Can Not Anyconnect From Specific Laptop

WildMan365
Level 1

First off, AnyConnect works perfectly with the 3 laptops my techs are using. They all have version 4.5 AnyConnect client apps and never have any issues. However, one of my other users has AnyConnect client version 3.1.12020 and can successfully authenticate (most of the time) when trying to connect to the same ASA, but immediately after entering the password and seeing the banner, the user gets an error saying "The VPN client failed to establish connection". I am including my config below and the log I captured when the user experienced this issue.

 

Here are some important facts worth mentioning...

 

1) The user puts the public address of the outside interface of the ASA in question into the AnyConnect client and attempts connections the same way the other users do.

2) There is no TACACS+/RADIUS authentication involved, just locally configured usernames.

3) The issue happens on the same circuits that the successful users use.

4) The user experiencing issues only experiences this issue with this ASA and can successfully connect to other ASAs using the same laptop and client.

5) The exact same .pkg file/version on the ASA in question is running on other ASAs that the problem user is connecting to successfully with no issues.

6) AnyConnect client version 3.1.12020 is end of life and cannot be downloaded from Cisco support anymore, so I cannot downgrade my other users from 4.5, nor do I want to if I could.

7) There are 100 IP addresses available for SSL clients in the pool when the issue happens.

8) I in

 

LOGS....

 

Apr 02 2018 16:05:16: %ASA-6-302013: Built inbound TCP connection 63426 for outside:1.1.1.1/62276 (1.1.1.1/62276) to identity:2.2.2.2/443 (2.2.2.2/443)
Apr 02 2018 16:05:16: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/62276 for TLS session.
Apr 02 2018 16:05:16: %ASA-7-725010: Device supports the following 6 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[1] : RC4-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[4] : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[5] : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725008: SSL client outside:1.1.1.1/62276 proposes the following 3 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[1] : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[2] : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725012: Device chooses cipher : AES128-SHA for the SSL session with client outside:1.1.1.1/62276
Apr 02 2018 16:05:16: %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.1/62276

Apr 02 2018 16:05:16: %ASA-6-725007: SSL session with client outside:1.1.1.1/62276 terminated.

 

ASA CONFIG....

 

asa# sh run
: Saved
:
: Serial Number: JMX1422Z1SF
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname asa
enable password Z5tXLWscwJUZOz0q encrypted
passwd Z5tXLWscwJUZOz0q encrypted
names
ip local pool SSLCLIENTPOOL 10.0.2.1-10.0.2.100 mask 255.255.255.0
ip local pool NON-ADMINS 10.0.3.1-10.0.3.100 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname enterprise.ddns.net
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.20.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object service HTTP
 service tcp source eq www
object service HTTPS-ALTERNATE
 service tcp source eq 4443
 description Port 443 used for Anyconnet- Cant reassign
object-group network DENIED-ADDRESSES
 network-object host 123.183.209.139
object-group network ANYCONNECT-REMOTE-USERS
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network DMZ-SUBNET
 network-object 10.20.10.0 255.255.255.0
object-group network SERVER
 description internal server 10.0.1.0/24
 network-object host 10.0.1.15
object-group network INSIDENET
 network-object 10.0.1.0 255.255.255.0
access-list acl-inside extended permit tcp any any eq www
access-list acl-inside extended permit tcp any any eq https
access-list acl-inside extended permit udp any any eq domain
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit tcp any object-group SERVER eq www
access-list acl-outside extended permit tcp any object-group SERVER eq 4443
access-list acl-outside extended deny ip any any log
access-list acl-DMZ extended permit icmp any any
access-list acl-DMZ extended permit icmp any any echo-reply
access-list acl-DMZ extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging monitor debugging
logging buffered debugging
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service HTTPS-ALTERNATE HTTPS-ALTERNATE
nat (inside,outside) source static any any destination static ANYCONNECT-REMOTE-USERS ANYCONNECT-REMOTE-USERS no-proxy-arp route-lookup
nat (outside,outside) source dynamic ANYCONNECT-REMOTE-USERS interface
!
nat (DMZ,outside) after-auto source dynamic DMZ-SUBNET interface
nat (inside,outside) after-auto source dynamic INSIDENET interface
access-group acl-inside in interface inside
access-group acl-outside in interface outside
access-group acl-DMZ in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint LOCALTRUST
 enrollment self
 fqdn none
 subject-name CN=eagleshouse.ddns.net
 keypair SSLVPNKEY
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.2.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcp-client update dns server both
dhcpd update dns both
!
dhcpd address 10.0.1.100-10.0.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 604800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.6.2.70 source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLCLIENT-user internal
group-policy SSLCLIENT-user attributes
 banner value <3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3
 banner value
 banner value Private Network Accessed Successfully
 banner value
 banner value <3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 address-pools value NON-ADMINS
group-policy SSLCLIENT internal
group-policy SSLCLIENT attributes
 banner value $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 banner value
 banner value Private LAN Accessed Successfully
 banner value
 banner value $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 address-pools value SSLCLIENTPOOL
username user password fRAgGdr9iEIBx9ry encrypted privilege 15
username user attributes
 service-type remote-access
username manager password 2bCZa9d0lswzoyHg encrypted privilege 15
username usernet password u7/ry.bOw8ISRWnM encrypted privilege 15
username usernet attributes
 vpn-group-policy SSLCLIENT-user
 service-type remote-access
tunnel-group SSLCLIENT-VPN type remote-access
tunnel-group SSLCLIENT-VPN general-attributes
 default-group-policy SSLCLIENT
tunnel-group SSLCLIENT-VPN webvpn-attributes
 group-alias ENTERPRISE enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c6cdb344525bea4f49f8178829c9e02
: end
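The log in the post shows the TLS layer doing exactly what it should: the ASA advertises six suites, the client proposes three, AES128-SHA is chosen, message 725002 reports the handshake complete, and 725007 reports the session terminated in the same second. A small parser that reads these ASA syslog IDs (725001, 725008, 725010, 725011, 725012, 725002, 725007) makes that pattern visible at a glance and separates "no common cipher" failures from "handshake fine, session dropped immediately" ones. The code below is an added example written for this page; it is not an ASA or AnyConnect feature. The first sample input is the handshake excerpt quoted in the post; the second sample (client 1.1.1.1/62300, no overlapping cipher) is constructed here to exercise the mismatch case. The weak-cipher list, the `analyze` function and the verdict strings are my own naming and are assumptions, not Cisco terminology.

```python
import re
from datetime import datetime

# Sample input 1: the handshake lines quoted in the post, verbatim.
SAMPLE_LOG = """\
Apr 02 2018 16:05:16: %ASA-6-302013: Built inbound TCP connection 63426 for outside:1.1.1.1/62276 (1.1.1.1/62276) to identity:2.2.2.2/443 (2.2.2.2/443)
Apr 02 2018 16:05:16: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/62276 for TLS session.
Apr 02 2018 16:05:16: %ASA-7-725010: Device supports the following 6 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[1] : RC4-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[4] : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[5] : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725008: SSL client outside:1.1.1.1/62276 proposes the following 3 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[1] : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[2] : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725012: Device chooses cipher : AES128-SHA for the SSL session with client outside:1.1.1.1/62276
Apr 02 2018 16:05:16: %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.1/62276
Apr 02 2018 16:05:16: %ASA-6-725007: SSL session with client outside:1.1.1.1/62276 terminated.
"""

# Sample input 2: constructed here (same message formats) for a client whose
# only proposed suite is not in the device list, so no 725012/725002 appears.
SAMPLE_MISMATCH = """\
Apr 02 2018 16:07:01: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/62300 for TLS session.
Apr 02 2018 16:07:01: %ASA-7-725010: Device supports the following 2 cipher(s).
Apr 02 2018 16:07:01: %ASA-7-725011: Cipher[1] : AES128-SHA
Apr 02 2018 16:07:01: %ASA-7-725011: Cipher[2] : AES256-SHA
Apr 02 2018 16:07:01: %ASA-7-725008: SSL client outside:1.1.1.1/62300 proposes the following 1 cipher(s).
Apr 02 2018 16:07:01: %ASA-7-725011: Cipher[1] : RC4-MD5
Apr 02 2018 16:07:01: %ASA-6-725007: SSL session with client outside:1.1.1.1/62300 terminated.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msg>\d{6}): (?P<text>.*)$")
CLIENT_RE = re.compile(r"client \w+:(?P<client>\d+\.\d+\.\d+\.\d+/\d+)")
CIPHER_RE = re.compile(r"Cipher\[\d+\] : (?P<name>\S+)")
CHOSEN_RE = re.compile(r"chooses cipher : (?P<name>\S+)")

# Suites current guidance treats as weak (RC4 per RFC 7465, 3DES/DES for the
# 64-bit block, NULL for no encryption). Assumed list for this example.
WEAK_CIPHERS = {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA", "NULL-SHA", "NULL-MD5"}

def parse_ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def analyze(log_text):
    """Return device cipher list plus one summary dict per client ip/port."""
    device_ciphers = []
    sessions = {}
    target = None  # list that the next Cipher[n] (725011) lines belong to
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg, text, ts = m["msg"], m["text"], parse_ts(m["ts"])
        cm = CLIENT_RE.search(text)
        sess = None
        if cm:
            sess = sessions.setdefault(cm["client"], {
                "proposed": [], "chosen": None, "handshake_started": None,
                "handshake_completed": None, "terminated": None})
        if msg == "725010":            # device advertises its suites
            device_ciphers = []
            target = device_ciphers
        elif msg == "725008":          # client proposes its suites
            sess["proposed"] = []
            target = sess["proposed"]
        elif msg == "725011" and target is not None:
            target.append(CIPHER_RE.search(text)["name"])
        elif msg == "725001":
            sess["handshake_started"] = ts
        elif msg == "725012":
            sess["chosen"] = CHOSEN_RE.search(text)["name"]
        elif msg == "725002":
            sess["handshake_completed"] = ts
        elif msg == "725007":
            sess["terminated"] = ts
    for s in sessions.values():
        s["common_ciphers"] = [c for c in s["proposed"] if c in device_ciphers]
        s["chosen_cipher_weak"] = s["chosen"] in WEAK_CIPHERS
        done, ended = s["handshake_completed"], s["terminated"]
        s["terminated_after_s"] = (ended - done).total_seconds() if done and ended else None
        if s["chosen"] is None and s["proposed"] and not s["common_ciphers"]:
            s["verdict"] = "no_common_cipher"          # TLS itself failed
        elif done and ended and s["terminated_after_s"] <= 2:
            s["verdict"] = "tls_ok_then_dropped"       # look above the TLS layer
        elif done:
            s["verdict"] = "tls_ok"
        else:
            s["verdict"] = "handshake_incomplete"
    return {"device_ciphers": device_ciphers,
            "weak_device_ciphers": [c for c in device_ciphers if c in WEAK_CIPHERS],
            "sessions": sessions}

if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_MISMATCH):
        result = analyze(sample)
        print("device offers:", result["device_ciphers"], "weak:", result["weak_device_ciphers"])
        for client, s in result["sessions"].items():
            print(client, s["verdict"], "chosen:", s["chosen"], "dropped after:", s["terminated_after_s"])
```

For the posted log the verdict is `tls_ok_then_dropped` with `terminated_after_s == 0.0`, which is the defender's takeaway: the cipher negotiation between this 3.1 client and the ASA succeeded, so the disconnect happens after the TLS handshake, and the ASA's `logging class webvpn` and `logging class auth` output for the same second is where the next clue lives. The `weak_device_ciphers` list (RC4-SHA and DES-CBC3-SHA in this config) is a side finding worth noting for hardening, not the cause of this failure, since AES128-SHA was chosen.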
