Cannot get AnyConnect working on a Firepower 1010

Chess Norris
Level 4

Hi,

 

I have a really strange problem with AnyConnect that I'm trying to solve.

Having configured AnyConnect multiple times on both ASA and Firepower FTD before, I am not sure why I cannot get AnyConnect on a new Firepower 1010 to work. In fact I cannot connect to it at all. Looking at the FTD logs, I can see that the public address I'm connecting from gets blocked. This is the kind of behaviour I would expect if webvpn is not enabled on the outside interface (which it is) or if there is some control-plane ACL blocking the traffic (but I have not configured any control-plane ACL). I've attached a screenshot of the traffic getting blocked and also the relevant AnyConnect information. I'm running FTD version 6.7 at the moment, but I've also tried with 6.6.

Thanks

/Chess

Please let me know if you have any idea of what's going on.

6 Replies

Hi @Chess Norris 

There is no Control Plane ACL on FTD.

 

The screenshot you provided indicates that traffic destined to 10.46.0.0, which is the network address of your INSIDE network (this overlaps with your RAVPN IP pool), was blocked. The screenshot indicates the traffic was going from outside to inside. When connecting to the FTD to establish a VPN, this would be to the outside interface only, not from outside to inside.

 

You'll be connecting to the outside IP address of the FTD, so you'd not expect to see any traffic to 10.46.0.x until you've received an IP address. And this traffic would be from OUTSIDE on 10.46.0.248-254 to INSIDE on 10.46.0.x.

 

Can you provide more information on the configuration of the FTD and the configuration of the AnyConnect profile etc.?

@Rob Ingram 

Thanks for your input,

It should not be a problem to use a part of the inside network as a VPN pool as far as I know. I've used it before on the ASA.

I have a lab ASA beside me and the VPN configuration is similar (except that the FTD VPN wizard seems to add more options).

I am connecting with the AnyConnect client directly to the IP address of the outside interface of the FTD.

Trying to telnet to the address on port 443 fails as well.

I have attached the full FTD configuration (except public IPs). I can also add that I tried to enable webvpn on the inside interface and that worked without any issues. No problem connecting with AnyConnect there.

No problem, just an observation. Most people use a separate network for the RAVPN pool.

 

Why do you have TLS only enabled on the outside interface? DTLS has better performance.

What error do you receive in AnyConnect?

Does it even prompt for authentication?

If so any logs on RADIUS server?

If you open a web browser and enter the FQDN/IP address do you even get the FTD login prompt?

Turn on webvpn debugs, try connecting and upload the output.

I was experiencing disconnects/reconnects when having DTLS enabled, so that's why I don't use it (not sure if it's the ISP that is blocking the DTLS traffic). No, I don't get any authentication prompt and I cannot access the web page at all. It's like the webvpn isn't enabled on the outside interface even though it says so. As soon as I enable webvpn on the outside interface, the access should work without the need to add a rule to the ACL allowing https traffic to the outside interface, so this is what is confusing me. Like I say, I have configured many SSL VPNs before without any issues. If the VPN on the ASA didn't work, I would suspect that my ISP is blocking SSL traffic as well, but SSL VPN on the ASA works without any issue.

I will enable debugs for the webvpn when I am back home, but I am not sure it will show anything since I don't even get the authentication prompt and the traffic is being blocked.

Run the debug or a packet capture on the outside interface to determine whether tcp/443 is reaching the FTD, either would indicate whether the issue lies with the FTD or a device in front of the FTD is blocking traffic.
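The checks suggested above, written out as an added example for the FTD CLI (these are not commands from the thread; the interface name `outside`, the FTD's public address 203.0.113.10 and the client address 198.51.100.25 are assumptions and should be replaced with the real values). The capture shows whether tcp/443 SYNs from the client arrive on the outside interface at all, the asp-drop capture and `show asp drop` show whether the FTD itself is discarding them and with which drop reason, and the running-config check confirms webvpn is actually enabled on that interface:

```text
> show running-config webvpn
> capture capout interface outside match tcp host 198.51.100.25 host 203.0.113.10 eq 443
> capture capdrop type asp-drop all
> debug webvpn 255
! ... attempt the AnyConnect connection from the client now ...
> show capture capout
> show capture capdrop | include 198.51.100.25
> show asp drop
> undebug all
> no capture capout
> no capture capdrop
```

If `show capture capout` stays empty while the client is connecting, the packets are not reaching the FTD and the problem is upstream (ISP, modem, or a NAT device in front of the 1010). If the SYNs are in `capout` but also show up in `capdrop`, the drop reason printed next to them (and the counters in `show asp drop`) tells you which FTD component refused the connection.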

Chess Norris
Level 4

@Rob Ingram 

I am now able to get the authentication prompt after testing different configurations. Not really sure exactly what fixed it though.

However, I got a new issue. My Firepower FTD can't reach the ISE RADIUS server. Both the ISE and the FMC server are located at a remote office and the 1010 FTD is located at my home.

I am running a L2L VPN tunnel between my home and the remote office and everything else is working, and I have no problem reaching the FMC and ISE GUI from my clients.

I have tested the connection with the "test aaa-server authentication" command and I am getting "ERROR: Authentication Server not responding: No active server found". Any ideas?
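A way to narrow down the "No active server found" error, as an added example not taken from the thread (the server group name `ISE-RADIUS`, the ISE address 10.47.0.10, the FTD inside interface address 10.46.0.1 and the test account are assumptions to be replaced with the real values). `show aaa-server` shows whether the FTD has marked the server FAILED, `packet-tracer` shows which interface and route the FTD would use to reach ISE and whether the packet would be encrypted into the L2L tunnel, and the capture shows whether RADIUS requests leave the box and whether any reply comes back:

```text
> show running-config aaa-server
> show aaa-server ISE-RADIUS
> packet-tracer input inside udp 10.46.0.1 1812 10.47.0.10 1812 detailed
> capture capradius interface inside match udp any host 10.47.0.10 eq 1812
> test aaa-server authentication ISE-RADIUS host 10.47.0.10 username testuser password testpass
> show capture capradius
> no capture capradius
```

Two things to look at in the output: the phase list of `packet-tracer` should end in an ALLOW with a VPN encrypt phase, otherwise the address the FTD sources its RADIUS traffic from is not covered by the L2L tunnel's protected networks and the request never reaches the remote office; and if the capture shows requests leaving with no replies, check that ISE has the FTD's source address configured as a network device with the matching shared secret, since a mismatched or unknown client is silently ignored by RADIUS rather than answered with a reject.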
