01-21-2016 02:32 PM
Hi,
I have recently replaced my perimeter firewalls and I loaded them with the latest ASA software (9.5.2). Since replacing the firewalls I am experiencing weird issues with our AnyConnect VPN. We are in a position where some of our users cannot connect from their home networks via VPN, but if they tether to a mobile phone network they can. From their local network they can ping and traceroute to our firewall endpoint, and some can even use personal devices to connect to the VPN from their local network. Then there are other users who can connect and experience no issues. These users are all using Windows 8 or the latest Apple Mac devices, and the connectivity worked before the upgrade. The only way I can restore access is by installing the old firewalls and leaving the ASA software at 9.0.1. Even if we upgrade those firewalls we experience the same issue.
If a user attempts to connect using the AnyConnect software, they are presented with the username request box and then the VPN will drop with no error. If the user then attempts to reach the site via the browser, the page will not appear and the browser will just keep trying as if it is looping. If at this point the user tethers to their mobile phone, the connection works straight away. I have recreated the VPN configuration and altered webvpn settings to no avail. I cannot pinpoint a fault with the ISP, the users' local network or the firewall itself, as some people work and others do not.
Has anyone else experienced an issue similar to this and been able to fix this?
Due to security vulnerabilities and compliance issues we cannot revert to the legacy firewalls. I suspect there is some configuration cache in the AnyConnect configuration or a registry setting, but cannot find anything, so any help is appreciated.
Thanks
James Cotterill
01-21-2016 03:25 PM
9.5(2) is bleeding edge new. I would be tempted to drop back to a gold star release like 9.2(4), or 9.3(3) if you want something a bit newer.
01-21-2016 03:26 PM
If you want to stick with 9.5(2), did you also go to a new version of AnyConnect at the same time when you did the upgrade?
Personally I would downgrade the ASA code.
01-21-2016 03:37 PM
Hi Philip,
Thanks for the quick response. Yes we have upgraded the AnyConnect and also tried a few of the earlier versions as well, but this has not worked either.
Downgrading the ASA software is our next option, but we were hoping to see if we can diagnose the issue as the firewall works perfectly well and also enables us to remove SSL v3 in light of recent vulnerabilities.
I believe we attempted to upgrade the legacy firewalls (Cisco ASA5510) to 9.4(2), but we experienced the same issue. I will downgrade the new firewalls (Cisco ASA5515x with FirePOWER) to 9.3(3) and see what happens.
Thanks
James
01-21-2016 03:45 PM
I had a lot of issues with 9.4(x). Avoid that release.
I'm about 80% confident 9.3(3) has SSLv3 disabled by default.