ASA5506x Can't access AnyConnect webpage to download the client

peat
Level 1

It used to work, but now it won't load the page, so I can't install AnyConnect clients on new machines. This is with all browsers tried (Chrome, Edge, Firefox).

If I go to the public IP, the domain name URL or the internal FW IP, I get a warning saying "your connection isn't private" (first odd thing, as there is an SSL cert on the FW), so I click continue and then get the webpage saying "Can't reach this page, it looks like xx.xx.xx.xx closed the connection".

I'm pretty sure I'm not missing anything in my config.

"webvpn
enable WAN
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 2
anyconnect enable"

 

Machines with the client currently installed can connect to the VPN fine.

Interestingly, when on ASDM, if I go to "show running configuration in a new window", that page won't load either.

What could this issue be? Is it a cert issue or an SSL/TLS issue? Or something completely different?

 

ASDM version : 7.15(1)

Firmware version : 9.6(4)3   (I'm trying to upgrade that but want to fix this issue first)

Anyconnect image version : 4.6.0.1103 (windows and mac)

1 Accepted Solution

Just for info a CA SSL cert fixed the remaining issue.

Dinesh Moudgil
Cisco Employee

Please share the following

 

show run all ssl

show run webvpn

show run http

show asp table socket | in 443

 

Also, run the debug command "debug webvpn anyconnect 255", attempt to connect again, and share the logs.

 

and


capture the packets on the outside interface while attempting to connect:

capture capture_name interface interface_name match tcp host <your clients public IP> host <ASA interface IP> eq 443

capture asp type asp-drop all

 

and then share the output of

show cap capture_name

show cap asp

 

Thank you,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Please see attached.

There weren't any results from debug webvpn though.

I've also rebooted the firewall and updated to 9.8(4), but that didn't make any difference.

peat
Level 1

OK, I have an update.

We found that if we use a Windows 7 machine with Internet Explorer, we can get to the AnyConnect firewall download page.

This also worked on a MacBook Air on Sierra using Safari. Using Chrome on either wouldn't work.

From there I downloaded AnyConnect 4.6 onto the Mac and it connected fine. Trying AnyConnect 4.9 on the Mac, it doesn't work.

(4.9 does work on Windows 10 machines)

I've removed some old crypto maps that I thought might be stopping Chrome and the newer AnyConnect from working, but that's not made a difference.

We are also going to get a CA SSL cert. Hopefully that might help, as I am assuming newer browsers are just not allowing self-signed certs anymore?

 

Just for info a CA SSL cert fixed the remaining issue.
