Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2512
Views
5
Helpful
4
Replies

ASA5506x Cant access Anyconnect webpage to download the client

Go to solution
peat
Level 1
Level 1

‎02-16-2021 03:52 AM

It used to work but now it wont load the page so I cant install Anyconnect clients on new machines.  This is with all browsers tried (chrome, edge, firefox).

If I go to the public ip, the domain name url or the internal fw IP, I get a warning saying your connection isnt private (first odd thing as there is a ssl cert on the fw),  so I click continue and then get the webpage saying "Can't reach this page, it looks like xx.xx.xx.xx closed the connection"

 

Im pretty sure I'm not missing anything in the my config.

"webvpn
enable WAN
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 2
anyconnect enable"

 

Machines with the client currently installed can connect to the vpn fine.   

Interestingly when on ASDM if I go to the "show running configuration in a new window" that page wont load either.

 

what could this issue be?  is it a cert issue or a ssl/tls issue? or something completely different.

 

ASDM version : 7.15(1)

Firmware version : 9.6(4)3   (I'm trying to upgrade that but want to fix this issue first)

Anyconnect image version : 4.6.0.1103 (windows and mac)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
peat
Level 1
Level 1
In response to peat

‎03-08-2021 05:42 AM

Just for info a CA SSL cert fixed the remaining issue.

View solution in original post

4 Replies 4

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎02-16-2021 04:05 AM

Please share the following

 

show run all ssl

show run webvpn

show run http

show asp table socket | in 443

 

Also.

run the debug command "debug webvpn anyconnect 255" and attempt to connect again share the logs.

 

and


capture the packets on the outside interface while attempting to connect:

capture capture_name interface interface_name match tcp host <your clients public IP> host <ASA interface IP> eq 443

capture asp type asp-drop all

 

and then share the output of

show cap capture_name

show cap asp

 

Thank you,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
peat
Level 1
Level 1
In response to Dinesh Moudgil

‎02-17-2021 06:53 AM

HI Dinesh,

Please see attached.

 

There wasn't any results from debug webvpn though.

I've also rebooted the firewall and updated to 9.8(4) but that didnt make any difference.

capasp.txt
Preview file
19 KB
webvpn.txt
Preview file
2 KB
0 Helpful

Go to solution
peat
Level 1
Level 1

‎02-18-2021 06:07 AM

Ok have an update.

We found that if we use a windows 7 machine with internet explorer we could get to the anyconnect firewall download page.

This also worked on a macbook air on Sierra and using safari.   Using chrome on either wouldn't work.

 

From there i downloaded anyconnect 4.6 onto the mac and it connected fine.   Trying anyconnect 4.9 on the mac and it doesnt work.

(4.9 does work on windows 10 machines)

Ive removed some old crypto maps that I thought might be stopping Chrome and the newer anyconnect from working but thats not made a difference.  

We are also going to get a CA SSL cert.  Hopefully that might help as I am assuming newer browsers are just not allowing self signed certs anymore?

 

0 Helpful

Go to solution
peat
Level 1
Level 1
In response to peat

‎03-08-2021 05:42 AM

Just for info a CA SSL cert fixed the remaining issue.

Top