cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7355
Views
5
Helpful
18
Replies

Cisco Anyconnect time out connection on IOS only

ladani001
Beginner
Beginner

Hello everybody 

 

I have ASA 5540 and its configured for VPN over SSL only. it has been working for 2 years smooth, but since 3 days ago something weird is happening on most of my ios clients who are using cisco anyconnect on their IPhone and IPad. they are receiving " time out error ". Androids are using openconnect , windows and mac are using cisco anyconnect and they are working fine too, its happening on most of ios users.

 

ping to ASA, trace route ( MTR ) are fine. 

any idea ? 

 

best Regards

Yashar

 

1 Accepted Solution

Accepted Solutions

Hello All 

 

I have fixed the problem. I was changing the ports though the wizard and it was not working, but I went through command line, and its working now.

 

webvpn 
 no enable outside      
 port 800   
 enable outside
 anyconnect enable
 tunnel-group-list enable

View solution in original post

18 Replies 18

Florin Barhala
Frequent Contributor
Frequent Contributor

We could bet that an IOS update hit your clients.

Any chance to test with an older IOS VPN client version?

 

Also you can consider updating your "VPN server" and hopefully that will match latest Apple IOS vpn client.

Hello Florin

 

I tried Legacy anyconnect and same issue. for updating ASA needs contact and I cant download the latest version software. can you help me on IOS if you have the latest one. the one I have is ASA 5540 version 9.1(7).

 

 

That I can't do. Let's see what other have to say about this issue though.

As I have study on clients during these few days :

 

1- Anyconnect new version and Legacy is not working on ios only.

2- Anyconnect on windows /Mac and openconnect on android are connecting easy through the same internet that IOS cannot.

3- this problem is happening only for those who are trying to connect from IRAN.

 

Possibilities:

I thought maybe providers/government has restricted connection to my IP address, but if its restricted why the others are able to connect through same internet with different os; so its not possible my IP is restricted.

they filtered Anyconnect Application to make socket to outside, but why only IOS ? if there is any be restriction on application layer , it should be applied to all cisco apps.

 

confusing... 

 

do you think changing SSL certs and domain name / IP block helps ?

 

Thank You

Yashar 

It is most likely as Florin has already mentioned, an iOS software update that has been released for the Apple devices.  Do you have an Apple device that has not installed the latest update yet?

--
Please remember to select a correct answer and rate helpful posts

mine is 11.3.1 and connects easy, but the difference is I am not in IRAN. as I checked with few of clients they have 11.2.1 and cant connect.these people with latest version and previous version of IOS were able to connect 4 days ago. 

 

here is error when connection doesn't establish.

At this stage, you could also debug SSL VPN when client attempts to connect. Maybe there's an error there. Otherwise Cisco TAC should be the last line of defense.

Hello 

 

Yes, I did debug and the cert was completely current, but I found out the SSL connection/signature is resetting every 30 seconds by providers, seems they have filtered my domain name. I ordered for as  a new SSL cert and domain name. Im going to swap out the cert and IP block and lets see what happens .

I will update the result here.

 

Thank You

Best Regards

Yashar

Hello everybody,

I have changed the ASA IP and swapped out the cert, but still those who are using anyconnect on ios ( new and legacy version ) are not able to connect.
guys, is it possible Cisco Anyconnct app to be filtered from opening socket outside ?
is there any alternative app/solution ?

It seems to me the issue is Iran has blocked access to your network.

 

Can you check if port 443 is open and also if you can access the clientless VPN?

 

Martin

 

Dear Martin 

 

Port #443 is blocked by provider ( as I found out ) to solving this problem :

1- I have changed " IPSec Client Service Port " port from 443 to any other numbers (ex: 999)

2- in Anyconnect setting I changed server address from srv.mydomain.com to srv.mydomain.com:999

 

now clients passes the first step to choosing profile and entering username/password as they couldn't reach to this step before, but I Im facing with another problem :

* when client enter username/password, they receive error " login denied, unauthorized connection mechanisrm, contact your administrator " 

 

any idea ?

I debugged radius packets on Billing server and saw the ASA is sending username and password, but instead of password, username again.

totally confused, same radius setting is working fine current profile which is set with srv.mydomain.com

Thought so.

 

That issue you now have is it would appear the GP is not setup for the correct tunnelling protocol (i.e. SSL VPN Client) in this case.

 

Can you clarify?

 

Martin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers