Cisco Support Community
New Member

Anyconnect 3.1 connectivity issues

I had a client reach out to me yesterday that they couldn't connect using Anyconnect anymore.  Only a few users use it and IPSec VPN still works fine, so it wasn't an emergency.  I checked it out for myself and after you enter your credentials, you get the following errors:

The VPN client failed to establish a connection.

Followed by:

Anyconnect was not able to establish a connection to the specified secure gateway.  Please try connecting again.

I checked out the Anyconnect configuration and it looked fine. Just to be safe, I deleted and recreated the Anyconnect profile, but to no avail. I did a debug anyconnect 255 and only got the following output:

Not calling vpn_remove_uauth: not IPv4!

webvpn_svc_np_tear_down: no ACL

webvpn_svc_np_tear_down: no IPv6 ACL

The one other part I checked with the real time log viewer in ASDM.  It showed the connection being built and then torn down with a TCP RESET-I.  This seems a bit odd as well. 

I looked around to see if the debug output would point me in the right direction.  The only thing I found had to do with assigning IP addresses to the VPN client.  The clients are getting IP addresses from a local IP pool on the ASA.

Any ideas would be appreciated.

TIA,

Dan

Cisco Employee

Hi Dan,

What did you find about the address assignment? Failure to assign an address would certainly be a possible cause.

In any case, the following debugs might be useful:

debug aaa authen

debug aaa author

debug aaa common 255

debug dap trace

If, e.g., RADIUS or LDAP are used:

debug radius decode

debug ldap

"show vpn-sessiondb" can be useful to check if you have many stale connections (which could eat up licenses for example).

hth

Herbert
