02-10-2021 05:30 AM
Hello,
I am facing the below issue. All other machines can access internal and external pages without issues. One machine can only access internal pages and services.
While checking the VPN session on the ASAv, I can see the following for the non-working machine:
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
While on the working machine the below is present:
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA384
The difference for the working machine is the presence of DTLS-Tunnel.
I have checked the tunnel group and the DTLS port is 443.
Is there a way to verify why DTLS is not present for the machine?
Thank you.
Regards,
Daniel
02-10-2021 05:35 AM - edited 02-10-2021 05:37 AM
The ISP the non-working machine is connected to might possibly be blocking UDP/443, which might explain why you have no DTLS tunnel. Regardless, even if DTLS is blocked, a TLS tunnel is established, so the machine should still be able to access resources.
What version of the AnyConnect client is used?
What Operating System?
Does it make a difference if a different user logs in to the non-working machine?
Do you use different connection profiles and group-policies with a different IP address pool?
02-10-2021 05:49 AM
Thank you for your message.
What version of the AnyConnect client is used? All machines have AnyConnect version 4.9.01095.
What Operating System? Win 10 1809
Do you use different connection profiles and group-policies with a different IP address pool? Single connection profile across all devices.
03-01-2021 06:08 AM
To get internet working I had to use alternative proxy settings. Cisco Umbrella was getting blocked by the ISP in Egypt. No issues now, with an alternative Squid proxy.