1432 Views · 0 Helpful · 5 Replies

Inconsistent AnyConnect Connection

Joffroi85 (Level 1)

I recently set up an ASA 5505 with AnyConnect. It's a very simple setup. I have the ASA 5505 (E0/0) plugged straight into the ISP private static IP address. I have a computer connected to the console port for configuration. I also have one laptop occasionally plugged into E0/1 for testing. Everything works great for a while. I've had the laptop able to browse the web, and then I can connect from Android handsets via the AnyConnect APKs.

Port information:

Static IP: 99.66.167.69

Subnet: 255.255.255.248

Gateway: 99.66.167.70

I notice that after about 15 minutes, my ARP table shows something taking 99.66.167.66 on the outside internet. When this happens, I can't browse anymore on the laptop and I can't connect from the handsets via AnyConnect. I'm not sure where the MAC address is from. If I perform a clear arp, I am able to reconnect the laptop to the internet. After that, I am able to VPN via AnyConnect. It doesn't appear that I can connect via AnyConnect until I first initiate the laptop connection to get that initial inside / outside ARP portion populated. Adding static ARP entries doesn't seem to help.

Any ideas?

==============

Current Config:

ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.66.167.69 255.255.255.248
!
ftp mode passive
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
username testuser password cd0dmVM0fEWRYugq encrypted
username testuser attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d5fab45fe19eea3f55517353a07e50d0
: end
5 Replies
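Before chasing the ARP event, a quick cross-check of the config above is worth running. The following is an added example (editor's own code, not from the thread or from Cisco): it pulls the interface addresses, the NAT-exemption access-list, static routes and the group-policy DNS server out of `show run` text and reports prefixes that do not line up. Applied to the posted config it reports two things that are visible in it: the NONAT access-list exempts 192.168.5.0/24 while the inside interface is 192.168.1.0/24, and the group-policy DNS server 192.168.5.100 is reachable only via the default route. Whether either matters for the drop is a separate question; the ARP event the thread is about is a layer-2 matter. SAMPLE_CONFIG is a constructed excerpt of the config posted above.

```python
"""Cross-check an ASA 8.2 `show run` for NAT-exemption and DNS mismatches.

Added example (editor's own code, not from the thread or from Cisco). It pulls
the interface addresses, the NAT-exemption access-list, static routes and
group-policy DNS servers out of running-config text and reports prefixes that
do not line up. SAMPLE_CONFIG is a constructed excerpt of the config posted
above.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.66.167.69 255.255.255.248
!
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
group-policy SSLClientPolicy attributes
 dns-server value 192.168.5.100
 address-pools value SSLClientPool
"""


def _net(first, second):
    """ACL/route operand pair -> network; handles both `host X` and `X MASK`."""
    if first == "host":
        return ipaddress.ip_network(second)
    return ipaddress.ip_network(f"{first}/{second}", strict=False)


def parse_interfaces(cfg):
    """{nameif: IPv4Network} for every interface with a nameif and a static address."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None                      # new interface block
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and name:
            try:
                ifaces[name] = _net(*m.groups())
            except ValueError:               # e.g. `ip address dhcp setroute`
                pass
    return ifaces


def nat_exempt_sources(cfg, nat_iface="inside"):
    """(acl name, [source networks]) referenced by `nat (<iface>) 0 access-list`."""
    m = re.search(rf"^nat \({nat_iface}\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return None, []
    acl = m.group(1)
    pairs = re.findall(rf"^access-list {acl} extended permit ip (\S+) (\S+) ", cfg, re.M)
    return acl, [_net(a, b) for a, b in pairs]


def dns_servers(cfg):
    """All addresses given by `dns-server value ...` lines in group policies."""
    return [ipaddress.ip_address(ip)
            for value in re.findall(r"^\s+dns-server value (.+)$", cfg, re.M)
            for ip in value.split()]


def non_default_routes(cfg):
    """Static route destinations other than 0.0.0.0/0."""
    nets = [_net(d, mask) for d, mask in re.findall(r"^route \S+ (\S+) (\S+) \S+", cfg, re.M)]
    return [n for n in nets if n.prefixlen]


def lint(cfg):
    """List of findings; empty means the pieces line up."""
    findings = []
    ifaces = parse_interfaces(cfg)
    inside = ifaces.get("inside")
    acl, sources = nat_exempt_sources(cfg)
    for src in sources:
        if inside is None or not src.subnet_of(inside):
            findings.append(f"{acl}: source {src} is not within inside {inside}, "
                            "so real inside hosts are not NAT-exempt towards the VPN pool")
    reachable = list(ifaces.values()) + non_default_routes(cfg)
    for dns in dns_servers(cfg):
        if not any(dns in n for n in reachable):
            findings.append(f"dns-server {dns} is reachable only via the default route")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The check is deliberately narrow: it only compares the NAT-exempt sources against the interface named `inside` and the DNS server against connected and statically routed prefixes, which is the common ASA 8.2 pitfall. Changing the two 192.168.5.x values to 192.168.1.x makes the findings list empty.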

Joffroi85 (Level 1)

Since this is a very low-traffic setup, could it have something to do with my timeout values?

Thanks

Vishnu Sharma (Level 1)

Hi Joffroi,

The configuration looks good to me; however, I think this is something related to internet connectivity rather than an inconsistent AnyConnect connection. You said that when the ARP table shows something taking 99.66.167.66 on the outside internet, the laptop behind the ASA loses connectivity to the internet. So if there is no connectivity to the internet, then the AnyConnect client will not connect, for sure. If making the AnyConnect connection stable is the priority, then please apply a capture on the outside interface of the ASA and check whether you can see the traffic coming from the AnyConnect client on the outside interface. To apply the capture on outside, use these commands:

Assuming the public IP address of the AnyConnect client is x.x.x.x, create an access list and bind a capture to it:

access-list cap permit ip host x.x.x.x host 99.66.167.69
access-list cap permit ip host 99.66.167.69 host x.x.x.x
capture capout access-list cap interface outside

To see the traffic coming from the AnyConnect client, use the command: show cap capout. If you do see the traffic coming in, then please paste the output of show cap capout; if you do not see anything, then we need to troubleshoot in the direction of fixing the connectivity issue.

Let me know your finding.

Thanks,

Vishnu Sharma
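Once the capture has lines in it, the question asked above (are packets from the client still reaching the outside interface?) is easier to answer from a per-flow summary than from the raw list. The following is an added example (editor's own code, not from the thread or from Cisco): it parses `show capture` text in the format the ASA prints, counts packets in each direction between the ASA's outside address and the client's public address, and reports the longest silence from the client. SAMPLE_CAPTURE is constructed for this example in that format; the two addresses are the ones quoted later in the thread.

```python
"""Summarise ASA `show capture` output per flow.

Added example (editor's own code, not from the thread or from Cisco). Parses
lines in the format the ASA prints for `show capture <name>` and answers: are
packets from the AnyConnect client's public address still reaching the
outside interface, and how long was the longest silence from it?
SAMPLE_CAPTURE is constructed for this example in that format.
"""
import re

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"            # VLAN tag prefix seen on the 5505
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$")

# Constructed sample: a TLS handshake, one DTLS datagram, then a ten-minute
# silence from the client before the last few packets (shape of the posted capture).
SAMPLE_CAPTURE = """\
  1: 17:26:01.100000 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: S 96786000:96786000(0) win 14600
  2: 17:26:01.100200 802.1Q vlan#2 P0 99.66.167.69.443 > 199.87.127.164.37506: S 1913045000:1913045000(0) ack 96786001 win 32768
  3: 17:26:01.140000 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: . ack 1913045001 win 17158
  4: 17:26:02.500000 802.1Q vlan#2 P0 199.87.127.164.50123 > 99.66.167.69.443:  udp 121
  5: 17:36:08.983530 802.1Q vlan#2 P0 99.66.167.69.443 > 199.87.127.164.37506: . ack 96786377 win 32768
  6: 17:36:08.984125 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: P 96786377:96786467(90) ack 1913045308 win 17158
  7: 17:36:09.040616 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: . ack 1913045341 win 17158
7 packets shown
"""


def _seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """One dict per packet line; trailer lines such as 'N packets shown' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["t"] = _seconds(d["ts"])
        d["proto"] = "udp" if d["rest"].startswith("udp") else "tcp"   # DTLS shows as udp
        packets.append(d)
    return packets


def flows(packets):
    """{(src, sport, dst, dport): packet count} for a quick per-flow view."""
    out = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        out[key] = out.get(key, 0) + 1
    return out


def client_summary(packets, asa_ip, client_ip):
    """Per-direction counts between asa_ip and client_ip plus the longest gap between
    consecutive packets sent by the client (a wrap past midnight adds one day)."""
    to_asa = [p for p in packets if p["src"] == client_ip and p["dst"] == asa_ip]
    from_asa = [p for p in packets if p["src"] == asa_ip and p["dst"] == client_ip]
    largest = 0.0
    for prev, cur in zip(to_asa, to_asa[1:]):
        gap = cur["t"] - prev["t"]
        if gap < 0:
            gap += 86400
        largest = max(largest, gap)
    return {
        "to_asa": len(to_asa),
        "from_asa": len(from_asa),
        "udp_to_asa": sum(p["proto"] == "udp" for p in to_asa),
        "last_from_client": to_asa[-1]["ts"] if to_asa else None,
        "largest_client_gap": largest,
    }


if __name__ == "__main__":
    pk = parse_capture(SAMPLE_CAPTURE)
    for key, n in sorted(flows(pk).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {n} packets")
    print(client_summary(pk, "99.66.167.69", "199.87.127.164"))
```

A summary with `to_asa` at zero after the drop means the client's packets are not reaching the outside interface at all, which points upstream of the ASA; a non-zero `to_asa` with no `from_asa` points at the ASA's own routing or ARP state. Paste the real `show cap capout` text in place of SAMPLE_CAPTURE to run it against a live capture.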

Thanks for the response. I reach my AnyConnect from the public side at the 99.66.167.69 address, so should I just create an access-list cap permit ip host 99.66.167.69 host 99.66.167.69?

Try from any other machine that has a different public IP. I doubt a capture with the same source and destination would work.

Thanks,

Vishnu Sharma

I pulled the IP from a handset I was using with AnyConnect and collected the logs. While the connection was established, everything worked fine and logs were being captured. After 14 minutes, I lost the connection. My handset was in the "reconnecting" state. Below is the end of the logs before everything stopped, and then a little more information. I just don't know what is causing the connection to get lost.

197: 17:36:08.983530 802.1Q vlan#2 P0 99.66.167.69.443 > 199.87.127.164.37506: . ack 96786377 win 32768
198: 17:36:08.983668 802.1Q vlan#2 P0 99.66.167.69.443 > 199.87.127.164.37506: P 1913045308:1913045341(33) ack 96786377 win 32768
199: 17:36:08.984125 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: P 96786377:96786467(90) ack 1913045308 win 17158
200: 17:36:08.984171 802.1Q vlan#2 P0 99.66.167.69.443 > 199.87.127.164.37506: . ack 96786467 win 32768
201: 17:36:09.040616 802.1Q vlan#2 P0 199.87.127.164.37506 > 99.66.167.69.443: . ack 1913045341 win 17158
201 packets shown

ASA5505(config)# show vpn-sessiondb svc

Session Type: SVC

Username     : testuser               Index        : 25
Assigned IP  : 192.168.100.2          Public IP    : 199.87.127.164
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN, AnyConnect Mobile
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 2423                   Bytes Rx     : 13535
Group Policy : SSLClientPolicy        Tunnel Group : SSLClientProfile
Login Time   : 17:26:01 UTC Wed May 16 2012
Duration     : 0h:14m:41s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA5505(config)# show cap capout
0 packet captured
0 packet shown

ASA5505(config)# show arp
        inside 192.168.1.4 001f.f353.da5f 3
        outside 99.66.167.70 0024.c9cf.2c50 285
        outside 99.66.167.66 3ce5.a614.e06b 837
ASA5505(config)#
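The `show arp` output above is the one place the thread has hard data on the event: the gateway entry for 99.66.167.70 is present with its MAC, and a second outside neighbour, 99.66.167.66, has appeared. The following is an added example (editor's own code, not from the thread or from Cisco) of the two checks worth scripting against repeated `show arp` snapshots: which outside neighbours are not in the expected set, and whether any IP's MAC changed between snapshots, which is the signature of another host answering for the gateway. The snapshots are constructed in the format posted above using the addresses and MACs quoted in the thread; the third snapshot, where the gateway's MAC flips, is invented to exercise the change detector.

```python
"""Diff and sanity-check ASA `show arp` snapshots.

Added example (editor's own code, not from the thread or from Cisco). Given
two `show arp` snapshots it reports neighbours on an interface outside the
expected set and any IP whose MAC changed between snapshots. The snapshots
are constructed in the posted format with the thread's addresses and MACs.
"""
import ipaddress
import re

ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\S+)", re.I)

SNAPSHOT_BEFORE = """\
        inside 192.168.1.4 001f.f353.da5f 3
        outside 99.66.167.70 0024.c9cf.2c50 285
"""
SNAPSHOT_AFTER = """\
        inside 192.168.1.4 001f.f353.da5f 3
        outside 99.66.167.70 0024.c9cf.2c50 285
        outside 99.66.167.66 3ce5.a614.e06b 837
"""
# Constructed: the .66 host's MAC now answers for the gateway address as well.
SNAPSHOT_SPOOFED = SNAPSHOT_AFTER.replace("0024.c9cf.2c50", "3ce5.a614.e06b")


def parse_arp(text):
    """One dict per entry: iface, ip, mac (lower-cased), age (int, or None for 'alias')."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            e["age"] = int(e["age"]) if e["age"].isdigit() else None   # static entries show 'alias'
            entries.append(e)
    return entries


def unexpected_neighbors(entries, iface, subnet, expected_ips):
    """Entries on iface whose IP is not in expected_ips; in_subnet flags whether the
    address even belongs to the interface's prefix."""
    net = ipaddress.ip_network(subnet)
    out = []
    for e in entries:
        if e["iface"] != iface or e["ip"] in expected_ips:
            continue
        out.append(dict(e, in_subnet=ipaddress.ip_address(e["ip"]) in net))
    return out


def mac_changes(before, after):
    """[(iface, ip, old_mac, new_mac)] for every IP whose MAC differs between snapshots."""
    prev = {(e["iface"], e["ip"]): e["mac"] for e in before}
    changes = []
    for e in after:
        old = prev.get((e["iface"], e["ip"]))
        if old is not None and old != e["mac"]:
            changes.append((e["iface"], e["ip"], old, e["mac"]))
    return changes


def static_arp_command(entry):
    """ASA CLI line that pins an entry so a later ARP reply cannot overwrite it."""
    return f"arp {entry['iface']} {entry['ip']} {entry['mac']}"


if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER)
    for e in unexpected_neighbors(after, "outside", "99.66.167.64/29", {"99.66.167.70"}):
        print("unexpected outside neighbour:", e["ip"], e["mac"], "age", e["age"],
              "(in subnet)" if e["in_subnet"] else "(outside subnet)")
    for change in mac_changes(after, parse_arp(SNAPSHOT_SPOOFED)):
        print("MAC changed:", change)
    print("pin gateway with:", static_arp_command(after[1]))
```

Two caveats that follow from the thread itself. A pinned `arp outside ...` entry only defends against a different MAC answering for the gateway's IP; in the single snapshot posted the gateway entry keeps its MAC and what appears is a separate address, so a static gateway entry would not have changed anything, which is consistent with the report above that static entries did not help. And on a /29 shared with the ISP's equipment an extra neighbour is not by itself a spoofing indicator; the useful signal is its appearance being time-correlated with the loss of connectivity, which is why snapshots should be taken on a schedule rather than once.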