Cisco ASA 5510 AnyConnect client - problem with connection establishment

Posted on 2012-04-13
Medium Priority
Last Modified: 2012-08-14
Hi, I have a Cisco ASA 5510 and 2 laptops. With the same user account and AnyConnect install on both laptpos, I get connected with one laptop, but not with the other one. I am showing the result of "debug webvpn anyconnect 255" command when the connection fails:

webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
ATTR_FILTER_ID: Name: AccesoITTERCAT, Id: 21, refcnt: 5
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: acl_id: 21
webvpn_svc_np_tear_down: ACL refcnt: 4
webvpn_svc_np_tear_down: no IPv6 ACL

Also the messages that appear on AnyConnect client windows are:
Message 1)      AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again
Message 2)      The VPN client is unable to establish a connection

Any idea? Thanks
Question by:asanchgo
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 17

Expert Comment

ID: 37847197
First guess: you could try disabling IPv6 on the non-working notebook.


Author Comment

ID: 37848079
I will try and tell you the result. One question, why the message would be "Not calling vpn_remove_uauth: not IPv4!" instead of "not IPv6!"?

Do you mean going to the network adapter and deselect IPv6 cell? I am attaching a jpg.

LVL 17

Expert Comment

ID: 37848296
Yes, unselect the IPv6 checkbox.
I don't know your vpn config on the ASA, but maybe it wants to push IPv6 client-firewall settings to the client, which are not configured on the ASA: "no IPv6 ACL".

The client-firewall setting look something like this:
access-list ACL_CLIENT_IN extended deny ip any any
access-list ACL_CLIENT_OUT extended deny ip any any
 client-firewall opt cisco-integrated acl-in ACL_CLIENT_IN acl-out ACL_CLIENT_OUT

If this doesn't work, please post the relevant config and your ASA version.


Accepted Solution

asanchgo earned 0 total points
ID: 37853054
I found the solution. The laptop has antivirus Kaspersky 6.0 and by default with SSL/HTTPS inspection, which prevents AnyConnect from establishing the VPN connection. Once the HTTPS inspection is disabled on Kaspersky, the connection is successful.

Author Closing Comment

ID: 37875096
I tested myself today.

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question