Uh-oh — it looks like Google could be in hot water with the many people using VPN for corporate connections. A bug has been discovered in Android 4.4 that could result in high amounts of packet loss, unusually high CPU load on host machines, and more. Cisco identified and submitted the bug to Google, offering up the following explanation:
Due to a bug in Android 4.4 (KitKat) reported to Google under Issue #61948, AnyConnect users will experience High Packet Loss over their VPN connection (users will experience timeouts when attempting to access certain network resources). In the ASA logs, a syslog message will appear with text similar to “Transmitting large packet 1420 (threshold 1405).”
Some are saying that this bug can also affect more than those who use Cisco AnyConnect. The apparent problem is that the Android 4.4 TCP protocol shows an incorrect “maximum segment size” for VPN packet transfers, making way for all the aforementioned issues. The end-result could be corrupted pieces of data, and disconnection from the network.
How to fix it
Thankfully Cisco does have a solid workaround while waiting for Google to catch wind of the situation:
Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the ASA with the configuration command “sysopt connection tcpmss <mss size>”. The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365.
It sounds a bit messy, so we hope Google can get around to providing an actual fix sooner rather than later. We’ll be hitting them up to see if they’re aware of this bug, and we’ll be sharing anything we hear back. Be sure to comment and star the issue over at the issue tracker if you want to help speed things along.