
Cisco Any Connect

gary rash
Level 1

Couldn't find any community to post in so I'll try this. I have an ISA550 with a few PCs connecting using AnyConnect. I have a dynamic IP at the host and use dyndns to keep my domain linked to the current IP. About every 3-6 days when someone tries to connect to the VPN they get a "Can't connect, check Internet" message. There is nothing wrong at the host end. To fix the issue I have to reboot the ISA and all is well again for a bit of time. When it won't connect I can't connect to the domain or the IP that my router has at that time.

 

Any help greatly appreciated as I don't even know where to begin. 

4 Replies

nate fitzgerald
Level 1

Do you have AnyConnect essentials installed? By default only 2 users are allowed to be connected at a time, unless you purchase the AnyConnect essentials license, which will give you 25 users and up depending on the ASA/Firewall platform model. Also, is your IP local pool for VPN large enough? Is there a possibility that all of your addresses are being used up? These are just a couple of things that could prevent users from being able to connect using AnyConnect if the peer is functioning properly.

You could also run a debug webvpn or debug webvpn svc to determine what is happening when a user is trying to connect to the firewall using AnyConnect.

 

When the problem occurs, have you tried pinging the external IP address the firewall is receiving at the time the issue occurs?

Let me see if I can answer all your questions correctly. 

I do not have the full AnyConnect package installed but I could if you tell me I should.

The 2 users is not an issue as when this issue happens no one can connect, but either way there are only two people.

Can you tell me how to run debug webvpn? 

I don't think my ISA is set to respond to ping as even right now with the VPN working fine it doesn't respond. Can you tell me how to turn that on? 

 

Thanks for any help or advice you have.

Ok Gary, I am not that familiar with the ISA models; I typically deal with the ASA and PIX firewall platforms. But for pings from the outside to the outside interface, you would need an access-list inbound to allow icmp traffic, then you would need to apply that access-list to your outside access-list, so for example:

 

1. From config mode create the access-list

access-list INBOUND_ACL extended permit icmp any any

access-list INBOUND_ACL extended permit icmp any any echo

 

2. Assign the access-list to an outside interface.

access-group INBOUND_ACL in interface outside   <-------- outside assuming the name of the interface facing the outside world is called outside.

3. Test by pinging the outside IP address from outside of your network

ping 1.1.2.2

 

For debugs I use the CLI for everything, so from the command line on the ISA I would assume you can run the command from exec mode "debug webvpn" or "debug webvpn svc", and make sure you have term mon running by entering term mon. That way you can watch the debugs live as they occur.

 

See what the results are when you VPN in.

Like I said, I typically work with an ASA or PIX and never have worked on an ISA, so the commands, debugs and names of the interfaces could be completely different.

Thanks

 

Good Morning

I found out where to turn on respond to ICMP ping. It pings fine now but of course the VPN is connecting fine right now. I will test when it goes down next. Thanks.