Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3154
Views
40
Helpful
21
Replies

Cisco AnyConnect unable to connect with Apple devices

wynneitmgr
Level 3
Level 3

‎08-26-2020 10:56 AM

Up until a couple weeks ago we had no issues connecting Apple devices (iPhones and iPads) to our VPN using Cisco AnyConnect. It seems now we cannot connect unless we are on a PC or Android device (tablet or smartphone). So all VPN connections are working fine except on Apple. Does anybody know of anything going on recently with Cisco and Apple? Thank you for any help.

 

VPN1.jpeg

Labels:
0 Helpful
21 Replies 21

Rob Ingram
VIP
VIP

‎08-26-2020 11:20 AM

Hi,
Have the AnyConnect clients on the apple devices been automatically upgraded recently? On newer anyconnect versions cisco have depreciated support for certain crypto algorithms, which stops devices connecting.

Can you provide the output of:-
- show run ssl
- show run crypto ikev2
- show run crypto ipsec

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 11:23 AM

@Rob Ingram 

Running Cisco AnyConnect Version 4.9.00518

 

Where do you need me to run those scripts?

0 Helpful

Rob Ingram
VIP
VIP
In response to wynneitmgr

‎08-26-2020 11:25 AM

Run those commands from the CLI of the ASA and provide the output for review.
0 Helpful

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 11:28 AM

@Rob Ingram 

 

I used PUTTY to login to Firewall. It doesnt like those scripts.

VPN2.png

0 Helpful

wynneitmgr
Level 3
Level 3
In response to wynneitmgr

‎08-26-2020 11:31 AM

@Rob Ingram 

 

Result of the command: "show run ssl"

ssl client-version tlsv1.2
ssl trust-point outside-self outside
ssl trust-point inside-self inside

 

Result of the command: "show run crypto ikev2"

crypto ikev2 policy 1
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha
lifetime seconds 28800
crypto ikev2 policy 2
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha
lifetime seconds 3600
crypto ikev2 policy 11
encryption aes-256 aes-192 aes 3des
integrity sha512 sha384 sha256 sha
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha md5
lifetime seconds 86400
crypto ikev2 policy 12
encryption aes-256 aes-192 aes 3des
integrity sha512 sha384 sha256 sha
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha md5
lifetime seconds 28800
crypto ikev2 policy 13
encryption aes-256 aes-192 aes 3des
integrity sha512 sha384 sha256 sha
group 21 20 19 24 14 5 2
prf sha512 sha384 sha256 sha md5
lifetime seconds 3600
crypto ikev2 enable outside
crypto ikev2 cookie-challenge always

 

Result of the command: "show run crypto ipsec"

crypto ipsec ikev1 transform-set wynnetr esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal AES128-SHA
protocol esp encryption aes
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec security-association pmtu-aging infinite

0 Helpful

Rob Ingram
VIP
VIP
In response to wynneitmgr

‎08-26-2020 11:31 AM

You are at the wrong prompt, you need to enter "enable"
Rhe prompt would then add # and change to WYNNE-ASA5508-X #

Rob Ingram
VIP
VIP
In response to Rob Ingram

‎08-26-2020 11:42 AM

Are you using SSL or IKEv2/IPSec Remote Access VPN?

 

Run the following debugs from the CLI of the ASA

 

"debug webvpn anyconnect"

"debug crypto ikev2 platform"

"debug crypto ikev2 protocol"

 

And then connect to the VPN from the apple devices, provide the output of the debugs here for review.

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 11:48 AM

@Rob Ingram 

 

Do I need to physically plug into the ASA Firewall? It seems the CLI in ASDM doesn't like debug commands.

 

VPN3.jpg

0 Helpful

Rob Ingram
VIP
VIP
In response to wynneitmgr

‎08-26-2020 11:50 AM

You can connect with SSH using putty

Once you have run the debugs, make sure you turn off debugging using the command "undebug all"
0 Helpful

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 11:56 AM

@Rob Ingram 

 

I entered the debug commands. I still cannot login to VPN on Apple device. The log on AnyConnect shows the same errors fromt he beginning of this post. Are there logs on ASDM Firewall I need to gather?

VPN4.png

0 Helpful

Rob Ingram
VIP
VIP
In response to wynneitmgr

‎08-26-2020 11:59 AM

Ensure you have logging turned on, use the following commands and the output of the debug will appear.

- logging enable
- logging console notifications
- logging monitor notifications

Once you connect, I expect the connection to fail, but the output in the debug should give an indication where the is might be.

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 12:07 PM

@Rob Ingram 

I was able to enable logging but still not seeing any results in Putty. What step did I miss?

 

I could not logon to VPN. There are logs on iPad. There are 3 logs: Messages, Services and App. But it just shows same errors as it did before. 

 

Thank you for your assistance, I appreciate it.

0 Helpful

Rob Ingram
VIP
VIP
In response to wynneitmgr

‎08-26-2020 12:12 PM

So you have connected via SSH or console cable?
With all of these commands it should display IKEv2 or SSL connections to the console.

logging enable
logging console notifications
logging monitor notifications
debug webvpn anyconnect
debug crypto ikev2 protocol
debug crypto ikev2 platform

Try connecting from a device that does work and see if you get any debug output then.

wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎08-26-2020 12:15 PM

@Rob Ingram 

So I just connected to VPN using my Android phone and I see debug info populate on Putty.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents