Unable to access ASA5520 firewall.

Unanswered Question
Mar 28th, 2010

I have encountered a problem accessing the ASA5520 firewall with Windows XP SP3 and Windows 7. The error message prompts "the vpn client is unable to establish a connect". I'm using AnyConnect version 2.4.1012. This version is working fine on Windows XP SP2. Any suggestions for the above case?

Here is my config:

ASA Version 8.2(2)

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address

interface GigabitEthernet0/1
no nameif
no security-level
no ip address

interface GigabitEthernet0/2
no nameif
no security-level
no ip address
security-level 100
ip address

interface Management0/0
nameif management
security-level 100
ip address

boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark Allow HTTP Servers
access-list outside_access_in extended permit tcp any
eq www
access-list outside_access_in remark Allow HTTPS Services
access-list outside_access_in extended permit tcp any
eq https
access-list inside_nat_static_2 extended permit ip host any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool SSLClientPool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
static (inside,outside)  access-list inside_nat_static_2
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

dhcpd address management
dhcpd enable management

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

enable outside
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value
vpn-tunnel-protocol svc
default-domain value infrasys-intl.com
address-pools value SSLClientPool
username ken_ng password lkHaRkzaC9oN1mhm encrypted privilege 0
username ken_ng attributes
vpn-group-policy SSLVPN
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool SSLClientPool
default-group-policy SSLVPN
tunnel-group vpn webvpn-attributes
group-alias SSLVPNClient enable

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

service-policy global_policy global
prompt hostname context

profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end

Jennifer Halim Sun, 03/28/2010 - 19:56

Try to upload the non-dart version of windows anyconnect software too: anyconnect-win-2.4.1012-k9.pkg

Currently you have the dart version configured:


    svc image  disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1

I would suggest the following:

1) Download "anyconnect-win-2.4.1012-k9.pkg"

2) Upload it to the ASA flash

3) Install the image:


          svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

When you try to connect from your PC, use the browser to connect and download the AnyConnect software onto your PC.

Hope that helps.

ngmanhonhk Sun, 03/28/2010 - 20:31

Based on your suggestion, I have updated to the new image file for testing, but I've got the same error as the previous version.

Any suggestions?

Jennifer Halim Sun, 03/28/2010 - 20:38

1) When does it fail? Are you able to browse to that URL, or are you getting "Page cannot be displayed"?

2) OR/ Is it failing after you put in your username and password?

3) OR/ Is it failing when it tries to download the software?

4) OR/ Is it failing when it tries to connect via the Anyconnect?

ngmanhonhk Sun, 03/28/2010 - 20:48

1. I can access the URL to download AnyConnect.

2. I have downloaded the software after keying in the user name and password.

3. It's failing when it tries to connect via AnyConnect.

I hope this information makes it easier for you to assist.

Many Thx.

Jennifer Halim Sun, 03/28/2010 - 21:11

FYI, if you don't have an additional SSL license, it only comes with the default 2 SSL licenses. There is a possibility that there are still stale connections in the ASA.

To check if there is any existing session: show vpn-sessiondb svc

If there is any, you can log the session off: vpn-sessiondb logoff webvpn

Double check that there is no more svc connection: show vpn-sessiondb svc

Then try to connect again. Hope that helps.

ngmanhonhk Sun, 03/28/2010 - 21:22


Please take a look at my attached image file.

On the other hand, I have checked my VPN as below.

SSL VPN Peers                  : 2
Total VPN Peers                : 750

Is it that my license cannot be applied to VPN access? Or do I have a wrong setting on my firewall?

Do I need to use clientless VPN?

Please advise.

Jennifer Halim Sun, 03/28/2010 - 21:30

You can only have 2 concurrent SSL VPN connections to the ASA. As per the attached screenshot, there is no VPN session on the ASA, so you should be able to connect to the ASA.

Any Windows FW or something else that might be blocking the AnyConnect connection on the PC?

ngmanhonhk Sun, 03/28/2010 - 22:32

I have tried but failed again. I'm sure that there is no firewall in between my PC and the ASA device.

Because this is a testing environment, I'm using a direct connection to the ASA outside interface for testing.

On the other hand, do I need to reconfigure my ASA to use IPsec for the VPN function rather than SSL VPN + AnyConnect client?

I have tried many Windows XP workstations with SP2, and they are working fine with my existing configuration. Once I upgrade to SP3, it may cause the error.

Please advise!

I hope this information helps you find out what error we have encountered.

Many Thx!

Jennifer Halim Sun, 03/28/2010 - 22:52

With regard to Windows 7, if you upgraded it from a previous version of Windows, you would need to perform a clean installation of AnyConnect, i.e. uninstall prior to the upgrade, and install after the upgrade.

As per the following release notes:


I would suggest that you also perform a clean uninstall of AnyConnect on the PC upgraded to XP SP3, reload, and clean install AnyConnect again.

