cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
288
Views
5
Helpful
1
Replies
Highlighted

AnyConnect fails to establish IPSec VPN (DELETE NOTIFY)

Hi everyone.

I have an ISR 4331 and AnyConnect 4.6.

When I try to establish a connection from my Android AnyConnect app - everything works fine.

But using Desktop CiscoAnyConnect Secure Mobility Client I get an  error:

The VPN client failed to establish a connection.

 I`ve tried to shut down firewall/antivirus, tried another PC - nothing works.

In logs on ISR I see this:

IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Aug 10 11:48:45: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Session with IKE ID PAIR (aaa, bbb) is UP
Aug 10 11:48:45: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Load IPSEC key material
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Aug 10 11:48:45: IPSEC(key_engine): got a queue event with 1 KMI message(s)


Aug 10 11:48:45: crypto_engine: Generate IKEv2 keying
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)


Aug 10 11:48:45: IPSEC(rte_mgr): VPN Route Added XXXXXXX 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 1
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Aug 10 11:48:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Checking for duplicate IKEv2 SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):No duplicate IKEv2 SA found

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (8 sec) to delete negotiation context

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From XXXXXXXXX:62160/To XXXXXXXXXXXX:4500/VRF i0:f0]
Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:

Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash
Aug 10 11:48:45: crypto_engine: Decrypt IKEv2 packet  DELETE NOTIFY(DELETE_REASON)

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Building packet for encryption.
Aug 10 11:48:45: crypto_engine: Encrypt IKEv2 packet
Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To XXXXXXXXXXXXXX:62160/From XXXXXXXXXXX:4500/VRF i0:f0]
Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Process delete request from peer
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x03856C4C634D023E RSPI: 0xBD5D87E5B1B4FE9D]
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Check for existing active SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Delete all IKE SAs
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Deleting SA
Aug 10 11:48:45: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007EFBD7AC90F8

 

upd:

it it can help, I see in logs on the client:

Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
1541 HTTP 403 received
CONNECTMGR_ERROR_HTTPS_NOT_ALLOWED:HTTPS access to the gateway not allowed due to gateway policy 
Establishing VPN session...
CONNECTMGR_ERROR_UNEXPECTED 
VPN Profile Manifest entry not present

I don`t understand what it has to do with https secure gateway and what sort of of authentications it still fails after successfully passed IKE_AUTH 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: AnyConnect fails to establish IPSec VPN (DELETE NOTIFY)

1 REPLY
Beginner

Re: AnyConnect fails to establish IPSec VPN (DELETE NOTIFY)

CreatePlease to create content
Ask the Expert- MPLS troubleshooting