Anyconnect 4.2 not working with older site versions.

davidsonyo
Level 1

Hey all,

We have upgraded our AnyConnect VPN to version 4.2.030013, and ever since we cannot connect to sites which have version 3.1.05182. Users cannot connect to these sites; this is the error message they get:

"Connection attempt failed. Please try again."

2016.07.26.
     9:06:38    Ready to connect.
     9:10:09    Contacting XXXXXXXXXX.ddns.net.
     9:10:23    Connection attempt has failed.
     9:10:33    Connection attempt has failed.
     9:10:43    Connection attempt has failed.
     9:10:53    Connection attempt has failed.

But if we use an older version than 4.X it works fine.

Is anyone familiar with this issue? As far as I know, AnyConnect should be backward compatible with almost any version.

Thanks in advance.

David.



Yes I have this problem too.  With Version 4 and above I can't print now but before this with Ver 3++ I can print.  I tried to uninstall and reinstall but still it auto updates.  Any way to downgrade with it auto updating?

Dina Odeh
Level 1

Hi David, 

At what phase did the VPN fail? Did it fail at the SSL phase, for example?

Try to collect these logs from the ASA at the time of the issue:

#logging class ssl monitor debugging

#logging class svc monitor debugging

#logging class webvpn monitor debugging

#logging class auth monitor debugging

#terminal monitor

You will see the logs on the screen upon failed connection. Collect them please and attach them here. 

Once you are done you can remove the logs above. 

Hello Dina,

The problem exists on the Cisco ISR router which has version 3.1.05182 of AnyConnect.

I have run this command "debug webvpn" but the output has no useful info in it:

Jul 27 09:22:00.380 CET: WV: Tunneled data packet was sent
Jul 27 09:22:00.380 CET: WV: sslvpn process rcvd context queue event
Jul 27 09:22:00.408 CET: WV: sslvpn process rcvd context queue event
Jul 27 09:22:00.432 CET: WV: sslvpn process rcvd context queue eventl
All possible debugging has been turned off
C2901_Internet#
Jul 27 09:22:00.432 CET: WV: Entering APPL with Context: 0x314CB268,
      Data buffer(buffer: 0x3153AB80, data: 0xD9E1ED8, len: 85,
      offset: 0, domain: 0)
Jul 27 09:22:00.432 CET: WV: Tunneled data packet was sent
Jul 27 09:22:00.464 CET: WV: sslvpn process rcvd context queue event
Jul 27 09:22:00.496 CET: WV: sslvpn process rcvd context queue event
Jul 27 09:22:00.496 CET: WV: Entering APPL with Context: 0x314CB268,
      Data buffer(buffer: 0x3153AB80, data: 0xD9E09D8, len: 85,
      offset: 0, domain: 0)

Then I ran "debug webvpn data":

Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 3:sslvpn_sslrecord_parser(),line 214:Process received 112-byte new packet
Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 4:sslvpn_sslrecord_header(),line 130:Dump received 5-byte SSL header: 16 03 02 00 6B
Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 1:sslvpn_sslrecord_header(),line 189:Incorrect SSL header format: 16 03 02 00 6B

debug webvpn count:

Jul 27 09:22:44.376 CET: WV-COUNT: Allocating context 0x314CA4E8
Jul 27 09:22:49.328 CET: WV-COUNT: Context cleanup invoke: 0x314CA4E8,
Jul 27 09:22:49.328 CET: WV-COUNT: Freed context 0x314CA4E8
Jul 27 09:22:49.568 CET: WV-COUNT: Allocating context 0x314CA4E8
Jul 27 09:22:54.448 CET: WV-COUNT: Context cleanup invoke: 0x314CA4E8,
Jul 27 09:22:54.448 CET: WV-COUNT: Freed context 0x314CA4E8
Jul 27 09:22:54.504 CET: WV-COUNT: Allocating context 0x314CA4E8
Jul 27 09:22:54.560 CET: WV-COUNT: Allocating context 0x314CA728

If we use an older client than 4.X, it works nice and easy.

Thanks.

David.
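An added example, not part of the original post: the five bytes the router logs as "Incorrect SSL header format" follow the standard TLS record header layout (content type, version, length). The parser below decodes them from the quoted debug lines and checks the length against the packet size logged just before; the function names are illustrative.

```python
import re
import struct

# Constructed sample: the three "debug webvpn data" lines quoted in the post above.
DEBUG_LINES = """\
Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 3:sslvpn_sslrecord_parser(),line 214:Process received 112-byte new packet
Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 4:sslvpn_sslrecord_header(),line 130:Dump received 5-byte SSL header: 16 03 02 00 6B
Jul 27 09:18:39.916 CET: WV-SSL-REC-PARSER: Sev 1:sslvpn_sslrecord_header(),line 189:Incorrect SSL header format: 16 03 02 00 6B
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

REJECTED_RE = re.compile(r"Incorrect SSL header format: ((?:[0-9A-Fa-f]{2} ){4}[0-9A-Fa-f]{2})")
PACKET_RE = re.compile(r"received (\d+)-byte new packet")

def decode_record_header(hex_bytes):
    """Decode a 5-byte TLS record header given as space-separated hex."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", raw)
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
        "payload_len": length,
        "record_len": length + 5,  # header plus payload
    }

def analyse(log_text):
    """Decode every rejected header and compare it with the last packet size seen."""
    findings, packet_len = [], None
    for line in log_text.splitlines():
        size = PACKET_RE.search(line)
        if size:
            packet_len = int(size.group(1))
        rejected = REJECTED_RE.search(line)
        if rejected:
            hdr = decode_record_header(rejected.group(1))
            hdr["fills_packet"] = hdr["record_len"] == packet_len
            findings.append(hdr)
    return findings

if __name__ == "__main__":
    for finding in analyse(DEBUG_LINES):
        print(finding)
```

The rejected header decodes as a TLS 1.1 handshake record whose length accounts for the whole 112-byte packet, so the bytes themselves are well formed.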

Could you share the VPN config part from the router, please?

Try to change the SSL ciphers and see if this helps.

webvpn context Company_Context2
 title "Company SSL VPN Service"
 ssl authenticate verify all
 !
 login-message "Please Enter your Credential:"
 !
 policy group Company_GP
   functions svc-enabled
   svc address-pool "vpnpool" netmask 255.255.255.0
   svc default-domain "company.net"
   svc keep-client-installed
   svc split include acl split_acl
   svc dns-server primary 10.111.XXX.2
   svc dns-server secondary 10.111.XXX.3
 default-group-policy Company_GP
 aaa authentication list comanyvpn
 gateway company_GW2
 inservice
!

webvpn gateway company_GW
 ip interface Dialer1 port 443
 ssl encryption rc4-md5
 ssl trustpoint company_trustpoint
 inservice

webvpn install svc flash0:/webvpn/anyconnect-win-3.1.05182-k9.pkg sequence 1

So what should it be changed to?

I guess the ssl encryption rc4-md5 should be changed.

Anything else?

Thanks in advance.

David.

Yes, AnyConnect 4 no longer supports RC4.

Change it to stronger ciphers like AES and SHA.

Let me know please if this helped. 

Yes, it did work! Thank you very much for your help.

David.
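The fix discussed in this thread, turned into a check that can be run over saved router configurations before clients are upgraded. This is an added example, not from the thread's participants: the second gateway (`lab_GW`) and its `aes-sha1` keyword are assumptions used for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: the gateway block posted in the thread plus a hypothetical
# second gateway. "aes-sha1" is an assumed cipher keyword, used for illustration.
SAMPLE_CONFIG = """\
webvpn gateway company_GW
 ip interface Dialer1 port 443
 ssl encryption rc4-md5
 ssl trustpoint company_trustpoint
 inservice
!
webvpn gateway lab_GW
 ip interface Dialer1 port 8443
 ssl encryption aes-sha1
 inservice
!
webvpn context Company_Context2
 gateway company_GW
 inservice
"""

def gateway_ciphers(config_text):
    """Map each 'webvpn gateway' name to the suites on its 'ssl encryption' line."""
    gateways, current = {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # an unindented line opens a new top-level block
            match = re.match(r"webvpn gateway (\S+)", line)
            current = match.group(1) if match else None
            if current:
                gateways[current] = []
        elif current and line.strip().startswith("ssl encryption "):
            gateways[current].extend(line.split()[2:])
    return gateways

def audit(config_text):
    """Report, per gateway, which configured suites are RC4 and whether RC4 is all it offers."""
    report = {}
    for name, suites in gateway_ciphers(config_text).items():
        rc4 = [s for s in suites if s.lower().startswith("rc4")]
        report[name] = {
            "suites": suites,
            "rc4": rc4,
            # RC4-only gateways are the ones AnyConnect 4.x cannot negotiate with
            "rc4_only": bool(suites) and len(rc4) == len(suites),
        }
    return report

if __name__ == "__main__":
    for gateway, result in audit(SAMPLE_CONFIG).items():
        print(gateway, result)
```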