7235 Views, 0 Helpful, 45 Replies

anyconnect client profile configuration

DAK007
Level 1

Hi All,

I have a problem configuring my AnyConnect VPN remote access. Here is my router; when I try it, it shows "connection attempt has timed out, please verify internet connectivity". I'm able to ping my outside interface from outside.

The Cisco router 1001-X show run is in the attached file.

 

URGENT please!

 

Accepted Solution

Hi RJI,

No, it is working fine.

"access-list any any" is not recommended by Cisco for VPN, so I have added a deny statement on the NAT inside and it works fine.

Thank you for all.


45 Replies

Hi,
Does the router have a valid certificate issued by the PKI trustpoint IKEv2-TP?
Same with the client computer: does it have a valid certificate issued by the same trustpoint?
Can you run the debug "debug crypto ikev2" when you attempt to connect to the VPN and upload it here.

Thanks for the reply.

A Cisco engineer was connected and says that the ISP blocks port 4500 or something like that, which blocks the traffic from being retransmitted from my Huawei pocket wifi.

So I cannot connect to AnyConnect from home; is there any way to resolve this problem?

The attached file contains the debug after trying to connect from my pocket wifi.

Well, if your ISP blocks udp/4500 then you need to ask your ISP to unblock that port; if they will not, you won't be able to run an IPsec VPN. Alternatively you could run an SSL-VPN on tcp/443 (and udp/443 if ASA), assuming that's not blocked by the ISP as well, but I do not believe the ASR supports SSL-VPN.

Yes, the ASR does not support SSL-VPN. The thing is, more than 1000 clients need to connect to the platform.
How can I check if port 4500 is blocked by the ISP?

I have checked on www.grc.com and the port is in Stealth mode; it seems that it is blocked by the ISP.
What to do in that case? From which side is the port blocked?
If it is from my side, it means that it has to be opened for all the 1000 citizens, or is it blocked only from the ASR side?
I also need to know if I have the right to ask the ISP to open that specific port; I don't know if it is common.

I don't know why the ISP would be blocking the port; if they are, then yes, you will need to request that they open it. It's a standard IPsec VPN port.

Do you have an ACL on the WAN interface of the router or a firewall in front of the router? You will need to permit udp/500 and udp/4500 to the router.

In my architecture, I have the ASR 1001-X in front and the ASA after it; that is why I want to enable AnyConnect on the ASR router.

For now, and for testing purposes, I have enabled all TCP and UDP packets.

Hi RJI,

I can get to the AnyConnect login popup when connected from the LAN to the router, but I am unable to connect to AnyConnect from outside.

Can you help please? I have been trying to troubleshoot for 2 days.

What is the purpose of this NAT command "ip nat outside source list 100 pool CEPICIRemote" on the outside interface? You don't seem to have the pool CEPICIRemote defined, not in the original configuration you provided. Remove it and see what happens; if that fails, please provide the output of a debug of IKEv2.

So there is no device in front of the ASR blocking traffic?

I have removed the command ip nat outside source list 100 pool CEPICIRemote.

Now I'm connected directly with one cable from my laptop to the router interface gi0/0/0/0 (WAN); I'm using an interface in the same IP range.

The debug crypto ikev2 shows this:

 

Initiator SPI : 7AE84DA0D639B8BE - Responder SPI : 208CD8FCB1A92505 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

Oct 8 12:59:00.687: IKEv2:(SESSION ID = 58,SA ID = 1):Packet is a retransmission
Oct 8 12:59:00.687: IKEv2-ERROR:: Packet is a retransmission
Oct 8 12:59:16.658: IKEv2-ERROR:(SESSION ID = 58,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
Oct 8 12:59:16.658: IKEv2:(SESSION ID = 58,SA ID = 1):Auth exchange failed
Oct 8 12:59:16.659: IKEv2-ERROR:(SESSION ID = 58,SA ID = 1):: Auth exchange failed
Oct 8 12:59:16.659: IKEv2:(SESSION ID = 58,SA ID = 1):Abort exchange
Oct 8 12:59:16.659: IKEv2:(SESSION ID = 58,SA ID = 1):Deleting SA

 

When I connect with an IP in the LAN network connected to the inside interface of the router, AnyConnect works fine, but when I simulate an outside connection, connected to the outside interface using an IP in the same range as my public IP, it fails.
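The debug in this post ends with the IKE_SA_INIT response going out and then "Failed to receive the AUTH msg before the timer expired", which is the signature of the next packet (IKE_AUTH) never reaching the router. Because NAT detection payloads were exchanged in IKE_SA_INIT, any NAT on the path moves IKE_AUTH and everything after it to udp/4500, so a filtered udp/4500 looks exactly like this while udp/500 still works. As an added example (not code from the thread, from Cisco or from the AnyConnect client), here is a small Python triage script that reads "debug crypto ikev2" lines and separates "IKE_AUTH never arrived" (a reachability problem: WAN ACL, firewall in front, ISP filtering) from "IKE_AUTH arrived but failed" (an authentication-stage problem). The first sample reuses the lines from this post; the second sample is constructed as a contrast case; the function name, the dataclass and the verdict strings are my own.

```python
import re
from dataclasses import dataclass, field

# Lines from the debug in this post: the IKE_SA_INIT response went out, then
# the router waited for IKE_AUTH and gave up.
SAMPLE_FAILED = """\
Initiator SPI : 7AE84DA0D639B8BE - Responder SPI : 208CD8FCB1A92505 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
Oct 8 12:59:00.687: IKEv2:(SESSION ID = 58,SA ID = 1):Packet is a retransmission
Oct 8 12:59:00.687: IKEv2-ERROR:: Packet is a retransmission
Oct 8 12:59:16.658: IKEv2-ERROR:(SESSION ID = 58,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
Oct 8 12:59:16.658: IKEv2:(SESSION ID = 58,SA ID = 1):Auth exchange failed
Oct 8 12:59:16.659: IKEv2:(SESSION ID = 58,SA ID = 1):Abort exchange
Oct 8 12:59:16.659: IKEv2:(SESSION ID = 58,SA ID = 1):Deleting SA
"""

# Constructed contrast case (not from the thread): IKE_AUTH did reach the router,
# so whatever goes wrong afterwards is not a port-filtering problem.
SAMPLE_AUTH_REACHED = """\
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi CERT CERTREQ AUTH SA TSi TSr
"""

EXCHANGE_RE = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
SESSION_RE = re.compile(r"SESSION ID = (\d+)")

# Verdict strings are my own wording, not IOS output.
VERDICT_NO_AUTH = ("IKE_SA_INIT was answered but no IKE_AUTH arrived: check that udp/500 and "
                   "udp/4500 reach the router (WAN ACL, firewall in front, ISP filtering)")
VERDICT_AUTH_SEEN = ("IKE_AUTH reached the router: look at the authentication stage "
                     "(certificates, trustpoint, policy), not at port filtering")
VERDICT_NONE = "no IKEv2 failure signature found in this debug"


@dataclass
class IkeDiagnosis:
    exchanges: list = field(default_factory=list)   # (exchange name, direction) in order seen
    nat_detection_payloads: bool = False             # NAT_DETECTION_* notifies were exchanged
    retransmissions: int = 0                         # peer re-sent a packet the router had answered
    auth_timeout: bool = False                       # router gave up waiting for IKE_AUTH
    sessions: set = field(default_factory=set)       # SESSION IDs mentioned in the debug
    verdict: str = VERDICT_NONE


def diagnose_ikev2_debug(text: str) -> IkeDiagnosis:
    """Summarise 'debug crypto ikev2' output into a diagnosis."""
    d = IkeDiagnosis()
    for line in text.splitlines():
        m = EXCHANGE_RE.search(line)
        if m:
            d.exchanges.append((m.group(1), m.group(2)))
        if "NAT_DETECTION_SOURCE_IP" in line or "NAT_DETECTION_DESTINATION_IP" in line:
            d.nat_detection_payloads = True
        # IOS logs each retransmission twice (info line + ERROR line); count the info line only.
        if "Packet is a retransmission" in line and "IKEv2-ERROR" not in line:
            d.retransmissions += 1
        if "Failed to receive the AUTH msg" in line:
            d.auth_timeout = True
        s = SESSION_RE.search(line)
        if s:
            d.sessions.add(int(s.group(1)))

    auth_seen = any(name == "IKE_AUTH" for name, _ in d.exchanges)
    if auth_seen:
        d.verdict = VERDICT_AUTH_SEEN
    elif d.auth_timeout:
        d.verdict = VERDICT_NO_AUTH
    return d


if __name__ == "__main__":
    for label, sample in (("thread debug", SAMPLE_FAILED),
                          ("constructed contrast", SAMPLE_AUTH_REACHED)):
        r = diagnose_ikev2_debug(sample)
        print(f"[{label}] exchanges={r.exchanges} nat_t={r.nat_detection_payloads} "
              f"retransmissions={r.retransmissions} sessions={sorted(r.sessions)}")
        print(f"  -> {r.verdict}")
```

Run it against a saved debug file (`diagnose_ikev2_debug(open("debug.txt").read())`) from a failing client and from a working LAN client: the LAN run should show an IKE_AUTH exchange, the failing one should stop at the IKE_SA_INIT response, which is the same comparison the packet captures requested below will show at the UDP level.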

Can you run a packet capture on the outside interface when it fails AND another packet capture on the inside interface when it succeeds, and upload them here please.

The files are attached to this message.

Ok, interesting to compare the debugs... but I was looking for a packet capture so I can see the output in Wireshark. You can run a packet capture on the router; please upload it here.