I have some users who are suddenly unable to connect to my VPN. Up until a week ago, they were able to connect properly without any issues. This is affecting 2 users at the same remote location.
I am using an ASA 5510
My ASA Version is 8.2(1)
My ASDM Version is 6.4(5)206
I am using Secure Mobility Client 3.0.5075
Our VPN uses certificate authentication for connection.
The situation is as follows:
Begining on May 17th, the user began being unable to connect to the VPN. When they attempt to connect, they input their username/password, and click 'Connect'. At this time, the client goes through all the required steps to connect to my 5510 - I have watched the screen while they are doing so - and it gets stuck at : 'Establishing VPN - Initiating connection'.
Looking on my ASA, I can see the VPN connection attempt on my VPN monitoring - It shows the username and group policy properly, but for the IP, I only see their Public IP - the ASA is not giving them an Assigned IP Address. The 'Protocol' stays at 'Clientless', and no encryption information is shown in the monitoring area.
I have been working at this for a week, and have only briefly been able to get the user connected (and I think that was just a fluke, since immediately afterwards they were unable to connect, even though nothing had changed in the configuration).
I have no other users who are experiencing this problem - I have at least a dozen users who connect to the VPN regularly (myself included) and I cannot replicate this with anyone.
Originally, I was seeing the highlighted error in the ASA logs (screenshot 1, attached), which seems to point towards an ACL issue. After experimenting with ACLs, I was still unable to get the user connected (and it begs the question, why did this suddenly start happening, especially since I did not change any ACLs before the issue began).
Since this time, I have run the command 'http redirect outside 80' on the ASA (which has since been removed), which has stopped the error from showing up, but the user is still unable to get connected.
Looking into his Cisco event log, I see many errors when trying to connec,t such as:
Function: ConnectIfc::TranslateStatusCode File: .\ConnectIfc.cpp Line: 2618 Invoked Function: ConnectIfc::TranslateStatusCode Return Code: -29949906 (0xFE37002E) Description: CTRANSPORT_ERROR_TIMEOUT Connection attempt has timed out. Please verify Internet connectivity.
Function: ConnectIfc::requestLogout File: .\ConnectIfc.cpp Line: 2669 Invoked Function: ConnectIfc::sendRequest Return Code: -29949906 (0xFE37002E) Description: CTRANSPORT_ERROR_TIMEOUT
Function: ConnectIfc::sendRequest File: .\ConnectIfc.cpp Line: 2770 Invoked Function: CTransport::SendRequest Return Code: -29949906 (0xFE37002E) Description: CTRANSPORT_ERROR_TIMEOUT
I have also attempted to get them connected by going through the web portal to connect, but the vpn connection process gets stuck on the step "Detecting CPU and Operating System", and the connection shows the same was in the monitoring on the ASA - no 'Assigned IP address' and no 'Encryption' information.
I have tried various things, including:
Fully reinstalling the VPN client
Upgrading VPN client from original 2.5.3055 to newest 3.0.5705 client
Manually copying the latest Client Profile to the PC
Rebooted the ASA.
All of this has resulted in nothing. I can confirm that the user account is able to connect, since I have gotten it to connect from a different location.
No username/password combination is able to connect from the affected location, confirmed using my own credentials.
This appears to be something that is being caused by the IP address that they are connecting from, but I cannot think of any reason why, since it worked properly 1 week ago (and again, I can confirm no changes, since I am the only person who administers our ASA, and I know I didn't change anything during that time period).
If anyone has any suggestions, I would love to hear them. I do have some log files available, in case anyone would like to see them. Sanitized current running config is attached.
Thanks,
Jason Jeanveau
