
Cisco RA VPN Issue only on mobile devices

justclash4
Level 1

Hi there,

We have a weird issue. We can connect to our RA VPN with Cisco Secure Client on Windows, macOS and Linux, but cannot connect to it on either Android or iOS devices.

I turned on debug level for VPN troubleshooting and checked debug logs.

When connecting to the RA VPN with a laptop, FTD sends the username and password to the AAA servers after the TLS handshake and everything works well. But when connecting to the RA VPN with a mobile device, the debug logs are different. I attached screenshots of both situations.

Environment: FMCv standalone 7.2.8 - FTDv standalone 7.2.8

Thank you for your assistance

2 Accepted Solutions


The step that has latency is an ISE internal step, not related to the client.
But if the Wi-Fi client, or the FTD, has a shorter authc timeout than the other wired OS, then this client will fail to authc.
To be sure, check the debug detail for both cases and see if both cases have the same latency.
If yes, then as I suggested before, increase the authc timeout in the FTD profile and try upgrading the ISE.


I installed Patch-9 on our ISE 3.1 and then the issue was resolved.


31 Replies

What auth do you use for this RA VPN?
MHM

Radius Authentication with Cisco ISE

Can you share

debug webvpn anyconnect 255

for both cases?

MHM

I ran that command. How should I export that for you?
Did you see the attached screenshots?

Screenshots are OK.

And in the last screenshots you shared, the debug is a mix of AnyConnect and AAA traffic. I need to debug only AnyConnect.

MHM

This is when using a mobile device, with VPN logging in debug mode and that debug command executed.

The normal situation will be attached in the next comment.

Normal connection with a laptop.

The AAA server group failed.
show aaa-server <<- check this command and see if there is a reject or timeout.
Also, do a capture on the interface facing the AAA servers and see whether FTD sends packets to AAA or not.

MHM

I just captured packets in both situations.
In a normal connection from a desktop client, one RADIUS request is sent from FTD to ISE and one RADIUS response is received from ISE.

But when connecting with a mobile device, RADIUS requests are sent to ISE but no response is received.
The username and password that I am using on both clients are the same.

Also, I ran show aaa-server and all of them are ACTIVE.

Share show aaa-server <<-

Also, if you use a condition in ISE that matches a specific OS, then ISE will not reply; this is mostly an issue with the policy set in ISE.

MHM

Attached.

I just checked the policy set that our RA VPN is using on ISE. There is no OS-related configuration. Is there anything that I should check in ISE?

It is an issue with ISE.

There are a timeout count and an accept count.

The timeout count is high.

Can I see the policy set of ISE?

MHM

Thanks for checking. It's attached.