10-10-2013 11:17 AM
Hi,
Apologies if this is a simple question; I'm new to Cisco tech. The basic situation is that I have 3 remote workers all wishing to connect to the VPN (using AnyConnect) but only one connection is allowed by the ASA5500 at any time...all other connections drop as soon as a new one is established? Is this by design and the ASA blocks any concurrent SSL VPN connections from the same external IP, or is this something I've unknowingly set up myself when creating the AnyConnect Connection Profile?
Help/advice much appreciated.
Thanks,
Tom
10-10-2013 11:41 AM
Is your ASA licensed to do SSL VPN? A default ASA is only licensed for 2 SSL VPN sessions at a time.
~bart
Sent from Cisco Technical Support iPhone App
10-10-2013 12:05 PM
I agree with Bart that it sounds like it is an issue with the licensing for SSL VPN (which is AnyConnect).
If Tom is quite new to Cisco tech he may not be sure where to find the answer to Bart's question. If Tom will execute the command show version on the ASA and then post the output it will include what we need to see.
HTH
Rick
10-10-2013 12:21 PM
Hi Tom,
By default, the ASA comes with two Premium peers.
This allows you to have up to two simultaneous SSL VPN connections (WebVPN or AnyConnect) at any time.
Please share the "show version" (remove any confidential information like the serial number, hostname and activation-key); just include the licensing information.
We may be able to give you better feedback based on that output.
Thank you,
10-10-2013 12:44 PM
Hi,
Thanks for the speedy reply:
Result of the command: "show version"
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 50
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
cheers,
Tom
10-10-2013 12:57 PM
Tom
Thanks for posting the additional information. It shows very clearly that the problem is not an issue about licensing and that you are licensed for 50 concurrent SSL/AnyConnect sessions. So we need to look for some other issue. Perhaps you can post a sanitized version of the configuration?
HTH
Rick
10-10-2013 01:10 PM
Please follow Richard's suggestion.
Any related error (client or ASA side)?
Does this happen to any connection profile?
Thanks,
10-10-2013 02:35 PM
No error displayed on either the client or ASA; just Person A's connection drops when Person B connects...just to clarify, this only affects clients connecting from the same external IP.
Here is the config, which I hope I've not stripped too "clean"; as I said, I'm new to Cisco and mostly use the ASDM to do any config:
Result of the command: "show run"
: Saved
:
ASA Version 8.2(2)
!
ip local pool VPNPool 192.168.40.10-192.168.40.90 mask 255.255.255.0
ip verify reverse-path interface External
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 65535 set pfs group1
crypto dynamic-map External_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint5 External
webvpn
enable External
enable Internal
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
svc enable
tunnel-group-list enable
java-trustpoint ASDM_TrustPoint6
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.1
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-lock value DefaultRAGroup
vlan none
nac-settings none
group-policy DfltGrpPolicy attributes
vpn-filter value SplitTunnel
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask none default webvpn
group-policy VPN-Clientless internal
group-policy VPN-Clientless attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol svc webvpn
group-lock value VPN-Clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
default-domain value local.com
vlan none
webvpn
url-list value WebMail
svc dtls enable
svc keep-installer installed
svc compression deflate
svc ask enable default webvpn
customization value local
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy VPN-Clientless
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization local
tunnel-group VPN-Clientless type remote-access
tunnel-group VPN-Clientless general-attributes
address-pool VPNPool
authentication-server-group LDAP
authorization-server-group LDAP
default-group-policy VPN-Clientless
tunnel-group VPN-Clientless webvpn-attributes
customization
group-alias Remote enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect dns DNS_MAP_PC
inspect ip-options
: end
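Added example, not posted by anyone in this thread: a small Python script that parses the licence block Tom posted from "show version" and the group-policy section of his "show run", then reports the two limits that govern concurrent AnyConnect users, the platform-wide SSL VPN Peers count and the per-user vpn-simultaneous-logins (explicit or inherited). The sample inputs are constructed excerpts of the outputs above, and the fallback of 3 for an unset DfltGrpPolicy is an assumption, not something stated in the thread.

```python
import re

# Constructed sample input: excerpts of the "show version" licence block and the
# group-policy section of "show run" as they appear in this thread.
SHOW_VERSION = """\
SSL VPN Peers : 50
Total VPN Peers : 250
This platform has a Base license.
"""
SHOW_RUN = """\
group-policy DefaultRAGroup attributes
 vpn-simultaneous-logins 3
group-policy DfltGrpPolicy attributes
 vpn-filter value SplitTunnel
group-policy VPN-Clientless attributes
 vpn-tunnel-protocol svc webvpn
"""

def parse_license(text):
    """Return the platform-wide peer limits, e.g. {'SSL VPN Peers': 50}."""
    return {m.group(1): int(m.group(2)) for m in
            re.finditer(r"^\s*(SSL VPN Peers|Total VPN Peers)\s*:\s*(\d+)", text, re.M)}

def parse_group_policies(text):
    """Map each group-policy to its explicit vpn-simultaneous-logins (None = inherited)."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, None)
        m = re.match(r"\s+vpn-simultaneous-logins (\d+)", line)
        if m and current:
            policies[current] = int(m.group(1))
    return policies

def effective_logins(policies, name, default=3):
    """Per-user limit: unset values inherit from DfltGrpPolicy; the fallback of 3
    for an unset DfltGrpPolicy is an assumption, not taken from the thread."""
    val = policies.get(name)
    if val is None:
        val = policies.get("DfltGrpPolicy")
    return default if val is None else val

def capacity_check(show_version, show_run, policy, users):
    """Summarise whether `users` distinct accounts on `policy` fit the licence."""
    lic, pol = parse_license(show_version), parse_group_policies(show_run)
    peers = lic.get("SSL VPN Peers", 0)
    return {"ssl_peers_licensed": peers,
            "license_allows_users": peers >= users,
            "per_user_simultaneous_logins": effective_logins(pol, policy)}
```

Neither limit is keyed on the client's source address, which is why the outputs above point away from licensing and towards the session or NAT behaviour discussed later in the thread.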
10-14-2013 02:50 PM
Hi, just wondering if anyone has had a chance to look over the config?
Cheers
Tom
Sent from Cisco Technical Support Android App
10-14-2013 04:01 PM
Tom
I have looked at the config and do not see anything in it that would cause the symptoms that you describe.
Your clarification of the symptoms was helpful. I had been working under the impression that the problem impacted all user sessions and restricted the total number of sessions. It is helpful to know that the problem actually occurs only in the situation where there are multiple users at the same site, and that the existing session is dropped when a different user initiates a new session. My theory is that the ASA sees a session with the existing user and, when a new request is received with the same source address, assumes that the remote has restarted the client and is requesting a new session. I wonder if there is anything in the logs of the ASA when this happens that could confirm what is happening?
HTH
Rick
10-15-2013 08:14 AM
Hi Rick,
Thank you for the response. I'll endeavour to duplicate the issue and check the logs to see if anything is being logged that can shed some light on what's going on.
Cheers,
Tom
10-17-2013 07:59 PM
The second thing to try would be newer ASA code. We're up to version 9.1.x. Either 9.0.x or 9.1.x (latest patch) would be a much better choice. There's always the chance you're hitting some very odd bug in a version of ASA code, but this one isn't ringing a bell.
10-17-2013 07:56 PM
Are you really using AnyConnect version 2.2? (This version is many years old). If so, first step would be to go to the latest 3.1 version (3.1.04072). Please send us your logs at ac-mobile-feedback@cisco.com from the ASA immediately after the drop (we may need to turn on additional debugs if there's nothing in there). The ASA should not have a problem with multiple connections from a single IP, however, some NAT (PAT) devices do not do a very good job in this scenario and end up reusing the same source port which could result in this behavior. I haven't seen this in a very long time, it used to plague a lot of old home PAT devices, especially with IPsec.