02-28-2022 08:58 AM
Hello,
I'm trying to configure a new Firepower 1010 as VPN Gateway with AnyConnect.
The FPR-1010 is running with ASA 9.13(1) and has been successfully registered with Smart Account:
asa-test01(config)# show version Cisco Adaptive Security Appliance Software Version 9.13(1)2 SSP Operating System Version 2.7(1.107) Device Manager Version 7.13(1) Compiled on Tue 22-Oct-19 19:47 PDT by builders System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.7.1.107.SPA" Config file at boot was "startup-config" asa-test01 up 3 days 2 hours Hardware: FPR-1010, 6696 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores) Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11) Driver version : 4.1.0 Number of accelerators: 6 1: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 10 3: Int: Not licensed : irq 0 4: Ext: Management1/1 : address is 6887.c671.cd81, irq 0 5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0 License mode: Smart Licensing Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 60 Inside Hosts : Unlimited Failover : Disabled Encryption-DES : Enabled Encryption-3DES-AES : Enabled Security Contexts : 0 Carrier : Disabled AnyConnect Premium Peers : 75 AnyConnect Essentials : Disabled Other VPN Peers : 75 Total VPN Peers : 75 AnyConnect for Mobile : Enabled AnyConnect for Cisco VPN Phone : Enabled Advanced Endpoint Assessment : Enabled Shared License : Disabled Total TLS Proxy Sessions : 160 Cluster : Disabled Serial Number: XXXXXXXXXXX Configuration register is 0x1
asa-test01(config)# show license summary Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Account: ALL-CONNECT DATA COMMUNICATIONS GMBH Virtual Account: DEFAULT Export-Controlled Functionality: ALLOWED Last Renewal Attempt: None Next Renewal Attempt: Aug 27 2022 12:55:02 CEST License Authorization: Status: AUTHORIZED Last Communication Attempt: SUCCEEDED Next Communication Attempt: Feb 28 2022 23:55:11 CET License Usage: License Entitlement tag Count Status ----------------------------------------------------------------------------- Firepower 1000 ASA S... (FIREPOWER_1000_ASA_STA...) 1 AUTHORIZED Cisco Firepower 1K S... (FPR1K-ASA-ENC) 1 AUTHORIZED
The AnyConnect webdeploy package 4.10.04071 was successfully uploaded to the FPR-1010 via TFTP.
The FPR-1010 is behind a VDSL router which forwards the following ports to the ASA.
AnyConnect is working via HTTPS port 8443 since the VDSL-Router WebGUI is listening on TCP/443.
The VPN configuration for AnyConnect is the same as on older ASA models (5506-X, 5508-X).
But on the FPR-1010 on connection attempts fails after entering username and password with the following error:
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentification. The following message was received from the secure gateway: Other error
In the log I can find the following messages:
%ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:x.x.x.x/57169 to 10.8.0.1/8443 %ASA-6-725016: Device selects trust-point STAR_server-connect.net_2021 for client outside:x.x.x.x/57169 to 10.8.0.1/8443 %ASA-6-725002: Device completed SSL handshake with client outside:x.x.x.x/57169 to 10.8.0.1/8443 for TLSv1.2 session %ASA-4-722003: IP <x.x.x.x> Error authenticating SVC connect request. %ASA-6-725007: SSL session with client outside:x.x.x.x/57169 to 10.8.0.1/8443 terminated %ASA-6-302014: Teardown TCP connection 1353 for outside:x.x.x.x/57169 to identity:10.8.0.1/8443 duration 0:00:00 bytes 6769 TCP Reset-O from identity %ASA-6-106015: Deny TCP (no connection) from x.x.x.x/57169 to 10.8.0.1/8443 flags FIN ACK on interface outside %ASA-7-710005: TCP request discarded from x.x.x.x/57169 to outside:10.8.0.1/8443 %ASA-6-302013: Built inbound TCP connection 1354 for outside:x.x.x.x/57173 (x.x.x.x/57173) to identity:10.8.0.1/8443 (10.8.0.1/8443) %ASA-6-716002: Group <actestwebvpn> User <test1> IP <x.x.x.x> WebVPN session terminated: User Requested. %ASA-4-113019: Group = actestwebvpn, Username = test1, IP = x.x.x.x, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:03s, Bytes xmt: 52, Bytes rcv: 0, Reason: User Requested %ASA-6-725001: Starting SSL handshake with client outside:x.x.x.x/57173 to 10.8.0.1/8443 for TLS session
What could cause this "Error authenticating SVC connect request"?
If you need more information or detailed configuration information please let me know.
02-28-2022 02:38 PM
@acdc here is what that error message says:-
Error Message %ASA-4-722003: IP IP_address Error authenticating SVC connect request.
Explanation The user took too long to download and connect.
Recommended Action Increase the timeouts for session idle and maximum connect time.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html#con_4778707
03-01-2022 12:20 AM
Hello Rob,
this could not the cause for the error, the connection errors appears 1 or 2 seconds after entering the user credentials.
03-03-2022 02:10 AM
What is your authentication method for the profile? Can you test that from the firewall to validate it is working?
03-03-2022 02:21 AM
Hello Marvin,
we are using local auth
aaa authentication ssh console LOCAL
03-21-2022 06:48 AM
@acdc That's your authentication method for ssh. What's the auth method for the tunnel-group and group-policy used by AnyConnect?
Your later posting re licensing should be moot as the "show version" output you originally included indicates you have 75 AnyConnect licenses assigned via Smart licensing on this Firepower 1010 running ASA software.
04-04-2022 02:20 AM
Here the group-policy and tunnel-group settings:
group-policy actestwebvpn internal group-policy actestwebvpn attributes vpn-tunnel-protocol ikev2 ssl-client ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value actestdialin default-domain value all-connect.net address-pools value vpnpool webvpn anyconnect keep-installer installed anyconnect dpd-interval client 60 anyconnect profiles value actest_client_profile type user tunnel-group actestwebvpn type remote-access tunnel-group actestwebvpn general-attributes address-pool vpnpool default-group-policy actestwebvpn tunnel-group actestwebvpn webvpn-attributes radius-reject-message group-alias actestwebvpn enable group-url https://asa-test01.server-connect.net:8443/actestwebvpn enable without-csd
For authentification the local username database is used.
03-21-2022 04:28 AM
With older ASA models (e. g. 5506-X, 5508-X) it is possible to connect via AnyConnect without separate purchased license, at least 2 simultan connections are possible.
Has this changed with Firepower 1000 series?
03-21-2022 04:38 AM
@acdc with the FTD image you do not get 2 anyconnect licenses.
You need to purchase AnyConnect licenses separately, the minimum quantity is for 25 users.
03-21-2022 05:35 AM
AnyConnect Licensing Frequently Asked Questions (FAQ) this document can help you and put you in right direction.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide