07-16-2020 11:40 AM
We have a FlexVPN server running on a CSR 1000v providing AnyConnect VPN for our customer users. Most of the users are running AnyConnect 4.3 or 4.5 with no issues. I am planning to upgrade our AnyConnect version to 4.9 for users, but when I test AnyConnect 4.9, it doesn't work.
On the Windows 10 computer, I am getting "The IPSec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator."
On the CSR, I can see the crypto session is ACTIVE, and my ACS log also shows authentication success.
But when I try from an AnyConnect 4.5 Windows client, everything works fine.
Is there anything special for AnyConnect 4.9?
Thanks,
07-16-2020 11:59 AM
Hi,
My first thought is that some IKEv2 algorithms have been deprecated in AnyConnect 4.9.
Are you sure an IKEv2 and IPSec SA was created correctly for an AnyConnect 4.9 client?
Provide the output of "show crypto ikev2 sa" and "show crypto ipsec sa" of a computer using AnyConnect 4.9
Provide your crypto configuration for review.
HTH
07-16-2020 12:33 PM
07-16-2020 12:54 PM
07-16-2020 04:26 PM - edited 07-16-2020 06:00 PM
Hi Zhiqiang.yan,
Based on the outputs you shared, it seems that AnyConnect actually connects but then terminates the session. That's why you see the SA up on the router while, on the client side, the VPN software shows as disconnected.
Also, a DART could give us some details about the disconnection on the client side.
Would you be able to get this info when you try to connect?
debug crypto ikev2
debug crypto ikev2 packet
debug crypto ikev2 internal
debug crypto ikev2 error
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
07-16-2020 05:40 PM
Hi Josue,
Do I need to set up a version on the CSR to match the clients? I don't think I had that before. My production CSR has these two lines; our clients use 4.3/4.5 and I use 4.8 from a Windows 10 machine, and they are all working just fine.
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-3.1.12020-k9.pkg sequence 1
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.2.00096-k9.pkg sequence 2
I actually have this on my lab CSR, but it doesn't help. I think this command is for web VPN; I am doing AnyConnect IPSec. Or did I use the wrong .pkg file?
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.9.00086-webdeploy-k9.pkg sequence 1
I agree, the connection must be terminated for some reason. I actually ran Wireshark on the Win10 client, and I don't see a reset.
Thanks,