AnyConnect Fails on ASA5585

MWynkoop
Level 1

Anyconnect gets stuck on "Establishing VPN session...". DART logs attached. Does anyone have any idea what might be going on here? The ASDM shows the SSLVPN sessions are created and IPs are assigned from the IP Pool. 

Any help would be greatly appreciated! I've looked at about every ASA Anyconnect blogpost and lab paper I can find. 

3 Replies

Can we see

show vpn-sessiondb detail

Update: I was able to make some progress by setting the Windows NPS Connection Request Profile to "Accept users without validating credentials". This is obviously not ideal as it allows literally any user.

Here's the output:

asa/context# show vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :     33 :        598 :          35 :        0
  SSL/TLS/DTLS               :     33 :        598 :          35 :        0
Site-to-Site VPN             :      3 :        644 :           4
  IKEv2 IPsec                :      2 :        607 :           2
  IKEv1 IPsec                :      1 :         37 :           2
---------------------------------------------------------------------------
Total Active and Inactive    :     36             Total Cumulative :   1242
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                        :      1 :         37 :               2
IKEv2                        :      2 :        607 :               2
IPsec                        :      3 :        674 :               7
AnyConnect-Parent            :     33 :        598 :              35
SSL-Tunnel                   :     30 :        967 :              33
DTLS-Tunnel                  :     29 :       1080 :              33
---------------------------------------------------------------------------
Totals                       :     98 :       3963
---------------------------------------------------------------------------

asa/context#

Milos_Jovanovic
VIP Alumni

Hi,

Firstly, it is never a good idea to provide detailed info to public forums. DART contains a bunch of information as such, and you should be very careful about what you want to publish.

Now, inside DART we can see that your TLS connection was actually successfully established at one point in time. But, about 60s later, your tunnel is being torn down with the message:

Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).

I also saw the following message in the log:

Software update checks will not be performed (Client-software package is not configured on headend).

A silly question, but have you uploaded the AnyConnect SW to the ASA? Could you please paste the relevant configuration here (with altered sensitive data): webvpn, tunnel-group and group-policy?

Regards

Milos
