09-15-2017 02:33 AM - edited 03-12-2019 04:32 AM
Hi,
When I connect AnyConnect, I am getting the below error. Please advise.
13:29:45 Contacting xxxxxxx.
13:29:55 User credentials entered.
13:29:56 Establishing VPN session...
13:29:56 The AnyConnect Downloader is performing update checks...
13:29:56 Checking for profile updates...
13:29:56 Checking for product updates...
13:29:56 Checking for customization updates...
13:29:56 Performing any required updates...
13:29:56 The AnyConnect Downloader updates have been completed.
13:29:57 Establishing VPN session...
13:29:57 Establishing VPN - Initiating connection...
13:30:01 Disconnect in progress, please wait...
13:30:01 The server certificate received or its chain does not meet the requirements based on the configuration. A VPN connection will not be established.
13:30:02 AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
13:30:02 Ready to connect.
09-21-2017 05:19 PM
There is an option in AnyConnect to only accept connection to a head end with a trusted SSL certificate (this is the default behavior) or an option to accept connection to a head end with a non-trusted SSL certificate (especially a self-signed certificate). Your symptoms suggest that you are attempting to connect to a head end with a self-signed certificate. Can you tell us whether the head end you are connecting to has a certificate signed by a public Certificate Authority or has a self-signed certificate?
HTH
Rick
09-23-2017 10:22 PM
Hi Richard,
Thanks,
There were no certificates, either from a CA or local. I have now installed the local certificate and asked the user to test and confirm. I missed this certificate step. I will update you once I get a reply from the user.
Thanks for the heads-up
09-25-2017 10:47 AM
It is easy to miss the need to install an SSL certificate. If you use a self signed certificate then AnyConnect will still generate a warning message about the certificate not being really trusted. But if you disable the option in AnyConnect for strict enforcement of certificate then AnyConnect will allow the connection to be established.
HTH
Rick
09-26-2017 08:14 AM
Hi Richard,
I am getting a different error than earlier. Earlier it was a different error; now it shows the one below, and it is not even trying now. Shall I attach the config to this message, or is it not safe to attach the ASA config to the forum?
%ASA-4-113029: Group <Shipnet_anyconnect> User <Surendaran.kumar> IP <101.60.8.1> Session could not be established: session limit of 2 reached.
%ASA-4-113038: Group <Shipnet_anyconnect> User <Surendaran.kumar> IP <101.60.8.1> Unable to create AnyConnect parent session.
%ASA-6-302014: Teardown TCP connection 61167 for inside:10.91.20.21/389 to identity:10.91.5.4/54184 duration 0:00:00 bytes 809 TCP Reset-I
%ASA-6-725007: SSL session with client outside:101.60.8.1/45243
09-27-2017 07:39 AM
In general it is safe to post configs on these forums. You probably want to disguise sensitive information such as public IP addresses and passwords, but otherwise it should not be an issue.
Yes this is a different issue. The key part of the output is this
Session could not be established: session limit of 2 reached.
It appears that there are already 2 sessions established and you are not allowed more than 2 sessions. This has to do with the licensing for AnyConnect. By default the ASA has licensing for 2 sessions, which would allow you to do some testing while you implement the VPN client. Then as you are ready to put it into use you would need to purchase and install additional licensing for the AnyConnect client. You can verify the number of licenses by looking into the output of show version. You can verify whether there are existing AnyConnect sessions using this command
show vpn-sessiondb anyconnect
HTH
Rick
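Added example, not part of the original posts: a small Python triage pass over ASA syslog lines in the format quoted above, picking out the 113029 session-limit rejections identified in the reply as the key line and pairing them with 113038 parent-session failures. The sample log is constructed with placeholder group, user and addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread; the group,
# user and addresses are placeholders, not values from a real device.
SAMPLE_LOG = """\
%ASA-4-113029: Group <vpn_users> User <alice> IP <203.0.113.10> Session could not be established: session limit of 2 reached.
%ASA-4-113038: Group <vpn_users> User <alice> IP <203.0.113.10> Unable to create AnyConnect parent session.
%ASA-6-725007: SSL session with client outside:203.0.113.10/45243
%ASA-4-113029: Group <vpn_users> User <bob> IP <198.51.100.7> Session could not be established: session limit of 2 reached.
"""

HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
SESSION = re.compile(
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> (?P<text>.*)$")
LIMIT = re.compile(r"session limit of (\d+) reached")


def parse_line(line):
    """Split one syslog line into severity, message ID and session fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {"severity": int(m["sev"]), "msgid": m["msgid"],
             "group": None, "user": None, "ip": None, "text": m["body"]}
    s = SESSION.match(m["body"])
    if s:  # only AAA/session messages carry Group/User/IP
        event.update(s.groupdict())
    return event


def session_limit_rejections(log_text):
    """Count session-limit rejections and parent-session failures per client."""
    stats = defaultdict(
        lambda: {"limit": None, "rejections": 0, "parent_failures": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] is None:
            continue
        key = (ev["group"], ev["user"], ev["ip"])
        limit = LIMIT.search(ev["text"])
        if ev["msgid"] == "113029" and limit:
            stats[key]["limit"] = int(limit.group(1))
            stats[key]["rejections"] += 1
        elif ev["msgid"] == "113038":
            stats[key]["parent_failures"] += 1
    return dict(stats)


if __name__ == "__main__":
    for (group, user, ip), s in session_limit_rejections(SAMPLE_LOG).items():
        print(f"{group}/{user} from {ip}: limit {s['limit']}, "
              f"{s['rejections']} rejected, {s['parent_failures']} parent failures")
```

A client that shows up here was rejected by the session limit rather than by authentication or certificate checks, which is the case where the license count and the existing sessions are the things to verify.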
10-02-2017 08:35 AM
Hi Richard,
Thanks, I didn't realize that. Yes, it is a license issue and I will buy the license.
I have another issue with a different firewall. It has licenses but authentication is not working; I am getting the below error:
6 | Oct 02 2017 | 15:03:49 | 113005 | AAA user authentication Rejected : reason = Unspecified : server = 10.47.20.21 : user = ***** : user IP = 86.98.10.198 |
I will log a separate post now.
Thanks
10-02-2017 11:33 AM
Thanks for confirming that my suggestion that it was a license issue was correct. When you do obtain and install the appropriate license I hope that you will find that AnyConnect works well. Thank you for marking this discussion as solved.
HTH
Rick