asanchgo
asked on
Cisco ASA 5510 AnyConnect client - problem with connection establishment
Hi, I have a Cisco ASA 5510 and 2 laptops. With the same user account and AnyConnect install on both laptops, I get connected with one laptop, but not with the other one. I am showing the result of the "debug webvpn anyconnect 255" command when the connection fails:
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
ATTR_FILTER_ID: Name: AccesoITTERCAT, Id: 21, refcnt: 5
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: acl_id: 21
webvpn_svc_np_tear_down: ACL refcnt: 4
webvpn_svc_np_tear_down: no IPv6 ACL
Also the messages that appear on AnyConnect client windows are:
Message 1) AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again
Message 2) The VPN client is unable to establish a connection
Any idea? Thanks
ASKER
I will try and tell you the result. One question: why would the message be "Not calling vpn_remove_uauth: not IPv4!" instead of "not IPv6!"?
Do you mean going to the network adapter and deselecting the IPv6 cell? I am attaching a jpg.
Thanks
Deselect-IPv6.jpg
Yes, unselect the IPv6 checkbox.
I don't know your VPN config on the ASA, but maybe it wants to push IPv6 client-firewall settings to the client, which are not configured on the ASA: "no IPv6 ACL".
The client-firewall settings look something like this:
access-list ACL_CLIENT_IN extended deny ip any any
access-list ACL_CLIENT_OUT extended deny ip any any
!
client-firewall opt cisco-integrated acl-in ACL_CLIENT_IN acl-out ACL_CLIENT_OUT
If this doesn't work, please post the relevant config and your ASA version.
Tamas
ASKER
I tested myself today.
Tamas