
ASA stuck Anyconnect connection

peter.matuska1
Level 1

Hi,

I have configured AnyConnect VPN with auth and authz towards ISE. The IP address is assigned in the authz profile. The problem is that when the internet connection is lost on the PC or the PC goes to sleep, AnyConnect doesn't reconnect after connectivity is back or the PC wakes up. In this state the VPN is disconnected on the PC but the session still exists on the ASA, so the user hits connect again, but the connection fails with this log on the ASA (among others): No address available for SVC connection. I think the reason is that the session is still on the ASA, and the ASA sees that ISE sent the same IP address for this new connection, and that is why the ASA rejects the connection. The only way is to clear the old connection manually from the ASA (ISE cannot be used since the acct stop was sent during this new connection attempt). The idle-timeout is 60 min and cannot be changed.

The question is how to terminate the "old" session and connect the new one for the same user?

 

thank you



Just to clarify the issue: AnyConnect cannot reconnect because of what? The IP it gets from the ASA, or an ISE auth timeout?

I don't know why it cannot reconnect after network connectivity is restored, but I know that it cannot connect again because of the IP address it gets from ISE (I think).

I think you can fix this issue by setting the user's simultaneous logins to 1. By doing so, when AnyConnect tries to reconnect, the firewall will clear the previous session before establishing the new one.

That's it. I always thought that it only disallowed the connection which exceeds the configured number.

thank you

You're welcome. That wouldn't be the case in this scenario you are running into.
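
The simultaneous-logins setting from the accepted answer, together with the checks around it, as an added ASA CLI example that is not part of the original thread. The group-policy name `GP-ANYCONNECT-EXAMPLE` and the username `jdoe` are hypothetical placeholders, and the example assumes the setting goes into whichever group-policy the ISE authz result maps the user to.

```cisco
! --- Before changing anything: confirm the stale session is still held ---
! A leftover entry for the user here is the session holding the
! address that ISE hands out again on the next connection attempt.
show vpn-sessiondb anyconnect filter name jdoe

! --- Apply the limit (global configuration mode) ---
! Hypothetical policy name; use the group-policy your AnyConnect users
! actually receive (for example the one ISE assigns in the authz profile).
group-policy GP-ANYCONNECT-EXAMPLE attributes
 ! ASA default is 3 simultaneous logins per user.
 ! With 1, a new login by the same user replaces the existing session
 ! instead of coexisting with it, which releases the old address.
 vpn-simultaneous-logins 1
 exit

! --- Verify the policy now carries the setting ---
show running-config group-policy GP-ANYCONNECT-EXAMPLE

! --- After the user reconnects: exactly one session should be listed ---
show vpn-sessiondb anyconnect filter name jdoe

! --- Manual cleanup, the workaround described in the question ---
! Only needed for sessions that were already stuck before the change.
vpn-sessiondb logoff name jdoe
```

A limit of 1 also means a user cannot keep VPN sessions open from two devices at once, so accounts that legitimately need that should be placed in a separate group-policy.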