I had a client reach out to me yesterday to say that they couldn't connect using AnyConnect anymore. Only a few users use it and IPSec VPN still works fine, so it wasn't an emergency. I checked it out for myself, and after you enter your credentials, you get the following errors:
The VPN client failed to establish a connection.
Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
I checked out the AnyConnect configuration and it looked fine. Just to be safe, I deleted and recreated the AnyConnect profile, but to no avail. I did a debug anyconnect 255 and only got the following output:
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
The one other thing I checked was the real-time log viewer in ASDM. It showed the connection being built and then torn down with a TCP RESET-I. This seems a bit odd as well.
I looked around to see if the debug output would point me in the right direction. The only thing I found had to do with assigning IP addresses to the VPN client. The clients are getting IP addresses from a local IP pool on the ASA.