
ASAv and AnyConnect Some Websites don't work

jf1134
Level 1

We have an ASAv and our users use AnyConnect versions anywhere between 4.7 and 4.10. Some users, not all, have issues going to random sites. It doesn't happen to everyone, just random users on occasion. A lot of times, for the users that are on 4.7, upgrading them to 4.10 fixes the issue. It's set up as a split tunnel. The weird thing is it's been working fine and now all of a sudden it doesn't.

 

 


Based on the information provided, it appears that the issue is likely related to the AnyConnect client version. There could be a compatibility issue, bug, or configuration discrepancy between the different client versions and the ASA configuration. Here are some steps to troubleshoot and potentially resolve the issue:

1. **Upgrade clients to the latest version**: Since upgrading from 4.7 to 4.10 seems to resolve the issue for some users, it is recommended to have all users upgrade to the latest AnyConnect version (preferably 4.10.x). This should help maintain consistency and compatibility with the ASAv.

2. **Check for ASAv configuration changes**: Review the ASA configuration logs to see if there have been any recent changes that might have affected AnyConnect clients. If you find any changes, evaluate if they could be causing the issue and revert or modify them if necessary.

3. **Review AnyConnect logs**: Collect and analyze the AnyConnect logs from the affected clients. These logs can provide valuable information on potential issues or misconfigurations. Look for any error messages, timeouts, or other anomalies in the logs. You can also enable DART (Diagnostic AnyConnect Reporting Tool) to gather more detailed logs and diagnostic information from the clients.

4. **Check DNS resolution**: Since users are having issues accessing random websites, it is important to verify if there are any DNS resolution problems. Use the ASDM to check the DNS configuration on the ASA and ensure that it is correctly configured to provide the appropriate DNS servers to the clients. You can also have the affected users run 'nslookup' or 'ping' to test the DNS resolution of the problematic websites.

5. **Verify split-tunnel configuration**: Review the split-tunnel configuration on the ASA and ensure that it is correctly set up. Verify that the networks intended to be tunneled are included and that other traffic is excluded.

6. **Test with SSL/TLS settings**: If the issue persists, consider testing with different SSL/TLS settings on the ASA and the AnyConnect clients. There might be a compatibility issue with some of the SSL/TLS versions or cipher suites.

7. **Open a TAC case**: If the issue still remains unresolved, consider opening a case with Cisco TAC for further assistance and troubleshooting.

Remember to always back up your configuration before making any changes.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
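
The DNS and split-tunnel checks from steps 4 and 5 can be combined into one triage pass. The following is an added example, not part of the reply above and not Cisco tooling: it takes the addresses `nslookup` returned for a failing site from each resolver and checks them against the split-tunnel include networks. The network list, resolver labels (`vpn_dns`, `local_dns`), hostnames and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values; substitute the networks from your own
# split-tunnel ACL and the answers nslookup returned on the affected client.
SPLIT_INCLUDE = ["10.0.0.0/8", "192.0.2.0/24"]
SAMPLE = {
    "intranet.example.com": {"vpn_dns": ["10.1.2.3"], "local_dns": []},
    "www.example.org": {"vpn_dns": ["192.0.2.10", "198.51.100.7"],
                        "local_dns": ["198.51.100.7"]},
    "cdn.example.net": {"vpn_dns": ["203.0.113.5"], "local_dns": ["203.0.113.5"]},
}


def path_for(address, include):
    """Return 'tunnel' if the address is in a split-include network, else 'local'."""
    ip = ipaddress.ip_address(address)
    nets = (ipaddress.ip_network(n) for n in include)
    return "tunnel" if any(ip.version == n.version and ip in n for n in nets) else "local"


def triage(answers, include=SPLIT_INCLUDE):
    """answers maps a resolver label to the addresses it returned for one hostname."""
    findings = []
    # A resolver that returns nothing points at DNS rather than routing.
    for resolver, addrs in answers.items():
        if not addrs:
            findings.append(f"no-answer:{resolver}")
    # If a name's addresses straddle tunnel and local paths, which path a
    # connection takes depends on which address the client happens to pick.
    paths = {a: path_for(a, include) for addrs in answers.values() for a in addrs}
    if len(set(paths.values())) > 1:
        findings.append("mixed-path")
    # Differing answers between resolvers mean results vary with the resolver used.
    answered = {tuple(sorted(a)) for a in answers.values() if a}
    if len(answered) > 1:
        findings.append("resolvers-disagree")
    return findings or ["consistent"], paths


def report(sample=SAMPLE, include=SPLIT_INCLUDE):
    """Findings per hostname for a whole batch of collected answers."""
    return {host: triage(answers, include)[0] for host, answers in sample.items()}


if __name__ == "__main__":
    for host, findings in report().items():
        print(f"{host}: {', '.join(findings)}")
```

A `mixed-path` or `resolvers-disagree` finding is a lead for comparing affected and unaffected clients, not a diagnosis on its own.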