Host Unreachable when trying to connect using the AnyConnect client

Unanswered Question
Aug 10th, 2010

When trying to connect using the Cisco AnyConnect client (2.5.0.217) I receive the following error message: Host Unreachable.  However, if I enter my ASA's IP address in my browser, it prompts me to enter my username and passwords, downloads/updates the client and I cannot.  Any idea what could be the issue? My ASA is running version 8.2(1) and ASDM version 6.2(1).


Thanks

Todd Pula Tue, 08/10/2010 - 14:47

Does your test client have a DNS server configured?  Can you browse the Internet?  Are you able to resolve the FQDN of your WebVPN to an IP?

borealc Tue, 08/10/2010 - 18:06

Yes, my test client has a DNS server configured and I can browse the Internet.  However, I only use my ASA's IP as I haven't registered my ASA in DNS.  What I find strange and accidentally omitted from my original post is that, if I type my ASA's IP address in a browser (https://asa_ipaddress:4443) I get a login page prompting me to select a profile and enter a username and password, after which the client is downloaded and connected.  However, if I simply launch the AnyConnect client and enter my ASA's IP address I receive the following error message: Connection attempt has failed:Host Unreachable.

Nagaraja Thanthry (Cisco Employee) Tue, 08/10/2010 - 19:41

Hello,

I guess the issue is with you enabling both ASDM and WebVPN on the outside interface. Can you check to see if you have a "port 4443" in the configuration?

webvpn
 port 4443

If it is in there, then what you are seeing is normal. If you would like to access WebVPN via port 443, then please remove the port command and change the ASDM port to 4443.

http server enable 4443

Hope this helps.

Regards,

NT

borealc Wed, 08/11/2010 - 06:13

Is that the best practice in this case?  What does Cisco recommend?

Todd Pula Wed, 08/11/2010 - 06:48

If you are using a non-standard SSL port, you will also need to specify the configured port when entering the IP address directly into the AnyConnect client.  Without this, AnyConnect will try to connect on TCP 443 by default.  You can also configure an AnyConnect XML profile to pre-position the hostname, IP address, and port so that your end users do not need to worry about it.
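
The port mismatch described in the replies above can be confirmed from the client side before changing anything on the ASA. The following is an added example, not part of the original thread and not a Cisco tool: it parses a server string the way the thread describes (TCP 443 unless a port is given) and probes both the port that would be tried and the configured one. The function names and verdict strings are hypothetical; 4443 is the port from the thread.

```python
import socket
import sys

DEFAULT_PORT = 443  # per the thread, AnyConnect tries TCP 443 when no port is given


def parse_target(entry, default_port=DEFAULT_PORT):
    """Split what a user types into the client into (host, port).

    Handles IPv4 addresses and hostnames, with or without a pasted
    https:// prefix or path. IPv6 literals are out of scope here.
    """
    entry = entry.strip()
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(entry, configured_port, default_port=DEFAULT_PORT, timeout=3.0):
    """Return (verdict, host, port_tried) for a server string typed by a user."""
    host, port = parse_target(entry, default_port)
    if tcp_open(host, port, timeout):
        return "ok", host, port
    # Port tried is closed; see whether the gateway listens on the configured one.
    if port != configured_port and tcp_open(host, configured_port, timeout):
        return "wrong_port", host, port
    return "unreachable", host, port


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address; pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(diagnose(target, configured_port=4443))
```

A `wrong_port` verdict means the host answers on the configured port but not on the one the entry resolves to, which matches the symptom in this thread; `unreachable` points at routing or filtering instead.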
