05-15-2018 10:48 AM - edited 02-21-2020 07:46 AM
Hello everybody
I have an ASA 5540 and it's configured for VPN over SSL only. It has been working smoothly for 2 years, but since 3 days ago something weird is happening on most of my iOS clients who are using Cisco AnyConnect on their iPhone and iPad: they are receiving a "time out error". Androids are using OpenConnect, Windows and Mac are using Cisco AnyConnect, and they are working fine too. It's happening on most of the iOS users.
Ping to the ASA and traceroute (MTR) are fine.
Any idea?
Best Regards
Yashar
Labels: NGFW Firewalls
Accepted Solutions
05-22-2018 12:03 PM
Hello All
I have fixed the problem. I was changing the ports through the wizard and it was not working, but I went through the command line, and it's working now.
webvpn
 ! take the SSL VPN listener down on the outside interface before changing its port
 no enable outside
 port 800
 enable outside
 anyconnect enable
 tunnel-group-list enable

05-16-2018 02:01 AM
We could bet that an iOS update hit your clients.
Any chance to test with an older iOS VPN client version?
Also you can consider updating your "VPN server" and hopefully that will match the latest Apple iOS VPN client.
05-16-2018 02:29 AM
Hello Florin
I tried Legacy AnyConnect and same issue. For updating, the ASA needs contact and I can't download the latest software version. Can you help me on iOS if you have the latest one? The one I have is ASA 5540 version 9.1(7).
05-16-2018 02:48 AM
05-16-2018 03:02 AM
As I have studied the clients during these few days:
1- AnyConnect new version and Legacy are not working on iOS only.
2- AnyConnect on Windows/Mac and OpenConnect on Android are connecting easily through the same internet that iOS cannot.
3- This problem is happening only for those who are trying to connect from Iran.
Possibilities:
I thought maybe the providers/government has restricted connection to my IP address, but if it's restricted, why are the others able to connect through the same internet with a different OS? So it's not possible my IP is restricted.
They filtered the AnyConnect application from making a socket to outside, but why only iOS? If there is any restriction on the application layer, it should be applied to all Cisco apps.
Confusing...
Do you think changing SSL certs and domain name / IP block helps?
Thank You
Yashar
05-16-2018 03:43 AM - edited 05-16-2018 03:43 AM
It is most likely, as Florin has already mentioned, an iOS software update that has been released for the Apple devices. Do you have an Apple device that has not installed the latest update yet?
Please remember to select a correct answer and rate helpful posts
05-16-2018 05:07 AM
Mine is 11.3.1 and connects easily, but the difference is I am not in Iran. As I checked with a few of the clients, they have 11.2.1 and can't connect. These people with the latest version and the previous version of iOS were able to connect 4 days ago.
05-16-2018 08:54 AM
Here is the error when the connection doesn't establish.
05-17-2018 12:52 AM
05-17-2018 10:26 AM
Hello
Yes, I did debug and the cert was completely current, but I found out the SSL connection/signature is being reset every 30 seconds by the providers; it seems they have filtered my domain name. I ordered a new SSL cert and domain name. I'm going to swap out the cert and IP block and let's see what happens.
I will update the result here.
Thank You
Best Regards
Yashar
05-17-2018 08:25 PM
Hello everybody,
I have changed the ASA IP and swapped out the cert, but still those who are using AnyConnect on iOS (new and legacy version) are not able to connect.
Guys, is it possible for the Cisco AnyConnect app to be filtered from opening a socket outside?
Is there any alternative app/solution?
05-18-2018 02:23 PM
It seems to me the issue is Iran has blocked access to your network.
Can you check if port 443 is open and also if you can access the clientless VPN?
Martin
05-19-2018 04:29 AM
Dear Martin
Port #443 is blocked by the provider (as I found out). To solve this problem:
1- I have changed the "IPSec Client Service Port" from 443 to another number (ex: 999).
2- In the AnyConnect settings I changed the server address from srv.mydomain.com to srv.mydomain.com:999.
Now clients pass the first step of choosing the profile and entering username/password, as they couldn't reach this step before, but I'm facing another problem:
* When clients enter username/password, they receive the error "login denied, unauthorized connection mechanism, contact your administrator".
Any idea?
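A way to run Martin's "is port 443 open" check from a client network, and to confirm the gateway answers on the alternate port after the webvpn port change, as an added example that is not part of this thread or of Cisco's tooling: it opens TCP then TLS to the gateway and buckets the result so a silent drop (timeout), an RST during the handshake (reset) and a closed port (refused) can be told apart. The host name, ports and the local fixture are placeholders.

```python
import socket
import ssl
import sys
from typing import Optional, Tuple


def classify_error(exc: BaseException) -> str:
    """Map a socket/TLS exception to a bucket name (order matters: all are OSError)."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # no SYN-ACK or a stalled handshake: packets silently dropped
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # RST to the SYN: nothing listening on that port
    if isinstance(exc, ConnectionResetError):
        return "reset"          # TCP came up, then an RST arrived mid-handshake
    if isinstance(exc, ssl.SSLError):
        return "tls_error"      # TCP fine, TLS negotiation itself failed
    if isinstance(exc, OSError):
        return "unreachable"    # no route, DNS failure, etc.
    raise exc


def probe_ssl_vpn(host: str, port: int, timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Return (outcome, negotiated TLS version or None) for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # diagnostic only: we want the handshake result
    ctx.verify_mode = ssl.CERT_NONE     # even when the gateway cert is not trusted locally
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls_ok", tls.version()
    except Exception as exc:  # every failure is classified, not hidden
        return classify_error(exc), None


def free_local_port() -> int:
    """Constructed fixture: a 127.0.0.1 port with nothing listening, to demo 'refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py srv.example.com 443 999   (placeholder host and ports)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [free_local_port()]
    for p in ports:
        outcome, version = probe_ssl_vpn(target, p)
        print(f"{target}:{p} -> {outcome}" + (f" ({version})" if version else ""))
```

Run it from inside and outside the affected network and compare buckets per port: a "timeout" on 443 with "tls_ok" on the alternate port is consistent with the port-level filtering described above.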
05-19-2018 09:10 AM - edited 05-19-2018 09:43 AM
I debugged the RADIUS packets on the billing server and saw the ASA is sending username and password, but instead of the password, the username again.
Totally confused; the same RADIUS setting is working fine with the current profile which is set with srv.mydomain.com.
05-19-2018 10:32 AM
Thought so.
The issue you now have is, it would appear, that the GP is not set up for the correct tunnelling protocol (i.e. SSL VPN Client) in this case.
Can you clarify?
Martin
