Cisco AnyConnect IP Phones Authentication Failed

fgasimzade
Level 4

Hello everyone,

We have replaced our Cisco ASA with another one and copied the config and SSL certificate. Now some phones get connected, while others show "VPN Authentication Failed".

This is what I see in the phone logs:

7369: NOT 16:44:11.691433 VPNC: vpnc_tun_set_mtu: eth0 i/f mtu -> 1384
7370: NOT 16:44:11.692085 VPNC: vpnc_tun_set_mtu: setting tun i/f mtu -> 1290
7371: NOT 16:44:11.692802 VPNC: vpnc_tun_set_mtu: tun i/f mtu -> 1290
7372: NOT 16:44:11.693498 VPNC: set_mtu: tun MTU set to 1290 (old 1290)
7373: WRN 16:44:11.695347 VPNC: vpnc_configure: SSLv2 and SSLv3 are unsupported because of the vulnerability, use TLSv1 as default
7374: NOT 16:44:11.696522 VPNC: protocol_handler: got set ssl command
7375: NOT 16:44:11.697144 VPNC: protocol_handler: current ssl -> TLSv1
7376: NOT 16:44:11.697736 VPNC: protocol_handler: new ssl -> TLSv1
7377: NOT 16:44:11.699693 VPNC: create_ssl_ctx: use TLSv1 or SSLv3
7378: DBG 16:44:11.702298 VPNU: State AppsUp --> AppsUp
7379: DBG 16:44:11.702897 VPNU: SM wakeup - chld=0 tmr=0 io=1 res=0
7380: DBG 16:44:11.703507 VPNU: State AppsUp --> AppsUp
7381: DBG 16:44:11.741398 VPNU: SM wakeup - chld=0 tmr=0 io=1 res=0
7382: NOT 16:44:11.743249 VPNC: protocol_handler: got set cipher command
7383: NOT 16:44:11.743895 VPNC: protocol_handler: current cipher -> AES256-SHA:AES128-SHA
7384: NOT 16:44:11.744502 VPNC: protocol_handler: new cipher -> AES256-SHA:AES128-SHA
7385: NOT 16:44:11.746469 VPNC: create_ssl_ctx: use TLSv1 or SSLv3
7386: DBG 16:44:11.748338 VPNU: State AppsUp --> AppsUp
7387: DBG 16:44:11.749023 VPNU: SM wakeup - chld=0 tmr=0 io=1 res=0
7388: DBG 16:44:11.749670 VPNU: State AppsUp --> AppsUp

7399: NOT 16:44:11.804485 VPNC: vpn_start: vpnc_configure success
7400: NOT 16:44:11.805063 VPNC: vpn_start: activating vpn
7401: NOT 16:44:11.805613 VPNC: vpn_set_auto: auto -> auto
7402: NOT 16:44:11.806150 VPNC: vpn_set_active: de-activated -> activated
7403: NOT 16:44:11.806744 VPNC: clear_login: clearing login
7404: NOT 16:44:11.807307 VPNC: set_login_state: LOGIN: 3 (FAILED) --> 0 (NONE)
7405: NOT 16:44:11.807916 VPNC: set_login_state: VPNC : 3 (LoginFailed) --> 0 (Idle)
7406: NOT 16:44:11.820423 VPNC: vpnc_control: sending login cmd
7407: NOT 16:44:11.821291 VPNC: set_login_timer: timer set --> 300 sec
7408: NOT 16:44:11.822371 VPNC: protocol_handler: got login command
7409: NOT 16:44:11.823249 VPNC: set_login_state: LOGIN: 0 (NONE) --> 1 (TRYING)
7410: NOT 16:44:11.823961 VPNC: set_login_state: VPNC : 0 (Idle) --> 1 (LoggingIn)
7411: NOT 16:44:11.824935 VPNC: do_login: URL -> https://85.x.x.x/
7412: NOT 16:44:11.827522 VPNC: parse_url: host <85.x.x.x> resolved -> <85.x.x.x>
7413: NOT 16:44:11.828255 VPNC: do_login: tcp_connect
7414: NOT 16:44:11.829352 VPNC: tcp_connect: binding sock to eth0 IP 192.168.157.23
7415: NOT 16:44:11.830367 VPNC: tcp_connect: connecting to 85.x.x.x:443
7416: INF 16:44:11.831206 using if_tun mtu (1290) to set MaxSeg size
7417: NOT 16:44:11.833582 VPNC: tcp_connect: connected to: 85.x.x.x:443, fd 13
7418: NOT 16:44:11.834570 VPNC: do_login: create_ssl_connection
7419: NOT 16:44:11.835864 VPNC: create_ssl_connection: have client cert/pkey
7420: NOT 16:44:11.836544 VPNC: create_ssl_connection: SSL_connect in non-block mode
7421: NOT 16:44:11.838737 VPNC: ssl_state_cb: TLSv1: SSL_connect: before/connect initialization
7422: NOT 16:44:11.840790 VPNC: ssl_state_cb: TLSv1: SSL_connect: SSLv3 write client hello A
7423: ERR 16:44:12.040864 VPNC: ssl_state_cb: TLSv1: SSL_connect: failed in SSLv3 read server hello A
7424: ERR 16:44:12.041615 VPNC: create_ssl_connection: SSL_connect ret 0 error 5
7425: ERR 16:44:12.042453 VPNC: SSL: SSL_connect: SSL_ERROR_SYSCALL (error 5)
7426: ERR 16:44:12.043136 VPNC: SSL: SSL_connect: no additional error details
7427: ERR 16:44:12.043985 VPNC: create_ssl_connection: SSL setup failure
7428: ERR 16:44:12.045918 VPNC: do_login: create_ssl_connection failed
7429: NOT 16:44:12.047221 VPNC: vpn_stop: de-activating vpn
7430: NOT 16:44:12.048103 VPNC: vpn_set_auto: auto -> auto
7431: NOT 16:44:12.048741 VPNC: vpn_set_active: activated -> de-activated
7432: NOT 16:44:12.049777 VPNC: set_login_state: LOGIN: 1 (TRYING) --> 3 (FAILED)
7433: NOT 16:44:12.050602 VPNC: set_login_state: VPNC : 1 (LoggingIn) --> 3 (LoginFailed)
7434: NOT 16:44:12.051271 VPNC: vpnc_send_notify: notify type: 1 [LoginFailed]
7435: NOT 16:44:12.052098 VPNC: vpnc_send_notify: notify code: 45 [VpnCodeSslFatalErr]
7436: NOT 16:44:12.052800 VPNC: vpnc_send_notify: notify desc: [ssl handshake error]
7437: NOT 16:44:12.053630 VPNC: vpnc_send_notify: sending signal 28 w/ value 13 to pid 13
7438: ERR 16:44:12.054358 VPNC: protocol_handler: login failed

I even got one phone that eventually got connected after these errors, but some others do not.

Any ideas?

1 Reply

@fgasimzade it could be that the ASA is configured to only accept TLSv1.1 or 1.2 as a minimum. Run "show ssl" on the ASA and confirm whether TLSv1 is enabled; if not, use the command "ssl server-version ...." to configure it. This post would provide some information on how to change the SSL ciphers.
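
An added example, not part of the original posts: a small Python parser for the VPNC phone log format quoted in the question. It extracts the protocol and cipher list the phone offers and the handshake state at which SSL_connect fails, so logs from working and failing phones can be compared against the ASA's "show ssl" output. The sample lines are a subset copied from the log above; the function and field names are assumptions of this example.

```python
import re

# Sample input: a subset of the phone log lines quoted in the question.
SAMPLE_LOG = """\
7376: NOT 16:44:11.697736 VPNC: protocol_handler: new ssl -> TLSv1
7384: NOT 16:44:11.744502 VPNC: protocol_handler: new cipher -> AES256-SHA:AES128-SHA
7415: NOT 16:44:11.830367 VPNC: tcp_connect: connecting to 85.x.x.x:443
7422: NOT 16:44:11.840790 VPNC: ssl_state_cb: TLSv1: SSL_connect: SSLv3 write client hello A
7423: ERR 16:44:12.040864 VPNC: ssl_state_cb: TLSv1: SSL_connect: failed in SSLv3 read server hello A
7424: ERR 16:44:12.041615 VPNC: create_ssl_connection: SSL_connect ret 0 error 5
7435: NOT 16:44:12.052098 VPNC: vpnc_send_notify: notify code: 45 [VpnCodeSslFatalErr]
"""

# "<line no>: <severity> <time> [<component>: ]<message>"
LINE_RE = re.compile(r"^\s*(\d+): (\w{3}) (\d\d:\d\d:\d\d\.\d+) (?:(\w+): )?(.*)$")

# Message patterns of interest (field names are this example's own).
PATTERNS = {
    "protocol": re.compile(r"protocol_handler: new ssl -> (\S+)"),
    "ciphers": re.compile(r"protocol_handler: new cipher -> (\S+)"),
    "peer": re.compile(r"tcp_connect: connecting to (\S+)"),
    "failed_state": re.compile(r"SSL_connect: failed in (.+)$"),
    "ssl_error": re.compile(r"SSL_connect ret (-?\d+) error (\d+)"),
    "notify": re.compile(r"notify code: (\d+) \[(\w+)\]"),
}

def summarize(log_text):
    """Return the handshake parameters and failure point found in a VPNC log."""
    summary = {"first_error_line": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or non-log line
        lineno, severity, msg = int(m.group(1)), m.group(2), m.group(5)
        if severity == "ERR" and summary["first_error_line"] is None:
            summary["first_error_line"] = lineno
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                g = hit.groups()
                summary[key] = g[0] if len(g) == 1 else g
    if "ciphers" in summary:
        summary["ciphers"] = summary["ciphers"].split(":")
    # True when the client sent its hello but failed while waiting for the server's.
    summary["no_server_hello"] = "read server hello" in summary.get("failed_state", "")
    return summary

if __name__ == "__main__":
    for field, value in summarize(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```
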