
Anyconnect is unable to complete SSL connection with ASA 5515 with 9.1

Ron Michaels
Level 1

I have set up a new ASA 5515 with asa911-smp-k8 but my AnyConnect 3.1 can't complete the SSL connection. On the ASA side all I get is a message that the SSL handshake is started with client outside... for TLSv1 session, and then a "No matching connection for ICMP error" message where the original payload is my PC and the ASA outside interface. On the PC side I get a timed out message back from AnyConnect.


I basically cloned an ASA5510 with 8.4 to create this ASA. The 5510 works perfectly but the 5515 does not.

9 Replies

Marvin Rhoads
Hall of Fame

When you say you cloned the 5510 I'm guessing that means you pulled the VPN-relevant running configuration bits and put them onto the 5515-X.

Did you also copy over the remote access VPN profile file from the 5510's flash? That's an XML file that downloads to the client when first establishing a connection to tell them various relevant parameters for the connection.

Yes, I made sure that all of the parts of the existing 5510 setup were in this ASA with the new subnets etc. There is only one XML file in the flash and that is for a Dynamic Access Policy restricting those users who are not allowed access. I have not installed that yet because I did not want to start restricting access until it is working. My motto is "Only break one thing at a time".

What is happening here is I am using LDAP for validation and it tests properly from the ASA to the DC, but none of that even starts. It is as if the initial connection gets to the ASA from AnyConnect but the reply back to complete the SSL never gets back to the PC, so it is timing out. My only option now is to assume there is a bug in this IOS and get the latest version. The reason I was using this ASA is it has 8.4 with the new NAT rules, and I wanted to make sure I got it right and did not introduce any other errors.

"Only break one thing at a time" is a great motto. I think of it with my engineer's hat and try not to solve a single multivariable equation if I can avoid it.

Two things that also come to mind: did you ensure you have the 3DES-AES license active, and have you set ssl encryption to use strong ciphers (ssl encryption aes128-sha1 aes256-sha1 3des-sha1)?

I've seen a number of 5500-X ship without either of those bits. Either of those could potentially cause problems similar to what you describe.

All of the licenses are identical between the two ASAs. There is one wording difference: the 5510 says VPN-3DES-AES and the 5515 says Encryption-3DES-AES. The 3DES-AES license is enabled. As for the SSL encryption line, I did not have that on either ASA, and when added to the 5515 it still times out.

I didn't mention that this is in one of our company plants in Brazil, if that makes any difference. I tried to do a file transfer for a couple of different IOS images and they run all the way through, but after they complete the transfer I get an invalid HTTP response message and the transfer does not complete properly.

Have you generated a persistent self-signed identity certificate on the new ASA and bound it to both the outside interface and the connection profile?

If you're doing a file transfer are you using ASDM to the outside interface or something? That could be a problem distinct from the VPN. When upgrading past 9.1, you need to first go to 9.1(2) or else the file transfer won't work correctly (either via https using ASDM or ftp copy from the CLI).

I am using the ASDM to the inside interface of the ASA and I did find on the internet the bug report on the upgrading issue with 9.1(1) so I am reloading the ASA right now.


I have not generated a persistent self-signed identity certificate before. The 5510 with 8.4 had the Smart Call Home turned on so there was a certificate installed for that and later we added a certificate for our DNS name but that was after it had the initial configuration working.

How is this done?


There's a good configuration example on setting up an identity certificate here.

To bind it to the remote access VPN Connection Profile you need to also go under Configuration > Remote Access VPN > Network (Client) Access - AnyConnect Connection Profiles and choose the Device Certificate button and then apply the certificate you've created.


I have created the certificate but this did not change the situation.

I noticed something and that is my only clue left.

I had the site give me a second public IP address so I could see if there might be an issue with a duplicate IP address. When I tried to connect with AnyConnect, I typed in the old IP address first by mistake and then the new one. Both gave me the same timed out error, so then I just typed a random IP address and got the same error on the PC.

The ASA only shows one line in the logs that it is starting an SSL session and later closes it out. I don't think any reply after the initial connection is getting back to the PC to continue with the connection. To try to make another test, I have been trying to connect with https to the public IP address and that times out also.

What would be the common denominator here? What could stop the initial reply if I had a bug in the configuration?


Here is all I get in the Log:

6|Jul 31 2014|13:10:34|302014|184.176.212.150|1089|177.86.100.12|443|Teardown TCP connection 3118 for outside:184.176.212.150/1089 to identity:177.86.100.12/443 duration 0:00:12 bytes 1734 TCP Reset-O
6|Jul 31 2014|13:10:22|725001|184.176.212.150|1089|||Starting SSL handshake with client outside:184.176.212.150/1089 for TLSv1 session.
6|Jul 31 2014|13:10:22|302021|177.86.100.10|0|177.86.100.12|0|Teardown ICMP connection for faddr 177.86.100.10/0 gaddr 177.86.100.12/0 laddr 177.86.100.12/0
6|Jul 31 2014|13:10:22|302020|177.86.100.10|0|177.86.100.12|0|Built inbound ICMP connection for faddr 177.86.100.10/0 gaddr 177.86.100.12/0 laddr 177.86.100.12/0
6|Jul 31 2014|13:10:22|302013|184.176.212.150|1089|177.86.100.12|443|Built inbound TCP connection 3118 for outside:184.176.212.150/1089 (184.176.212.150/1089) to identity:177.86.100.12/443 (177.86.100.12/443)


I am 184.176.212.150 and the ASA is 177.86.100.12 with 177.86.100.10 the default gateway.


Thanks,
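As an added example (not part of the thread or Cisco's tooling), a small Python checker for ASDM-format log exports like the one above: it correlates the 302013/302014 TCP build/teardown messages to the ASA identity address with the 725001 handshake-start message per client, and flags clients whose TLS handshake started but the connection ended by reset with no completion logged. The healthy client 203.0.113.7 and the use of message ID 725002 as the handshake-completion message are assumptions made for the sample.

```python
import re
from dataclasses import dataclass
# Constructed sample: the ASDM-format lines posted above (connection 3118) plus a
# hypothetical healthy client 203.0.113.7 whose completion line uses message ID
# 725002, assumed here to be "Device completed SSL handshake".
SAMPLE_LOG = """\
6|Jul 31 2014|13:10:34|302014|184.176.212.150|1089|177.86.100.12|443|Teardown TCP connection 3118 for outside:184.176.212.150/1089 to identity:177.86.100.12/443 duration 0:00:12 bytes 1734 TCP Reset-O
6|Jul 31 2014|13:10:22|725001|184.176.212.150|1089|||Starting SSL handshake with client outside:184.176.212.150/1089 for TLSv1 session.
6|Jul 31 2014|13:10:22|302013|184.176.212.150|1089|177.86.100.12|443|Built inbound TCP connection 3118 for outside:184.176.212.150/1089 (184.176.212.150/1089) to identity:177.86.100.12/443 (177.86.100.12/443)
6|Jul 31 2014|13:12:00|725001|203.0.113.7|40001|||Starting SSL handshake with client outside:203.0.113.7/40001 for TLSv1 session.
6|Jul 31 2014|13:12:01|725002|203.0.113.7|40001|||Device completed SSL handshake with client outside:203.0.113.7/40001 for TLSv1 session.
6|Jul 31 2014|13:15:00|302014|203.0.113.7|40001|177.86.100.12|443|Teardown TCP connection 3119 for outside:203.0.113.7/40001 to identity:177.86.100.12/443 duration 0:02:59 bytes 48213 TCP FINs
"""
TEARDOWN_RE = re.compile(r"duration (\d+):(\d\d):(\d\d) bytes (\d+) (.+)$")
@dataclass
class Session:
    client: str                        # "ip/port" of the AnyConnect peer
    handshake_started: bool = False    # 725001 seen for this client
    handshake_completed: bool = False  # 725002 seen (assumed message ID)
    duration_s: int = 0                # from the 302014 teardown message
    byte_count: int = 0
    teardown_reason: str = ""          # e.g. "TCP Reset-O" or "TCP FINs"

def parse_sessions(text: str) -> dict:
    """Correlate TCP build/teardown (302013/302014) to the identity address on 443
    with SSL handshake messages per client; order-independent, as exports are newest-first."""
    sessions = {}
    for line in text.splitlines():
        f = line.split("|", 8)
        if len(f) < 9:
            continue  # not a pipe-delimited ASDM log line
        msg_id, client, dport, msg = f[3], f"{f[4]}/{f[5]}", f[7], f[8]
        if msg_id in ("302013", "302014") and dport == "443" and "identity:" in msg:
            s = sessions.setdefault(client, Session(client))
            t = TEARDOWN_RE.search(msg) if msg_id == "302014" else None
            if t:
                h, m, sec, nbytes, reason = t.groups()
                s.duration_s = int(h) * 3600 + int(m) * 60 + int(sec)
                s.byte_count, s.teardown_reason = int(nbytes), reason
        elif msg_id == "725001":
            sessions.setdefault(client, Session(client)).handshake_started = True
        elif msg_id == "725002":
            sessions.setdefault(client, Session(client)).handshake_completed = True
    return sessions

def stalled_handshakes(sessions: dict) -> list:
    """Clients where TLS started, never completed, and the TCP side ended by reset."""
    return sorted(c for c, s in sessions.items() if s.handshake_started
                  and not s.handshake_completed and "Reset" in s.teardown_reason)
```

Run against a full export, a list containing only a single client with a short duration and a small byte count (as in the 12-second, 1734-byte session above) points at the return path from the ASA rather than at authentication, which never gets a chance to start.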
