03-06-2023 07:08 AM
Hi,
We are testing an upgrade from a very old version of Cisco AnyConnect (4.6) to a newer 4.10 version due to DH group limitations.
When testing the newer version, the client no longer connects as an IKEv2 IPsec connection and instead looks to be "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel".
Is there a knowledgeable person who can explain to me whether this is a good, expected result and whether this is the path forward for the AnyConnect client? Sorry, I'm still learning.
03-06-2023 08:38 AM
03-09-2023 06:44 AM
@Rob Ingram so I can run Wireshark from the tablet running the new AnyConnect version. I see my packets for ISAKMP.
As far as I can tell, the AnyConnect client is offering proposals that would match policies that I have configured on the ASA. But in the debug on the ASA it says that there are no matching policies.
Wireshark dump for packet #1 inbound:
Frame 1: 726 bytes on wire (5808 bits), 726 bytes captured (5808 bits) on interface \Device\NPF_{837B6A94-4726-4512-B2CF-BE6CDDD6E290}, id 0
Raw packet data
Internet Protocol Version 4, Src: 10.255.201.127, Dst: ****EXT_FW_IP****
User Datagram Protocol, Src Port: 49231, Dst Port: 500
Internet Security Association and Key Management Protocol
Initiator SPI: 73926dbbdcd87ed8
Responder SPI: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
0010 .... = MjVer: 0x2
.... 0000 = MnVer: 0x0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08 (Initiator, No higher version, Request)
.... 1... = Initiator: Initiator
...0 .... = Version: No higher version
..0. .... = Response: Request
Message ID: 0x00000000
Length: 698
Payload: Security Association (33)
Next payload: Key Exchange (34)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 276
Payload: Proposal (2) # 1
Next payload: Proposal (2)
Reserved: 00
Payload length: 124
Proposal number: 1
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 13
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 192
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 00c0
Key Length: 192
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 128
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0080
Key Length: 128
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): NONE (0)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 256-bit random ECP group (19)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 521-bit random ECP group (21)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 3072 bit MODP group (15)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 4096 bit MODP group (16)
Payload: Proposal (2) # 2
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 148
Proposal number: 2
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 16
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 192
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 00c0
Key Length: 192
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 128
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0080
Key Length: 128
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 256-bit random ECP group (19)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 521-bit random ECP group (21)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 3072 bit MODP group (15)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 4096 bit MODP group (16)
Payload: Key Exchange (34)
Next payload: Nonce (40)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 72
DH Group #: 256-bit random ECP group (19)
Reserved: 0000
Key Exchange Data: 0bf188fded5652a0b9bdbb95fc1e30047e438c115e4a4250e84548788e323927703e924a…
Payload: Nonce (40)
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 24
Nonce DATA: acbfcb18d161616a9acf5364ff6c25b3ff015c84
Payload: Vendor ID (43) : Cisco Delete Reason Supported
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 23
Vendor ID: 434953434f2d44454c4554452d524541534f4e
Vendor ID: Cisco Delete Reason Supported
Payload: Vendor ID (43) : Cisco Copyright
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 59
Vendor ID: 434953434f28434f505952494748542926436f7079726967687420286329203230303920…
Vendor ID: Cisco Copyright
Payload: Vendor ID (43) : Unknown Vendor ID
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 24
Vendor ID: 434953434f2d414e59434f4e4e4543542d454150
Vendor ID: Unknown Vendor ID
Payload: Vendor ID (43) : Cisco GRE Mode Supported
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 19
Vendor ID: 434953434f2d4752452d4d4f444503
Vendor ID: Cisco GRE Mode Supported
Payload: Vendor ID (43) : Unknown Vendor ID
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 20
Vendor ID: 434953434f2d4e47452d4c4556454c03
Vendor ID: Unknown Vendor ID
Payload: Vendor ID (43) : Unknown Vendor ID
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 26
Vendor ID: 434953434f2d414e59434f4e4e4543542d5354524150
Vendor ID: Unknown Vendor ID
Payload: Vendor ID (43) : Unknown Vendor ID
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 29
Vendor ID: 434953434f2d414e59434f4e4e4543542d53545241502d4448
Vendor ID: Unknown Vendor ID
Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 28
Protocol ID: IKE (1)
SPI Size: 0
Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
Notification DATA: 7bdff21b24706294e62413f825ad71b4636371a9
Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 28
Protocol ID: IKE (1)
SPI Size: 0
Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
Notification DATA: 9b8b8ca9efa7c1fe6a6ffd506a0ada4909e963f8
Payload: Vendor ID (43) : Cisco Fragmentation
Next payload: Configuration (47)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 20
Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d3
Vendor ID: Cisco Fragmentation
Payload: Configuration (47)
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 14
Type: CFG_REQUEST (1)
Reserved: 000000
Config Attribute (t=28728,l=2): PRIVATE USE
0... .... .... .... = Format: Type/Length/Value (TLV)
Type: PRIVATE USE (28728)
Length: 2
Value: 0240
Payload: Notify (41) - REDIRECT_SUPPORTED
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 8
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: REDIRECT_SUPPORTED (16406)
Notification DATA: <MISSING>
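The capture above shows the two IKE proposals the client sends in IKE_SA_INIT. The following is an added example, not code from the thread, from Cisco, or from any ASA software, that models how a responder evaluates such proposals under RFC 7296: a proposal is acceptable only if the responder can pick one transform of every type it contains (encryption with key length, PRF, integrity, D-H group). The two proposals are transcribed from the dump; the responder policies are constructed stand-ins for individual IKEv2 policy entries, and the names `Policy`, `explain` and `select_proposal` are this example's own. The `explain` helper reports which transform type each policy fails on, which is the first thing to check when a device reports "no matching policy".

```python
"""IKEv2 IKE_SA_INIT proposal matching as a responder evaluates it (RFC 7296, section 3.3)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transform type numbers (RFC 7296, section 3.3.2).
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
TYPE_NAMES = {ENCR: "ENCR", PRF: "PRF", INTEG: "INTEG", DH: "D-H"}

# Transform IDs from the IANA IKEv2 registry, as decoded in the capture above.
ENCR_AES_CBC, ENCR_AES_GCM_16 = 12, 20
PRF_HMAC_SHA1, PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384, PRF_HMAC_SHA2_512 = 2, 5, 6, 7
INTEG_NONE, AUTH_HMAC_SHA1_96 = 0, 2
AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 = 12, 13, 14
ECP_256, ECP_384, ECP_521, MODP_2048, MODP_3072, MODP_4096 = 19, 20, 21, 14, 15, 16

# A transform is (transform ID, key length); key length is 0 where the ID has none.
Transform = Tuple[int, int]


@dataclass
class Proposal:
    number: int
    transforms: Dict[int, List[Transform]]


@dataclass
class Policy:
    """One responder-side suite: a hypothetical stand-in for a single configured IKEv2 policy."""
    name: str
    encr: Transform
    prf: int
    integ: int
    dh: int

    def wanted(self) -> Dict[int, Transform]:
        return {ENCR: self.encr, PRF: (self.prf, 0), INTEG: (self.integ, 0), DH: (self.dh, 0)}


def offered(proposal: Proposal, ttype: int) -> List[Transform]:
    """Transforms of one type in a proposal. A proposal that carries no INTEG
    transform at all is an AEAD proposal, equivalent to offering INTEG NONE."""
    lst = proposal.transforms.get(ttype, [])
    if ttype == INTEG and not lst:
        return [(INTEG_NONE, 0)]
    return lst


def explain(proposal: Proposal, policy: Policy) -> List[int]:
    """Transform types whose policy choice the proposal does not offer (empty list = acceptable)."""
    return [t for t, want in policy.wanted().items() if want not in offered(proposal, t)]


def select_proposal(proposals: List[Proposal], policies: List[Policy]) -> Optional[Tuple[int, str, Dict[int, Transform]]]:
    """Walk the initiator's proposals in preference order and return the first
    (proposal number, policy name, chosen transforms) that some policy accepts."""
    for proposal in proposals:
        for policy in policies:
            if not explain(proposal, policy):
                return proposal.number, policy.name, policy.wanted()
    return None


# Proposals 1 and 2 transcribed from the IKE_SA_INIT capture above.
_PRFS = [(PRF_HMAC_SHA2_384, 0), (PRF_HMAC_SHA2_512, 0), (PRF_HMAC_SHA2_256, 0), (PRF_HMAC_SHA1, 0)]
_GROUPS = [(g, 0) for g in (ECP_256, ECP_384, ECP_521, MODP_3072, MODP_4096)]
CLIENT_PROPOSALS = [
    Proposal(1, {ENCR: [(ENCR_AES_GCM_16, k) for k in (256, 192, 128)],
                 PRF: _PRFS, INTEG: [(INTEG_NONE, 0)], DH: _GROUPS}),
    Proposal(2, {ENCR: [(ENCR_AES_CBC, k) for k in (256, 192, 128)],
                 PRF: _PRFS,
                 INTEG: [(AUTH_HMAC_SHA2_256_128, 0), (AUTH_HMAC_SHA2_384_192, 0),
                         (AUTH_HMAC_SHA1_96, 0), (AUTH_HMAC_SHA2_512_256, 0)],
                 DH: _GROUPS}),
]

# Constructed responder policies (hypothetical, not the poster's ASA configuration).
ONLY_GROUP14 = Policy("ikev2-policy-10", (ENCR_AES_CBC, 256), PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128, MODP_2048)
GCM_POLICY = Policy("ikev2-policy-20", (ENCR_AES_GCM_16, 256), PRF_HMAC_SHA2_384, INTEG_NONE, ECP_256)
CBC_POLICY = Policy("ikev2-policy-30", (ENCR_AES_CBC, 256), PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128, ECP_256)


def diagnose(proposals: List[Proposal], policies: List[Policy]) -> List[str]:
    """Human-readable reasons, one per (proposal, policy) pair that does not match."""
    lines = []
    for proposal in proposals:
        for policy in policies:
            missing = explain(proposal, policy)
            if missing:
                lines.append(f"proposal {proposal.number} vs {policy.name}: no common "
                             + ", ".join(TYPE_NAMES[t] for t in missing))
    return lines


if __name__ == "__main__":
    print(select_proposal(CLIENT_PROPOSALS, [ONLY_GROUP14]))        # None: group 14 is never offered
    print(select_proposal(CLIENT_PROPOSALS, [ONLY_GROUP14, GCM_POLICY, CBC_POLICY]))
    for line in diagnose(CLIENT_PROPOSALS, [ONLY_GROUP14]):
        print(line)
```

Note that the AES-GCM proposal carries an explicit INTEG NONE transform, so a policy that insists on a separate HMAC integrity algorithm can never accept it; that policy can only match the AES-CBC proposal, and only if it also shares a D-H group with the client's list (groups 19, 20, 21, 15 and 16 in this capture).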
04-19-2023 07:46 AM
@Rob Ingram @MHM Cisco World @Marvin Rhoads My issue is now resolved. I needed to disable AnyConnect Essentials, as explained in this forum.