
AnyConnect fails to establish IPSec VPN (DELETE NOTIFY)

Hi everyone.

I have an ISR 4331 and AnyConnect 4.6.

When I try to establish a connection from my Android AnyConnect app - everything works fine.

But using the desktop Cisco AnyConnect Secure Mobility Client I get an error:

The VPN client failed to establish a connection.

I've tried shutting down the firewall/antivirus and tried another PC - nothing works.

In logs on ISR I see this:

IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Aug 10 11:48:45: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Session with IKE ID PAIR (aaa, bbb) is UP
Aug 10 11:48:45: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Load IPSEC key material
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Aug 10 11:48:45: IPSEC(key_engine): got a queue event with 1 KMI message(s)


Aug 10 11:48:45: crypto_engine: Generate IKEv2 keying
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)


Aug 10 11:48:45: IPSEC(rte_mgr): VPN Route Added XXXXXXX 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 1
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Aug 10 11:48:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Checking for duplicate IKEv2 SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):No duplicate IKEv2 SA found

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (8 sec) to delete negotiation context

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From XXXXXXXXX:62160/To XXXXXXXXXXXX:4500/VRF i0:f0]
Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:

Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash
Aug 10 11:48:45: crypto_engine: Decrypt IKEv2 packet  DELETE NOTIFY(DELETE_REASON)

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Building packet for encryption.
Aug 10 11:48:45: crypto_engine: Encrypt IKEv2 packet
Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To XXXXXXXXXXXXXX:62160/From XXXXXXXXXXX:4500/VRF i0:f0]
Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Process delete request from peer
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x03856C4C634D023E RSPI: 0xBD5D87E5B1B4FE9D]
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Check for existing active SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Delete all IKE SAs
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Deleting SA
Aug 10 11:48:45: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007EFBD7AC90F8

 

upd:

If it can help, I see this in the logs on the client:

Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
1541 HTTP 403 received
CONNECTMGR_ERROR_HTTPS_NOT_ALLOWED:HTTPS access to the gateway not allowed due to gateway policy 
Establishing VPN session...
CONNECTMGR_ERROR_UNEXPECTED 
VPN Profile Manifest entry not present

I don't understand what it has to do with the HTTPS secure gateway and what sort of authentication it still fails after successfully passing IKE_AUTH.
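
An added example, not part of the original post: a small Python parser for router debug lines in the format quoted above, reporting per SESSION ID whether the peer sent the delete request and how soon after the IKE SA came up. The function name `summarize_sessions`, the 5-second `early_secs` threshold and the sample lines (constructed in the shape of the post's output) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the router debug output quoted in the post.
SAMPLE = """\
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Session with IKE ID PAIR (aaa, bbb) is UP
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (8 sec) to delete negotiation context
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Process delete request from peer
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Deleting SA
Aug 10 11:50:02: IKEv2:(SESSION ID = 117,SA ID = 2):Session with IKE ID PAIR (aaa, ccc) is UP
"""

# Matches only lines that carry a SESSION ID; crypto_engine/IPSEC lines are skipped.
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d): IKEv2:\(SESSION ID = (\d+),SA ID = \d+\):(.*)$")

def summarize_sessions(text, early_secs=5):
    """Return {session_id: summary} showing who ended the session and when."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The debug timestamp has no year; a fixed leap year keeps parsing unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        s = seen.setdefault(m.group(2), {"up": None, "peer_delete": None})
        msg = m.group(3).strip()
        if msg.endswith("is UP"):
            s["up"] = ts
        elif msg == "Process delete request from peer":
            s["peer_delete"] = ts
    report = {}
    for sid, s in seen.items():
        secs = None
        if s["up"] and s["peer_delete"]:
            secs = (s["peer_delete"] - s["up"]).total_seconds()
        report[sid] = {
            "peer_deleted": s["peer_delete"] is not None,
            "seconds_up": secs,
            "early_peer_delete": secs is not None and secs <= early_secs,
        }
    return report

if __name__ == "__main__":
    for sid, summary in summarize_sessions(SAMPLE).items():
        print(sid, summary)
```

A session flagged `early_peer_delete` was ended by a delete request from the client side right after the SA came up, so the client-side log is the next place to look.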

 
