Some AnyConnect Clients Cannot Connect to ASA 5505

remitprosupport
Level 1

Hello all. I have an ASA 5505 that has had a working configuration with several AnyConnect clients using dual authentication for weeks now. My normal process for adding new users has been to configure the user in both authentication databases and the onboard certificate authority, have the user connect to the outside IP of our firewall with IE, download the P12 cert after entering their OTP and then connecting once the cert's imported to download AnyConnect.

I had to add a new user a couple days ago and curiously IE (8) on their computer could not connect to the outside interface of our firewall, as if the laptop had no internet connectivity. I could telnet to port 443 from a command-line, and could even hit it with Firefox (which I ended up doing to download the P12 cert...). I can hit other SSL-enabled and standard websites from IE as well as Firefox. In addition, because AnyConnect seems to rely on the same mechanism to connect as IE does, AnyConnect can't connect either.

I then tested using a previously working laptop fully configured with AnyConnect and a certificate and now it can't connect. There are other previously working laptops that still work, which only makes the issue more clouded.

In watching the logs on the firewall, when one of these non-working computers attempts to connect they hit the firewall, a connection is opened and the SSL handshake is started, but it's never finished and the connection is torn down. Working computers complete the handshake as expected and a tunnel is opened.

I've checked IE forums for this issue and none of the fixes found therein seem to apply or work. Since this issue seems to only affect IE and AnyConnect's ability to connect to my firewall I have to assume the issue is there.

I haven't rebooted my firewall to flush memory, but absent another recommendation I think that's my next step. Thanks in advance...

Dan

1 Reply

remitprosupport
Level 1

Just answered my own question. I decided to look at the Advanced/SSL Settings page and noticed the SSL version for the security appliance as a "Server" was set to TLSv1 only. I know I configured it that way at the time, but why working AnyConnect clients stopped being able to negotiate at that level is a mystery. If I find out what changed (likely an IE update) I'll be sure to post the results.
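The symptom in the thread (a handshake that starts and is then torn down) is what a client sees when the server has no TLS version in common with the ones the client offered, which is why pinning the ASA's server side to TLSv1 only broke some clients and not others. The following is an added example, not code from the thread or from Cisco: it models the server's version selection rule and includes a probe that attempts one handshake per TLS version against a host you name, so you can see from the client side which versions the appliance actually completes. The host name is a placeholder you supply; nothing else is assumed.

```python
import socket
import ssl

# TLS versions in order from oldest to newest, as ssl.TLSVersion values.
TLS_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def negotiated_version(client_offers, server_allows):
    """Model the server side of version selection: the server takes the
    newest version it allows that the client also offered. If there is
    none, it aborts with a protocol_version alert, which is the 'handshake
    started but never finished' seen in the firewall log."""
    order = [name for name, _ in TLS_VERSIONS]
    common = [v for v in order if v in client_offers and v in server_allows]
    return common[-1] if common else None


def probe_tls_versions(host, port=443, timeout=5.0):
    """Try one handshake per TLS version against host:port and report the
    outcome for each. Certificate checks are disabled because the question
    is version negotiation, not trust (the ASA uses its own onboard CA)."""
    results = {}
    for name, version in TLS_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Pin the client to exactly one version for this attempt.
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = "not available in local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok (%s)" % tls.version()
        except (ssl.SSLError, OSError) as exc:
            # A server pinned to a version the client did not offer fails here.
            results[name] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    # "vpn.example.invalid" is a placeholder; replace it with the ASA's outside address.
    for ver, outcome in probe_tls_versions("vpn.example.invalid").items():
        print("%-8s %s" % (ver, outcome))
```

Old versions such as TLSv1 are often disabled by the local OpenSSL security policy, so a "failed" result for them tells you about the probing machine as much as the server; the per-version error text distinguishes the two.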