08-04-2017 02:20 PM - edited 02-21-2020 09:23 PM
I am implementing AnyConnect ver 4.5 on an ASA running 9.4 code, using IKEv2; I turned off SSL. It works well except at a co-worker's home. She uses a new Linksys router (waiting on the model number). The connection fails because the ASA does not see the 2nd IKE_AUTH packet, which is a fragment of the 1st IKE_AUTH packet. See attached - laptop_Connected_To_Linksys & in_front_of_asa for Wireshark captures.
The laptop can tether to 2 different Cell phones & carriers and Guest wireless at the office and AnyConnect works perfectly.
This laptop is running Win 7 64-bit, and the old Cisco VPN Client (IKEv1) works perfectly behind this same Linksys router.
I have changed the ASA so AnyConnect uses SSL, and this laptop works when connected to the Linksys router.
We have connected the laptop to the Linksys router both wireless and wired with the same results: it works with AnyConnect SSL and the old VPN client (IKEv1), just not with the IKEv2 protocol.
I thought about increasing the MTU size on the client since the IKE_Auth message length is 622 and the Fragmented packet length is 194.
I could switch to SSL but I think IKEv2 is more robust.
Any Ideas?
Thanks
Charlie
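An added example (not from the original post or the attached captures) for checking exactly the symptom described above: it parses the IKEv2 header and the RFC 7383 Encrypted Fragment payload of each UDP payload and reports, per Message ID, which fragments never arrived. The two datagrams at the bottom are constructed test data, not the real IKE_AUTH traffic; to use it on the captures, feed it the UDP payloads exported from Wireshark for port 500 or 4500.

```python
import struct

# IKEv2 header (RFC 7296): SPIi, SPIr, next payload, version, exchange type, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_AUTH = 35
ENCRYPTED_FRAGMENT = 53          # RFC 7383 "Encrypted and Authenticated Fragment" payload


def parse_ike(datagram):
    """Return (msg_id, exchange_type, frag_num, frag_total) for one UDP payload.
    frag_num/frag_total are None when the message is not RFC 7383 fragmented."""
    if datagram[:4] == b"\x00\x00\x00\x00":   # NAT-T on UDP 4500 prefixes a 4-byte non-ESP marker
        datagram = datagram[4:]
    _spi_i, _spi_r, nxt, ver, exch, _flags, msg_id, _length = IKE_HDR.unpack_from(datagram)
    if ver >> 4 != 2:
        raise ValueError("not an IKEv2 header")
    if nxt != ENCRYPTED_FRAGMENT:
        return msg_id, exch, None, None
    # generic payload header (4 bytes) is followed by Fragment Number and Total Fragments
    frag_num, frag_total = struct.unpack_from("!HH", datagram, IKE_HDR.size + 4)
    return msg_id, exch, frag_num, frag_total


def missing_fragments(datagrams):
    """Map msg_id -> sorted fragment numbers that were never seen (only incomplete messages)."""
    seen = {}
    for d in datagrams:
        msg_id, _exch, num, total = parse_ike(d)
        if num is None:
            continue
        seen.setdefault(msg_id, (total, set()))[1].add(num)
    return {m: sorted(set(range(1, t + 1)) - s) for m, (t, s) in seen.items() if len(s) < t}


def build_fragment(msg_id, num, total, body):
    """Constructed test datagram (not a real capture): IKE_AUTH header + one fragment payload.
    The encrypted data/ICV are replaced by an opaque body since only the framing matters here."""
    payload = struct.pack("!BBH", 0, 0, 8 + len(body)) + struct.pack("!HH", num, total) + body
    hdr = IKE_HDR.pack(b"\x01" * 8, b"\x02" * 8, ENCRYPTED_FRAGMENT, 0x20, IKE_AUTH,
                       0x08, msg_id, IKE_HDR.size + len(payload))   # 0x08 = Initiator flag
    return hdr + payload


if __name__ == "__main__":
    client_side = [build_fragment(1, 1, 2, b"A" * 40), build_fragment(1, 2, 2, b"B" * 20)]
    asa_side = client_side[:1]                    # the router never forwarded fragment 2
    print("client:", missing_fragments(client_side), "asa:", missing_fragments(asa_side))
```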
08-23-2017 09:31 AM
I switched AnyConnect to SSL from IKEv2, and it works every time behind the Linksys. Gave up on IKEv2.
08-11-2017 02:45 PM
Hi,
Some Linksys devices have the option to enable VPN pass through option.
Is this option set at the Linksys Router?
08-14-2017 02:11 PM
The VPN passthrough option is on. Cisco's old VPN client IKEv1 works fine with this router.
Working with Linksys to see if their latest F/W 1.0.7.18120, released July 6, 2017 was made available to the routers and if there were any changes to VPN passthru for IKEv2.
We updated to AnyConnect ver. 4.5.01.044 last week and AC with IKEv2 worked, downgraded back to Anyconnect ver. 4.5.00058 and it also worked. I did not make any changes on the ASA and I am currently running 9.6.3-1 on the ASA.
08-17-2017 02:20 PM
08-13-2017 03:03 PM
Can you attach the capture from the client? Look for any ICMP errors received.
08-14-2017 02:19 PM
There are 2 ICMP packets from the Linksys WAN (public IP) to the private IP address.
Both are Destination Unreachable messages. These messages are not being generated by the ASA.
08-14-2017 11:23 PM
Interesting. Can you please share those two packets? What are the two original packets corresponding to those?
08-15-2017 04:31 PM
I was wrong, the 2 ICMP packets are from another public IP, not the Linksys WAN interface and the Linksys was blocking it.
08-15-2017 11:26 PM
Hi Charlie,
Can I see the captures?
Moh,
08-16-2017 09:43 AM
08-21-2017 11:18 PM
Hi,
Please update to the latest client available on the site and give it a try.
Moh,