We have a FlexVPN server running on a CSR 1000v providing AnyConnect VPN for our customer users. Most of the users are running AnyConnect 4.3 or 4.5 with no issues. I am planning to upgrade our AnyConnect version to 4.9 for users, but when I test AnyConnect 4.9, it doesn't work.
On the Windows 10 computer, I am getting "The IPSec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator."
On the CSR, I can see the crypto session is ACTIVE, and my ACS log is also showing authentication success.
But when I try from AnyConnect 4.5 on Windows, everything works fine.
Is there anything special for AnyConnect 4.9?
My first thought is that some IKEv2 algorithms have been deprecated in AnyConnect 4.9.
Are you sure an IKEv2 and IPSec SA was created correctly for an AnyConnect 4.9 client?
Provide the output of "show crypto ikev2 sa" and "show crypto ipsec sa" of a computer using AnyConnect 4.9
Provide your crypto configuration for review.
Based on the outputs you shared, it seems that AnyConnect actually connects but then terminates the session. That's why you see the SA up on the router while, on the client side, the VPN software appears disconnected.
Also, a DART could give us some details about the disconnection on the client side.
Would you be able to get this info when you try to connect?
debug crypto ikev2
debug crypto ikev2 packet
debug crypto ikev2 internal
debug crypto ikev2 error
Rate if it helps.
TAC - VPN Engineer.
Do I need to set up a version on the CSR to match the clients? I don't think I had that before. My production CSR has these two lines; our clients use 4.3/4.5 and I use 4.8 from Windows 10, and they are all working just fine.
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-3.1.12020-k9.pkg sequence 1
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.2.00096-k9.pkg sequence 2
I actually have this on my lab CSR but it doesn't help. I think this command is for web VPN; I am doing AnyConnect IPsec. Or did I use the wrong .pkg file?
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.9.00086-webdeploy-k9.pkg sequence 1
I agree, the connection must be terminated for some reason. I actually ran Wireshark on the Win10 client, and I don't see a reset.