03-09-2011 12:19 PM - edited 02-21-2020 05:13 PM
I've been trying and trying and trying to get AnyConnect set up on our network, to no avail. The client is not getting an IP address at all; however, if I use a local pool, the client gets an IP address.
ASA Version: 8.4(1)
Here are excerpts from my configuration:
webvpn
 enable wan
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 2
 anyconnect enable
group-policy Remote internal
group-policy Remote attributes
 wins-server none
 dns-server value 192.168.5.130
 dhcp-network-scope 192.168.19.0
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value nissvg.local
 address-pools none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 default-group-policy Remote
 dhcp-server 192.168.19.254
Whenever I try to connect, this is the "debug webvpn anyconnect" message that I get:
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 2.5.2019'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 2.5.2019'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 2.5.2019'
webvpn_cstp_parse_request_field()
...input: 'Cookie: webvpn=693056328@135168@1299699402@596BF7F02CAA984CED647AC30412E1ED672EC4FD'
Processing CSTP header line: 'Cookie: webvpn=693056328@135168@1299699402@596BF7F02CAA984CED647AC30412E1ED672EC4FD'
Found WebVPN cookie: 'webvpn=693056328@135168@1299699402@596BF7F02CAA984CED647AC30412E1ED672EC4FD'
WebVPN Cookie: 'webvpn=693056328@135168@1299699402@596BF7F02CAA984CED647AC30412E1ED672EC4FD'
IPADDR: '693056328', INDEX: '135168', LOGIN: '1299699402'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Version: 1'
Processing CSTP header line: 'X-CSTP-Version: 1'
Setting version to '1'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Hostname: Hayneslaptop'
Processing CSTP header line: 'X-CSTP-Hostname: Hayneslaptop'
Setting hostname to: 'Hayneslaptop'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
Processing CSTP header line: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1406'
Processing CSTP header line: 'X-CSTP-MTU: 1406'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Master-Secret: FC20896797F5885299D9EE5D13CC6E418EBA5057670AAD9909A7C1F98B5B61952B079326364E26F32C9BE8C83EE2FA41'
Processing CSTP header line: 'X-DTLS-Master-Secret: FC20896797F5885299D9EE5D13CC6E418EBA5057670AAD9909A7C1F98B5B61952B079326364E26F32C9BE8C83EE2FA41'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
webvpn_cstp_accept_address: no address?!?
CSTP state = HAVE_ADDRESS
No address available for SVC connection.webvpn_cstp_send_error: 503 Service Unavailable
CSTP state = ERROR
Not calling vpn_remove_uauth: never added!
Called vpn_remove_uauth: failed!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
I really would appreciate some help in getting this problem resolved. What am I missing here? I don't remember having this much trouble with the site-to-site configuration.
Let me know if you need any additional information to help you help me.
Thanks in advance!
03-10-2011 05:58 AM
Hi Felix,
Looks like the command below is missing from the config:
vpn-addr-assign dhcp
Try adding the above as per the documentation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnadd.html#wp999516
Regards,
Srilatha Vemula
05-14-2015 12:29 PM
If you are like me, having this problem and reading this unsolved thread after that many years, be aware that the NAT statement for AnyConnect needs to append route-lookup, especially if you are using a post-8.4 version and carrying over old configs. The 0.0.0.0 gives away that the CSTP subsystem is trying any or all interfaces, and not the specific one from which the DHCP server sent its offer.
08-18-2015 03:04 AM
Hi franciscofossa,
Could you please post the config line you've modified to fix this? I'm not sure which NAT statement you're referring to.
Thanks
Stuart
08-18-2015 07:55 AM
Besides the command missing above, I noticed that the NAT statement for AnyConnect needed a little tweak when you upgrade from version 8.x to 9.x on the ASA. This was undocumented.
You will probably get the same result if you create the AnyConnect VPN after the upgrade with the ASDM wizard.
For AnyConnect to work, you will need at least the following NAT. In our case it looks like this:
nat (outside,inside) source static CiscoAnyConnect CiscoAnyConnect destination static NetworkInside NetworkInside route-lookup
CiscoAnyConnect is just a network object group for the IPs handed to AnyConnect clients, and NetworkInside is the group of LANs I want these users to be able to reach when on the VPN. The wizard should build this on its own, but I don't do wizards.
Notice the "route-lookup" keyword at the end of the nat statement. Without it, my VPN clients had the same problem. Apparently it is needed for the CSTP subsystem to find a route to the DHCP server (which is probably on your inside) before bringing up the tunnel.
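The two fixes from the replies above (the global vpn-addr-assign dhcp method, and route-lookup on the identity NAT for the VPN client subnet) are easy to miss in a long running-config. The following is an added example, not code from this thread or from Cisco: a small Python linter that reads an ASA config excerpt and flags both conditions. The two config strings are constructed for the example, modeled on the original post; the object names, the 192.168.5.0/24 inside subnet and the NAT line are assumptions. The check assumes the excerpt was taken with "show running-config all" (which prints default settings), so that an absent "vpn-addr-assign dhcp" line really means the DHCP method is disabled.

```python
"""Lint an ASA running-config excerpt for the two AnyConnect/DHCP address
assignment problems discussed in this thread.

Added example; not code from the original posts or from Cisco.
Assumes the excerpt comes from 'show running-config all', so that a missing
'vpn-addr-assign dhcp' line means the DHCP method is disabled.
"""
import re

# Constructed config modeled on the original post plus an identity-NAT
# exemption for the VPN clients without 'route-lookup'.  Object names and the
# 192.168.5.0/24 inside subnet are assumptions, not from the thread.
BROKEN_CONFIG = """\
object network CiscoAnyConnect
 subnet 192.168.19.0 255.255.255.0
object network NetworkInside
 subnet 192.168.5.0 255.255.255.0
nat (outside,inside) source static CiscoAnyConnect CiscoAnyConnect destination static NetworkInside NetworkInside
no vpn-addr-assign dhcp
group-policy Remote internal
group-policy Remote attributes
 dns-server value 192.168.5.130
 dhcp-network-scope 192.168.19.0
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 default-group-policy Remote
 dhcp-server 192.168.19.254
"""

# Same config with both fixes applied (constructed).
FIXED_CONFIG = """\
object network CiscoAnyConnect
 subnet 192.168.19.0 255.255.255.0
object network NetworkInside
 subnet 192.168.5.0 255.255.255.0
nat (outside,inside) source static CiscoAnyConnect CiscoAnyConnect destination static NetworkInside NetworkInside route-lookup
vpn-addr-assign dhcp
group-policy Remote internal
group-policy Remote attributes
 dns-server value 192.168.5.130
 dhcp-network-scope 192.168.19.0
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 default-group-policy Remote
 dhcp-server 192.168.19.254
"""

# Twice-NAT identity statement: "source static X X destination static Y Y".
# The backreferences require the real and mapped objects to be identical,
# which is what an exemption for VPN client traffic looks like.
IDENTITY_NAT = re.compile(
    r"^nat \((?P<src>\S+),(?P<dst>\S+)\) source static (?P<a>\S+) (?P=a) "
    r"destination static (?P<b>\S+) (?P=b)(?P<opts>.*)$"
)


def lint_anyconnect_dhcp(config: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []

    # Check 1: DHCP assignment is referenced in the tunnel-group or
    # group-policy, but the global DHCP assignment method is not enabled.
    uses_dhcp = any(
        ln.startswith(("dhcp-server ", "dhcp-network-scope ")) for ln in lines
    )
    dhcp_enabled = (
        "vpn-addr-assign dhcp" in lines and "no vpn-addr-assign dhcp" not in lines
    )
    if uses_dhcp and not dhcp_enabled:
        findings.append(
            "dhcp-server/dhcp-network-scope configured but 'vpn-addr-assign dhcp' "
            "is not enabled; clients get 'No address available for SVC "
            "connection' and a 503"
        )

    # Check 2: identity NAT for the VPN client subnet lacks 'route-lookup'.
    for ln in lines:
        m = IDENTITY_NAT.match(ln)
        if m and "route-lookup" not in m.group("opts").split():
            findings.append(f"identity NAT lacks 'route-lookup': {ln}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint_anyconnect_dhcp(cfg) or 'OK'}")
```

Run it against the output of "show running-config all" saved to a file; the broken excerpt produces two findings and the fixed one none. The NAT check only matches twice-NAT identity statements, so a config that still uses pre-8.3 "nat (inside) 0 access-list" syntax is not covered by it.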