anyconnect not working


I want to be able to connect to the ASA via the portal page from any internet location, automatically use AnyConnect (no user choice), and have all networks tunneled (access to both the internal 192.168.5.x LAN as well as that site's internet connection). When I log in, it starts downloading AnyConnect, then I receive a 'can't connect to network' error and it terminates. It used to work, but I guess the config was not saved and after a reboot it now doesn't work (yeah, I'm kicking myself for that). Not sure where to look; I think I have been staring at it too long.

ASA Version 8.2(2)
!
hostname lenny
domain-name default.com
enable password [DELETED]
passwd [DELETED]
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 description wan
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
banner exec Unauthorized access strictly prohibited
banner login Unauthorized Access Prohibited
banner motd Unauthorized Access Prohibited
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 64.59.176.13
 name-server 64.59.177.226
 domain-name default.com
object-group service [DELETED]
 port-object eq [DELETED]
object-group service [DELETED]udp
 description [DELETED]
 port-object eq [DELETED]
access-list in_nat0_out extended permit ip any 192.168.5.0 255.255.255.0
access-list outside_access_in remark [DELETED]
access-list outside_access_in extended permit tcp any any eq [DELETED]
access-list outside_access_in extended permit udp any any eq [DELETED]
access-list lan remark all lan
access-list lan standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool anyvpn_pool 192.168.5.75-192.168.5.80 mask 255.255.255.0
ip local pool anyvpnpool2 192.168.5.81-192.168.5.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list in_nat0_out
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface [DELETED]192.168.5.15 [DELETED]netmask 255.255.255.255
static (inside,outside) udp interface [DELETED]192.168.5.15 [DELETED]netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http [DELETED]255.255.255.0 outside
http 192.168.5.0 255.255.255.0 inside
http [DELETED]255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 5
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.60 inside
dhcpd dns 192.168.5.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 5
 vpn-idle-timeout 20
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ip-comp enable
 split-tunnel-network-list value lan
 intercept-dhcp enable
 webvpn
  url-list value default
  svc ask none default svc
  hidden-shares visible
username [DELETED]password [DELETED]== nt-encrypted
username [DELETED]attributes
 service-type remote-access
username [DELETED]password [DELETED]== nt-encrypted
username [DELETED]attributes
 service-type remote-access
username [DELETED]password [DELETED] encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool anyvpn_pool
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool anyvpn_pool
 address-pool anyvpnpool2
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
 address-pool anyvpn_pool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
[DELETED]Cryptochecksum:78a02a9a567f683d20af7e824dc3fe2e
: end
lenny#
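A small config-audit script, added here as an example and not part of the original post or of Cisco's tooling: it parses a constructed excerpt of the running-config above and flags three things an AnyConnect (svc) setup depends on, namely an address pool carved out of the inside LAN subnet (which only works while the ASA proxy-ARPs for those addresses), a tunnel-group that references an undefined pool, and a group-policy whose vpn-tunnel-protocol does not include svc. The names SAMPLE_CONFIG, parse_blocks, inside_subnet and audit are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the lines the audit reads.
SAMPLE_CONFIG = """interface Vlan1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
ip local pool anyvpn_pool 192.168.5.75-192.168.5.80 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group Portal general-attributes
 address-pool anyvpn_pool
"""

def parse_blocks(cfg):
    blocks = []  # (top-level command, [indented sub-commands])
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def inside_subnet(blocks):
    for header, subs in blocks:  # the interface block carrying 'nameif inside'
        if header.startswith("interface ") and "nameif inside" in subs:
            for s in subs:
                if s.startswith("ip address ") and s.split()[2] != "dhcp":
                    return ipaddress.ip_network("/".join(s.split()[2:4]), strict=False)
    return None

def audit(cfg):
    blocks, findings = parse_blocks(cfg), []
    lan = inside_subnet(blocks)
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask", cfg, re.M)}
    for name, (lo, hi) in pools.items():
        # A pool carved out of the LAN subnet is reachable only while proxy ARP answers for it.
        if lan and lo in lan and hi in lan:
            findings.append(f"pool {name} lies inside {lan}: depends on proxy ARP")
    for header, subs in blocks:
        w = header.split()
        if w[0] == "tunnel-group" and w[-1] == "general-attributes":
            for pool in (s.split()[1] for s in subs if s.startswith("address-pool ")):
                if pool not in pools:
                    findings.append(f"tunnel-group {w[1]} uses undefined pool {pool}")
        elif w[0] == "group-policy" and w[-1] == "attributes":
            proto = next((s.split() for s in subs if s.startswith("vpn-tunnel-protocol")), [])
            if "svc" not in proto:  # AnyConnect needs svc among the allowed tunnel protocols
                findings.append(f"group-policy {w[1]}: vpn-tunnel-protocol lacks svc")
    return findings
```

Run audit() over the full running-config (as pasted from `show run`) to get the same checks for every pool, tunnel-group and group-policy on the box.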

ksirupa Thu, 04/01/2010 - 23:47

What does the ASA log show? If you use ASDM->Monitoring->logging->Debug level, it usually prints messages when the client fails to connect.

Thanks,

Kiran
