderSinghJammu

    Did anyone try the Foxfi on Nexus 5 yet? I am on T Mobile

    • Kam Siu

      Cause of the problem is because in KitKat, the APN is directed to pcweb.tmobile.com, which verifies if you have a mobile hotspot plan. The fix is simple if you’re rooted. Only took less than 5 minutes. http://forum.xda-developers.com/showpost.php?p=47203432&postcount=70

      • JaswinderSinghJammu

        Thanks Kam. I have about 2.5 GB on the hotspot; if I am running out of data every month then I will try the XDA method

  • Troy

    I’ve never understood the fascination of being first to get new versions that Nexus owners tout as an advantage. There will always be bugs like this and app incompatibilities. I’m quite happy being on the n-1 release while the Nexus people beta test for me.

    • a) youth.in.asia

      Haha. But Google is a lot better with their software than Apple, who releases patch after patch.. you would think Apple was making a quilt with all of their patches

      • lolwut

        That’s silly

    • danbob999

      Non-nexus devices have their own bugs added by the manufacturer’s custom skin.

  • aergern

    Seriously, I doubt there are THAT many N5 users howling about this. If 4.4 was already on the Nexus tablets, Google Play editions (S4/HTC) then I might buy it. This seems like a case of Chicken Little … 4.4.1 or .2 will fix this before it affects 99.7% of Android users. :/

    • http://google.com/+derekross Derek Ross

      It’s still a major issue that needs to be fixed. It’s part of AOSP and needs fixed before vendors start building OEM ROMs for their devices.

      If you were a Nexus 5 user and could not get work done via mobile, you would be pissed. I know if my Moto X upgraded to KK with this bug, I would be pissed. You obviously are not a corporate user that relies on a VPN to do business.

      • John Atkinson

        It’s hardly the end of the world. Just use TSG and/or web portals such as sharepoint for your users.
        End-user VPN connections are not something that you need in 2013.

  • Crystal Ciccone

    This is why I only use Blackberry!!!!!!

  • Crystal Ciccone

    You can’t beat the security of a BlackBerry

    • shadyguy

      Android has the same level of security as BB10. SELinux, runtime scanning, etc. make it almost impossible to hack. Same as iOS.

  • ericdabbs

    I hope Google packs in a few more bug fixes and adds some small features when they release Android 4.4.1