08-10-2018 02:50 AM - edited 08-10-2018 06:28 AM
Hi everyone.
I have an ISR 4331 and AnyConnect 4.6.
When I try to establish a connection from my Android AnyConnect app - everything works fine.
But using the desktop Cisco AnyConnect Secure Mobility Client I get an error:
The VPN client failed to establish a connection.
I've tried shutting down the firewall/antivirus and tried another PC - nothing works.
In logs on ISR I see this:
IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Aug 10 11:48:45: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Session with IKE ID PAIR (aaa, bbb) is UP
Aug 10 11:48:45: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Load IPSEC key material
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Aug 10 11:48:45: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 10 11:48:45: crypto_engine: Generate IKEv2 keying
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)
Aug 10 11:48:45: crypto_engine: Create IPSec SA (by keys)
Aug 10 11:48:45: IPSEC(rte_mgr): VPN Route Added XXXXXXX 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 1
Aug 10 11:48:45: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Aug 10 11:48:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Checking for duplicate IKEv2 SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):No duplicate IKEv2 SA found
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (8 sec) to delete negotiation context
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From XXXXXXXXX:62160/To XXXXXXXXXXXX:4500/VRF i0:f0] Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents:
Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash
Aug 10 11:48:45: crypto_engine: Decrypt IKEv2 packet DELETE NOTIFY(DELETE_REASON)
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Building packet for encryption.
Aug 10 11:48:45: crypto_engine: Encrypt IKEv2 packet
Aug 10 11:48:45: crypto_engine: Generate IKEv2 hash
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To XXXXXXXXXXXXXX:62160/From XXXXXXXXXXX:4500/VRF i0:f0] Initiator SPI : 03856C4C634D023E - Responder SPI : BD5D87E5B1B4FE9D Message id: 6 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Process delete request from peer
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x03856C4C634D023E RSPI: 0xBD5D87E5B1B4FE9D]
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Check for existing active SA
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Delete all IKE SAs
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Deleting SA
Aug 10 11:48:45: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007EFBD7AC90F8
Update:
If it can help, I see this in the logs on the client:
Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
1541 HTTP 403 received
CONNECTMGR_ERROR_HTTPS_NOT_ALLOWED:HTTPS access to the gateway not allowed due to gateway policy
Establishing VPN session...
CONNECTMGR_ERROR_UNEXPECTED VPN Profile Manifest entry not present
I don't understand what it has to do with the HTTPS secure gateway, and what sort of authentication it still fails after successfully passing IKE_AUTH.
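An added example, not part of the original post and not Cisco code: a Python triage helper that reads IOS IKEv2 debug lines like those above and flags sessions where the peer deleted the IKE SA within seconds of the session coming up. The sample log is constructed (abridged from the post plus one invented healthy session); the function name, the 10-second window and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: three lines abridged from the post, plus one invented
# healthy session (117) for contrast.
SAMPLE = """\
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Session with IKE ID PAIR (aaa, bbb) is UP
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Process delete request from peer
Aug 10 11:48:45: IKEv2:(SESSION ID = 116,SA ID = 1):Deleting SA
Aug 10 11:50:02: IKEv2:(SESSION ID = 117,SA ID = 2):Session with IKE ID PAIR (ccc, ddd) is UP
"""

# Timestamp, session ID and message text of a per-session IKEv2 debug line.
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d): "
    r"IKEv2:\(SESSION ID = (\d+),SA ID = \d+\):(.*)$"
)

def peer_teardowns(log, window_seconds=10, year=2018):
    """Return session IDs whose IKE SA the peer deleted right after it came up.

    IOS debug timestamps carry no year, so one is supplied (assumption).
    """
    came_up = {}   # session ID -> time the session was reported UP
    flagged = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a session ID (crypto_engine, IPSEC, ...)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        sid, msg = int(m.group(2)), m.group(3).strip()
        if msg.endswith("is UP"):
            came_up[sid] = ts
        elif "Process delete request from peer" in msg and sid in came_up:
            # The DELETE came from the remote side, so the router did not
            # reject the session; the client gave up after IKE_AUTH passed.
            if (ts - came_up.pop(sid)).total_seconds() <= window_seconds:
                flagged.append(sid)
    return flagged

if __name__ == "__main__":
    for sid in peer_teardowns(SAMPLE):
        print(f"session {sid}: peer deleted the SA right after IKE_AUTH")
```

A flagged session means the teardown was requested by the client, so the client-side log is the place to look for the reason.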
09-21-2018 01:54 AM