AnyConnect Client 4.5 IKE_Auth Fails when behind new Linksys Router

charlie-hall
Level 1

I am implementing AnyConnect ver 4.5 on an ASA running 9.4 code, using IKEv2; I turned off SSL. It works well except at a co-worker's home. She uses a new Linksys router (waiting on the model number). The connection fails because the ASA does not see the 2nd IKE_AUTH packet, which is a fragment of the 1st IKE_AUTH packet. See attached (laptop_Connected_To_Linksys and in_front_of_asa) for Wireshark captures.

The laptop can tether to 2 different cell phones and carriers, and to the guest wireless at the office, and AnyConnect works perfectly.

This laptop is running Win 7 64-bit, and the old Cisco VPN Client (IKEv1) works perfectly behind this same Linksys router.

I have changed the ASA so AnyConnect uses SSL, and this laptop works when connected to the Linksys router.

We have connected the laptop to the Linksys router both wireless and wired with the same results: it works with AnyConnect SSL and the old VPN client (IKEv1), just not with the IKEv2 protocol.

I thought about increasing the MTU size on the client, since the IKE_AUTH message length is 622 and the fragmented packet length is 194.

I could switch to SSL but I think IKEv2 is more robust.

Any Ideas?

Thanks

Charlie
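The check the post is doing by eye in Wireshark (did every IP fragment of the IKE_AUTH datagram reach the far side?) written out in code. This is an added example, not part of the original post and not Cisco tooling. The attached captures are not on the page, so the packets are constructed in-line; the addresses, the IP ID and the 480-byte MTU are assumptions, chosen so that a 622-byte IKE message on UDP/500 splits into a 476-byte first fragment and a 194-byte trailing fragment.

```python
"""Does every IP fragment of an IKE datagram reach the far side?

Added example; not from the original post or from Cisco. The capture files
attached to the post are not on the page, so the packets below are built
in-line. Addresses, IP ID and the 480-byte MTU are assumptions.
"""
import socket
import struct
from collections import defaultdict

IPPROTO_UDP = 17
IKE_PORTS = {500, 4500}  # IKEv2, plain and NAT-T encapsulated


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over the IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident, more_frags, offset_bytes, payload, proto=IPPROTO_UDP):
    """One IPv4 packet without options; offset_bytes must be a multiple of 8."""
    assert offset_bytes % 8 == 0
    flags_frag = (0x2000 if more_frags else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP datagram; a zero checksum is legal over IPv4 and keeps this short."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ident, datagram, mtu):
    """Split a UDP datagram into IPv4 fragments the way a host would for `mtu`."""
    chunk = (mtu - 20) // 8 * 8            # fragment data must be 8-byte aligned
    frags = []
    for off in range(0, len(datagram), chunk):
        piece = datagram[off:off + chunk]
        more = off + len(piece) < len(datagram)
        frags.append(build_ipv4(src, dst, ident, more, off, piece))
    return frags


def parse_ipv4(pkt):
    """Pull the fields reassembly needs out of a raw IPv4 packet."""
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
            "proto": proto, "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


def ike_fragment_report(packets):
    """Group IP fragments by (src, dst, IP ID) and report whether each IKE datagram
    can be reassembled. `missing` lists byte ranges never seen; an end of None
    means the final (MF=0) fragment never arrived, so the true length is unknown."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] != IPPROTO_UDP or (not p["mf"] and p["offset"] == 0):
            continue                                    # whole datagram, not a fragment
        groups[(p["src"], p["dst"], p["id"])].append(p)
    report = {}
    for key, frags in groups.items():
        first = next((f for f in frags if f["offset"] == 0), None)
        if first is not None:                           # only the first fragment carries the UDP ports
            ports = set(struct.unpack("!HH", first["payload"][:4]))
            if not ports & IKE_PORTS:
                continue
        last = next((f for f in frags if not f["mf"]), None)
        total = last["offset"] + len(last["payload"]) if last else None
        missing, cursor = [], 0
        for start, end in sorted((f["offset"], f["offset"] + len(f["payload"])) for f in frags):
            if start > cursor:
                missing.append((cursor, start))
            cursor = max(cursor, end)
        if total is None:
            missing.append((cursor, None))
        elif cursor < total:
            missing.append((cursor, total))
        report[key] = {"complete": not missing, "received": len(frags),
                       "expected_len": total, "missing": missing}
    return report


def demo():
    """Constructed scenario: a 622-byte IKE_AUTH on UDP/500 leaves the laptop as two
    fragments; only the first is seen in front of the ASA. Returns both reports."""
    ike_auth = bytes(622)                  # placeholder body; content is irrelevant to IP reassembly
    datagram = build_udp(500, 500, ike_auth)
    laptop_side = fragment("192.168.1.10", "10.10.10.1", 0x1234, datagram, mtu=480)
    in_front_of_asa = laptop_side[:1]      # the trailing fragment was dropped on the way
    return ike_fragment_report(laptop_side), ike_fragment_report(in_front_of_asa)


if __name__ == "__main__":
    for name, rep in zip(("laptop side", "in front of ASA"), demo()):
        for key, r in rep.items():
            print(name, key, "complete" if r["complete"] else "INCOMPLETE", r["missing"])
```

To run this against real captures, feed `ike_fragment_report` the IPv4 layer of each packet from the laptop-side and ASA-side pcaps (any pcap reader will do); a group that is complete on one side and has `missing == [(N, None)]` on the other is exactly the symptom in the post, the trailing fragment being discarded in between. The protocol-level remedy for this class of problem is IKEv2 fragmentation (RFC 7383), which splits the IKE message inside IKE so that no IP fragments have to cross the router at all; whether a given client and ASA release negotiate it is something to verify on the peers themselves.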

Accepted Solution

charlie-hall
Level 1

I switched AnyConnect to SSL from IKEv2, and it works every time behind the Linksys. Gave up on IKEv2.


11 Replies

Hi,

Some Linksys devices have an option to enable VPN passthrough.

Is this option set on the Linksys router?

The VPN passthrough option is on. Cisco's old VPN client (IKEv1) works fine with this router.

Working with Linksys to see if their latest F/W 1.0.7.18120, released July 6, 2017, was made available to the routers and if there were any changes to VPN passthru for IKEv2.

We updated to AnyConnect ver. 4.5.01.044 last week and AC with IKEv2 worked; downgraded back to AnyConnect ver. 4.5.00058 and it also worked. I did not make any changes on the ASA and I am currently running 9.6.3-1 on the ASA.

The AnyConnect client 4.5.01.044 IKEv2 has stopped working again behind this Linksys EA7300 router, same problem: the 2nd IKE_AUTH packet does not make it to the ASA.

Mohammad Alhyari
Cisco Employee

Can you attach the capture from the client? Look for any ICMP errors received.

There are 2 ICMP packets from the Linksys WAN (public IP) to the private IP address.

Both are Destination Unreachable messages. These messages are not being generated by the ASA.

Interesting. Can you please share those two packets? What are the two original packets corresponding to those?

I was wrong: the 2 ICMP packets are from another public IP, not the Linksys WAN interface, and the Linksys was blocking it.

Hi Charlie,

Can I see the captures?

Moh,

Hi Moh,

I have attached a filtered capture and the public IP address was changed to 10.10.10.1.

Thanks

Charlie

Hi,

Please update to the latest client available on the site and give it a try.


Moh,
