Cisco Support Community

ASA Anyconnect remote access VPN issue

Hi All,

I have configured Anyconnect remote access VPN using VPN wizard.

After configuration I am getting the below error in the log.

X.X.X.X 7440 X.X.X.X 443 Inbound TCP connection denied from X.X.X.X/7440 to X.X.X.X/443 flags SYN  on interface OUTSIDE

I also tried portal access, and the same error above appears when we try to access the portal.

Please help here, and thanks in advance.
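As an added example (not from this thread), here is a small Python parser for the denial message the post quotes (ASA syslog ID 106001). It extracts source, destination, port and interface from each line and counts how many denied SYNs were aimed at the AnyConnect listener on tcp/443 of the OUTSIDE interface, which is the first thing to establish before blaming an interface ACL. The sample log lines and addresses are constructed (RFC 5737 ranges), and the message IDs on them are assumed.

```python
import re
from collections import Counter

# Regex for the "Inbound TCP connection denied" text as quoted in the post.
# The leading "src sport dst dport" columns some syslog viewers prepend are ignored.
DENY_RE = re.compile(
    r"Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_deny(line):
    """Return the denial's fields as a dict, or None if the line is another message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = d["flags"].strip()
    return d


def summarize(lines, vpn_iface="OUTSIDE", vpn_port=443):
    """Count denials per (interface, destination port) and those hitting the VPN listener."""
    per_target = Counter()
    to_vpn = 0
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        per_target[(d["iface"], d["dport"])] += 1
        if d["iface"] == vpn_iface and d["dport"] == vpn_port and "SYN" in d["flags"]:
            to_vpn += 1
    return per_target, to_vpn


# Constructed sample lines in the format the post shows; the addresses are documentation ranges.
SAMPLE_LOGS = [
    "203.0.113.10 7440 198.51.100.1 443 Inbound TCP connection denied from 203.0.113.10/7440 to 198.51.100.1/443 flags SYN  on interface OUTSIDE",
    "203.0.113.10 7441 198.51.100.1 443 Inbound TCP connection denied from 203.0.113.10/7441 to 198.51.100.1/443 flags SYN  on interface OUTSIDE",
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.22/51000 to 198.51.100.1/22 flags SYN  on interface OUTSIDE",
    "%ASA-6-302013: Built inbound TCP connection 100 for OUTSIDE:203.0.113.9/4000 (203.0.113.9/4000) to INSIDE:10.0.0.5/80 (10.0.0.5/80)",
]

if __name__ == "__main__":
    targets, vpn_hits = summarize(SAMPLE_LOGS)
    for (iface, port), n in sorted(targets.items()):
        print(f"{iface}:{port} denied {n} time(s)")
    print(f"SYNs denied to the AnyConnect listener tcp/443 on OUTSIDE: {vpn_hits}")
```

If every denial targets the interface's own address on tcp/443, the listener itself is what to verify next, not a through-the-box ACL.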


Hi Jatsy,


Can you enter the below-mentioned command and check if that works?

same-security-traffic permit inter-interface

for ASDM:



Hi Karthik,

This command was applied, and I reapplied it, but no luck.

Please let me know if you need more information.



Hi Jatsy,


Can you post your CLI configuration (hash out the sensitive information)?




Here goes CLI config.


XXXXXXX/act/pri> en

XXXXX/act/pri# show runn
: Saved

: Serial Number: 
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA Version 9.2(2) 
hostname XXXXXX
enable password XXXXXXXX encrypted
ip local pool Test_DHCP_pool mask
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address X.X.X.X standby X.X.X.X 
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 nameif INSIDE
 security-level 100
 ip address standby 
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/6
 description LAN Failover Interface
interface GigabitEthernet0/7
 description STATE Failover Interface
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa922-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone GST 4
same-security-traffic permit inter-interface
object network
object network NETWORK_OBJ_192.168.200.0_29
object network NETWORK_OBJ_10.209.91.0_28
access-list INSIDE_access_in remark Server Subnet
access-list INSIDE_access_in extended permit ip host any 
access-list INSIDE_access_in remark IT Subnet
access-list INSIDE_access_in extended permit ip host any 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500  
mtu INSIDE 1500
mtu management 1500
failover lan unit primary
failover lan interface folink GigabitEthernet0/6
failover link statelink GigabitEthernet0/7
failover interface ip folink standby
failover interface ip statelink standby
failover ipsec pre-shared-key XXXXX
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE) source static any interface
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.209.91.0_28 NETWORK_OBJ_10.209.91.0_28 no-proxy-arp route-lookup
route OUTSIDE 1
route INSIDE 1
route INSIDE 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http management
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 keypair comodo
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2

crypto ca certificate chain ASDM_TrustPoint3
 certificate XXXXXXXXXXX

crypto ca certificate chain ASDM_TrustPoint4
 certificate XXXXXXXXXX

crypto ca certificate chain ASDM_TrustPoint5
 certificate ca XXXXXXXXX

crypto ca certificate chain ASDM_TrustPoint6
 certificate ca XXXXXXXXXXXX

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha      
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
telnet INSIDE
telnet timeout 20
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint2 OUTSIDE
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect profiles XXXXXXXXX_client_profile disk0:/XXXXX_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy "GroupPolicy_XXXXXXX" internal
group-policy "GroupPolicy_XXXXXXX" attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value
  anyconnect profiles value XXXXX_client_profile type user
username testvpn password XXXXXXXX encrypted
username admin password XXXXXXXXXX encrypted privilege 15
tunnel-group "XXXXXXXX" type remote-access
tunnel-group "XXXXXXXX" general-attributes
 address-pool Test_DHCP_pool
 default-group-policy "GroupPolicy_XXXXXX"
tunnel-group "XXXXXX" webvpn-attributes
 group-alias "XXXXXXX" enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
service-policy global_policy global
prompt hostname state priority 
no call-home reporting anonymous
: end

Hi Jatsy,

I shall get back to you after a quick check on the configs. Please answer my basic questions about your AnyConnect:

1) Do you want AnyConnect alone, or AnyConnect with IKEv2/IPsec?

2) What certificate have you used: is it a self-signed or a third-party certificate?

3) You are trying to access it from the outside network/internet, right?

4) You get stuck at the initial logon page itself, right, before the client download auth?



Hi Karthik,

1. With IKEv2.

2. I installed a third-party cert.

3. Yes, from outside.

4. No webpage is displaying, and the AnyConnect client gives a connection timeout error.

Regards,
Jatsy