Cisco Firepower 1010 AnyConnect connection failure

acdc
Level 1

Hello,

 

I'm trying to configure a new Firepower 1010 as VPN Gateway with AnyConnect.

 

The FPR-1010 is running with ASA 9.13(1) and has been successfully registered with Smart Account:

asa-test01(config)# show version

Cisco Adaptive Security Appliance Software Version 9.13(1)2
SSP Operating System Version 2.7(1.107)
Device Manager Version 7.13(1)

Compiled on Tue 22-Oct-19 19:47 PDT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.7.1.107.SPA"
Config file at boot was "startup-config"

asa-test01 up 3 days 2 hours

Hardware: FPR-1010, 6696 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Number of accelerators: 6

1: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 10
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 6887.c671.cd81, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 60
Inside Hosts : Unlimited
Failover : Disabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 0
Carrier : Disabled
AnyConnect Premium Peers : 75
AnyConnect Essentials : Disabled
Other VPN Peers : 75
Total VPN Peers : 75
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 160
Cluster : Disabled

Serial Number: XXXXXXXXXXX
Configuration register is 0x1

 

asa-test01(config)# show license summary

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: ALL-CONNECT DATA COMMUNICATIONS GMBH
Virtual Account: DEFAULT
Export-Controlled Functionality: ALLOWED
Last Renewal Attempt: None
Next Renewal Attempt: Aug 27 2022 12:55:02 CEST

License Authorization:
Status: AUTHORIZED
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Feb 28 2022 23:55:11 CET

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
Firepower 1000 ASA S... (FIREPOWER_1000_ASA_STA...) 1 AUTHORIZED
Cisco Firepower 1K S... (FPR1K-ASA-ENC) 1 AUTHORIZED

The AnyConnect webdeploy package 4.10.04071 was successfully uploaded to the FPR-1010 via TFTP.

The FPR-1010 is behind a VDSL router which forwards the following ports to the ASA.

  • TCP/22 (SSH)
  • ESP
  • UDP/500 (IPSec-Handshake)
  • UDP/4500 (IPSec Nat-T)
  • UDP/10000 (IPSec-Comm)
  • TCP/8443 (AnyConnect HTTPS)

AnyConnect uses HTTPS port 8443 since the VDSL router's web GUI is listening on TCP/443.

 

The VPN configuration for AnyConnect is the same as on older ASA models (5506-X, 5508-X).

But on the FPR-1010 the connection attempt fails after entering username and password with the following error:

 

The secure gateway has rejected the connection attempt.
A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
The following message was received from the secure gateway:
Other error

 

In the log I can find the following messages:

 

%ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:x.x.x.x/57169 to 10.8.0.1/8443
%ASA-6-725016: Device selects trust-point STAR_server-connect.net_2021 for client outside:x.x.x.x/57169 to 10.8.0.1/8443
%ASA-6-725002: Device completed SSL handshake with client outside:x.x.x.x/57169 to 10.8.0.1/8443 for TLSv1.2 session
%ASA-4-722003: IP <x.x.x.x> Error authenticating SVC connect request.
%ASA-6-725007: SSL session with client outside:x.x.x.x/57169 to 10.8.0.1/8443 terminated
%ASA-6-302014: Teardown TCP connection 1353 for outside:x.x.x.x/57169 to identity:10.8.0.1/8443 duration 0:00:00 bytes 6769 TCP Reset-O from identity
%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/57169 to 10.8.0.1/8443 flags FIN ACK on interface outside
%ASA-7-710005: TCP request discarded from x.x.x.x/57169 to outside:10.8.0.1/8443
%ASA-6-302013: Built inbound TCP connection 1354 for outside:x.x.x.x/57173 (x.x.x.x/57173) to identity:10.8.0.1/8443 (10.8.0.1/8443)
%ASA-6-716002: Group <actestwebvpn> User <test1> IP <x.x.x.x> WebVPN session terminated: User Requested.
%ASA-4-113019: Group = actestwebvpn, Username = test1, IP = x.x.x.x, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:03s, Bytes xmt: 52, Bytes rcv: 0, Reason: User Requested
%ASA-6-725001: Starting SSL handshake with client outside:x.x.x.x/57173 to 10.8.0.1/8443 for TLS session

 

What could cause this "Error authenticating SVC connect request"?
If you need more information or detailed configuration information please let me know.

9 Replies

@acdc here is what that error message says:


Error Message %ASA-4-722003: IP IP_address Error authenticating SVC connect request.

Explanation The user took too long to download and connect.

Recommended Action Increase the timeouts for session idle and maximum connect time.

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html#con_4778707

 

Hello Rob,

 

this cannot be the cause of the error; the connection error appears 1 or 2 seconds after entering the user credentials.

What is your authentication method for the profile? Can you test that from the firewall to validate it is working?

Hello Marvin,

 

we are using local auth

aaa authentication ssh console LOCAL

 

@acdc That's your authentication method for ssh. What's the auth method for the tunnel-group and group-policy used by AnyConnect?

 

Your later posting re licensing should be moot as the "show version" output you originally included indicates you have 75 AnyConnect licenses assigned via Smart licensing on this Firepower 1010 running ASA software.

Here the group-policy and tunnel-group settings:

 

group-policy actestwebvpn internal
group-policy actestwebvpn attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value actestdialin
 default-domain value all-connect.net
 address-pools value vpnpool
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 60
  anyconnect profiles value actest_client_profile type user


tunnel-group actestwebvpn type remote-access
tunnel-group actestwebvpn general-attributes
 address-pool vpnpool
 default-group-policy actestwebvpn
tunnel-group actestwebvpn webvpn-attributes
 radius-reject-message
 group-alias actestwebvpn enable
 group-url https://asa-test01.server-connect.net:8443/actestwebvpn enable
 without-csd

For authentication the local username database is used.
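The posted configuration shows only the tunnel-group and group-policy; it does not show the global webvpn section, the server certificate binding, the local user definitions, or the authentication test Marvin asked for. The following is an added example of what those pieces look like on an ASA running 9.13, written for this thread and not taken from the poster's configuration. Assumed names: the outside interface is called "outside", the uploaded package is stored as disk0:/anyconnect-win-4.10.04071-webdeploy-k9.pkg, the trustpoint is the one the syslog shows the ASA selecting (STAR_server-connect.net_2021), and <password> stands for the real user password.

```cisco
! --- Added example, not the thread's own configuration. See lead-in for assumptions.
!
! 1. Global webvpn section. The listening port must be the one the VDSL router
!    forwards (TCP/8443), and the client package must be referenced here, not
!    only uploaded to flash.
webvpn
 port 8443
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.04071-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! 2. Bind the server certificate to the outside interface (the syslog already
!    shows this trustpoint being selected for the TLS handshake).
ssl trust-point STAR_server-connect.net_2021 outside
!
! 3. Local user. The tunnel-group has no authentication-server-group, so the
!    ASA falls back to LOCAL. Give the user an explicit remote-access service
!    type and the group policy used by the tunnel-group.
username test1 password <password>
username test1 attributes
 service-type remote-access
 vpn-group-policy actestwebvpn
!
! 4. Exercise the local database from the CLI (the check Marvin asked for).
asa-test01# test aaa-server authentication LOCAL username test1 password <password>
!
! 5. Enable the AnyConnect debug, reconnect with the client, then inspect the
!    session table and the webvpn / tunnel-group configuration in effect.
asa-test01# debug webvpn anyconnect 255
asa-test01# show vpn-sessiondb anyconnect
asa-test01# show run webvpn
asa-test01# show run tunnel-group actestwebvpn
```

The configuration lines are shown as they appear in the running configuration; the lines with the asa-test01# prompt are exec-mode commands. Remember to turn the debug off afterwards with "undebug all".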

acdc
Level 1
Level 1

With older ASA models (e.g. 5506-X, 5508-X) it is possible to connect via AnyConnect without a separately purchased license; at least 2 simultaneous connections are possible.

 

Has this changed with Firepower 1000 series?

@acdc with the FTD image you do not get 2 AnyConnect licenses.

You need to purchase AnyConnect licenses separately, the minimum quantity is for 25 users.

AnyConnect Licensing Frequently Asked Questions (FAQ): this document can help you and point you in the right direction.

please do not forget to rate.