11-17-2010 04:24 PM - edited 02-21-2020 04:58 PM
I just purchased an AnyConnect Essentials VPN License for my ASA 5505. I had to upgrade to ASA 8.2.
Now that I have upgraded and installed the license, the AnyConnect client will no longer connect. It gives the following error: "Unable to process response".
Any help you can provide would be much appreciated. I am happy to provide any configuration information that would be helpful if you can provide the CLI commands you would like me to execute.
11-17-2010 04:32 PM
Have you enabled the AnyConnect Essentials feature yet?
The commands are:
webvpn
anyconnect-essentials
Hope that helps.
11-17-2010 04:40 PM
I believe it is enabled:
lunch-officegw-01# show run webvpn
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2 regex "Windows NT"
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 4 regex "Linux"
svc enable
tunnel-group-list enable
11-17-2010 04:46 PM
Did you try to connect via browser or with the AnyConnect client itself?
11-17-2010 04:52 PM
Both seem not to be working. :-(
11-17-2010 07:16 PM
Can you please try to disable and re-enable the webvpn and test it again:
webvpn
no enable outside
enable outside
If it's still not working, might need to have a look at the whole config.
11-18-2010 10:19 AM
I gave that a try:
lunch-officegw-01(config)# webvpn
lunch-officegw-01(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
lunch-officegw-01(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
But no luck so far. I did notice a few other things have changed since I upgraded to 8.2 and added the anyconnect-essentials license.
When I try to load ASDM (https://10.88.1.254/admin/public/index.html), Firefox tells me this:
Secure Connection Failed
An error occurred during a connection to 10.88.1.254.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
When I connect with PuTTY, it throws up a warning dialog that says:
The first cipher supported by the server is single-DES, which is below the configured warning threshold.
So it seems like something got messed up in the configuration along the way, but I don't know what it is.
11-18-2010 04:20 PM
Any ideas?
11-18-2010 04:26 PM
Ahh, yes, check your show version, and see if 3DES is enabled. If not, you might want to activate the 3DES license. Can be requested from the following:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
(Click on Cisco ASA 3DES/AES License)
You might want to check if DES encryption works with the following command:
ssl encryption des-sha1
Once you have enabled the 3DES license, you can change the command to the following:
ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1
11-18-2010 04:39 PM
I am able to launch ASDM now, but I still get the warning message from PuTTY.
11-19-2010 10:36 AM
Jennifer, thank you so much for your help. ASDM and AnyConnect clients are now working! :-)
The only lingering configuration issue from the upgrade is the PuTTY warning about single DES that I mentioned. Do you know what is causing that?
11-19-2010 03:17 PM
Seems like it doesn't like DES too much; you can change the cipher to "not" include DES in your policy:
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
DES in general isn't very secure anyway, and the above cipher choices will provide you with a better encryption policy.
Hope that helps.
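The effect of the `ssl encryption` lines in this thread, as an added example that is not part of the original posts: a short Python check that parses the line from a saved configuration, flags single DES, and shows which cipher a client would end up with. The sample configurations, the client cipher set, and the rule that the first listed cipher the client also offers is chosen are assumptions made for illustration.

```python
import re

# Single DES (56-bit key) is the cipher the thread removes from the policy.
WEAK = {"des-sha1"}


def parse_ssl_encryption(config):
    """Return the ciphers on the 'ssl encryption' line, in listed order."""
    for line in config.splitlines():
        m = re.match(r"\s*ssl encryption\s+(.+)", line)
        if m:
            return m.group(1).split()
    return []


def audit(config, client_offers):
    """Report weak ciphers and the cipher a given client would negotiate.

    Assumption: the first cipher in the configured list that the client
    also offers is the one selected. None means no overlap, which is the
    condition a browser reports as 'no common encryption algorithm(s)'.
    """
    ciphers = parse_ssl_encryption(config)
    common = [c for c in ciphers if c in client_offers]
    return {
        "ciphers": ciphers,
        "weak": [c for c in ciphers if c in WEAK],
        "negotiated": common[0] if common else None,
    }


# Constructed sample configurations using the command forms from the thread.
DES_ONLY = "webvpn\n enable outside\nssl encryption des-sha1\n"
MIXED = "ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1\n"
FINAL = "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1\n"

# Assumed client: offers 3DES and AES but not single DES.
CLIENT = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

if __name__ == "__main__":
    for name, cfg in (("des-only", DES_ONLY), ("mixed", MIXED), ("final", FINAL)):
        print(name, audit(cfg, CLIENT))
```
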
11-19-2010 05:25 PM
Thanks. I am back in business!