
AnyConnect VPN on ASA5512X, can't bind to interface. Config Attached. What am I doing wrong?

neilrmessick
Level 1

I have an ASA5512X base license. Running through the Wizard to set up AnyConnect, when it applies the config I get:

[ERROR] crypto ikev2 enable VPN client-services port 443

IkeReceiverInit, unable to bind to port
I've tried about a dozen ways to get this command to take, and am getting nowhere. I set up new interfaces with unused IPs, I changed port numbers, I moved ASDM off 443, I ran the above command on different port numbers; no matter what I do, I get the same message. Any idea what I am doing wrong?

Config is below:


ASA Version 9.1(1)
!
ip local pool VPN_pool 192.168.252.10-192.168.252.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.2.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ComcastMetroE
 security-level 1
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
 nameif VPN
 security-level 100
 ip address 192.168.252.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.250.2 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name messicks.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network public_range
 subnet x.x.x.x 255.255.255.240
object network web_server_177
 host x.x.x.x
object network web_server_inside
 host x.x.x
object network voice
 subnet 192.168.4.0 255.255.255.0
object network All192
 subnet 192.168.0.0 255.255.0.0
object network Exchange
 host 192.168.2.5
object network Exchange_public
 host x.x.x
object network NETWORK_OBJ_192.168.252.0_24
 subnet 192.168.252.0 255.255.255.0
object network NETWORK_OBJ_192.168.252.0_26
 subnet 192.168.252.0 255.255.255.192
object network AS400
 host 192.168.2.201
object network AS400_public_179
 host x.x.x
object network AMAX_WAN
 host x.x.x
object network SpamTitan
 host 192.168.2.10
object network SpamTitan_public_180
 host x.x.x
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list ComcastMetroE_access extended permit tcp any4 object SpamTitan eq smtp
access-list ComcastMetroE_access remark allow AMAX WAN to AS400 FTP
access-list ComcastMetroE_access extended permit tcp any4 object AS400 eq ftp
access-list ComcastMetroE_access extended permit tcp any4 object Exchange object-group DM_INLINE_TCP_1
access-list ComcastMetroE_access extended permit tcp any4 object web_server_inside object-group DM_INLINE_TCP_0
access-list tcp_bypass extended permit tcp 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu ComcastMetroE 1500
mtu Inside 1500
mtu DMZ 1500
mtu VPN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network web_server_inside
 nat (Inside,ComcastMetroE) static web_server_177
object network Exchange
 nat (Inside,ComcastMetroE) static Exchange_public
object network AS400
 nat (Inside,ComcastMetroE) static AS400_public_179
object network SpamTitan
 nat (Inside,ComcastMetroE) static SpamTitan_public_180
!
nat (Inside,ComcastMetroE) after-auto source dynamic any interface
access-group ComcastMetroE_access in interface ComcastMetroE
!
router rip
 network 192.168.250.0
 version 2
!
router eigrp 1
 eigrp stub connected
 network 192.168.250.0 255.255.255.0
 passive-interface ComcastMetroE
!
route ComcastMetroE 0.0.0.0 0.0.0.0 x.x.x 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route management 192.168.2.0 255.255.255.0 192.168.250.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 management
http 192.168.250.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
sysopt noproxyarp ComcastMetroE
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map ComcastMetroE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ComcastMetroE_map interface ComcastMetroE
crypto map VPN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN_map interface VPN
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.2.4,CN=ASA5512X
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
 enrollment self
 subject-name CN=192.168.250.2,CN=ASA5512X
 crl configure
crypto ca trustpool policy

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet 192.168.2.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
vpn-addr-assign local reuse-delay 180
dhcpd dns 192.168.2.17 192.168.2.5
dhcpd domain messicks.local
!
dhcpd dns 192.168.2.17 192.168.2.5 interface VPN
dhcpd domain messicks.local interface VPN
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 VPN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 ComcastMetroE
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 management
webvpn
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
xxxx
!
class-map ComcastMetroE-class
 match any
class-map inspection_default
 match default-inspection-traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map ComcastMetroE-policy
 class ComcastMetroE-class
  police input 26214000 13104
  police output 26214000 13104
  user-statistics accounting
policy-map tcp_bypass
 class tcp_bypass
  set connection timeout idle 0:10:00
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy ComcastMetroE-policy interface ComcastMetroE
service-policy tcp_bypass interface Inside
prompt hostname context
no call-home reporting anonymous

ASA5512X#                                 
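Separate from the bind error, the crypto section of the posted config still carries DES and 3DES proposals, MD5 ESP integrity, DH groups 2 and 5, a 3DES SSL suite and telnet management access. As an added example that is not part of the original thread, a small lint over a constructed excerpt of that config flags those settings; the rules are this example's own, not a Cisco tool's.

```python
# Constructed excerpt of the crypto section from the config posted above.
SAMPLE = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
ssl encryption aes128-sha1 3des-sha1
telnet 192.168.2.0 255.255.255.0 management
"""

WEAK_CIPHERS = {"des", "3des"}    # 56-bit DES and 112-bit 3DES (Sweet32)
WEAK_HASHES = {"md5"}             # MD5 HMAC, deprecated for IPsec integrity/PRF
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups

def lint_asa_crypto(config_text):
    """Return [(top-level command, finding)] for weak crypto and cleartext management settings."""
    findings = []
    block = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level command opens a new block
            block = line
            if line.startswith("ssl encryption"):
                for suite in line.split()[2:]:
                    if suite.split("-")[0] in WEAK_CIPHERS:
                        findings.append((block, f"weak SSL suite {suite}"))
            elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
                findings.append((block, "telnet management access is cleartext"))
            continue
        parts = line.split()
        if parts[:2] == ["protocol", "esp"]:  # "protocol esp encryption des" ->
            parts = parts[2:]                 # same shape as an ikev2 policy line
        kind, algs = parts[0], parts[1:]
        if kind == "encryption":
            weak = [a for a in algs if a in WEAK_CIPHERS]
        elif kind in ("integrity", "prf"):
            weak = [a for a in algs if a in WEAK_HASHES]
        elif kind == "group":
            weak = [g for g in algs if g in WEAK_DH_GROUPS]
        else:
            weak = []
        findings.extend((block, f"weak {kind} {a}") for a in weak)
    return findings
```

Run it over a full `show running-config` capture to see every proposal and policy that would negotiate a weak suite; removing those entries (and the `telnet` line) is the usual cleanup after the wizard.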

rvarelac
Level 7

Hi

If this is on a production environment, clearing the translations will kill the sessions for a few seconds; if you want to avoid this, run the command after hours.

To check how many people are using the translations you can use the command "show xlate".


Hope this helps

Do not forget to rate helpful posts


- Randy-