ASA Anyconnect - Connection attempt failed.

Hej
I am trying to configure AnyConnect on an ASA FPR-1120 version 9.16. I am getting this error when I try to connect: "Connection attempt has failed due to server communication"

We had to use a non-default port and had to change http server port to 470. So I configured webvpn port to 470 as well, otherwise it was giving an error

When I try to connect from anyconnect client, I add the ":470" at the end of the Outside interface of the FW.

I do not see any hits on the ACL when I try an access attempt. However, from what I understand, if "sysopt connection permit-vpn" is enabled, then anything coming to the VPN bypasses the interface ACL.

I am trying to figure out what mistake I am making

Config:

sysopt connection permit-vpn


ssl trust-point OSCAR-CERT Internet
crypto ca trustpoint OSCAR-CERT
 enrollment self
 subject-name CN=mfw01
 keypair OSCAR-ANYCONNECT
 crl configure


ip local pool OSCAR-ADDRESS-POOL 10.250.3.27-10.250.3.29 mask 255.255.252.0


http server enable 470


webvpn
 port 470
 enable Internet
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.08025-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.10.08025-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.10.08025-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 
 
tunnel-group OSCAR-ANYCONNECT type remote-access
tunnel-group OSCAR-ANYCONNECT general-attributes
 address-pool OSCAR-ADDRESS-POOL
 default-group-policy GroupPolicy_OSCAR-ANYCONNECT
tunnel-group OSCAR-ANYCONNECT webvpn-attributes
 group-alias OSCAR-ANYCONNECT enable
 
 
group-policy GroupPolicy_OSCAR-ANYCONNECT internal
group-policy GroupPolicy_OSCAR-ANYCONNECT attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value TEST
 
access-list SPLIT-TUNNEL standard permit 10.250.0.0 255.255.252.0 


object network OSCAR-ASSIGNED-ADDRESSES
 subnet 10.250.3.24 255.255.255.248
object network OSCAR-ALLOWED-SUBNETS
 subnet 10.250.0.0 255.255.252.0
 
 
nat (IPSL-LAB-01,Internet) source static OSCAR-ALLOWED-SUBNETS OSCAR-ALLOWED-SUBNETS destination static OSCAR-ASSIGNED-ADDRESSES OSCAR-ASSIGNED-ADDRESSES no-proxy-arp route-lookup


access-list Internet_access_in extended permit object tcp_470 object TEST-HOST object FW-INTERNET

object service tcp_470
 service tcp destination eq 470

access-group Internet_access_in in interface Internet
Accepted Solution

@oscardenizjensen you do have the 3DES/AES license right? Without it crypto features are disabled. Run "show version" to confirm.

If not the license is free https://integratingit.wordpress.com/2023/12/23/asa-3des-license/


11 Replies

@oscardenizjensen the command "sysopt connection permit-vpn" is only relevant for when the anyconnect users are connected, it bypasses the interface ACLs.

You don't need "http server enable 470" for anyconnect VPN connections, that is for ASDM access. Normally you'd use a separate port (different to webvpn port for anyconnect).

The interface ACL "Internet_access_in" is not going to do anything to allow/restrict AnyConnect connections, those ACLs are for traffic going "through" the ASA, not "to" the ASA itself - so you would not see hits on that ACL.

Turn on SSL debugs and provide the output for review please.
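As an added example (not the poster's config or any Cisco code), a small Python check that covers the two things raised in this thread: it reads the 3DES/AES entry from the "Licensed features" table of a `show version` capture, which the accepted answer says to confirm, and it pulls the webvpn interface/port pairs out of a config fragment so the URL the client should use can be verified. The `show version` line layout is assumed from standard ASA output, and both sample texts are constructed.

```python
import re

# Constructed excerpt in the shape of ASA 'show version' license output
# (sample data, not the poster's real device).
SHOW_VERSION_SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
AnyConnect Premium Peers          : 75             perpetual
"""

# Constructed webvpn fragment modelled on the thread's config.
CONFIG_SAMPLE = """\
http server enable 470
webvpn
 port 470
 enable Internet
 anyconnect enable
tunnel-group OSCAR-ANYCONNECT type remote-access
"""


def parse_licensed_features(show_version: str) -> dict[str, str]:
    """Map feature name -> value from the 'Licensed features' table."""
    feats = {}
    for m in re.finditer(r"^([\w /-]+?)\s+:\s+(\S+)", show_version, re.M):
        feats[m.group(1).strip()] = m.group(2)
    return feats


def strong_crypto_enabled(show_version: str) -> bool:
    """True only if 3DES/AES shows 'Enabled'; a missing row counts as disabled."""
    return parse_licensed_features(show_version).get("Encryption-3DES-AES") == "Enabled"


def webvpn_endpoints(config: str) -> list[tuple[str, int]]:
    """(interface, port) pairs where webvpn is enabled; port defaults to 443."""
    port, ifaces, in_webvpn = 443, [], False
    for line in config.splitlines():
        if line == "webvpn":
            in_webvpn = True
        elif in_webvpn and line.startswith(" "):  # sub-mode lines are indented
            if (m := re.match(r" port (\d+)$", line)):
                port = int(m.group(1))
            elif (m := re.match(r" enable (\S+)$", line)):
                ifaces.append(m.group(1))
        else:
            in_webvpn = False
    return [(iface, port) for iface in ifaces]
```

With the sample above, `strong_crypto_enabled` returns False, which is exactly the state the accepted answer describes, and `webvpn_endpoints` shows the client must target the Internet interface on port 470.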

Thanks for explaining these, quite insightful.

Then I do not understand why I get an error when I try to configure it without a non-default port configured:
mfw01(config-webvpn)# enable Internet
ERROR: Port 443 on Internet can not be configured due to conflict
INFO: WebVPN and DTLS are disabled on 'Internet'.

I did the below but I do not see any output when I try to connect from the AnyConnect client:
debug webvpn anyconnect
terminal monitor

@oscardenizjensen do you have a NAT to the outside internet interface on 443?

You need to enable logging to the console or buffer 

MHM

I used IP:470 and IP from Anyconnect client on my home PC. Same error is given

MHM

I have changed the port to 471 to not contradict with https server.

Anyconnect-failure.PNG

Debug.PNG

 

MHM


Thanks, this was the problem. Once I activated the 3DES/AES license, the AnyConnect connection succeeded.

I have one more question. Is this a license that needs to be manually enabled each time the license expires, or does it auto-renew since it is a free license?