I have an ASA 5540 and it's configured for VPN over SSL only. It has been working smoothly for 2 years, but since 3 days ago something weird is happening on most of my iOS clients who are using Cisco AnyConnect on their iPhone and iPad: they are receiving a "time out error". Androids are using OpenConnect, and Windows and Mac are using Cisco AnyConnect, and they are working fine too; it's happening on most of the iOS users.
Ping to the ASA and traceroute (MTR) are fine.
Any idea?
As I have studied the clients during these few days:
1- AnyConnect (new version and legacy) is not working on iOS only.
2- AnyConnect on Windows/Mac and OpenConnect on Android are connecting easily through the same internet that iOS cannot.
3- This problem is happening only for those who are trying to connect from Iran.
I thought maybe the providers/government had restricted connections to my IP address, but if it's restricted, why are the others able to connect through the same internet with a different OS? So it's not possible that my IP is restricted.
They filtered the AnyConnect application from making a socket to the outside, but why only iOS? If there is any restriction on the application layer, it should be applied to all Cisco apps.
Do you think changing SSL certs and domain name / IP block helps?
Yes, I did debug and the cert was completely current, but I found out the SSL connection/signature is being reset every 30 seconds by the providers; it seems they have filtered my domain name. I ordered a new SSL cert and domain name. I'm going to swap out the cert and IP block and let's see what happens.
I will update the result here.
I have changed the ASA IP and swapped out the cert, but still those who are using AnyConnect on iOS (new and legacy version) are not able to connect.
Guys, is it possible for the Cisco AnyConnect app to be filtered from opening a socket outside?
Is there any alternative app/solution?
Port #443 is blocked by the provider (as I found out). To solve this problem:
1- I have changed the "IPSec Client Service Port" from 443 to another number (ex: 999)
2- In the AnyConnect settings I changed the server address from srv.mydomain.com to srv.mydomain.com:999
Now clients pass the first step of choosing a profile and entering username/password, as they couldn't reach this step before, but I'm facing another problem:
* When a client enters username/password, they receive the error "login denied, unauthorized connection mechanism, contact your administrator"
Any idea?
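A small client-side probe, added here as an example and not part of the thread or of Cisco's tooling, that reproduces the check the poster did by hand: parse a server address such as srv.mydomain.com:999, attempt a TLS handshake on the default port 443 and on the alternate port, and classify the outcome (timeout, refused, reset, handshake failure, or handshake OK) so that "port blocked upstream" can be told apart from "ASA not listening". The host name and port 999 are taken from the thread; everything else is assumed.

```python
import socket
import ssl

DEFAULT_PORT = 443  # the port AnyConnect uses when the server address carries none


def split_server_address(address, default_port=DEFAULT_PORT):
    """Split 'srv.mydomain.com:999' into (host, port); port defaults to 443."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return address, default_port


def probe_tls(host, port, timeout=5.0):
    """Connect and try a TLS handshake; return a short status string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # reachability only; cert validity is a separate check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls_ok:{tls.version()}"
    except socket.timeout:
        return "timeout"             # packets silently dropped, e.g. filtered upstream
    except ConnectionRefusedError:
        return "refused"             # nothing listening on that port
    except ConnectionResetError:
        return "reset"               # RST injected in transit or listener tore down
    except ssl.SSLError as exc:
        # TCP worked but the handshake did not complete (EOF, bad record, ...)
        return f"tls_error:{getattr(exc, 'reason', None) or type(exc).__name__}"
    except OSError as exc:
        return f"error:{exc.errno}"


def compare_ports(host, ports=(DEFAULT_PORT, 999)):
    """Probe each port once so the results can be compared side by side."""
    return {port: probe_tls(host, port) for port in ports}


if __name__ == "__main__":
    # constructed input matching the thread's server address
    host, port = split_server_address("srv.mydomain.com:999")
    for p, status in compare_ports(host, (DEFAULT_PORT, port)).items():
        print(f"{host}:{p} -> {status}")
```

Run it from the same network as the failing clients; a "timeout" or "reset" on 443 next to "tls_ok" on the alternate port matches the symptom the poster describes.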