Cisco ASA 5510 AnyConnect client - problem with connection establishment

Hi, I have a Cisco ASA 5510 and 2 laptops. With the same user account and AnyConnect install on both laptpos, I get connected with one laptop, but not with the other one. I am showing the result of "debug webvpn anyconnect 255" command when the connection fails:

webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = IT_Tercat
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
ATTR_FILTER_ID: Name: AccesoITTERCAT, Id: 21, refcnt: 5
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: acl_id: 21
webvpn_svc_np_tear_down: ACL refcnt: 4
webvpn_svc_np_tear_down: no IPv6 ACL

Also the messages that appear on AnyConnect client windows are:
Message 1)      AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again
Message 2)      The VPN client is unable to establish a connection

Any idea? Thanks
asanchgoIT Project ManagerAsked:
Who is Participating?
 
asanchgoConnect With a Mentor IT Project ManagerAuthor Commented:
I found the solution. The laptop has antivirus Kaspersky 6.0 and by default with SSL/HTTPS inspection, which prevents AnyConnect from establishing the VPN connection. Once the HTTPS inspection is disabled on Kaspersky, the connection is successful.
0
 
TimotiStDatacenter TechnicianCommented:
First guess: you could try disabling IPv6 on the non-working notebook.

Tamas
0
 
asanchgoIT Project ManagerAuthor Commented:
I will try and tell you the result. One question, why the message would be "Not calling vpn_remove_uauth: not IPv4!" instead of "not IPv6!"?

Do you mean going to the network adapter and deselect IPv6 cell? I am attaching a jpg.

Thanks
Deselect-IPv6.jpg
0
 
TimotiStDatacenter TechnicianCommented:
Yes, unselect the IPv6 checkbox.
I don't know your vpn config on the ASA, but maybe it wants to push IPv6 client-firewall settings to the client, which are not configured on the ASA: "no IPv6 ACL".

The client-firewall setting look something like this:
access-list ACL_CLIENT_IN extended deny ip any any
access-list ACL_CLIENT_OUT extended deny ip any any
!
 client-firewall opt cisco-integrated acl-in ACL_CLIENT_IN acl-out ACL_CLIENT_OUT

If this doesn't work, please post the relevant config and your ASA version.

Tamas
0
 
asanchgoIT Project ManagerAuthor Commented:
I tested myself today.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.