07-29-2014 11:48 AM - edited 02-21-2020 07:45 PM
I have setup a new ASA 5515 with asa911-smp-k8 but my AnyConnect 3.1 can't complete the SSL connection. On the ASA side all I get is a message the SSL handshake is started with client outside...for TLSv1 session and then a No matching connection for ICMP error message with Original payload is my pc and the ASA outside interface. On the PC side I et a timed out message back from AnyConnect
I basically cloned an ASA5510 with 8.4 to create this ASA. The 5510 works perfectly but the 5515 does not.
07-29-2014 12:14 PM
When you say you cloned the 5510 I'm guessing that means you pulled the VPN-relevant running configuration bits and put them onto the 5515-X.
Did you also copy over the remote access VPN profile file from the 5510's flash? That's an XML file that downloads to the client when first establishing a connection to tell them various relevant parameters for the connection.
07-29-2014 12:52 PM
Yes, I made sure that all of the parts of the existing 5510 setup were in this ASA with the new subnets etc. There is only one XML file in the flash and that is for a Dynamic Access Policy restricting those users who are not allowed access. I have not installed that yet because I did not want to start restricting access until it is working. My Motto is "Only break one thing at a time"
What is happening here is I am using LDAP for validation and it tests properly on the ASA to the DC but none of that even starts. It is as if the initial connection gets to the ASA from AnyConnect but the reply back to complete the SSL never gets back to the PC so it is timing out. My only option now is to assume there is a bug in this IOS and get the latest version. The reason I was using this ASA is it has 8.4 that has the new NAT rules and I wanted to make sure I got it right and did not introduce and other errors.
07-29-2014 01:19 PM
"Only break one thing at a time" is a great motto. I think of it with my engineer's hat and try not to solve a single multivariable equation if I can avoid it.
Two things that also come to mind is did you ensure your have the 3DES-AES license active and have you set ssl encryption to use strong ciphers (ssl encryption aes128
I've seen a number of 5500-X ship without either of those bits. Either of those could potentially cause problems similar to what you describe.
07-29-2014 01:36 PM
All of the license are identical between the two ASAs. There is one wording difference. The 5510 says VPN-3DES-AES and the 5515 says Encryption-3DES-AES. The 3DES-AES license is enabled and on the SSL encryption line, I did not have that on either ASA and when added to the 5515 it still times out.
I didn't mention that this is in one of our company plants in Brazil if that makes any difference. I tried to do a file transfer for a couple different IOS and they run all the way through and after they complete the transfer I get a invalid http response message and the transfer does not complete properly.
07-29-2014 02:03 PM
Have you generated a persistent self-signed identity certificate on the new ASA and bound it to both the outside interface and the connection profile?
If you're doing a file transfer are you using ASDM to the outside interface or something? That could be a problem distinct from the VPN. When upgrading past 9.1, you need to first go to 9.1(2) or else the file transfer won't work correctly (either via https using ASDM or ftp copy from the CLI).
07-29-2014 02:11 PM
I am using the ASDM to the inside interface of the ASA and I did find on the internet the bug report on the upgrading issue with 9.1(1) so I am reloading the ASA right now.
I have not generated a persistent self-signed identity certificate before. The 5510 with 8.4 had the Smart Call Home turned on so there was a certificate installed for that and later we added a certificate for our DNS name but that was after it had the initial configuration working.
How is this done?
07-29-2014 02:17 PM
There's a good configuration example on setting up an identity certificate here.
To bind it to the remote access VPN Connection Profile you need to also go under Configuration > Remote Access VPN > Network (Client) Access - AnyConnect Connection Profiles and choose the Device Certificate button and then apply the certificate you've created.
07-30-2014 02:35 PM
I have created the certificate but this did not change the situation.
07-31-2014 06:15 AM
I noticed something and that is my only clue left.
I had the site give me a second public IP address so I could see if there might be an issue with a duplicate IP address. When I tried to connect with AnyConnect, I typed in the old IP address first by mistake and then the new one. Both gave me the same timed out error, so then I just typed a random IP address and got the same error on the PC.
The ASA only shows one line in the logs that it is starting an SSL session and later closes it out. I don't think any reply after the initial connection is getting back to the PC to continue with the connection. To try to make another test, I have been trying to connect with https to the public I address and that times out also.
What would be the common denominator here? What could stop the initial reply if I had a bug in the configuration?
Here is all I get in the Log:
6|Jul 31 2014|13:10:34|302014|184.176.212.150|1089|177.86.100.12|443|Teardown TCP connection 3118 for outside:184.176.212.150/1089 to identity:177.86.100.12/443 duration 0:00:12 bytes 1734 TCP Reset-O |
6|Jul 31 2014|13:10:22|725001|184.176.212.150|1089|||Starting SSL handshake with client outside:184.176.212.150/1089 for TLSv1 session. |
6|Jul 31 2014|13:10:22|302021|177.86.100.10|0|177.86.100.12|0|Teardown ICMP connection for faddr 177.86.100.10/0 gaddr 177.86.100.12/0 laddr 177.86.100.12/0 |
6|Jul 31 2014|13:10:22|302020|177.86.100.10|0|177.86.100.12|0|Built inbound ICMP connection for faddr 177.86.100.10/0 gaddr 177.86.100.12/0 laddr 177.86.100.12/0 |
6|Jul 31 2014|13:10:22|302013|184.176.212.150|1089|177.86.100.12|443|Built inbound TCP connection 3118 for outside:184.176.212.150/1089 (184.176.212.150/1089) to identity:177.86.100.12/443 (177.86.100.12/443)
I am 184.176.212.150 and the ASA is 177.86.100.12 with 177.86.100.10 the default gateway.
Thanks, |
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide