02-25-2022 03:49 AM
AnyConnect VPN fails after cipher selection.
%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/49509 for TLS session.
%ASA-6-725003: SSL client outside:188.51.166.124/49509 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/49509
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49509
%ASA-6-725007: SSL session with client outside:188.51.166.124/49509 terminated.
%ASA-6-302014: Teardown TCP connection 7713 for outside:188.51.166.124/49509 to identity:192.168.100.2/4443 duration 0:00:02 bytes 1066 TCP FINs
%ASA-7-609002: Teardown local-host outside:188.51.166.124 duration 0:00:02
%ASA-7-609002: Teardown local-host identity:192.168.100.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:188.51.166.124
%ASA-7-609001: Built local-host identity:192.168.100.2
%ASA-6-302013: Built inbound TCP connection 7714 for outside:188.51.166.124/49510 (188.51.166.124/49510) to identity:192.168.100.2/4443 (192.168.100.2/4443)
%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/49510 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:188.51.166.124/49510 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:188.51.166.124/49510
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/49510
%ASA-6-113012: AAA user authentication Successful : local database : user = ameerkat
%ASA-6-113003: AAA group policy for user ameerkat is being set to VPNGroupPolicy1
%ASA-6-113011: AAA retrieved user specific group policy (VPNGroupPolicy1) for user = ameerkat
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = ameerkat
%ASA-6-113008: AAA transaction status ACCEPT : user = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.grouppolicy = VPNGroupPolicy1
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.class = VPNGroupPolicy1
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username1 = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
%ASA-6-734001: DAP: User ameerkat, Addr 188.51.166.124, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-113039: Group <VPNGroupPolicy1> User <ameerkat> IP <188.51.166.124> AnyConnect parent session started.
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49510
%ASA-6-302013: Built inbound TCP connection 7715 for outside:188.51.166.124/21165 (188.51.166.124/21165) to identity:192.168.100.2/4443 (192.168.100.2/4443)
%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/21165 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:188.51.166.124/21165 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:188.51.166.124/21165
%ASA-6-725007: SSL session with client outside:188.51.166.124/49510 terminated.
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/21165
%ASA-6-302014: Teardown TCP connection 7715 for outside:188.51.166.124/21165 to identity:192.168.100.2/4443 duration 0:00:00 bytes 13953 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 188.51.166.124/21165 to 192.168.100.2/4443 flags FIN ACK on interface outside
Any input is highly appreciated.
Thanks
Ameer
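A way to read a debug capture like the one above, as an added example that is not part of the original post: it groups the 725xxx SSL messages by client socket and reports the cipher lists, the chosen cipher and the handshake outcome. The sample log is constructed (documentation IP), and the code assumes that 725011 cipher lines follow their list header and that 725014 precedes the 725006 it belongs to.

```python
import re
# Constructed sample modelled on the message IDs in the post (not the poster's data).
SAMPLE = """\
%ASA-6-725001: Starting SSL handshake with client outside:203.0.113.10/49510 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:203.0.113.10/49510 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DES-CBC3-SHA
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:203.0.113.10/49510
%ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.10/49510
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:203.0.113.10/49510
"""

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
CLIENT = re.compile(r"client (\S+?:[\d.]+/\d+)")
CIPHER = re.compile(r"Cipher\[\d+\] : (\S+)")
WEAK = ("DES-CBC3", "RC4", "MD5")  # 3DES, RC4 and MD5 suites are deprecated for TLS

def summarize(log):
    """Group 725xxx messages by client socket and return {client: summary}."""
    sessions, cur, bucket, pending = {}, None, None, None
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        c = CLIENT.search(text)
        if c:  # message names the client socket: switch to that session
            cur = sessions.setdefault(c.group(1), {"device": [], "client": [],
                "chosen": None, "events": [], "error": None})
        if cur is None:
            continue
        if msg_id in ("725010", "725008"):  # header of a cipher list
            bucket = "device" if msg_id == "725010" else "client"
        elif msg_id == "725011" and bucket and CIPHER.search(text):
            cur[bucket].append(CIPHER.search(text).group(1))
        elif msg_id == "725012":
            cur["chosen"] = text.split(" : ")[1].split()[0]
        elif msg_id == "725002":
            cur["events"].append("completed")
        elif msg_id == "725014":  # carries no client; assumed to precede its 725006
            pending = text.split("Reason: ")[-1]
        elif msg_id == "725006":
            cur["events"].append("failed")
            cur["error"], pending = pending, None
    for s in sessions.values():
        s["client_only"] = [x for x in s["client"] if x not in s["device"]]
        s["weak_chosen"] = any(w in (s["chosen"] or "") for w in WEAK)
    return sessions
```

The `client_only` field lists ciphers the client proposed that the device does not have enabled, which is the first thing to compare against `show ssl` output.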
02-25-2022 03:56 AM
@abdulameer84 the errors indicate "%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49510"
What AnyConnect client version are you running on your computer?
What Operating System are you running?
Please run "show ssl" from the CLI of the ASA and provide for review.
Can you produce a DART report from the AnyConnect client computer and upload it for review?
02-25-2022 04:24 AM
I have the same setup in two locations. I will take all the details from the MLZ location and update.
02-25-2022 05:19 AM
Only one thing is still not clear to me:
the TCP port used on the outside by AnyConnect is 443, not 4443.
I think this is the issue here, since the TCP is reset for the outside.