01-28-2020 01:54 AM - edited 02-21-2020 09:50 PM
We are currently switching from the old IPsec client to AnyConnect. Unfortunately we can't get AnyConnect to connect to our ASA. The ASA is behind a Peplink load balancer and we think the Peplink is blocking, or not correctly forwarding, the SSL traffic. AnyConnect always times out as there is no reply, and I see nothing from the connection attempt in the ASA log. If I try to connect to an interface that does not go through the load balancer, the VPN works fine.
Is there a way to force the AnyConnect client to connect using IPsec?
Or has anyone had a similar problem and found a solution?
01-28-2020 02:03 AM
Hi,
Can you not get someone to troubleshoot the load balancer? IPsec might be blocked too.
To enable IKEv2/IPsec you'll need to define an IKEv2 policy, transform set (IPsec proposal), crypto map, enable IKEv2/IPsec etc. on the outside interface. Example here. You will also need to define an AnyConnect profile and select IPsec, as by default, and without the profile, AnyConnect will connect using SSL. Ensure ESP, UDP/500 and UDP/4500 are not blocked.
HTH
01-28-2020 02:21 AM - edited 01-28-2020 02:24 AM
No, IPsec is not blocked. We know it works as the IPsec VPN client works.
Edit: We are working on fixing the load balancer, but right now we would like to have a working VPN that does not break with every Windows update.
01-28-2020 02:05 AM
Hi,
You can configure your ASA to use IKEv1 or IKEv2 instead of SSL. The config document is old but good for reference purposes:
01-28-2020 02:26 AM
Yes, I can do that, but how can that fix the problem, as AnyConnect never reaches the ASA? Shouldn't AnyConnect try IPsec if SSL fails? But maybe not if it fails due to a timeout...
01-28-2020 02:33 AM
01-28-2020 04:24 AM
Ah, thanks, got it. However, I can't find any option to limit the connection method when I create a new profile. Can you tell me where it is?
01-28-2020 04:28 AM
Change the primary protocol from SSL to IPSec in the drop-down list under "Server List"
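Putting the two pieces together (the ASA-side IKEv2 configuration outlined in the first answer and the profile setting from this reply), here is an added worked example. It is not configuration from the thread or from Cisco; the interface name "outside", the pool "AC_POOL", the group policy "AC_GP", the tunnel group "AC_TG", the trustpoint "ASDM_TrustPoint0", the host name vpn.example.com, the addresses and the package file name are all assumed placeholders. The profile XML at the end is what the AnyConnect Profile Editor produces when "Primary Protocol" is switched from SSL to IPsec under "Server List".

```text
! ---- ASA 9.x CLI (hypothetical example, not from the original post) ----

! IKEv2 policy: what the ASA accepts for the IKE SA itself.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400

! IPsec proposal (the IKEv2 equivalent of an IKEv1 transform set).
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Dynamic crypto map for remote-access peers, bound to the outside interface.
crypto dynamic-map AC_DYN 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic AC_DYN
crypto map OUTSIDE_MAP interface outside

! Certificate the ASA presents to IKEv2 clients, and IKEv2 on the outside
! interface. client-services (TCP/443) is what the client uses for profile
! and software updates; IKE itself runs on UDP/500 and UDP/4500 (NAT-T).
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev2 enable outside client-services port 443

ip local pool AC_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! AnyConnect package and the profile file that forces IPsec.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect profiles AC_IPSEC_PROFILE disk0:/ac_ipsec_profile.xml
 anyconnect enable

! Allow IKEv2 (ssl-client is kept so the profile can still be pushed over SSL).
group-policy AC_GP internal
group-policy AC_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value AC_POOL
 webvpn
  anyconnect profiles value AC_IPSEC_PROFILE type user

! Tunnel group: EAP-AnyConnect for user auth, certificate for the ASA side.
tunnel-group AC_TG type remote-access
tunnel-group AC_TG general-attributes
 default-group-policy AC_GP
tunnel-group AC_TG webvpn-attributes
 group-alias AC_TG enable
tunnel-group AC_TG ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate ASDM_TrustPoint0

! ---- contents of disk0:/ac_ipsec_profile.xml (assumed example) ----
! <?xml version="1.0" encoding="UTF-8"?>
! <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
!   <ClientInitialization>
!     <AutoUpdate UserControllable="false">true</AutoUpdate>
!   </ClientInitialization>
!   <ServerList>
!     <HostEntry>
!       <HostName>vpn.example.com</HostName>
!       <HostAddress>vpn.example.com</HostAddress>
!       <!-- This element is the "Primary Protocol: IPsec" drop-down. -->
!       <PrimaryProtocol>IPsec
!         <StandardAuthenticationOnly>false
!           <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
!         </StandardAuthenticationOnly>
!       </PrimaryProtocol>
!     </HostEntry>
!   </ServerList>
! </AnyConnectProfile>
```

Two points worth checking before testing from behind the load balancer. First, the client only honours the profile once it has a copy of it: the profile is delivered to the client over an SSL connection to the ASA, so the first connection (or the first one after the profile is added) still goes over SSL, and IPsec is used from the next connection onward. Second, `client-services port 443` means profile and AnyConnect package updates for IKEv2 sessions also use TCP/443, so if the load balancer does not pass TCP/443 to the ASA, the IKEv2 tunnel can come up but updates will not be delivered through it. Verify with `show vpn-sessiondb anyconnect`, which reports the tunnel protocol (IKEv2 versus SSL) per session.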
01-28-2020 06:51 AM
Thank you, found it.
Do I need to redownload and reinstall AnyConnect?
I tried it with my currently installed AnyConnect (to the IF that works), the VPN client did some updating but still connects through SSL.
01-28-2020 06:57 AM
01-29-2020 12:20 AM
Okay thanks. I'll try it out later.
We managed to get the load balancer to cooperate, so now we can use SSL anyway.
Thanks for helping though!