ASA Anyconnect VPN TLS1.3 issue

abideen.shaikh
Level 1

Hi All,

I am having issues connecting to Cisco AnyConnect in a lab environment; I am getting TLS failures. My config, license and error logs are given below. I have configured one of the interfaces as outside and enabled webvpn there. Tried using both a web browser and the AnyConnect client, getting the same error message. Hardware used is FPR2110 with ASA image 9.16.

webvpn
anyconnect image flash:/anyconnect-win-4.10.05095-webdeploy-k9.pkg
enable outside
anyconnect enable
sysopt connection permit-vpn
http redirect OUTSIDE 80
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 8.8.8.8
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
anyconnect dpd-interval client 30
exit

tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit

tunnel-group MY_TUNNEL webvpn-attributes
group-alias SSL_USERS enable

webvpn
tunnel-group-list enable

==================================================================

Error logs are given below

SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3: Received Handshake record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending SSL/TLS Header record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending Alert record to remote client
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3: Received SSL/TLS Header record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3: Received Handshake record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2: Sending SSL/TLS Header record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2: Sending Alert record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2 State:error
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2 State:error

===========================================================================

 

License details are given below

FPR-ASA-1(config)# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                   Status : Capacity : Installed :    Limit
-----------------------------------------
AnyConnect Premium               : ENABLED :     1500 :      1500 :     NONE
Other VPN (Available by Default) : ENABLED :     1500 :      1500 :     NONE
AnyConnect for Mobile            : ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : ENABLED
VPN-3DES-AES                     : DISABLED
VPN-DES                          : ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                                      All :   Peak :   Eff. :
                                   In Use : In Use :  Limit :  Usage
---------------------------------
AnyConnect Premium               :      0 :      0 :   1500 :     0%
Other VPN                        :      0 :      0 :   1500 :     0%
---------------------------------------------------------------------------
 

3 Replies

@abideen.shaikh it looks like you do not have the 3DES/AES license, you will need this to connect using SSL/TLS.

VPN-3DES-AES : DISABLED

You can go to the smart licensing portal and download this 3DES/AES license for free and install on the firewall.
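As an added example (not from the thread, and not Cisco's tooling), a small Python triage script that groups the "debug ssl" lines posted above by client socket, flags connections where the ASA sent an Alert and then reached State:error, and reads the VPN-3DES-AES line of the license summary, so the two symptoms correlated in the reply above can be checked together. The sample lines are constructed from the thread; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the thread: one client socket's
# "debug ssl" lines and the two cipher-license lines from the summary.
SSL_DEBUG = """\
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3: Received Handshake record from remote client
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending SSL/TLS Header record to remote client
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending Alert record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
"""
LICENSE_SUMMARY = "VPN-3DES-AES : DISABLED\nVPN-DES : ENABLED\n"

LINE_RE = re.compile(
    r"^SSL (?P<kind>STATE|PKT) - Srvr:(?P<srv>\S+) Clnt:(?P<clnt>\S+) "
    r"(?P<ver>TLSv1\.\d):? (?P<msg>.*)$")

def parse_ssl_debug(text):
    """Group debug lines by client socket (ip/port) and record whether the
    ASA sent a TLS Alert and whether the connection ended in State:error."""
    conns = defaultdict(lambda: {"versions": [], "alert_sent": False, "error": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a debug ssl line
        c = conns[m["clnt"]]
        if m["ver"] not in c["versions"]:
            c["versions"].append(m["ver"])  # e.g. TLSv1.3 offered, TLSv1.2 answered
        if m["kind"] == "PKT" and "Sending Alert record" in m["msg"]:
            c["alert_sent"] = True
        if m["kind"] == "STATE" and m["msg"] == "State:error":
            c["error"] = True
    return dict(conns)

def strong_crypto_enabled(summary):
    """True only if the VPN-3DES-AES line of the license summary says ENABLED."""
    m = re.search(r"VPN-3DES-AES\s*:\s*(\w+)", summary)
    return m is not None and m.group(1) == "ENABLED"

def diagnose(ssl_debug, summary):
    """Combine both symptoms the way the reply above does."""
    conns = parse_ssl_debug(ssl_debug)
    failed = [c for c, s in conns.items() if s["alert_sent"] and s["error"]]
    if failed and not strong_crypto_enabled(summary):
        return "handshake alert + VPN-3DES-AES disabled: install the 3DES/AES license"
    if failed:
        return "handshake alert but VPN-3DES-AES enabled: the license is not the cause"
    return "no failed handshakes in log"

if __name__ == "__main__":
    print(diagnose(SSL_DEBUG, LICENSE_SUMMARY))
```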

Thanks Rob, I'll give it a try and update.

RachelGomez161999
Spotlight

1. Repair the installation
In the Windows Search bar, type Control and open Control Panel.
Click Uninstall a program in the bottom left corner.
Click on the Cisco System VPN client and choose Repair.
Follow the instructions until the installation is repaired.
Let’s start by repairing the installation. Lots of third-party applications tend to break after a major update is administered. That’s why it is always recommended to reinstall them after the update is installed.

Even better, if you want to avoid one of the numerous update/upgrade errors, uninstalling is a viable choice.

However, if you’ve not uninstalled Cisco VPN prior to an update, instead of reinstallation, you should try out repairing the present installation first.

If you’re not sure how to repair the Cisco VPN, follow the steps we provided above.

2. Allow VPN to freely communicate through Firewall
In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall.
Click Change settings.
Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall.
If that’s not the case, click Allow another app and add it.
Check both Private and Public network boxes.
Confirm changes and open the Cisco VPN.
System updates can, quite frequently, change the system settings and preferences to default values. This misdeed, of course, can affect Windows Defender settings as well.

If that’s the case, chances are that lots of third-party apps that require free traffic through the Firewall won’t work, including the Cisco VPN client.

That’s why we encourage you to check the settings and confirm that the app is indeed allowed in Windows Firewall settings.

3. Tweak the Registry
Right-click on the Start button and open Device Manager.
Expand Network adapters.
Right-click on Virtual Adapter and update it.
Restart your PC.
Like many other integrating VPN solutions, Cisco VPN comes with the specific associated Virtual Network Adapter. The failure of this device is another common occurrence, and it’s accompanied by the error code 442.

The first thing you can do if this error occurs is checking the Virtual Adapter driver in the Device Manager.

Now, if that fails to resolve the issue, you can try a Registry tweak which seems to address it fully. This requires administrative permission in order to make changes to the Registry.

Furthermore, we strongly suggest treading carefully since untaught meddling with the Registry can result in a system failure.

Follow these steps to tweak the Registry and repair Cisco VPN:

Type Regedit in the Windows Search bar and open Registry Editor.
Copy-paste the following path in the address bar:
HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtA
Right-click on the DisplayName registry entry and choose Modify.
Under the Value Data section, make sure that the only body of text which stands is the Cisco Systems VPN Adapter.
For the 64-bit version, the text is the Cisco Systems VPN Adapter for 64-bit Windows.
Save changes and try running Cisco VPN again.

 

Regards,

Rachel Gomez