Solved

Cisco ASA 5510 AnyConnect client - problem with connection establishment

Posted on 2012-04-13
5
3,096 Views
Last Modified: 2012-08-14
Hi, I have a Cisco ASA 5510 and 2 laptops. With the same user account and AnyConnect install on both laptpos, I get connected with one laptop, but not with the other one. I am showing the result of "debug webvpn anyconnect 255" command when the connection fails:

webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
ATTR_FILTER_ID: Name: AccesoITTERCAT, Id: 21, refcnt: 5
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: acl_id: 21
webvpn_svc_np_tear_down: ACL refcnt: 4
webvpn_svc_np_tear_down: no IPv6 ACL

Also the messages that appear on AnyConnect client windows are:
Message 1)      AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again
Message 2)      The VPN client is unable to establish a connection

Any idea? Thanks
0
Comment
Question by:asanchgo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37847197
First guess: you could try disabling IPv6 on the non-working notebook.

Tamas
0
 

Author Comment

by:asanchgo
ID: 37848079
I will try and tell you the result. One question, why the message would be "Not calling vpn_remove_uauth: not IPv4!" instead of "not IPv6!"?

Do you mean going to the network adapter and deselect IPv6 cell? I am attaching a jpg.

Thanks
Deselect-IPv6.jpg
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37848296
Yes, unselect the IPv6 checkbox.
I don't know your vpn config on the ASA, but maybe it wants to push IPv6 client-firewall settings to the client, which are not configured on the ASA: "no IPv6 ACL".

The client-firewall setting look something like this:
access-list ACL_CLIENT_IN extended deny ip any any
access-list ACL_CLIENT_OUT extended deny ip any any
!
 client-firewall opt cisco-integrated acl-in ACL_CLIENT_IN acl-out ACL_CLIENT_OUT

If this doesn't work, please post the relevant config and your ASA version.

Tamas
0
 

Accepted Solution

by:
asanchgo earned 0 total points
ID: 37853054
I found the solution. The laptop has antivirus Kaspersky 6.0 and by default with SSL/HTTPS inspection, which prevents AnyConnect from establishing the VPN connection. Once the HTTPS inspection is disabled on Kaspersky, the connection is successful.
0
 

Author Closing Comment

by:asanchgo
ID: 37875096
I tested myself today.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Internet link load balancer 6 117
Home firewall recommendations 11 107
Grant drive/folder change permissions to VPN user 6 40
Problem to VirtualBox Internet connection 1 52
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question