I recently set up an ASA 5505 with AnyConnect. It's a very simple setup. I have the ASA 5505 (E0/0) plugged straight into the ISP private static IP address. I have a computer connected to the console port for configuration. I also have 1 laptop occasionally plugged into E0/1 for testing. Everything works great for a while. I've had the laptop able to browse the web, and then I can connect from Android handsets via the AnyConnect APKs.
Static IP: 220.127.116.11
I notice that after about 15 minutes, my ARP table shows something taking the 18.104.22.168 on the outside internet. When this happens, I can't browse anymore on the laptop and I can't connect from handsets on AnyConnect. I'm not sure where the MAC address is from. If I perform a clear arp, I am able to reconnect with the laptop to the internet. After that, I am able to VPN via AnyConnect. It doesn't appear that I can connect via AnyConnect until I first initiate the laptop connection to get that initial inside / outside ARP portion populated. Adding static ARP entries doesn't seem to help.
The configuration looks good to me; however, I think there is something related to internet connectivity rather than pointing to Inconsistent Anyconnect connection. You said that when the ARP table shows something taking the 22.214.171.124 on the outside internet, the laptop behind the ASA loses connectivity to the internet. So if there is no connectivity to the internet, then the AnyConnect client will not connect for sure. If making the AnyConnect connection stable is more important, then please apply a capture on the outside interface of the ASA and check if you are able to see the traffic coming from the AnyConnect client on the outside interface. To apply the capture on outside, use these commands:
Assuming the public IP address of the AnyConnect client is x.x.x.x
Create an access list:
access-list cap permit ip host x.x.x.x host 126.96.36.199
access-list cap permit ip host 188.8.131.52 host x.x.x.x
capture capout access-l cap interface outside
To see the traffic coming from the AnyConnect client, use the command: show cap capout. If you do see the traffic coming, then please paste the output of the command show cap capout, and if you do not see anything, then we need to troubleshoot in the direction of fixing the connectivity issue.
I pulled the IP from a handset I was using with AnyConnect and made the logs. While the connection was established everything worked fine and logs were being captured. After 14 minutes, I lost connection. My handset was in the "reconnecting" state. Below are the end logs before everything stopped and then a little more information. I just don't know what is causing the connection to get lost.
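One way to pin down when an outside ARP entry changes and which MAC addresses are involved is to save show arp output at intervals and compare the snapshots. This is an added example, not part of the thread: the addresses, MACs and timestamps are constructed, and the row layout (interface, IP, dotted MAC, age) is assumed to match what show arp prints on the ASA.

```python
import re

# One ARP row: interface, IPv4 address, Cisco dotted MAC, optional age column.
ARP_ROW = re.compile(
    r"^\s*(?P<ifc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"(?:\s+(?P<age>\S+))?\s*$"
)

def parse_arp(text):
    """Return {(interface, ip): mac} for well-formed rows; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[(m["ifc"], m["ip"])] = m["mac"].lower()
    return table

def mac_changes(snapshots):
    """snapshots: [(label, show_arp_text)] in time order.
    Returns [(label, interface, ip, old_mac, new_mac)] for every MAC change."""
    last, events = {}, []
    for label, text in snapshots:
        for key, mac in parse_arp(text).items():
            if key in last and last[key] != mac:
                events.append((label, key[0], key[1], last[key], mac))
            last[key] = mac
    return events

# Constructed snapshots (documentation addresses, made-up MACs).
SNAPSHOTS = [
    ("00:00", "asa# show arp\n"
              "\toutside 192.0.2.1 0011.2233.4455 12\n"
              "\tinside 192.168.1.5 aabb.ccdd.0001 30\n"),
    ("00:05", "\toutside 192.0.2.1 0011.2233.4455 40\n"
              "\tinside 192.168.1.5 aabb.ccdd.0001 8\n"),
    ("00:15", "\toutside 192.0.2.1 00DE.ADBE.EF01 3\n"
              "\tinside 192.168.1.5 aabb.ccdd.0001 15\n"),
]

if __name__ == "__main__":
    for label, ifc, ip, old, new in mac_changes(SNAPSHOTS):
        print(f"{label}: {ifc} {ip} moved from {old} to {new}")
```

The new MAC's first three bytes (the OUI) identify the vendor of the device answering for that address, which narrows down what on the ISP segment is claiming it.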