Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Anyconnect remote access VPN issue

Hi All,

I have configured Anyconnect remote access VPN using VPN wizard.

After configuration i am getting below error in log.

X.X.X.X 7440 X.X.X.X 443 Inbound TCP connection denied from X.X.X.X/7440 to X.X.X.X/443 flags SYN  on interface OUTSIDE

I also tried portal access and same above error is coming when we try to access portal.

Please help here and thanks in advance.

 

Everyone's tags (1)
6 REPLIES

Hi Jatsy, Can you give the

Hi Jatsy,

 

Can you give the below mentioned command and check if that works.

same-security-traffic permit inter-interface

for ASDM:

http://lh6.ggpht.com/-iGTof-YWDgU/Tw8KZG4mATI/AAAAAAAABGA/2Vta8ddhqgQ/s1600-h/image%25255B5%25255D.png

Regards

Karthik

New Member

Hi Karthik,This command was

Hi Karthik,

This command was applied and i reapplied but no luck.

Please let me know if you need more information.

Regards,

Jatsy

Hi Jatsy, Can you post your

Hi Jatsy,

 

Can you post your CLI configuration (Hashed out  the sensitive information)..... ?

 

Regards

Karthik

New Member

Here goes CLI config. XXXXXXX

Here goes CLI config.

 

XXXXXXX/act/pri> en

Password: 
XXXXX/act/pri# show runn
: Saved

: Serial Number: 
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2) 
!
hostname XXXXXX
enable password XXXXXXXX encrypted
names
ip local pool Test_DHCP_pool 10.209.91.5-10.209.91.10 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address X.X.X.X 255.255.255.192 standby X.X.X.X 
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 10.209.9.2 255.255.255.0 
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif INSIDE
 security-level 100
 ip address 10.209.10.15 255.255.255.0 standby 10.209.10.16 
!
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 description LAN Failover Interface
!
interface GigabitEthernet0/7
 description STATE Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa922-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone GST 4
same-security-traffic permit inter-interface
object network 10.209.25.0
 subnet 10.209.25.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_29
 subnet 192.168.200.0 255.255.255.248
object network NETWORK_OBJ_10.209.91.0_28
 subnet 10.209.91.0 255.255.255.240
access-list INSIDE_access_in remark Server Subnet
access-list INSIDE_access_in extended permit ip host 10.209.10.0 any 
access-list INSIDE_access_in remark IT Subnet
access-list INSIDE_access_in extended permit ip host 10.209.25.0 any 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500  
mtu INSIDE 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/6
failover link statelink GigabitEthernet0/7
failover interface ip folink 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip statelink 1.1.1.5 255.255.255.252 standby 1.1.1.6
failover ipsec pre-shared-key XXXXX
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE) source static any interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.209.91.0_28 NETWORK_OBJ_10.209.91.0_28 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 195.229.222.193 1
route INSIDE 10.0.0.0 255.0.0.0 10.209.10.1 1
route INSIDE 10.209.25.0 255.255.255.0 10.209.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.209.25.0 255.255.255.0 INSIDE
http 10.209.0.0 255.255.0.0 INSIDE
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 fqdn XYZ.XYZ.COM
 subject-name XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 keypair comodo
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
 certificate XXXXXXXXXXXXXXX

  quit        
crypto ca certificate chain ASDM_TrustPoint3
 certificate XXXXXXXXXXX

  quit
crypto ca certificate chain ASDM_TrustPoint4
 certificate XXXXXXXXXX

  quit
crypto ca certificate chain ASDM_TrustPoint5
 certificate ca XXXXXXXXX

  quit
crypto ca certificate chain ASDM_TrustPoint6
 certificate ca XXXXXXXXXXXX

  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha      
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
telnet 10.209.0.0 255.255.0.0 INSIDE
telnet timeout 20
no ssh stricthostkeycheck
ssh 10.209.0.0 255.255.0.0 INSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint2 OUTSIDE
webvpn
 enable OUTSIDE
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect profiles XXXXXXXXX_client_profile disk0:/XXXXX_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy "GroupPolicy_XXXXXXX" internal
group-policy "GroupPolicy_XXXXXXX" attributes
 wins-server none
 dns-server value 10.209.10.244
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value XXXXXXX.biz
 webvpn
  anyconnect profiles value XXXXX_client_profile type user
username testvpn password XXXXXXXX encrypted
username admin password XXXXXXXXXX encrypted privilege 15
tunnel-group "XXXXXXXX" type remote-access
tunnel-group "XXXXXXXX" general-attributes
 address-pool Test_DHCP_pool
 default-group-policy "GroupPolicy_XXXXXX"
tunnel-group "XXXXXX" webvpn-attributes
 group-alias "XXXXXXX" enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname state priority 
no call-home reporting anonymous
Cryptochecksum:XXXXXXX
: end

Hi Jatsy,I shall get back to

Hi Jatsy,

I shall get back to you after a quick check on the configs.... Please answer my basic question about your anyconnect....

1) do you want anyconnect alone or anyconnect with ikev2/ipsec?

2) what is the certificate you have used is it a self-signed or third party certificate?

3) You are trying to access it from the outside network/internet right?

4) you get stuck in the initial logon page itself right before the client download auth?

Regards

Karthik

New Member

Hi Karthik,

Hi Karthik, 1. With ike2 2. I installed third party cert. 3. Yes from outside. 4. No wepage displaying and anyconnect client giving connection timeout error. Regards, Jatsy
155
Views
0
Helpful
6
Replies