Anyconnect 2.4 and ASA 8.2.1: Unable to connect

polygon (Level 1)

Everything is configured as written in the config guides. I have also tried configuring AnyConnect through ASDM, but no success. I had a previously working config for ASA 8.0 and older AnyConnect version, but that is not working either.

I get the following error message while debugging on the ASA:

Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 192.168.10.1/255.255.255.0
webvpn_cstp_accept_ipv6_address: No IPv6 Address
CSTP state = HAVE_ADDRESS
SVC: NP setup
np_svc_create_session(0x36000, 0xD5291340, TRUE)
webvpn_svc_np_setup
SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1
vpn_put_uauth success!
SVC IPv6 ACL Name: NULL
SVC IPv6 ACL ID: -1
SVC: adding to sessmgmt
SVC: Sending response
Unable to initiate NAC, NAC might not be enabled or invalid policy
CSTP state = CONNECTED
webvpn_rx_data_cstp
webvpn_rx_data_cstp: got message
SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).

and in the Windows Event logs:

Function: CSslTunnelTransport::postSocketConnectProcessing
File: .\SslTunnelTransport.cpp
Line: 1360
Opened SSL socket from 127.0.0.1 to 200.100.50.1

Function: CVpnMgr::OnVpnTunnelInitiateComplete
File: .\VpnMgr.cpp
Line: 3966
Invoked Function: CTlsTunnelMgr::initiateTunnel
Return Code: -32571377 (0xFE0F000F)
Description: NETINTERFACE_ERROR_INTERFACE_NOT_AVAILABLE

Function: CVpnMgr::main
File: .\VpnMgr.cpp
Line: 1484
Invoked Function: CVpnMgr::initiateTunnel
Return Code: -32899056 (0xFE0A0010)
Description: VPNMGR_ERROR_TERMINATING

The VPN client has sent a close message to the gateway:
Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).

I have tried to connect from different machines, and I also tried this on another ASA, but without success.

This is my latest config:

hostname ciscoasa
enable password ******* encrypted
passwd ******* encrypted
names
name 200.100.50.1 internet_ip description External IP
name 192.168.10.0 VPN
!
interface Vlan1
  nameif office
  security-level 90
  ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
  nameif internet
  security-level 0
  pppoe client vpdn group ADSL
  ip address pppoe setroute
!
interface Ethernet0/0
  switchport access vlan 2
!
...
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internet_access_in extended permit tcp any host internet_ip eq 443
access-list office_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN 255.255.255.0
...
mtu office 1500
mtu internet 1500
ip local pool IPPOOL 192.168.10.1-192.168.10.10 mask 255.255.255.0
no failover
...
global (internet) 1 interface
nat (office) 0 access-list office_nat0_outbound
nat (office) 1 192.168.0.0 255.255.255.0
access-group internet_access_in in interface internet
...
dynamic-access-policy-record DfltAccessPolicy
eou allow none
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 office
http 0.0.0.0 0.0.0.0 internet
http redirect internet 80
...
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=200.100.50.1,O=XY,C=HU
  ip-address internet_ip
  id-usage ssl-ipsec code-signer
  crl configure
crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  crl configure
crypto ca server publish-crl internet 80
crypto ca certificate chain ASDM_TrustPoint0
  certificate 5b29684b
    ****
  quit
crypto ca certificate chain LOCAL-CA-SERVER
  certificate ca 01
    ****
  quit
crypto isakmp enable internet
crypto isakmp policy 5
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 5
  lifetime 86400
crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
telnet 192.168.0.0 255.255.255.0 office
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 office
ssh 0.0.0.0 0.0.0.0 internet
ssh timeout 60
console timeout 0
vpdn group ADSL request dialout pppoe
vpdn group ADSL localname Something@fixip
vpdn group ADSL ppp authentication pap
vpdn username Something@fixip password *********
dhcpd auto_config internet
!
ntp server 148.6.0.1 source internet prefer
ntp server 192.33.96.102 source internet prefer
ntp server 87.229.111.33
ntp server 217.20.135.253
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 internet
webvpn
  enable internet
  svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
  svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
  svc enable
group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  address-pools value IPPOOL
  webvpn
    svc ask none default svc
username Demo password ***** encrypted privilege 15
!
!
prompt hostname context


We are using ASA5510 and Windows XP SP3 (Hungarian) clients.

We also have ESET Smart Security installed, but I tried to disable it before connecting. It doesn't seem to matter, however.

Can anyone help me?

Thanks

Message was edited by: polygon
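A small triage script for the two logs quoted above, added here as an example (it is not part of the post and not a Cisco tool): it parses the ASA debug output and the AnyConnect client event log and reports which side the failure sits on. The gateway side reached CSTP state CONNECTED and assigned a pool address, while the client's first error names the network interface, so the script points at the client's virtual adapter rather than the ASA. The sample log text is constructed from the excerpts in the post.

```python
import re

# Constructed excerpts of the ASA "debug webvpn svc" output and the AnyConnect client log.
ASA_DEBUG = """\
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 192.168.10.1/255.255.255.0
CSTP state = HAVE_ADDRESS
CSTP state = CONNECTED
SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
"""

CLIENT_LOG = """\
Invoked Function: CTlsTunnelMgr::initiateTunnel
Return Code: -32571377 (0xFE0F000F)
Description: NETINTERFACE_ERROR_INTERFACE_NOT_AVAILABLE
Invoked Function: CVpnMgr::initiateTunnel
Return Code: -32899056 (0xFE0A0010)
Description: VPNMGR_ERROR_TERMINATING
"""

STATE_RE = re.compile(r"^CSTP state = (\w+)", re.M)
ADDR_RE = re.compile(r"^webvpn_cstp_accept_address: (\S+)", re.M)
SVC_MSG_RE = re.compile(r"^SVC message: t/s=\d+/\d+: (.+)$", re.M)
CLIENT_RE = re.compile(
    r"Invoked Function: (\S+)\s+Return Code: (-?\d+) \((0x[0-9A-Fa-f]+)\)\s+Description: (\w+)")

def parse_asa_debug(text):
    """Collect the CSTP state sequence, the assigned address and client-sent SVC messages."""
    addr = ADDR_RE.search(text)
    return {"states": STATE_RE.findall(text),
            "address": addr.group(1) if addr else None,
            "svc_messages": SVC_MSG_RE.findall(text)}

def parse_client_log(text):
    """Return each failed call in the client log with its numeric and symbolic result."""
    return [{"function": f, "code": int(c), "hex": h, "description": d}
            for f, c, h, d in CLIENT_RE.findall(text)]

def triage(asa, client):
    """Gateway finished CSTP setup (CONNECTED plus an address) and the first client
    error is a NETINTERFACE_* code: look at the client's virtual adapter, not the ASA."""
    gateway_ok = "CONNECTED" in asa["states"] and asa["address"] is not None
    first = client[0]["description"] if client else ""
    if gateway_ok and first.startswith("NETINTERFACE_"):
        return "client-side: gateway reached CONNECTED and assigned " + asa["address"]
    if not gateway_ok:
        return "gateway-side: CSTP never reached CONNECTED (states: %s)" % ", ".join(asa["states"])
    return "unclassified: first client error " + (first or "none")
```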

1 Reply

john-caruso (Level 1)

I had the same problem. No contract, no TAC help. Just backed down to the AnyConnect that did not mention DART, which was anyconnect-win-2.3.2016-k9.pkg.

I wanted to use 2.4.1012 for its Retain VPN on Windows Logoff feature, but just settled for the anyconnect-gina-win-2.3.2016-pre-deploy-k9 for that AnyConnect version.