cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
728
Views
0
Helpful
5
Replies
Highlighted
Beginner

FlexVPN notworking for Anyconnect 4.9

we have FlexVPN server running on a CSR 1000v provide Anyconnect VPN for our customer users, most of the users are running 4.3 or 4.5 Anyconnect VPN no issues. I am planing to upgrade our Anyconnect version to 4.9 for users. but when I test Anyconnect4.9. it doesn't work.

 

on the Windows10 computer, I am getting "The IPSec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator."

on the CSR, I can see the Crypto session is ACTIVE, and on my ACS log is also seeing authentication success. 

 

but when I try from a Anyconnect 4.5 WIndows, everything works fine.

 

are there anything special for Anyconnect 4.9?

 

Thanks,

5 REPLIES 5
Highlighted
VIP Mentor

Hi,

 

My first thought is that some IKEv2 algorithms have been depreciated in AnyConnect 4.9

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html

 

Are you sure an IKEv2 and IPSec SA was created correctly for an AnyConnect 4.9 client?

Provide the output of "show crypto ikev2 sa" and "show crypto ipsec sa" of a computer using AnyConnect 4.9

Provide your crypto configuration for review.

 

HTH

Highlighted

hi Rob,

 

Please check the attachment, I just can't find what do I do wrong.

 

Thanks,

 

Highlighted

You certainly appear to have established IKEv2 and IPSec SA, but no traffic being sent/received.
I can see nothing obviously wrong in your configuration, regardless if it's working for older anyconnect clients, then it might be a bug with AC 4.9. I suggest you log a call with TAC.
Highlighted
Cisco Employee

Hi Zhiqiang.yan,

Based on the outputs you shared it seems to be that the Anyconnect actually connects but then terminates the session, that's why you see the SA up on the router and on the client side, the VPN Software seems as disconnected.

Also, a DART could give us some details about the disconnection on the client side.

Would you be able to get this info when you try to connect?

debug crypto ikev2
debug crypto ikev2 packet
debug crypto ikev2 internal
debug crypto ikev2 error

 

Rate if it helps.

 

Regards,
Josue Brenes
TAC - VPN Engineer.

 

Highlighted

hi Josue,

Do I need to setup a version on CSR to match the clients? I don't think I have that before, My production CSR has these two lines, our clients use 4.3/4.5 and I use 4.8 from a Windows10, they are all working just fine.

crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-3.1.12020-k9.pkg sequence 1
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.2.00096-k9.pkg sequence 2

 

I actually have this on my LAB CSR but it doesn't help. I think this command is for web VPN, I am doing Anyconnect IPSec. or did I use a wrong .pkg file?

crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.9.00086-webdeploy-k9.pkg sequence 1

 

I agree, the connection must be terminated for some reason. I actually ran wireshark on the Win10 client, I don't see a reset.

 

Thanks,

Content for Community-Ad