AnyConnect VPN Fails.

abdulameer84
Level 1

AnyConnect VPN fails after cipher selection.

 

%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/49509 for TLS session.
%ASA-6-725003: SSL client outside:188.51.166.124/49509 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/49509
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49509
%ASA-6-725007: SSL session with client outside:188.51.166.124/49509 terminated.
%ASA-6-302014: Teardown TCP connection 7713 for outside:188.51.166.124/49509 to identity:192.168.100.2/4443 duration 0:00:02 bytes 1066 TCP FINs
%ASA-7-609002: Teardown local-host outside:188.51.166.124 duration 0:00:02
%ASA-7-609002: Teardown local-host identity:192.168.100.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:188.51.166.124
%ASA-7-609001: Built local-host identity:192.168.100.2
%ASA-6-302013: Built inbound TCP connection 7714 for outside:188.51.166.124/49510 (188.51.166.124/49510) to identity:192.168.100.2/4443 (192.168.100.2/4443)
%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/49510 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:188.51.166.124/49510 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:188.51.166.124/49510
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/49510
%ASA-6-113012: AAA user authentication Successful : local database : user = ameerkat
%ASA-6-113003: AAA group policy for user ameerkat is being set to VPNGroupPolicy1
%ASA-6-113011: AAA retrieved user specific group policy (VPNGroupPolicy1) for user = ameerkat
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = ameerkat
%ASA-6-113008: AAA transaction status ACCEPT : user = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.grouppolicy = VPNGroupPolicy1
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.class = VPNGroupPolicy1
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username1 = ameerkat
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User ameerkat, Addr 188.51.166.124: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
%ASA-6-734001: DAP: User ameerkat, Addr 188.51.166.124, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-113039: Group <VPNGroupPolicy1> User <ameerkat> IP <188.51.166.124> AnyConnect parent session started.
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49510
%ASA-6-302013: Built inbound TCP connection 7715 for outside:188.51.166.124/21165 (188.51.166.124/21165) to identity:192.168.100.2/4443 (192.168.100.2/4443)
%ASA-6-725001: Starting SSL handshake with client outside:188.51.166.124/21165 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:188.51.166.124/21165 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:188.51.166.124/21165
%ASA-6-725007: SSL session with client outside:188.51.166.124/49510 terminated.
%ASA-6-725002: Device completed SSL handshake with client outside:188.51.166.124/21165
%ASA-6-302014: Teardown TCP connection 7715 for outside:188.51.166.124/21165 to identity:192.168.100.2/4443 duration 0:00:00 bytes 13953 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 188.51.166.124/21165 to 192.168.100.2/4443 flags FIN ACK on interface outside

 

Any input is highly appreciated.

 

Thanks

Ameer 
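
A small triage helper for the 725xxx messages in the post above, added here as an example (not code from the thread or from Cisco): it groups the TLS handshake messages by client endpoint, records the cipher the device chose and the failure reason, and flags a device cipher list made up only of legacy suites. The sample log is constructed, and the `LEGACY` token list is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the formats shown in the post; 203.0.113.10 is a documentation address.
SAMPLE = """\
%ASA-6-725001: Starting SSL handshake with client outside:203.0.113.10/49510 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:203.0.113.10/49510 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DES-CBC3-SHA
%ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client outside:203.0.113.10/49510
%ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.10/49510
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: no renegotiation
%ASA-6-725006: Device failed SSL handshake with client outside:203.0.113.10/49510
"""

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
CLIENT = re.compile(r"client (\S+:\S+/\d+)")
LEGACY = {"DES", "RC4", "MD5"}  # assumption of this example: name tokens treated as legacy

def summarize(log):
    """Group 725xxx messages by client endpoint (interface:ip/port)."""
    sessions = defaultdict(lambda: {"device": [], "client": [], "chosen": None,
                                    "completed": False, "failed": False, "reason": None})
    current = offer = pending = None
    for mid, text in MSG.findall(log):
        c = CLIENT.search(text)
        current = c.group(1) if c else current
        if mid == "725014":  # no endpoint in this message; attach to the next 725006
            pending = text.split("Reason: ", 1)[-1].strip()
        elif current is None:
            continue
        elif mid in ("725010", "725008"):  # which side's cipher list follows
            offer = "device" if mid == "725010" else "client"
        elif mid == "725011" and offer:
            sessions[current][offer].append(text.split(" : ", 1)[1].strip())
        elif mid == "725012":
            sessions[current]["chosen"] = text.split(" : ", 1)[1].split()[0]
        elif mid == "725002":
            sessions[current]["completed"] = True
        elif mid == "725006":
            s = sessions[current]
            s["failed"], s["reason"], pending = True, pending, None
    return dict(sessions)

def legacy_only(session):
    """True when every cipher the device offered carries a legacy token."""
    return bool(session["device"]) and all(LEGACY & set(c.split("-")) for c in session["device"])
```

A session that shows both `completed` and `failed` with the reason `no renegotiation` matches the pattern in the posted log, where the handshake finishes and the error follows afterwards.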

3 Replies

@abdulameer84 the errors indicate "%ASA-6-725006: Device failed SSL handshake with client outside:188.51.166.124/49510"

 

What AnyConnect client version are you running on your computer?

What Operating System are you running?

 

Please run "show ssl" from the CLI of the ASA and provide for review.

 

Can you produce a DART report from the AnyConnect client computer and upload it for review?

I have the same setup in two locations. I will take all the details from the MLZ location and update.

Only one thing is still not clear to me:
the TCP port used on the outside by AnyConnect is 443, not 4443.
I think this is the issue here, since the TCP is reset for outside.