07-22-2014 12:53 AM - edited 02-21-2020 07:44 PM
Hi All,
I have configured AnyConnect remote access VPN using the VPN wizard.
After configuration I am getting the below error in the log.
X.X.X.X 7440 X.X.X.X 443 Inbound TCP connection denied from X.X.X.X/7440 to X.X.X.X/443 flags SYN on interface OUTSIDE
I also tried portal access, and the same error above appears when we try to access the portal.
Please help here, and thanks in advance.
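As an added example (not part of the original post), here is a small triage script for the syslog message quoted above. It parses ASA message 106001 lines and separates denials that hit a port the firewall itself is supposed to serve (here the AnyConnect/IKEv2 listener on TCP/443 of the OUTSIDE interface, which points at a configuration problem) from ordinary drops of unsolicited traffic. The outside address 203.0.113.10, the client addresses and the log lines are constructed; the single numeric header columns shown in the post's log viewer are not part of the message text and are ignored.

```python
import re
from collections import Counter

# ASA syslog 106001 as it appears in the post:
#   Inbound TCP connection denied from SRC/SPORT to DST/DPORT flags SYN on interface IFACE
DENY_106001 = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

# Ports the ASA is expected to answer on, per interface and interface address.
# Constructed to match the thread's setup: webvpn enabled on OUTSIDE and IKEv2
# client-services on port 443. 203.0.113.10 is a documentation address (assumption).
EXPECTED_LISTENERS = {
    ("OUTSIDE", "203.0.113.10", 443): "AnyConnect SSL / IKEv2 client-services",
}

# Constructed sample log; the last line is a different message type and is ignored.
SAMPLE_LOG = [
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/7440 to 203.0.113.10/443 flags SYN on interface OUTSIDE",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/7441 to 203.0.113.10/443 flags SYN on interface OUTSIDE",
    "%ASA-2-106001: Inbound TCP connection denied from 192.0.2.44/51234 to 203.0.113.10/23 flags SYN on interface OUTSIDE",
    "%ASA-2-106001: Inbound TCP connection denied from 192.0.2.44/51235 to 203.0.113.10/22 flags SYN on interface OUTSIDE",
    "%ASA-6-302013: Built outbound TCP connection 12 for OUTSIDE:192.0.2.9/443 (192.0.2.9/443) to INSIDE:10.209.10.50/55000 (203.0.113.10/55000)",
]


def parse_106001(line):
    """Return the fields of a 106001 denial as a dict, or None for any other line."""
    m = DENY_106001.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = ev["flags"].strip()
    return ev


def triage(lines):
    """Split 106001 denials into two buckets:
    'listener_denied' - the ASA refused a port it should be serving (config problem);
    'unsolicited'     - drops of traffic to ports nothing should answer (normal)."""
    listener_denied, unsolicited = [], Counter()
    for line in lines:
        ev = parse_106001(line)
        if ev is None:
            continue
        key = (ev["iface"], ev["dst"], ev["dport"])
        if key in EXPECTED_LISTENERS:
            listener_denied.append(ev)
        else:
            unsolicited[(ev["src"], ev["dport"])] += 1
    return {"listener_denied": listener_denied, "unsolicited": unsolicited}


def report(result):
    """Render the triage result as one line per finding."""
    out = []
    for ev in result["listener_denied"]:
        svc = EXPECTED_LISTENERS[(ev["iface"], ev["dst"], ev["dport"])]
        out.append(f"CHECK CONFIG: {ev['src']} refused on {ev['iface']} "
                   f"{ev['dst']}:{ev['dport']} ({svc})")
    for (src, dport), n in result["unsolicited"].most_common():
        out.append(f"expected drop: {src} -> tcp/{dport} x{n}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Feed it real syslog output from the ASA (or the ASDM log viewer export) and keep EXPECTED_LISTENERS in step with the interfaces on which webvpn and IKEv2 client-services are enabled; a "CHECK CONFIG" line means the firewall is dropping SYNs to its own VPN listener, which is the symptom described above.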
07-22-2014 02:23 AM
Hi Jatsy,
Can you enter the below-mentioned command and check if that works?
same-security-traffic permit inter-interface
for ASDM:
http://lh6.ggpht.com/-iGTof-YWDgU/Tw8KZG4mATI/AAAAAAAABGA/2Vta8ddhqgQ/s1600-h/image%25255B5%25255D.png
Regards
Karthik
07-22-2014 02:40 AM
Hi Karthik,
This command was applied and I reapplied it, but no luck.
Please let me know if you need more information.
Regards,
Jatsy
07-22-2014 02:50 AM
Hi Jatsy,
Can you post your CLI configuration (with the sensitive information hashed out)?
Regards
Karthik
07-22-2014 03:17 AM
Here goes the CLI config.
XXXXXXX/act/pri> en
Password:
XXXXX/act/pri# show runn
: Saved
:
: Serial Number:
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)
!
hostname XXXXXX
enable password XXXXXXXX encrypted
names
ip local pool Test_DHCP_pool 10.209.91.5-10.209.91.10 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address X.X.X.X 255.255.255.192 standby X.X.X.X
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 10.209.9.2 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif INSIDE
security-level 100
ip address 10.209.10.15 255.255.255.0 standby 10.209.10.16
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
description LAN Failover Interface
!
interface GigabitEthernet0/7
description STATE Failover Interface
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone GST 4
same-security-traffic permit inter-interface
object network 10.209.25.0
subnet 10.209.25.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_29
subnet 192.168.200.0 255.255.255.248
object network NETWORK_OBJ_10.209.91.0_28
subnet 10.209.91.0 255.255.255.240
access-list INSIDE_access_in remark Server Subnet
access-list INSIDE_access_in extended permit ip host 10.209.10.0 any
access-list INSIDE_access_in remark IT Subnet
access-list INSIDE_access_in extended permit ip host 10.209.25.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/6
failover link statelink GigabitEthernet0/7
failover interface ip folink 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip statelink 1.1.1.5 255.255.255.252 standby 1.1.1.6
failover ipsec pre-shared-key XXXXX
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE) source static any interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.209.91.0_28 NETWORK_OBJ_10.209.91.0_28 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 195.229.222.193 1
route INSIDE 10.0.0.0 255.0.0.0 10.209.10.1 1
route INSIDE 10.209.25.0 255.255.255.0 10.209.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.209.25.0 255.255.255.0 INSIDE
http 10.209.0.0 255.255.0.0 INSIDE
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn XYZ.XYZ.COM
subject-name XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
keypair comodo
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate XXXXXXXXXXXXXXX
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate XXXXXXXXXXX
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate XXXXXXXXXX
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate ca XXXXXXXXX
quit
crypto ca certificate chain ASDM_TrustPoint6
certificate ca XXXXXXXXXXXX
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
telnet 10.209.0.0 255.255.0.0 INSIDE
telnet timeout 20
no ssh stricthostkeycheck
ssh 10.209.0.0 255.255.0.0 INSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint2 OUTSIDE
webvpn
enable OUTSIDE
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles XXXXXXXXX_client_profile disk0:/XXXXX_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_XXXXXXX" internal
group-policy "GroupPolicy_XXXXXXX" attributes
wins-server none
dns-server value 10.209.10.244
vpn-tunnel-protocol ikev2 ssl-client
default-domain value XXXXXXX.biz
webvpn
anyconnect profiles value XXXXX_client_profile type user
username testvpn password XXXXXXXX encrypted
username admin password XXXXXXXXXX encrypted privilege 15
tunnel-group "XXXXXXXX" type remote-access
tunnel-group "XXXXXXXX" general-attributes
address-pool Test_DHCP_pool
default-group-policy "GroupPolicy_XXXXXX"
tunnel-group "XXXXXX" webvpn-attributes
group-alias "XXXXXXX" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname state priority
no call-home reporting anonymous
Cryptochecksum:XXXXXXX
: end
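As an added example (not from the original poster or from Cisco), here is a small audit script for the kind of running-config posted above. It flags the legacy crypto settings visible in that config (DES/3DES and MD5 in the IPsec proposals and IKEv2 policies, DH groups 1/2/5, RC4 and 3DES in the SSL cipher list, DH group 1 for SSH key exchange), cleartext Telnet management access, and, as a heuristic marked "review" rather than a diagnosis, the NAT rule that maps any source to the OUTSIDE interface address, since that interface is where the ASA is also serving the VPN listener. The SAMPLE_CONFIG excerpt is constructed from the post (with the sub-command indentation that the forum stripped restored); the suggested replacement lines use syntax that appears on this page or is standard ASA CLI, and are starting points, not a verified hardened config.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity section line message fix")

# Excerpt constructed from the running-config in the post; only lines the
# checks look at are included, with ASA's one-space sub-command indentation.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
telnet 10.209.0.0 255.255.0.0 INSIDE
ssh key-exchange group dh-group1-sha1
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
nat (any,OUTSIDE) source static any interface
webvpn
 enable OUTSIDE
"""

# (severity, line pattern, message, suggested replacement template or None)
CHECKS = [
    ("high", re.compile(r"^\s*protocol esp encryption (des|3des)$"),
     "IPsec ESP proposal uses a legacy cipher", "protocol esp encryption aes-256"),
    ("high", re.compile(r"^\s*protocol esp integrity .*\bmd5\b"),
     "IPsec ESP proposal accepts MD5 integrity", "protocol esp integrity sha-1"),
    ("high", re.compile(r"^\s*encryption (des|3des)$"),
     "IKEv2 policy uses a legacy cipher", "encryption aes-256"),
    ("high", re.compile(r"^ssl encryption .*\b(rc4|3des)-"),
     "SSL cipher list for AnyConnect/portal includes RC4 or 3DES",
     "ssl encryption aes256-sha1 aes128-sha1"),
    ("high", re.compile(r"^ssh key-exchange group dh-group1-sha1$"),
     "SSH key exchange uses 1024-bit DH group 1", "ssh key-exchange group dh-group14-sha1"),
    ("medium", re.compile(r"^telnet \d"),
     "Telnet management access is enabled (cleartext credentials)", "no {line}"),
    ("review", re.compile(r"^nat \(any,\S+\) source static any interface$"),
     "NAT maps any source to the interface address; review its interaction with "
     "services the ASA itself serves on that interface", None),
]
DH_GROUP = re.compile(r"^\s*group((?: \d+)+)$")   # IKEv2 policy 'group N [N ...]'
WEAK_DH = {"1", "2", "5"}


def audit(config_text):
    """Scan a running-config line by line and return a list of Finding tuples."""
    findings = []
    section = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not raw.startswith(" "):
            section = line.strip()   # top-level command owning the sub-commands below it
        for severity, pattern, message, fix in CHECKS:
            if pattern.match(line):
                suggested = fix.format(line=line.strip()) if fix else None
                findings.append(Finding(severity, section, line.strip(), message, suggested))
        m = DH_GROUP.match(line)
        if m:
            weak = sorted((g for g in m.group(1).split() if g in WEAK_DH), key=int)
            if weak:
                findings.append(Finding("medium", section, line.strip(),
                                        "IKEv2 policy allows weak DH group(s) " + ", ".join(weak),
                                        "group 14"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.section}: {f.line}\n    {f.message}"
              + (f"\n    suggested: {f.fix}" if f.fix else ""))
    print(summarize(audit(SAMPLE_CONFIG)))
```

Run it over the full `show running-config` output; the "review" finding is only a pointer to look at the rule, while the "high" findings are independent of the 443 problem and worth fixing before exposing the VPN listener to the internet.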
07-22-2014 05:51 AM
Hi Jatsy,
I shall get back to you after a quick check on the configs. Please answer my basic questions about your AnyConnect:
1) Do you want AnyConnect alone or AnyConnect with IKEv2/IPsec?
2) What certificate have you used: is it a self-signed or third-party certificate?
3) You are trying to access it from the outside network/internet, right?
4) You get stuck at the initial logon page itself, right, before the client download/auth?
Regards
Karthik
07-22-2014 07:46 AM