Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2925
Views
0
Helpful
11
Replies

Cisco Anyconnect and iPhone and iPad

HelmutEichberger
Level 1
Level 1

‎10-29-2013 01:05 AM - edited ‎02-21-2020 07:17 PM



Here is what I have

Netgear DGN2000 wireless router/ADSl modem at home.
iPhone 5 iOS 7.0.3
3. iPad 2 ioS 6.1.3
4.Cisco AnyConnect app installed and I think correctly configured on ip5 and ipad2
5.FileBrowser app installed on ip5 and ipad2

Here is my problem.

Using the wifi network at work using a SONY laptop WIN8 and Cisco VPN client installed I can establish a VPN connection and browse drives at the remote location using Windows Explorer
ip5 connected to work wifi network can establish VPN connection using AnyConnect app and with FileBrowser app I can browse drives at the remote location
ip5 using cellular data I can establish VPN connection using AnyConnect app and can browse with FileBrowser
with ipad 2 tethered to ip5 via bluetooth I can use hotspot on the phone and ipad 2 can establish VPN connection using AnyConnect app and I can browse with FileBrowser app
at an Apple store I can use ip5 & ipad 2 on the Apple wifi network to establish VPN connection using AnyConnect app and I can browse with FileBrowser app
on the home wifi network I cannot establish a VPN connection with either ip5 or ipad 2. The AnyConnect app when you turn it on and enter password says "connecting" and the VPN logo flashes momentarily at the top of ip5 or ipad 2 screen and then disappears and the AnyConnect app then says "reconnecting". In the diagnostics log there is a warning that "connection" attempt has failed" and "Please respond to Server Certificate acceptance request" but that does not seem to arise when I successfully connect as mentioned above.
Cisco VPN client ports are UDP 500, UDP 4500 for IPsec/NATT, TCP for IPsec/TCP is configurable (whatever that means) and IPsec/UDP is UDP 500, UDP X (configurable)
at first I thought that my router did not have the right ports open but the Sony laptop can establish a VPN connection on the network using the Cisco VPN client no problems

The diagnostics log looks like shown in the photo




I hope some of you experts can help
iPhone 5, iOS 7

Labels:
Preview file
167 KB
0 Helpful
11 Replies 11

Karsten Iwen
VIP
VIP

‎10-29-2013 01:24 AM

That description seem like your router tries to intercept the IPsec packets, perhaps to process them by the router. Are there VPNs configured directly on the router? if yes, then just turn them off to see if that changes anything. Is that a really old router? If yes, then look for settings like IPSec-pass-through and turm that *off*.

And if all of these doesn't help, there is still the possibility to use SSL for the connection which should work without problems.


Sent from Cisco Technical Support iPad App

0 Helpful

HelmutEichberger
Level 1
Level 1
In response to Karsten Iwen

‎10-29-2013 01:43 AM

Thanks for your reply . Yes it is a somewhat old router . There are no VPNs configured on the router but I do have several VPN profiles on the ip5 and iPad 2. Those VPNs work. I browsed the router and there are no settings like IPsec mentioned. How do I enable secure socket layer SSL? Is that a setting that I establish in the AnyConnect app?

Sent from Cisco Technical Support iPad App

0 Helpful

Michael Muenz
Level 5
Level 5

‎10-29-2013 01:33 AM

Sounds like your Netgear doesn't like UDP packets on port 443. Try disabling DTLS and use plain SSL like Karsten said.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
0 Helpful

HelmutEichberger
Level 1
Level 1
In response to Michael Muenz

‎10-29-2013 01:48 AM

For the services and rules on the router to do with ports I can only choose either TCP or UDP packets or TCP/UDP. There is no option to choose anything other that those for any of the ports including for port 443. I know what DTLS stands for but I don't think I have ever seen it in my router settings. Like I said in reply to Karsten. How do I set up SSL?

Sent from Cisco Technical Support iPad App

0 Helpful

Michael Muenz
Level 5
Level 5
In response to HelmutEichberger

‎10-29-2013 01:50 AM

TCP = SSL

UDP = DTLS

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
0 Helpful

HelmutEichberger
Level 1
Level 1
In response to Michael Muenz

‎10-30-2013 01:51 AM

Well I bought a new Netgear router (D6300). I have the same problem. I have never had so much trouble setting up a router in my life. It i supposed to make any printer and air printer (not). How do I set up the thing so I can use Any Connect? I have tried lots of permutations for port forwarding and/ or port triggering and I still cannot CONNECT using VPN. I GIVE UP!

Sent from Cisco Technical Support iPad App

0 Helpful

Michael Muenz
Level 5
Level 5
In response to HelmutEichberger

‎10-30-2013 02:15 AM

Do you have the vpn gateway under control?

I would disable all portforwardings and DMZ stuff, just plan NAT and test again.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
0 Helpful

HelmutEichberger
Level 1
Level 1
In response to Michael Muenz

‎10-30-2013 02:27 AM

No it is not under control. I tried port forwarding and port triggering. I rang Netgear for support. They were very helpful (not). They suggested port triggering and said that if that doesn't work I should contact Cisco. Just a cop out by them. When you say plan (plain?) NAT. The only NAT mention I can find is NAT filtering and I can disable SIP ALG whatever that is. There is NAT address translation and it is enabled. DMZ is not enabled.

Karsten, what is ASA? Connect with IPsec in AnyConnect is off.

Sent from Cisco Technical Support iPad App

0 Helpful

Michael Muenz
Level 5
Level 5
In response to HelmutEichberger

‎10-30-2013 02:31 AM

Sorry, plain! Disable all features and functions around inspection, triggering, forwarding and ALG.

If this doesn't work you have to install a sniffer and check the traffic.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
0 Helpful

Karsten Iwen
VIP
VIP
In response to HelmutEichberger

‎10-30-2013 02:18 AM 

I GIVE UP!

http://www.youtube.com/watch?v=oHg5SJYRHA0

1) Can you router provide any log from the connection? Does it drop anything?

2) Can you do a debug on the ASA while you connect?

3) In the AnyConnect-App, which protocol is used there, SSL or IPSec? Also try that what is not selected. Of course the ASA has to be configured for that also.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Daniel marcotte
Level 1
Level 1

‎11-06-2013 06:55 AM

I had the same problem, solution was simple. Change the DHCP address range that your home router give. If it give an ip in the range 192.168.0.xxx change it for 192.168.1.xxx.

Check that your iphone received an ip in the new range.

In my case with a particular router, giving an ip in the same range as my work ip range make the VPN not working.

Work ip range : 192.168.0.xxx

home ip range need to be something else than 192.168.0.xxx

It appen with only one home router in my life. The same situation (same ip range home/work) with other router work!!!!

0 Helpful
Customers Also Viewed These Support Documents