Anyconnect VPN Client "Session disconnect", "Reason: User Requested" & "Router Alert"

bcr
Level 1

Hello,

I am trying to connect from a workstation (RDP) to an "ASAv" via IPSec VPN. The VPN stops at the end of its establishment.

I have error messages.

AnyConnect:

Ready to connect.
Contacting ASA(IPsec) IPv4.
User credentials entered.
Establishing VPN session...
The AnyConnect Downloader is performing update checks...
Checking for profile updates...
Checking for product updates...
Checking for customization updates...
Performing any required updates...
The AnyConnect Downloader updates have been completed.
Establishing VPN - Examining system...
 Establishing VPN - Activating VPN adapter...
Establishing VPN session...
Establishing VPN - Configuring system...
Establishing VPN...
Connected to ASA(IPsec) IPv4.
Disconnect in progress, please wait...
Ready to connect.
Contacting ASA(IPsec)IPv4.
User credentials entered.

ASAv:

Group = XXXXXXXXXX, Username = YYYY, IP = AA.AA.AA.AA, Session disconnected. Session Type: IKEv2, Duration: 0h:00m:30s, Bytes xmt: 0, Bytes rcv: 11107, Reason: User Requested
%ASA-6-106012: Deny IP from LL.LL.LL.LL to MM.MM.MM.MM, IP options: "Router Alert"
%ASA-7-710006: IGMP request discarded from LL.LL.LL.LL to OUTSIDE:MM.MM.MM.MM

Thanks.

Cordially,
bcr.

2 Replies

Marvin Rhoads
Hall of Fame

Can you share the VPN configuration on the ASA?

The "router alert" syslog message is cosmetic and shouldn't be related to your disconnect.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum58573/?rfs=iqvred

Hello,

Thank you for your reply.

Here is the configuration made in the 'ASA'.

ASA-1# show running-config
: Saved

.....

ip local pool raIPSecPool 192.168.1.2-192.168.1.22 mask 255.255.255.0

!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.11.54.85 255.255.255.0 standby 10.11.54.210
!
interface GigabitEthernet0/1
 description LAN Failover Interface
!
interface GigabitEthernet0/2
 description STATE Failover Interface
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address 10.11.37.75 255.255.255.0 standby 10.11.37.76
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no management-only
 nameif management
 security-level 0
 no ip address
!
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 159.50.76.10
object network NETWORK_OBJ_30.30.30.0_27
 subnet 30.30.30.0 255.255.255.224
access-list splitIPvm remark IP VM de test
access-list splitIPvm standard permit host 10.11.54.208
pager lines 23
logging enable
logging timestamp rfc5424
logging buffer-size 20000000
logging monitor debugging
logging history informational
logging asdm informational
logging facility 23
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu management 1500

......

no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_30.30.30.0_27 NETWORK_OBJ_30.30.30.0_27 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 10.254.37.1 1
route INSIDE 10.0.0.0 255.0.0.0 10.254.54.1 1
route INSIDE 159.0.0.0 255.0.0.0 10.254.54.1 1
route INSIDE 0.0.0.0 0.0.0.0 10.254.54.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.0.0.0 INSIDE
http 159.0.0.0 255.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ipsec_asav_localtrust
 enrollment self
 subject-name CN=ASA-1
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
  quit
crypto ca certificate chain ipsec_asav_localtrust
 certificate 9b65bb5e
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ipsec_asav_localtrust
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh 159.0.0.0 255.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1
 anyconnect profiles RemoteAccessIPSec_client_profile disk0:/RemoteAccessIPSec_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_RemoteAccessIPSec internal
group-policy GroupPolicy_RemoteAccessIPSec attributes
 dns-server value 159.50.76.10
 dhcp-network-scope 192.168.1.0
 vpn-tunnel-protocol ikev2
 split-tunnel-policy excludespecified
 split-tunnel-network-list value splitIPvm
 address-pools value raIPSecPool
 webvpn
  anyconnect profiles value RemoteAccessIPSec_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username asav password ***** pbkdf2 privilege 15
username user1 password ***** pbkdf2
username user1 attributes
 vpn-group-policy GroupPolicy_RemoteAccessIPSec
 vpn-tunnel-protocol ikev2
username user2 password ***** pbkdf2
username user2 attributes
 vpn-group-policy GroupPolicy_RemoteAccessIPSec
 vpn-tunnel-protocol ikev2
tunnel-group RemoteAccessIPSec type remote-access
tunnel-group RemoteAccessIPSec general-attributes
 address-pool raIPSecPool
 default-group-policy GroupPolicy_RemoteAccessIPSec
tunnel-group RemoteAccessIPSec webvpn-attributes
 group-alias RemoteAccessIPSec enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname priority state
call-home reporting anonymous prompt 1
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:9df59e448c8e0d1b1e66f7a8e2065f98
: end

It is a test LAB to verify the operation before deploying.

Thank you.