
Unable to connect to ASA 5505 with AnyConnect after upgrading to 8.2

davidnesbitt
Level 1

I just purchased an AnyConnect Essentials VPN License for my ASA 5505.  I had to upgrade to ASA 8.2.

Now that I have upgraded and installed the license, the AnyConnect client will no longer connect.  It gives the following error:  "Unable to process response".

Any help you can provide would be much appreciated.  I am happy to provide any configuration information that would be helpful if you can provide the CLI commands you would like me to execute.


Jennifer Halim
Cisco Employee

Have you enabled the anyconnect essential feature yet?

The commands are:

webvpn
    anyconnect-essentials

Hope that helps.

I believe it is enabled:

lunch-officegw-01# show run webvpn
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2 regex "Windows NT"
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 4 regex "Linux"
svc enable
tunnel-group-list enable

Did you try to connect via browser or with the AnyConnect client itself?

Both seem not to be working.  :-(

Can you please try to disable and reenable the webvpn and test it again:

webvpn
  no enable outside
  enable outside

If it's still not working, might need to have a look at the whole config.

I gave that a try:

lunch-officegw-01(config)# webvpn
lunch-officegw-01(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
lunch-officegw-01(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.

But no luck so far.  I did notice a few other things have changed since I upgraded to 8.2 and added the anyconnect-essentials license.

When I try to load ASDM (https://10.88.1.254/admin/public/index.html), Firefox tells me this:

Secure Connection Failed

An error occurred during a connection to 10.88.1.254.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

When I connect with PuTTY, it throws up a warning dialog that says:

The first cipher supported by the server is single-DES, which is below the configured warning threshold.

So it seems like something got messed up in the configuration along the way, but I don't know what it is.

Any ideas?

Ahh, yes, check your show version, and see if 3DES is enabled. If not, you might want to activate the 3DES license. Can be requested from the following:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

(Click on Cisco ASA 3DES/AES License)

You might want to check if DES encryption works with the following command:

ssl encryption des-sha1

Once you have enabled the 3DES license, you can change the command to the following:

ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1

I am able to launch ASDM now, but I still get the warning message from PuTTY.

Jennifer, thank you so much for your help.  ASDM and AnyConnect clients are now working!  :-)

The only lingering configuration issue from the upgrade is the PuTTY warning about single DES that I mentioned.  Do you know what is causing that?

Seems like it doesn't like DES too much, you can change the cipher to "not" include DES in your policy:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

DES in general isn't very secure anyway, and the above cipher choices will provide you with better encryption policy.

Hope that helps.

Thanks.  I am back in business!
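
An added example, not part of the original thread and not Cisco tooling: a Python check that scans saved `show run` output for `ssl encryption` lines, flags single DES, and proposes the line with the weak entries dropped. The function name, the weak-prefix list (DES plus RC4 and NULL, which goes beyond the DES case discussed above) and the sample config are assumptions constructed for illustration.

```python
import re

# Algorithm prefixes treated as weak. This classification is this example's
# assumption; "3des-sha1" does not match "des-" and is therefore kept.
WEAK_PREFIXES = ("des-", "rc4-", "null-")

SSL_LINE = re.compile(r"^\s*ssl encryption\s+(.+?)\s*$", re.IGNORECASE)


def audit_ssl_encryption(config_text):
    """Return one finding dict per `ssl encryption` line in an ASA config."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SSL_LINE.match(line)
        if not m:
            continue
        ciphers = m.group(1).lower().split()
        weak = [c for c in ciphers if c.startswith(WEAK_PREFIXES)]
        strong = [c for c in ciphers if c not in weak]
        findings.append({
            "line": lineno,
            "ciphers": ciphers,
            "weak": weak,
            # Only weak ciphers offered: clients that refuse DES cannot connect.
            "weak_only": bool(weak) and not strong,
            # A weak cipher listed first is the server's preferred choice.
            "weak_first": bool(ciphers) and ciphers[0] in weak,
            # Replacement line without the weak entries, when any strong remain.
            "suggested": ("ssl encryption " + " ".join(strong))
                         if strong and weak else None,
        })
    return findings


# Constructed sample: the three settings that appear in the thread, stacked
# for comparison (a real running-config holds a single such line).
SAMPLE = """\
hostname example-asa
ssl encryption des-sha1
!
ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
"""

if __name__ == "__main__":
    for f in audit_ssl_encryption(SAMPLE):
        status = "WEAK" if f["weak"] else "ok"
        print(f"line {f['line']}: {status} {f['weak']} -> {f['suggested']}")
```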
