05-15-2018 10:48 AM - edited 02-21-2020 07:46 AM
Hello everybody
I have an ASA 5540 and it is configured for VPN over SSL only. It has been working smoothly for 2 years, but since 3 days ago something weird is happening on most of my iOS clients who are using Cisco AnyConnect on their iPhone and iPad: they are receiving a "time out error". Androids are using OpenConnect, Windows and Mac are using Cisco AnyConnect and they are working fine too; it's happening on most iOS users.
Ping to the ASA and trace route (MTR) are fine.
Any idea?
Best regards
Yashar
05-19-2018 10:40 AM - edited 05-19-2018 12:22 PM
Dear Martin
I have set the GP to SSL and L2TP/IPSec tunnel only.
Let's check again, maybe the way I have set the port number is not correct. Could you please let me know how I should set the port number for authentication (ex: srv.myvipport.com:800)? I did it in the port setting (screen shot "port-no").
05-21-2018 05:26 AM
That port only applies to IPsec.
I would recommend looking at the real-time logs and then getting someone to log in, but from that error it suggests to me it's not deeming the connection to be from an SSL client.
Martin
05-21-2018 06:58 AM - edited 05-21-2018 11:20 AM
Dear Martin,
Yes, it's for IPSec and because of that I have created an IPSec profile and a GP related to it with a tunnel type of IPSec, L2TP/IPSec.
As I monitored the RADIUS server (accounting), here is the debug log:
User-Name = "aliyashar"
User-Password = "aliyashar"
NAS-Port = 9850880
Called-Station-Id = "ASA IP"
Calling-Station-Id = "Accounting IP"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "Accounting IP"
NAS-IP-Address = "ASA IP"
Cisco-AVPair = "ip:source-ip=Accounting "
Vendor-3076-Attr-146 = 0x6970736563
Vendor-3076-Attr-150 = 0x00000002
As you see, the ASA is sending the password the same as the username. I set the password the same as the username and tried again; now accounting accepts the user authentication (RADIUS log: AuthOK), but the user receives an error and the ASA resends the request again and again to accounting.
When I set IPSec "ON" for the connection in AnyConnect's advanced settings, authentication is successful (user/pass format is sent correctly). IPSec is filtered as 443 has already been blocked.
The best way to bypass the filtering is sending the authentication request from a different port as I did (srv.mydomain.com:800). Without adding the port number the connection to the ASA times out; when I add the port it reaches the authentication step and chooses the profile, but there is an error in the authorization mechanism.
Thank You
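The attribute dump in the post above is easier to reason about once the Cisco vendor attributes are decoded and the credential mismatch is checked mechanically. The following is an added example written for this thread, not code from the poster or from Cisco: it parses a FreeRADIUS-style attribute dump, decodes the `0x...` vendor values (vendor 3076 is the Altiga/Cisco VPN 3000 dictionary the ASA uses), and flags the case the poster observed, User-Password carrying the same value as User-Name. The sample input is constructed from the lines posted above, with the poster's "ASA IP" / "Accounting IP" placeholders kept. The names given to attributes 146 and 150 are assumed from Cisco's ASA RADIUS VSA table and should be confirmed against the documentation for the deployed ASA release.

```python
"""Decode the RADIUS attributes an ASA sends, as seen in a FreeRADIUS-style
debug dump, and flag the anomaly discussed in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the attribute dump posted in the thread, with the
# poster's placeholders ("ASA IP", "Accounting IP") left in place.
SAMPLE_DUMP = """\
User-Name = "aliyashar"
User-Password = "aliyashar"
NAS-Port = 9850880
Called-Station-Id = "ASA IP"
Calling-Station-Id = "Accounting IP"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "Accounting IP"
NAS-IP-Address = "ASA IP"
Cisco-AVPair = "ip:source-ip=Accounting "
Vendor-3076-Attr-146 = 0x6970736563
Vendor-3076-Attr-150 = 0x00000002
"""

# Vendor 3076 is the Altiga/Cisco VPN 3000 dictionary used by the ASA.
# Attribute names are ASSUMED from Cisco's ASA RADIUS VSA table; confirm
# them against the documentation for your ASA release before relying on them.
VENDOR_3076_NAMES = {146: "Tunnel-Group-Name", 150: "Client-Type"}

# "Name = value" with an optional tag suffix such as Tunnel-Client-Endpoint:0
ATTR_RE = re.compile(r'^\s*([\w\-]+(?::\d+)?)\s*=\s*(.+?)\s*$')
VSA_RE = re.compile(r'^Vendor-(\d+)-Attr-(\d+)$')


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (attribute, raw value) pairs, in order, from a debug dump."""
    pairs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def decode_hex_value(raw: str):
    """Decode a 0x... value: printable ASCII becomes a str, anything else an int."""
    data = bytes.fromhex(raw[2:])
    if data and all(32 <= b < 127 for b in data):
        return data.decode("ascii")
    return int.from_bytes(data, "big")


def decode_attributes(pairs: List[Tuple[str, str]]) -> Dict[str, object]:
    """Map attribute names to decoded values, naming known vendor attributes."""
    decoded: Dict[str, object] = {}
    for name, raw in pairs:
        value: object = raw.strip('"') if raw.startswith('"') else raw
        vsa = VSA_RE.match(name)
        if vsa:
            vendor, attr = int(vsa.group(1)), int(vsa.group(2))
            if raw.startswith("0x"):
                value = decode_hex_value(raw)
            if vendor == 3076 and attr in VENDOR_3076_NAMES:
                name = f"{VENDOR_3076_NAMES[attr]} (VSA {attr})"
        decoded[name] = value
    return decoded


def find_anomalies(decoded: Dict[str, object]) -> List[str]:
    """Return findings a reviewer would want called out for this request."""
    findings = []
    if "User-Password" in decoded and decoded["User-Password"] == decoded.get("User-Name"):
        findings.append("User-Password equals User-Name: the client did not "
                        "submit the password in the form the ASA expected")
    return findings


if __name__ == "__main__":
    attrs = decode_attributes(parse_dump(SAMPLE_DUMP))
    for k, v in attrs.items():
        print(f"{k:32} {v!r}")
    for finding in find_anomalies(attrs):
        print("FINDING:", finding)
```

Running it shows that `Vendor-3076-Attr-146` decodes to the ASCII string `ipsec` (the profile name the poster created) and `Vendor-3076-Attr-150` to the integer 2, which is the kind of detail worth checking when a RADIUS server accepts the user but the ASA keeps retrying.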
05-22-2018 12:03 PM
Hello All
I have fixed the problem. I was changing the ports through the wizard and it was not working, but I went through the command line, and it's working now.
webvpn
 no enable outside
 port 800
 enable outside
 anyconnect enable
 tunnel-group-list enable