Cisco 2130 FTD Anyconnect outside interface no response

osw200051
Level 1

Dear Expert,

 

I have deployed AnyConnect on the outside interface. But when I try to connect with AnyConnect, the connection times out. No response. Even if I browse to the IP address on the web, there is still no response. I suspect the outside interface denies the incoming traffic. I tried to allow any-any from outside to inside in the access policy, but it did not help.

 

Can anyone help me?

 

current version: 6.2.2.5

 

(One more thing: when I enable AnyConnect on the inside interface, I can connect successfully. That is for testing only. That is why I suspect the outside interface denies my connection.)

 

Thanks  


Hi,

The ACP doesn't control whether the VPN is enabled on the outside interface. When you run the Remote Access VPN wizard it prompts you for which interface you want to enable incoming VPN access on.

 


 

Are you connecting via IP address or FQDN? If FQDN is this registered in public DNS?

 

I assume there isn't another firewall or ACL in front of the FTD that could be blocking access?

 

HTH

Thanks RJI.

Already done what you mentioned, but the outside interface still fails. No response.

Can you share output of the two commands like I have shown below on a working FTD device with SSL VPN:

> show running-config webvpn
webvpn
 enable Outside-Home
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/csm/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1 regex "Windows"
 anyconnect profiles ccielab_ftdv.xml disk0:/csm/ccielab_ftdv.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  no disable
 error-recovery disable
>
> show asp table socket

Protocol   Socket    State      Local Address                                Foreign Address
SSL        0000d468  LISTEN     192.168.0.204:443                            0.0.0.0:*
DTLS       00012218  LISTEN     192.168.0.204:443                            0.0.0.0:*
>

Here is the output:

webvpn
 enable outside
 anyconnect image disk0:/csm/anyconnect-win-4.6.04056-webdeploy-k9.pkg 1 regex "Windows"
 anyconnect profiles anyconnect-profile disk0:/csm/AC.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  no disable

> show asp table socket

Protocol   Socket    State      Local Address                                Foreign Address
SSL        01602578  LISTEN     69.238.151.16:443                            0.0.0.0:*
DTLS       00a01448  LISTEN     69.238.151.16:443                            0.0.0.0:*
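A small check for the `show asp table socket` output posted above, added here as an example and not taken from the thread. It parses the socket table and reports which of the SSL (TCP 443) and DTLS (UDP 443) AnyConnect listeners are not bound on the outside address; the sample table is constructed from the thread's output and the function names are hypothetical.

```python
"""Verify the AnyConnect listeners in FTD/ASA 'show asp table socket' output.

If both SSL and DTLS are LISTENing on the outside IP:443, the headend is bound
where the RA VPN wizard configured it, and the fault is most likely upstream
(filtering in front of the box) rather than the FTD itself.
"""
from dataclasses import dataclass

# Constructed sample, modelled on the output posted in the thread (prompt included).
SAMPLE_SOCKET_TABLE = """\
> show asp table socket
Protocol   Socket    State      Local Address                Foreign Address
SSL        01602578  LISTEN     69.238.151.16:443            0.0.0.0:*
DTLS       00a01448  LISTEN     69.238.151.16:443            0.0.0.0:*
"""


@dataclass(frozen=True)
class SocketEntry:
    protocol: str
    socket_id: str
    state: str
    local: str
    foreign: str


def parse_asp_socket_table(text: str) -> list[SocketEntry]:
    """Parse the whitespace-separated table, skipping header, blank and prompt lines."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith(">"):
            continue  # CLI prompt / echoed command
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Protocol":
            continue  # header (7 tokens), blank line, or unexpected layout
        entries.append(SocketEntry(*parts))
    return entries


def missing_vpn_listeners(text: str, outside_ip: str, port: int = 443) -> list[str]:
    """Return the protocols (SSL, DTLS) that are NOT listening on outside_ip:port."""
    want = f"{outside_ip}:{port}"
    listening = {
        e.protocol for e in parse_asp_socket_table(text)
        if e.state == "LISTEN" and e.local == want
    }
    return [p for p in ("SSL", "DTLS") if p not in listening]


if __name__ == "__main__":
    gaps = missing_vpn_listeners(SAMPLE_SOCKET_TABLE, "69.238.151.16")
    print("OK: SSL and DTLS listeners present" if not gaps else f"Missing: {gaps}")
```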

Thanks - that all looks ok.

Is your device directly connected to public Internet circuit with a public IP address?

Does it have a default route to the Internet and can it reach Internet hosts from the outside interface?

Are any other services through it working OK?

Thanks Marvin,

All done. In fact, the outside interface has a public IP address. The default route to the ISP gateway is already there, and Internet access is very good.

I'm not sure the incoming traffic is getting to your device.

Your address isn't replying to ping. Have you disabled ICMP in the platform settings?

Have you tried a packet capture to see if you can see the incoming client trying to reach the outside interface?
