10-18-2023 12:30 PM
Having a weird issue with AnyConnect VPN. I am running 2 5545 ASAs in HA. If I am on my secondary ASA, a specific VPN profile works just fine. However, if I fail over to my primary ASA, AnyConnect comes back with the following error.
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
Other profiles however seem to work.
10-23-2023 08:17 AM
Cisco Adaptive Security Appliance Software Version 9.12(4)54
SSP Operating System Version 2.6(1.260)
Device Manager Version 7.18(1)152
Compiled on Wed 12-Oct-22 04:54 GMT by builders
System image file is "disk0:/asa9-12-4-54-smp-k8.bin"
Config file at boot was "startup-config"
XXXXXXX-01 up 261 days 11 hours
failover cluster up 3 years 76 days
Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
ASA: 6487 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 2c33.11, irq 11
1: Ext: GigabitEthernet0/0 : address is 2c33.11, irq 5
2: Ext: GigabitEthernet0/1 : address is 2c33.11, irq 5
3: Ext: GigabitEthernet0/2 : address is 2c33.11 irq 10
4: Ext: GigabitEthernet0/3 : address is 2c33.11, irq 10
5: Ext: GigabitEthernet0/4 : address is 2c33.11, irq 5
6: Ext: GigabitEthernet0/5 : address is 2c33.11, irq 5
7: Ext: GigabitEthernet0/6 : address is 2c33.11, irq 10
8: Ext: GigabitEthernet0/7 : address is 2c33.11 irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 2c33.11, irq 0
13: Int: Internal-Data0/3 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5545 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2500 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
This platform has an ASA5545 VPN Premium license.
Serial Number: ##########
Running Permanent Activation Key: #############################
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_1 at 14:33:37.682 EDT Wed Oct 18 2023
11-10-2023 08:04 AM
I just want to say that this issue seems to have fixed itself with no intervention by me. I did a failover back to my primary ASA today and was able to connect to the VPN with the correct profile afterwards.
Honestly, I got nothing. PFM, y'all know it is a thing.
11-10-2023 09:46 AM
Could you be missing AnyConnect files, certificate, client profile, etc., on the standby device?
11-10-2023 09:48 AM
The secondary worked fine. It was the primary that was having issues. And it is working on the primary now.