AnyConnect SSL VPN conn denied on outside intfc

Unanswered Question
Mar 11th, 2009

ASA5510 8.0(4)

I'm trying to setup AnyConnect on another ASA. I can't see the forest for the trees this time.

I keep getting a log msg about TCP/443 packet dropped by ACL on outside interface. I don't have an ACL denying 443 on the outside. I've done this before, but I cannot see my error. Any suggestions come to mind?

I even went so far as to follow Cisco's tech tip in Doc. #99757 just to be sure.

Classical non-SSL VPN client connectivity works fine.

Thx - Phil

Phil Williamson Fri, 03/13/2009 - 05:45

Ivan - yes it is.

ASA5510# sho run webvpn
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable

Here are the pertinent config details (public IPs changed to protect the protected):

Note that there is also code for traditional non-SSL client and site-to-site VPN - all that works fine.

I have other ASAs with WebVPN enabled that work fine, I cannot see why this one is different/does not work. Probably a typo I cannot see.


Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

This platform has an ASA 5510 Security Plus license.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

access-list ACL_OUT extended permit tcp host eq https
access-list ACL_OUT extended permit icmp any interface outside echo-reply
access-list ACL_OUT extended permit icmp any interface outside unreachable
access-list ACL_OUT extended permit icmp any interface outside time-exceeded
access-list NoNAT extended permit ip
access-list SSLSplitAllowACL extended permit ip
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool SSLSplitAllowPool mask
ip verify reverse-path interface outside
ip verify reverse-path interface inside

global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1
static (inside,outside) netmask
access-group ACL_OUT in interface outside
route outside 1
route inside 1
dynamic-access-policy-record DfltAccessPolicy
http server enable 444

crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 6a6d4e86
  0500304c 3121301f 06035504 03131843 44482d35 3531302e 57333637 30646f6d
  98c13a65 d128ac77 d3eb55c1 ecc85d99 faf314

ssl trust-point ASDM_TrustPoint0 outside

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLSplitAllowACL
 default-domain value
 address-pools value SSLSplitAllowPool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username vpntest password encrypted privilege 0
username vpntest attributes
 service-type remote-access

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
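The "packet dropped by ACL on outside interface" message in the question is the ASA's %ASA-4-106023 syslog. Whether ACL_OUT can explain such a deny depends on where the packet was going: an interface access rule (access-group ACL_OUT in interface outside) governs traffic passing through the box, while traffic addressed to one of the ASA's own interface addresses for a service the ASA hosts (the SSL VPN listener that "enable outside" brings up on TCP/443) is governed by the control-plane variant of access-group, not by ACL_OUT. A 106023 for TCP/443 to the outside interface address on a box with webvpn enabled on outside therefore points at the listener or the box's state rather than at a missing ACL entry, which is consistent with a reload clearing the problem. The following script is an added example, not something posted in the thread: it parses constructed 106023 lines (documentation address ranges, not the poster's actual log) and sorts each deny into to-the-box SSL VPN traffic, other to-the-box traffic, or ordinary through-the-box traffic. The interface address map, the webvpn interface set, and the function names are assumptions for the illustration.

```python
"""Triage %ASA-4-106023 "Deny ... by access-group" syslog lines.

Added illustration for the thread above, not the poster's code. It decides
whether an ACL deny was for traffic *to* the ASA itself (to-the-box) or
*through* it, because only the latter is governed by an interface ACL such
as ACL_OUT.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the %ASA-4-106023 format (and one unrelated
# 302013 line that must be ignored). These are NOT the original poster's log.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 dst outside:198.51.100.2/443 by access-group "ACL_OUT" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.10/51235 dst inside:192.0.2.25/443 by access-group "ACL_OUT" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.77/53 dst outside:198.51.100.2/53 by access-group "ACL_OUT" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.10/51236 (203.0.113.10/51236) to inside:192.0.2.25/443 (198.51.100.9/443)
"""

# Assumed addresses of the ASA's own interfaces (the thread redacts them) and
# the interfaces on which "webvpn / enable <nameif>" is configured.
ASA_INTERFACE_ADDRS = {"outside": "198.51.100.2", "inside": "192.0.2.1"}
WEBVPN_INTERFACES = {"outside"}
SSL_VPN_PORT = 443  # default port of the webvpn listener

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src_ip>[0-9a-fA-F.:]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[0-9a-fA-F.:]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_denies(log_text):
    """Return a Deny for every 106023 line; other message IDs are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        denies.append(Deny(g["proto"], g["src_if"], g["src_ip"], int(g["src_port"]),
                           g["dst_if"], g["dst_ip"], int(g["dst_port"]), g["acl"]))
    return denies


def classify(d, interface_addrs=ASA_INTERFACE_ADDRS, webvpn_interfaces=WEBVPN_INTERFACES):
    """Sort one deny by what the packet was addressed to.

    through-the-box    : transit traffic; the interface ACL is the right place to look.
    to-the-box-sslvpn  : TCP/443 to an interface address where webvpn is enabled;
                         the SSL listener, not the interface ACL, should own this.
    to-the-box         : other traffic to an ASA interface address.
    """
    if interface_addrs.get(d.dst_if) != d.dst_ip:
        return "through-the-box"
    if d.proto == "tcp" and d.dst_port == SSL_VPN_PORT and d.dst_if in webvpn_interfaces:
        return "to-the-box-sslvpn"
    return "to-the-box"


def triage(log_text, interface_addrs=ASA_INTERFACE_ADDRS, webvpn_interfaces=WEBVPN_INTERFACES):
    """Pair each parsed deny with its classification, in log order."""
    return [(classify(d, interface_addrs, webvpn_interfaces), d)
            for d in parse_denies(log_text)]


if __name__ == "__main__":
    for verdict, d in triage(SAMPLE_LOG):
        print(f"{verdict:18} {d.proto} {d.src_ip}/{d.src_port} -> "
              f"{d.dst_if}:{d.dst_ip}/{d.dst_port} by {d.acl}")
```

On the ASA side, the matching check is to confirm that the listener actually exists: show running-config webvpn should show "enable outside", and show asp table socket should list an SSL socket in LISTEN state on the outside interface address, port 443. If the listener is present and 106023 still fires for TCP/443 to that address, an ACL_OUT entry permitting 443 is not the fix. The license block posted above also shows WebVPN Peers : 2, which caps concurrent SSL VPN sessions; exhausting it produces a session-limit failure at login, not an ACL deny.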

Phil Williamson Fri, 03/13/2009 - 14:33

Ivan - I got the OK to reload the 5510 - that fixed all the problems. I guess 8.0(4) still has some bugs.

The fact that the reload fixed this also restored my faith in me and my craft. :-)

