03-26-2021 04:06 PM
AnyConnect gets stuck on "Establishing VPN session...". DART logs attached. Does anyone have any idea what might be going on here? The ASDM shows the SSLVPN sessions are created and IPs are assigned from the IP Pool.
Any help would be greatly appreciated! I've looked at about every ASA AnyConnect blog post and lab paper I can find.
03-26-2021 07:34 PM
Can we see
show vpn-sessiondb detail
04-08-2021 01:31 PM
Update: I was able to make some progress by setting the Windows NPS Connection Request Profile to "Accept users without validating credentials". This is obviously not ideal as it allows literally any user.
Here's the output:
asa/context# show vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 33 : 598 : 35 : 0
SSL/TLS/DTLS : 33 : 598 : 35 : 0
Site-to-Site VPN : 3 : 644 : 4
IKEv2 IPsec : 2 : 607 : 2
IKEv1 IPsec : 1 : 37 : 2
---------------------------------------------------------------------------
Total Active and Inactive : 36 Total Cumulative : 1242
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 1 : 37 : 2
IKEv2 : 2 : 607 : 2
IPsec : 3 : 674 : 7
AnyConnect-Parent : 33 : 598 : 35
SSL-Tunnel : 30 : 967 : 33
DTLS-Tunnel : 29 : 1080 : 33
---------------------------------------------------------------------------
Totals : 98 : 3963
---------------------------------------------------------------------------
asa/context#
04-09-2021 12:46 PM
Hi,
Firstly, it is never a good idea to provide detailed info to public forums. DART contains a bunch of information as such and you should be very careful what you want to publish.
Now, inside DART we can see that your TLS connection was actually successfully established at one point in time. But, about 60s later, your tunnel is being torn down with the message:
Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
I also saw the following message in the log:
Software update checks will not be performed (Client-software package is not configured on headend).
A silly question, but have you uploaded the AnyConnect SW to the ASA? Could you please paste the relevant configuration here (with altered sensitive data) - webvpn, tunnel-group and group-policy?
Regards
Milos