Solved

Cisco ASA 5510 AnyConnect client - problem with connection establishment

Posted on 2012-04-13
5
2,987 Views
Last Modified: 2012-08-14
Hi, I have a Cisco ASA 5510 and 2 laptops. With the same user account and AnyConnect install on both laptpos, I get connected with one laptop, but not with the other one. I am showing the result of "debug webvpn anyconnect 255" command when the connection fails:

webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
ATTR_FILTER_ID: Name: AccesoITTERCAT, Id: 21, refcnt: 5
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: acl_id: 21
webvpn_svc_np_tear_down: ACL refcnt: 4
webvpn_svc_np_tear_down: no IPv6 ACL

Also the messages that appear on AnyConnect client windows are:
Message 1)      AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again
Message 2)      The VPN client is unable to establish a connection

Any idea? Thanks
0
Comment
Question by:asanchgo
  • 3
  • 2
5 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37847197
First guess: you could try disabling IPv6 on the non-working notebook.

Tamas
0
 

Author Comment

by:asanchgo
ID: 37848079
I will try and tell you the result. One question, why the message would be "Not calling vpn_remove_uauth: not IPv4!" instead of "not IPv6!"?

Do you mean going to the network adapter and deselect IPv6 cell? I am attaching a jpg.

Thanks
Deselect-IPv6.jpg
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37848296
Yes, unselect the IPv6 checkbox.
I don't know your vpn config on the ASA, but maybe it wants to push IPv6 client-firewall settings to the client, which are not configured on the ASA: "no IPv6 ACL".

The client-firewall setting look something like this:
access-list ACL_CLIENT_IN extended deny ip any any
access-list ACL_CLIENT_OUT extended deny ip any any
!
 client-firewall opt cisco-integrated acl-in ACL_CLIENT_IN acl-out ACL_CLIENT_OUT

If this doesn't work, please post the relevant config and your ASA version.

Tamas
0
 

Accepted Solution

by:
asanchgo earned 0 total points
ID: 37853054
I found the solution. The laptop has antivirus Kaspersky 6.0 and by default with SSL/HTTPS inspection, which prevents AnyConnect from establishing the VPN connection. Once the HTTPS inspection is disabled on Kaspersky, the connection is successful.
0
 

Author Closing Comment

by:asanchgo
ID: 37875096
I tested myself today.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now