03-28-2010 07:26 PM
I have encountered a problem accessing an ASA5520 firewall with Windows XP SP3 and Windows 7. The error message prompted is "the vpn client is unable to establish a connection". I'm using AnyConnect version 2.4.1012. This version is working fine on Windows XP SP2. Any suggestions about the above case?
Here is my config:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.8.154 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
security-level 100
ip address 192.168.18.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark Allow HTTP Servers
access-list outside_access_in extended permit tcp any 192.168.8.0 255.255.255.0 eq www
access-list outside_access_in remark Allow HTTPS Services
access-list outside_access_in extended permit tcp any 192.168.8.0 255.255.255.0 eq https
access-list inside_nat_static_2 extended permit ip host 192.168.18.10 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool SSLClientPool 192.168.18.30-192.168.18.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.8.153 access-list inside_nat_static_2
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.18.40-192.168.18.45 inside
dhcpd dns 192.168.8.3 192.168.8.155 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.168.8.3
vpn-tunnel-protocol svc
default-domain value infrasys-intl.com
address-pools value SSLClientPool
username ken_ng password lkHaRkzaC9oN1mhm encrypted privilege 0
username ken_ng attributes
vpn-group-policy SSLVPN
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool SSLClientPool
default-group-policy SSLVPN
tunnel-group vpn webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2c6b7225dfdd6a39b9197259e961d07
: end
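One thing worth checking in the posted config, as an added audit script that is not part of this thread or of any Cisco tool: the SSL VPN pool `SSLClientPool` (192.168.18.30-192.168.18.40) and the inside DHCP scope (192.168.18.40-192.168.18.45) both contain 192.168.18.40, so a VPN client and a LAN host can be handed the same address. The script parses `ip local pool` and `dhcpd address` lines from a constructed excerpt of the config above (same values) and reports every shared address range; the excerpt and function names are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted above (values unchanged).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.8.154 255.255.255.0
ip local pool SSLClientPool 192.168.18.30-192.168.18.40 mask 255.255.255.0
dhcpd address 192.168.18.40-192.168.18.45 inside
dhcpd dns 192.168.8.3 192.168.8.155 interface inside
dhcpd enable inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
"""

# "ip local pool <name> <first>-<last> mask <mask>" and
# "dhcpd address <first>-<last> <interface>" (top-level lines only).
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)", re.M)


def _as_ints(first, last):
    """Turn a dotted-quad range into an inclusive pair of integers."""
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))


def find_overlaps(config):
    """Return (pool_name, dhcp_interface, first_shared, last_shared) for
    every VPN address pool that shares at least one address with a DHCP scope."""
    overlaps = []
    for pool, p_first, p_last in POOL_RE.findall(config):
        p_lo, p_hi = _as_ints(p_first, p_last)
        for d_first, d_last, ifname in DHCP_RE.findall(config):
            d_lo, d_hi = _as_ints(d_first, d_last)
            lo, hi = max(p_lo, d_lo), min(p_hi, d_hi)
            if lo <= hi:  # non-empty intersection of the two inclusive ranges
                overlaps.append((pool, ifname,
                                 str(ipaddress.IPv4Address(lo)),
                                 str(ipaddress.IPv4Address(hi))))
    return overlaps


if __name__ == "__main__":
    for pool, ifname, lo, hi in find_overlaps(ASA_CONFIG):
        print(f"pool {pool} overlaps dhcpd scope on {ifname}: {lo}-{hi}")
```

Run against the excerpt it reports the single shared address 192.168.18.40; shrinking the pool to end at .39 (or moving the DHCP scope) clears it.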
03-28-2010 07:56 PM
Try uploading the non-DART version of the Windows AnyConnect software too: anyconnect-win-2.4.1012-k9.pkg
Currently you have the DART version configured:
webvpn
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
I would suggest the following:
1) Download "anyconnect-win-2.4.1012-k9.pkg"
2) Upload it to the ASA flash
3) Install the image:
webvpn
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
When you try to connect from your PC, use the browser to connect and download the AnyConnect software onto your PC.
Hope that helps.
03-28-2010 08:31 PM
Based on your suggestion, I have updated to the new image file for testing, but I've got the same error as with the previous version.
Any suggestion?
03-28-2010 08:38 PM
1) When does it fail? Are you able to browse to that URL, or are you getting "Page cannot be displayed"?
2) OR/ Is it failing after you put in your username and password?
3) OR/ Is it failing when it tries to download the software?
4) OR/ Is it failing when it tries to connect via the Anyconnect?
03-28-2010 08:48 PM
1. I can access the URL to download AnyConnect.
2. I downloaded the software after keying in the user name and password.
3. It's failing when it tries to connect via AnyConnect.
Hope this information makes it easier for you to assist.
Many Thx.
03-28-2010 09:11 PM
FYI, if you haven't got an additional SSL license, the ASA only comes with the default 2 SSL licenses. There is a possibility that there are still stale connections on the ASA.
To check if there is any existing session: show vpn-sessiondb svc
If there is any, you can log the session off: vpn-sessiondb logoff webvpn
Double check that there is no more svc connection: show vpn-sessiondb svc
Then try to connect again. Hope that helps.
03-28-2010 09:22 PM
03-28-2010 09:30 PM
You can only have 2 concurrent SSL VPN connections to the ASA. As per the attached screenshot, there is no VPN session on the ASA, so you should be able to connect to the ASA.
Is there any Windows firewall or something else that might be blocking the AnyConnect connection on the PC?
03-28-2010 10:32 PM
I have tried but failed again; I'm sure that there is no firewall between my PC and the ASA device.
Since this is a testing environment, I am using a direct connection to the ASA outside interface for testing.
On the other hand, do I need to reconfigure my ASA to use IPsec for the VPN function rather than SSL VPN + AnyConnect client?
FYI
I have tried many Windows XP workstations with SP2 and they work fine on my existing configuration. Once I upgrade to SP3 it may cause the error.
Please advise!
Hope this information can help you find out what error we have encountered.
Many Thx!
03-28-2010 10:52 PM
With regards to Windows 7, if you upgraded it from a previous version of Windows, you would need to perform a clean installation of AnyConnect, i.e. uninstall prior to the upgrade, and install after the upgrade.
As per the following release notes:
I would suggest that you also perform a clean uninstall of AnyConnect on the PC upgraded to XP SP3, reboot, and clean install AnyConnect again.