Community Ask Me Anything - Secure Remote Workers - Page 3

ciscomoderator · ‎03-20-2020

You can ask your question on your own language:

Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.

This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.

To participate in this event, please use the button below to ask your questions

Ask questions from Friday, March 20 to Friday, April 3, 2020

Featured experts

Divya Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.

Jonny Noble leads the Technical Marketing team for Cloud Security at Cisco, with expertise in Cisco Umbrella and surrounding technologies. For more than 20 years, Jonny has obtained experience in customer-facing disciplines for global hi-tech organizations. He also has rich experience in presenting breakout sessions and proctoring labs at Cisco Live events along with representing Cisco at numerous customer and partner events, trade shows, and exhibitions. Jonny holds degrees in Electronics, Sociology, a Business MBA, and is CISSP certified.

Aditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past seven years in Security domains such as Firewall, VPN and AAA. Aditya has delivered trainings on ASA and VPN technologies. He holds a Bachelor's degree in Information Technology. Additionally, he is a CCIE in Security (CCIE#58938). He has been a consistent contributor on Cisco Support Community and has delivered multiple sessions at Cisco Live.

Due to the anticipated volume for this high in-demand event, Divya, Aditya, Jonny might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

Riverbears ITTeam · ‎03-24-2020

Cisco ASA 5508-X cannot have more than 5 sessions at any given time.

we have purchased licensing for 100 users, i've attached our running configs in the files, if anyone is able to help point us in the right direction we would greatly appreciate it.

we have upped our allocated bandwidth from 300 Mbps to 1GB in an effort to allow more users on but we're still only able to get 5 at any given time.

Result of the command: "show vpn-sessiondb summary"

---------------------------------------------------------------------------

VPN Session Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concur : Inactive

----------------------------------------------

AnyConnect Client : 2 : 321 : 7 : 1

SSL/TLS/DTLS : 2 : 321 : 7 : 1

Clientless VPN : 0 : 20 : 3

Browser : 0 : 20 : 3

Site-to-Site VPN : 2 : 1093 : 2

IKEv2 IPsec : 2 : 1093 : 2

---------------------------------------------------------------------------

Total Active and Inactive : 5 Total Cumulative : 1434

Device Total VPN Capacity : 100

Device Load : 5%

---------------------------------------------------------------------------

Result of the command: "show vpn-sessiondb detail"

---------------------------------------------------------------------------

VPN Session Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concur : Inactive

----------------------------------------------

AnyConnect Client : 2 : 321 : 7 : 1

SSL/TLS/DTLS : 2 : 321 : 7 : 1

Clientless VPN : 0 : 20 : 3

Browser : 0 : 20 : 3

Site-to-Site VPN : 2 : 1093 : 2

IKEv2 IPsec : 2 : 1093 : 2

---------------------------------------------------------------------------

Total Active and Inactive : 5 Total Cumulative : 1434

Device Total VPN Capacity : 100

Device Load : 5%

---------------------------------------------------------------------------

Tunnels Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concurrent

----------------------------------------------

IKEv2 : 2 : 1093 : 2

IPsecOverNatT : 2 : 1094 : 2

Clientless : 0 : 20 : 3

AnyConnect-Parent : 3 : 321 : 7

SSL-Tunnel : 2 : 325 : 6

DTLS-Tunnel : 2 : 309 : 6

---------------------------------------------------------------------------

Totals : 11 : 3162

---------------------------------------------------------------------------

Divya Nair · ‎03-24-2020

Hi,

Can you confirm using the output of show vpn-session license-summary if you see 100 as the installed limit?

An example of the output on ASA 5506 is as below (see red line):

ASA5506-X(config)# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 50 : 50 : NONE
AnyConnect Essentials : DISABLED : 50 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 10 : 10 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : ENABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------

Are you seeing any Syslogs when the 6th connection comes in? You might need to increase logging to debugging temporarily for this purpose. I reviewed your config and there was nothing wrong that stood out.

Riverbears ITTeam · ‎03-24-2020

Confirming our output below.

we do show that 100 is installed limit

Result of the command: "show vpn-session license-summary"

---------------------------------------------------------------------------

VPN Licenses and Configured Limits Summary

---------------------------------------------------------------------------

Status : Capacity : Installed : Limit

-----------------------------------------

AnyConnect Premium : ENABLED : 100 : 100 : 100

AnyConnect Essentials : DISABLED : 100 : 0 : 100

Other VPN (Available by Default) : ENABLED : 100 : 100 : 100

Shared License Server : DISABLED

Shared License Participant : DISABLED

AnyConnect for Mobile : ENABLED(Requires Premium or Essentials)

Advanced Endpoint Assessment : ENABLED(Requires Premium)

AnyConnect for Cisco VPN Phone : ENABLED

VPN-3DES-AES : ENABLED

VPN-DES : ENABLED

---------------------------------------------------------------------------

VPN Licenses Usage Summary

---------------------------------------------------------------------------

All : Peak : Eff. :

In Use : In Use : Limit : Usage

---------------------------------

AnyConnect Premium : : 4 : 8 : 100 : 4%

Anyconnect Client : : 4 : 7 : 100 : 4%

Clientless VPN : : 0 : 3 : 100 : 0%

Other VPN : : 2 : 3 : 100 : 2%

L2TP Clients

Site-to-Site VPN : : 2 : 2 : 100 : 2%

---------------------------------------------------------------------------

Result of the command: "show vpn-session license-summary"

---------------------------------------------------------------------------

VPN Licenses and Configured Limits Summary

---------------------------------------------------------------------------

Status : Capacity : Installed : Limit

-----------------------------------------

AnyConnect Premium : ENABLED : 100 : 100 : 100

AnyConnect Essentials : DISABLED : 100 : 0 : 100

Other VPN (Available by Default) : ENABLED : 100 : 100 : 100

Shared License Server : DISABLED

Shared License Participant : DISABLED

AnyConnect for Mobile : ENABLED(Requires Premium or Essentials)

Advanced Endpoint Assessment : ENABLED(Requires Premium)

AnyConnect for Cisco VPN Phone : ENABLED

VPN-3DES-AES : ENABLED

VPN-DES : ENABLED

---------------------------------------------------------------------------

VPN Licenses Usage Summary

---------------------------------------------------------------------------

All : Peak : Eff. :

In Use : In Use : Limit : Usage

---------------------------------

AnyConnect Premium : : 4 : 8 : 100 : 4%

Anyconnect Client : : 4 : 7 : 100 : 4%

Clientless VPN : : 0 : 3 : 100 : 0%

Other VPN : : 2 : 3 : 100 : 2%

L2TP Clients

Site-to-Site VPN : : 2 : 2 : 100 : 2%

---------------------------------------------------------------------------

Aditya Ganjoo · ‎03-24-2020

Please share the output of show run vpn-sessiondb, also could you share logs when you see this issue?

Regards,

Aditya

Riverbears ITTeam · ‎03-25-2020

hello,

here is the output you requested:

TBROG-FW-01# show run vpn-sessiondb
vpn-sessiondb max-other-vpn-limit 100
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 100
TBROG-FW-01#

can you advise what logs you're wanting to see? I have below my latest successful attempt from external ip 71.195.58.236. any other attempts after our 6th connection i can no longer see any logs generated.

6|Mar 25 2020|08:10:05|722022|||||Group <GroupPolicy_VPN> User <USER> IP <71.195.58.236> UDP SVC connection established without compression
5|Mar 25 2020|08:10:05|722033|||||Group <GroupPolicy_VPN> User <USER> IP <71.195.58.236> First UDP SVC connection established for SVC session.
6|Mar 25 2020|08:10:05|725002|71.195.58.236|59949|||Device completed SSL handshake with client Outside:71.195.58.236/59949 to 50.234.X.XX/443 for DTLSv0.9 session
6|Mar 25 2020|08:10:05|725003|71.195.58.236|59949|||SSL client Outside:71.195.58.236/59949 to 50.234.2.58/443 request to resume previous session
6|Mar 25 2020|08:10:05|725001|71.195.58.236|59949|||Starting SSL handshake with client Outside:71.195.58.236/59949 to 50.234.X.XX/443 for DTLS session
6|Mar 25 2020|08:10:05|725001|71.195.58.236|59949|||Starting SSL handshake with client Outside:71.195.58.236/59949 to 50.234.X.XX/443 for DTLS session
4|Mar 25 2020|08:10:01|722051|||||Group <GroupPolicy_VPN> User <USER> IP <71.195.58.236> IPv4 Address <192.168.99.150> IPv6 address <::> assigned to session
6|Mar 25 2020|08:10:01|722055|||||Group <GroupPolicy_VPN> User <USER> IP <71.195.58.236> Client Type: Cisco AnyConnect VPN Agent for Windows 4.2.03013
6|Mar 25 2020|08:10:01|722022|||||Group <GroupPolicy_VPN> User <USER> IP <71.195.58.236> TCP SVC connection established without compression

Divya Nair · ‎03-25-2020

Hi,

Can you send us the following when trying to connect the 6th client:

debug webvpn 255
debug webvpn anyconnect 255
DART bundle after the failed 6th connection.

Riverbears ITTeam · ‎03-25-2020

i believe that is outside of my scope of abilities or i am not familiar with how to generate and access those logs.

is there a guide that i could follow to get this log output?

Divya Nair · ‎03-25-2020

Hi,

For the debugs, you will need to login to the ASA CLI and enable the following commands just before you attempt the 6th connection:

ASA5506-X# debug webvpn anyconnect 255

ASA5506-X# debug webvpn 255

DART is essentially a diagnostics module that can be used to collate client-side logs into one location. The following link walks through the steps to set it up - https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025

However, if it is easier for you, then opening a TAC case might be better so that the engineer can intiate a remote session to troubleshoot.

Aditya Ganjoo · ‎03-25-2020

That's strange. Could you bump the logging level to debug and then test the 6th connection?

Also, did you test with different usernames?

I would have asked for other debugs like debug webvpn anyconnect 255 and then test it but I am not sure about the resource usage on the Firewall.

Regards,

Aditya

HansMartinMosner74305 · ‎03-25-2020

Hello, I'm using AnyConnect 4.3.05017 (Windows 7) to connect to a corporate network at the moment (COVID-19...) and I'm affected by a known problem for which there is apparently no solution:

While AnyConnect is active, it is not possible to install other routes into the routing table. However, as part of my work, I need to access a VirtualBox virtual machine which is accessible through virtual network adapters. Whenever I start the virtual machine, AnyConnect removes the routing table entry. These are the event data entries:

A routing table change notification has been received. Starting automatic correction of the routing table.

Routing table - fixed - deleted route
Destination Netmask Gateway IfAddr IfName IfIndex LL Metric
192.168.66.0 255.255.255.0 0.0.0.0 192.168.66.1 VirtualBox Host-Only Network 16 Y 1

Automatic correction of the routing table has been successful.

I understand that keeping control of the routing table is a security feature, but in this case (and several others reported on the internet) it makes it impossible for me to do my assigned work. What can be done? Is there a configuration option either on the client or server side that could be utilized to fix this misbehavior?

Aditya Ganjoo · ‎03-25-2020

Did you try using Split-Exclude Tunneling: With this method, you are telling the device to specify what traffic you aren't going to send through the tunnel?

Regards,

Aditya

HansMartinMosner74305 · ‎03-25-2020

Thank you, this is likely to be helpful!

Apparently, local LAN access is disabled in the ASA, so I cannot enable it in the client (as I'm just a developer, not network admin). But I can ask the administrators to enable that functionality according to the info at https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html, this will most likely result in a working configuration.

Aditya Ganjoo · ‎03-25-2020

Sure keep us posted.

Modérateur Cisco · ‎03-25-2020

Hello

I have a donation of a Dual telepresence and I would like to use it but I do not have a username or password.

Can you help me? I have an unregistered IP address

* This question is a translation of a post originally created in French by FranckBourasseau50897. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

Divya Nair · ‎04-06-2020

Hi,

This looks like a question for the Collaboration team at https://community.cisco.com/t5/collaboration-voice-and-video/ct-p/4691-collaboration-voice-video

This AMA is for Remote Access VPN, but folks should be able to help in the link above.