Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13708
Views
5
Helpful
9
Replies

Cisco Anyconnect connects but does not receive traffic

Go to solution
khoda
Level 1
Level 1

‎01-12-2019 04:13 PM - edited ‎02-21-2020 09:32 PM

Hi,

 

Cisco AnyConnect 4.6 connects successfully, yet there is no incoming traffic. The sent bytes increase while the received bytes stay at 36395. Other devices on the same network using the same version of the software do not have this issue. The message history is as follows:

 

1:03:11 AM Contacting ***.***.***.
1:03:16 AM User credentials entered.
1:03:16 AM Establishing VPN session...
1:03:16 AM The AnyConnect Downloader is performing update checks...
1:03:16 AM Checking for profile updates...
1:03:16 AM Checking for product updates...
1:03:16 AM Checking for customization updates...
1:03:16 AM Performing any required updates...
1:03:16 AM The AnyConnect Downloader updates have been completed.
1:03:16 AM Establishing VPN session...
1:03:16 AM Establishing VPN - Initiating connection...
1:03:16 AM Establishing VPN - Examining system...
1:03:16 AM Establishing VPN - Activating VPN adapter...
1:03:20 AM Establishing VPN - Configuring system...
1:03:21 AM Establishing VPN...
1:03:21 AM Connected to ***.***.***.

 

I am new to this, so I appreciate if you could please let me know which information I can provide that would be helpful in resolving the issue.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
khoda
Level 1
Level 1
In response to Francesco Molino

‎01-15-2019 04:20 AM

Thanks for the info. I contacted IT and they recommended checking the Cisco network adapter settings. The problem was the following two items in the adapter properties:
- Azzouzi HotSpot LightWeight Filter
- SoftEther Lightweight Network Protocol

By disabling them the VPN works without any issue.

Thanks for the help.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-12-2019 06:28 PM

Hi,

Can you provide your configuration to check nothing is missing?
When you say other devices on the same network don't have issues, do you mean these devices are also connected over anyconnect?
Depending on this answer, we will see to do some tests and get some captures.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
khoda
Level 1
Level 1
In response to Francesco Molino

‎01-13-2019 12:50 PM

Thanks for the response. By no issue on other devices, I mean the other devices on the same network as the device with the connection issue connect over anyconnect without any problems. This should point out that there is a problem in the client machine rather than the connection configuration?
Would you please specify which configuration file are you looking for? I download the anyconnect application provided and it was supposed to configure itself. I did not change any configurations after installation. If it helps, these are the setup instruction provided for connection: https://innsida.ntnu.no/wiki/-/wiki/English/Install+VPN

Sometimes I get this warning: "The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again."
And when I try again it connects without receiving traffic. a restart does not change anything.

The only file I found that might have related info is the log file at C:\Users\*\.cisco\vpn\log

I am using windows 10.
0 Helpful

Go to solution
Peter Long
Level 1
Level 1
In response to khoda

‎01-30-2020 05:58 AM

I had this, it was an overlapping subnet

 

AnyConnect Error: Unable To Verify IP Forwarding Table Modifications

 

Pete

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-12-2019 08:52 PM

Hi,

Start with the following:

* Obtain the IP allocated to the VPN user from the pool using the command

sh vpn-sessiondb anyconnect filter name **********

Session Type: AnyConnect

Username : ************************ Index : 18877
*Assigned IP : 10.10.10.15 * Public IP
:************************
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256
DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256
DTLS-Tunnel: (1)SHA1
Bytes Tx : 147625 Bytes Rx : 72382
Group Policy : ******* Tunnel Group : ISE-TG
Login Time : ***************************
Duration : 0h:01m:03s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : *************************
Security Grp : none

* Capture traffic from ASA using this IP to see whether traffic is coming
to ASA or not

capture cap circular-buffer include-decrypted interface test match ip host
10.10.10.15 any

If the traffc is coming then you need to see where its getting dropped
(start with nat exempt). If the traffic isn't coming then check on the
local machine whats allowing traffic from leaving such as AV clients.
0 Helpful

Go to solution
khoda
Level 1
Level 1
In response to Mohammed al Baqari

‎01-13-2019 01:09 PM

How can I do this on windows?
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to khoda

‎01-13-2019 06:17 PM

You need to do this on your firewall.
Do you have access to your asa?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
khoda
Level 1
Level 1
In response to Francesco Molino

‎01-14-2019 02:02 PM

I don't have access to the ASA. I just use the client application. Turning the firewall completely off on the problematic client machine did not help.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to khoda

‎01-14-2019 08:48 PM

If you're not able to reach any hosts sitting inside, you may need to contact your IT guy managing the asa.
You can get more deep troubleshooting files install anyconnect DART. Can you share the debug file from this application to see if that's a client issue otherwise you need to check with your IT guys.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
khoda
Level 1
Level 1
In response to Francesco Molino

‎01-15-2019 04:20 AM

Thanks for the info. I contacted IT and they recommended checking the Cisco network adapter settings. The problem was the following two items in the adapter properties:
- Azzouzi HotSpot LightWeight Filter
- SoftEther Lightweight Network Protocol

By disabling them the VPN works without any issue.

Thanks for the help.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents