We deployed a new Cisco ASA AnyConnect gateway and end users immediately reported constant disconnect/reconnect problems. In this case the fix was to set the AnyConnect MTU to 1200.
When a session is first established, the client builds an SSL/TLS tunnel over TCP 443 with a negotiated SSL MTU; after about a minute it tries to switch over to DTLS over UDP 443. If the DTLS MTU differs from the SSL MTU, the switch is visible to the user because the virtual adapter has to be re-established with the new value. To eliminate this, we set a single MTU that applies to both the SSL and DTLS tunnels. The ASA accepts a value between 256 and 1406; 1200 also leaves headroom for the DTLS/UDP/IP overhead on paths whose effective MTU is below 1500 (PPPoE, GRE or IPsec in the path), so the UDP tunnel is not fragmented. The MTU is pushed to the client at session setup, so existing sessions must reconnect before the change takes effect.
# figure out which group policy the tunnel group uses
sh run group-policy
# set one MTU for both the SSL and DTLS tunnels (valid range 256-1406)
conf t
group-policy MY_RA_VPN_GROUP attributes
 webvpn
  anyconnect mtu 1200
end
wr mem
# after clients reconnect, confirm the DTLS tunnel is established
show vpn-sessiondb detail anyconnect
# to view the current MTU of each adapter on a Windows PC, run
netsh interface ipv4 show subinterface
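To reason about which `anyconnect mtu` value is safe rather than guessing, it helps to work out the per-packet overhead the DTLS tunnel adds. The script below is an added example, not code from the post or from Cisco: it uses the standard IPv4/UDP/DTLS header sizes and record expansion for two common cipher families (assumed figures; the ASA's own accounting may differ by a few bytes), computes the largest inner MTU that fits an unfragmented outer datagram, and parses constructed `netsh interface ipv4 show subinterface` output to check the virtual adapter's MTU against a given path MTU.

```python
"""MTU budget check for an AnyConnect-style SSL/DTLS tunnel (added example)."""
import re

# Fixed header sizes (IPv4 without options).
IPV4_HDR = 20
UDP_HDR = 8
DTLS_RECORD_HDR = 13   # RFC 6347 record header: type, version, epoch, seq, length

# Bytes a record grows by beyond its header, per cipher family (assumed values).
CIPHER_EXPANSION = {
    "AES-GCM": 8 + 16,             # explicit nonce + 16-byte authentication tag
    "AES-CBC-SHA1": 16 + 20 + 16,  # IV + HMAC-SHA1 + worst-case block padding
}


def dtls_overhead(cipher):
    """Outer bytes added to each inner packet carried over DTLS/UDP/IPv4."""
    return IPV4_HDR + UDP_HDR + DTLS_RECORD_HDR + CIPHER_EXPANSION[cipher]


def max_tunnel_mtu(path_mtu, cipher):
    """Largest inner packet that still fits in one unfragmented outer datagram."""
    return path_mtu - dtls_overhead(cipher)


def dtls_fragments(tunnel_mtu, path_mtu, cipher):
    """True if a full-size inner packet exceeds the path MTU once wrapped."""
    return tunnel_mtu + dtls_overhead(cipher) > path_mtu


# One data row of 'netsh interface ipv4 show subinterface':
#   MTU  MediaSenseState  BytesIn  BytesOut  Interface name (may contain spaces)
NETSH_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_netsh_subinterfaces(text):
    """Map interface name -> MTU; header and separator lines do not match."""
    mtus = {}
    for line in text.splitlines():
        m = NETSH_ROW.match(line)
        if m:
            mtus[m.group(5)] = int(m.group(1))
    return mtus


def check_vpn_adapter(netsh_text, adapter, path_mtu, cipher):
    """Compare the VPN adapter's MTU with what the path can carry unfragmented."""
    mtu = parse_netsh_subinterfaces(netsh_text)[adapter]
    return {
        "adapter_mtu": mtu,
        "max_safe": max_tunnel_mtu(path_mtu, cipher),
        "fragments": dtls_fragments(mtu, path_mtu, cipher),
    }


# Constructed sample output, not captured from a real machine; "Ethernet 2"
# stands in for the AnyConnect virtual adapter after the 1200 change.
SAMPLE_NETSH = """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0          0  Loopback Pseudo-Interface 1
  1500                1  123456789   12345678  Wi-Fi
  1200                1     123456      12345  Ethernet 2
"""

if __name__ == "__main__":
    for path in (1500, 1492, 1400):
        for cipher in CIPHER_EXPANSION:
            print(f"path {path} {cipher:13s} max tunnel MTU {max_tunnel_mtu(path, cipher)}"
                  f"  1406 fragments: {dtls_fragments(1406, path, cipher)}")
    print(check_vpn_adapter(SAMPLE_NETSH, "Ethernet 2", 1492, "AES-CBC-SHA1"))
```

With the CBC figures, a tunnel MTU of 1406 only just fits a 1500-byte path and already fragments on a 1492-byte PPPoE path, which is the kind of situation a flat 1200 avoids. To find the real path MTU from a Windows client, send DF-bit pings of decreasing size to the headend (`ping -f -l 1372 <gateway>`; add 28 bytes of ICMP/IP header to the largest payload that gets through) and feed that number in as `path_mtu`.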
Tags: Anyconnect Cisco DTLS MTU SSL Tunnel VPN