Cisco Anyconnect time out connection on IOS only

ladani001
Level 1

Hello everybody 

 

I have an ASA 5540 and it's configured for VPN over SSL only. It has been working smoothly for 2 years, but since 3 days ago something weird has been happening on most of my iOS clients who are using Cisco AnyConnect on their iPhone and iPad. They are receiving a "time out error". Androids are using OpenConnect, Windows and Mac are using Cisco AnyConnect and they are working fine too; it's happening on most iOS users.

 

Ping to the ASA and traceroute (MTR) are fine.

Any idea?

 

Best regards

Yashar

 


Dear Martin 

 

I have set the GP on SSL and L2TP/IPSec tunnel only.

Let's check again; maybe the way I have set the port number is not correct. Could you please let me know how I should set the port number for authentication (e.g. srv.myvipport.com:800)? I did it in the port setting (screenshot "port-no").

 

That port only applies to IPSEC.

 

I would recommend looking at the real-time logs and then getting someone to log in, but from that error it suggests to me it's not deeming the connection to be from an SSL client.

Martin

Dear Martin,

 

Yes, it's for IPSec, and because of that I have created an IPSec profile and a GP related to it with a tunnel type of IPSec, L2TP/IPSec.

 

As I monitored the RADIUS server (accounting), here is the debug log:

User-Name = "aliyashar"
User-Password = "aliyashar"
NAS-Port = 9850880
Called-Station-Id = "ASA IP"
Calling-Station-Id = "Accounting IP"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "Accounting IP"
NAS-IP-Address = "ASA IP"
Cisco-AVPair = "ip:source-ip=Accounting "
Vendor-3076-Attr-146 = 0x6970736563
Vendor-3076-Attr-150 = 0x00000002

 

As you see, the ASA is sending the password the same as the username. I set the password the same as the username and tried again; now accounting accepts the user authentication (RADIUS log: AuthOK), but the user receives an error and the ASA resends the request again and again to accounting.

 

When I set IPSec "ON" for the connection in AnyConnect's advanced settings, authentication will be successful (user/pass format will be sent correctly). IPSec is filtered as 443 has been blocked already.

 

 

The best way to bypass the filtering is sending the authentication request from a different port as I did (srv.mydomain.com:800); without adding the port number the connection to the ASA times out, and when I add the port it reaches the authentication step and profile selection, but there is an error in the authorization mechanism.

 

Thank You
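
Added example, not part of the thread: a Python script that decodes the two vendor 3076 attributes in the RADIUS debug log quoted in the post above, so the tunnel group and client type the ASA reported can be read directly. The attribute meanings (146 = Tunnel-Group-Name, 150 = Client-Type) and the Client-Type value table are assumptions taken from Cisco's published ASA RADIUS attribute list; the sample lines are copied from the post.

```python
import re

# Sample lines copied from the debug log in the post above.
SAMPLE_LOG = '''\
User-Name = "aliyashar"
User-Password = "aliyashar"
NAS-Port-Type = Virtual
Vendor-3076-Attr-146 = 0x6970736563
Vendor-3076-Attr-150 = 0x00000002
'''

# Assumption: Client-Type values per Cisco's ASA VSA table (vendor 3076).
CLIENT_TYPES = {
    1: "Cisco VPN Client (IKEv1)",
    2: "AnyConnect Client SSL VPN",
    3: "Clientless SSL VPN",
    4: "Cut-Through-Proxy",
    5: "L2TP/IPsec SSL VPN",
    6: "AnyConnect Client IPsec VPN (IKEv2)",
}
LINE_RE = re.compile(r'^\s*([\w-]+(?::\d+)?)\s*=\s*(.*?)\s*$')

def parse_attributes(log):
    """Turn 'Name = value' debug lines into a dict, dropping quotes."""
    attrs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def decode_asa_vsas(attrs):
    """Decode the hex-encoded tunnel group name and client type."""
    out = {}
    raw = attrs.get("Vendor-3076-Attr-146", "")
    if raw.lower().startswith("0x"):
        out["tunnel_group"] = bytes.fromhex(raw[2:]).decode("ascii", "replace")
    raw = attrs.get("Vendor-3076-Attr-150", "")
    if raw.lower().startswith("0x"):
        code = int(raw, 16)
        out["client_type"] = CLIENT_TYPES.get(code, f"unknown ({code})")
    return out

def password_equals_username(attrs):
    """True when the request carries the username as the password."""
    pw = attrs.get("User-Password")
    return pw is not None and pw == attrs.get("User-Name")

if __name__ == "__main__":
    a = parse_attributes(SAMPLE_LOG)
    print(decode_asa_vsas(a), password_equals_username(a))
```

For this log the decoded tunnel group is "ipsec" while the client type is the SSL AnyConnect client, and the password field repeats the username.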

 

 

Hello All 

 

I have fixed the problem. I was changing the ports through the wizard and it was not working, but I went through the command line, and it's working now.

 

webvpn 
 no enable outside      
 port 800   
 enable outside
 anyconnect enable
 tunnel-group-list enable
