topic Re: Anyconnect VPN issues in Network Security

Anyconnect VPN issues

trilerian1 — Wed, 18 Oct 2023 19:30:33 GMT

Having a weird issue with anyconnect VPN. I am running 2 5545 ASAs in HA. If I am on my secondary ASA a specific vpn profile works just fine. However if I failover to my primary ASA, Anyconnect comes back with the following error.

AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Other profiles however seem to work.

Re: Anyconnect VPN issues

Rob Ingram — Wed, 18 Oct 2023 19:36:41 GMT

@trilerian1 any reason why the secondary was active in the first place? Was there an issue with the primary that caused a failover and this is not resolved? Run "show failover history" and "show failover" and provide the output.

Re: Anyconnect VPN issues

trilerian1 — Wed, 18 Oct 2023 19:43:17 GMT

Actually, the primary had to have the control license updated, for some reason that had expired. Cisco TAC was confused as to why... So was I, to be honest. But why would that affect only 1 anyconnect profile?

Re: Anyconnect VPN issues

Marvin Rhoads — Thu, 19 Oct 2023 08:17:25 GMT

Control licenses (for ASA Firepower service modules) are non-expiring. Also, they should not (in any case I can think of) affect AnyConnect remote access VPN at all.

I have seen issues with HA setups referring to xml profiles where one member does not have the profile files, causing the VPN to fail to establish for that connection profile.

Re: Anyconnect VPN issues

AViftrup — Thu, 19 Oct 2023 11:38:41 GMT

As mentioned by Marvin.

Keep in mind that XML profiles created aren't replicated between devices in a HA-pair. Make sure every time you change XML settings, that you copy the changes to the standby unit as well.

Re: Anyconnect VPN issues

trilerian1 — Thu, 19 Oct 2023 12:47:36 GMT

This profile was working on both the primary asa and the secondary up to last week. It just stopped working. The only other thing that I can think of is that I issued a new cert for the vpn, but I put that in the indentity certs and assigned it to the outside interfaces. And, the other anyconnect profiles are fine.

Re: Anyconnect VPN issues

trilerian1 — Thu, 19 Oct 2023 12:51:07 GMT

I generally make changes in the ASDM. I also manage some FTDs, and I guess I am just used to pulling up a GUI for changes.

But regardless, we normally run on the primary ASA and I use the vpn everyday since I am remote.

Re: Anyconnect VPN issues

Marius Gunnerud — Fri, 20 Oct 2023 10:09:28 GMT

Run a debug webvpn and then connect to AnyConnect, anything that stands out in the output?

Re: Anyconnect VPN issues

AViftrup — Fri, 20 Oct 2023 10:55:42 GMT

Just keep in mind, even if you're doing changes on the active unit. If you change XML configuration (profile editor either standalone or through ASDM) the XML profiles aren't automatically replicated to the standby peer.

Re: Anyconnect VPN issues

trilerian1 — Fri, 20 Oct 2023 14:33:51 GMT

I understand, but we generally run on the primary. This worked on the primary and stopped working for whatever reason. Now this tunnel only connects on the secondary.

The funny thing, I can connect while the secondary is active, then do a no failover active and stay connected.

Re: Anyconnect VPN issues

Marius Gunnerud — Mon, 23 Oct 2023 06:50:35 GMT

While the primary ASA is active run a "dubug webvpn" and then connect to AnyConnect, and monitor the debug output to see if anything stands out.

Re: Anyconnect VPN issues

MHM Cisco World — Mon, 23 Oct 2023 07:27:35 GMT

can I see

show version

Re: Anyconnect VPN issues

trilerian1 — Mon, 23 Oct 2023 15:17:49 GMT

Cisco Adaptive Security Appliance Software Version 9.12(4)54
SSP Operating System Version 2.6(1.260)
Device Manager Version 7.18(1)152

Compiled on Wed 12-Oct-22 04:54 GMT by builders
System image file is "disk0:/asa9-12-4-54-smp-k8.bin"
Config file at boot was "startup-config"

XXXXXXX-01 up 261 days 11 hours
failover cluster up 3 years 76 days

Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
ASA: 6487 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

0: Int: Internal-Data0/0 : address is 2c33.11, irq 11
1: Ext: GigabitEthernet0/0 : address is 2c33.11, irq 5
2: Ext: GigabitEthernet0/1 : address is 2c33.11, irq 5
3: Ext: GigabitEthernet0/2 : address is 2c33.11 irq 10
4: Ext: GigabitEthernet0/3 : address is 2c33.11, irq 10
5: Ext: GigabitEthernet0/4 : address is 2c33.11, irq 5
6: Ext: GigabitEthernet0/5 : address is 2c33.11, irq 5
7: Ext: GigabitEthernet0/6 : address is 2c33.11, irq 10
8: Ext: GigabitEthernet0/7 : address is 2c33.11 irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 2c33.11, irq 0
13: Int: Internal-Data0/3 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5545 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2500 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5545 VPN Premium license.

Serial Number: ##########
Running Permanent Activation Key: #############################
Configuration register is 0x1

Image type : Release
Key version : A

Configuration last modified by enable_1 at 14:33:37.682 EDT Wed Oct 18 2023

Re: Anyconnect VPN issues

trilerian1 — Mon, 23 Oct 2023 15:19:39 GMT

I will have to get someone else to help with this as I can't really debug my own session when I can't see the firewall...

Re: Anyconnect VPN issues

Marvin Rhoads — Mon, 23 Oct 2023 16:02:16 GMT

Note you only have the two built-in free AnyConnect licenses. If you attempt to connect a third session it will give an error on the client similar to what you have reported.

Re: Anyconnect VPN issues

MHM Cisco World — Mon, 23 Oct 2023 16:09:49 GMT

Yes but peer (active HA FW) have license for 2500 and it appear in vpn peer.

So if he access to active then he have up to 2500. When failed then the license will hosted by standby and also he Wil get up to 2500.

The issue I think when failover the detection is not fast that why anyconnect failed since license not hosted until failover completed done.

@trilerian1 do you change hello timer of HA?

Re: Anyconnect VPN issues

trilerian1 — Fri, 10 Nov 2023 16:04:53 GMT

I just want to say that this issue seems to have fixed itself with no intervention by me. I did a failover back to my primary ASA today and was able to connect to the vpn with the correct profile afterwards.

Honestly, I got nothing. PFM, y'all know it is a thing.

Re: Anyconnect VPN issues

Marius Gunnerud — Fri, 10 Nov 2023 17:46:49 GMT

Could you be missing anyconnect files, certificate, client profile, etc, on the standby device?

Re: Anyconnect VPN issues

trilerian1 — Fri, 10 Nov 2023 17:48:40 GMT

The secondary worked fine. It was the primary that was having issues. And it is working on the primary now.