Multiple concurrent SSL VPN Client connections

TBadgerlock
Level 1

Hi,

Apologies if this is a simple question; I'm new to Cisco tech. The basic situation is that I have 3 remote workers all wishing to connect to the VPN (using AnyConnect), but only one connection is allowed by the ASA5500 at any time; all other connections drop as soon as a new one is established. Is this by design, and the ASA blocks any concurrent SSL VPN connections from the same external IP, or is this something I've unknowingly set up myself when creating the AnyConnect Connection Profile?

Help/advice much appreciated.

Thanks,

Tom

12 Replies

Bart Kersten
Level 1

Is your ASA licensed to do SSL VPN? A default ASA is only licensed for 2 SSL VPN sessions at a time.

~bart

Sent from Cisco Technical Support iPhone App

I agree with Bart that it sounds like it is an issue with the licensing for SSL VPN (which is AnyConnect).

If Tom is quite new to Cisco tech he may not be sure where to find the answer to Bart's question. If Tom will execute the command show version on the ASA and then post the output it will include what we need to see.

HTH

Rick


Hi Tom,

By default, the ASA comes with two Premium peers.

This allows you to have up to two simultaneous SSL VPN connections (WebVPN or AnyConnect) at any time.

Please share the "show version" (remove any confidential information like the serial number, hostname and activation-key); just include the licensing information.

We may be able to give you better feedback based on that output.

Thank you,

Hi,

Thanks for the speedy reply:

Result of the command: "show version"

Boot microcode   : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 50
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

cheers,

Tom
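Since the replies hinge on reading the licensing section of "show version", here is an added example (not from the thread or from Cisco) that parses that section into a dictionary and answers the capacity question directly: is the box licensed for at least N concurrent SSL VPN peers? The sample text is a constructed copy of the block Tom posted; the key/value layout it assumes ("Name : Value" lines under "Licensed features for this platform:") is what that output shows.

```python
"""Parse the 'Licensed features' block of ASA 'show version' and check
whether the SSL VPN peer license covers a required number of sessions.

Added example; the sample below is a constructed copy of the output posted
in the thread, not output captured from a device here.
"""
import re

SAMPLE_SHOW_VERSION = """\
Boot microcode   : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 50
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.
"""

# "Feature name     : value" lines; the lazy key match stops at the padding
# before the colon so the key comes back without trailing spaces.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S.*?)\s*$")
PLATFORM_RE = re.compile(r"^This platform has an? (?P<lic>.+?) license\.$")


def _coerce(value):
    """Turn the textual values into something comparable."""
    if value.isdigit():
        return int(value)
    if value == "Unlimited":
        return float("inf")
    if value == "Enabled":
        return True
    if value == "Disabled":
        return False
    return value


def parse_license_block(text):
    """Return {'platform_license': str|None, 'features': {name: value}}.

    Only lines after the 'Licensed features' header are treated as features,
    so the microcode lines above it (which also contain colons) are skipped.
    """
    features = {}
    platform = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        m = PLATFORM_RE.match(line)
        if m:
            platform = m.group("lic")
            continue
        if not in_block or not line:
            continue
        m = LINE_RE.match(line)
        if m:
            features[m.group("key")] = _coerce(m.group("value"))
    return {"platform_license": platform, "features": features}


def ssl_vpn_capacity_ok(parsed, required_peers):
    """True if both the SSL VPN peer cap and the total VPN peer cap cover
    required_peers concurrent sessions (missing keys count as zero)."""
    feats = parsed["features"]
    return (required_peers <= feats.get("SSL VPN Peers", 0)
            and required_peers <= feats.get("Total VPN Peers", 0))


if __name__ == "__main__":
    info = parse_license_block(SAMPLE_SHOW_VERSION)
    print("Platform license:", info["platform_license"])
    print("SSL VPN Peers:", info["features"]["SSL VPN Peers"])
    print("3 concurrent AnyConnect users fit:", ssl_vpn_capacity_ok(info, 3))
```

Run against Tom's output this reports a Base license with 50 SSL VPN peers, so three simultaneous users are well within the license, which is the conclusion the thread reaches next.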

Tom

Thanks for posting the additional information. It shows very clearly that the problem is not an issue about licensing and that you are licensed for 50 concurrent SSL/AnyConnect sessions. So we need to look for some other issue. Perhaps you can post a sanitized version of the configuration?

HTH

Rick


Please follow Richard's suggestion.

Any related error (client or ASA side)?

Does this happen to any connection profile?

Thanks,

No error is displayed on either the client or the ASA; Person A's connection just drops when Person B connects. Just to clarify, this only affects clients connecting from the same external IP.
Here is the config, which I hope I've not stripped too "clean"; as I said, I'm new to Cisco and mostly use the ASDM to do any config:

Result of the command: "show run"

: Saved
:
ASA Version 8.2(2)
!
ip local pool VPNPool 192.168.40.10-192.168.40.90 mask 255.255.255.0
ip verify reverse-path interface External
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 65535 set pfs group1
crypto dynamic-map External_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint5 External
webvpn
 enable External
 enable Internal
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
 svc enable
 tunnel-group-list enable
 java-trustpoint ASDM_TrustPoint6
 internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.1
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 group-lock value DefaultRAGroup
 vlan none
 nac-settings none
group-policy DfltGrpPolicy attributes
 vpn-filter value SplitTunnel
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask none default webvpn
group-policy VPN-Clientless internal
group-policy VPN-Clientless attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol svc webvpn
 group-lock value VPN-Clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
 default-domain value local.com
 vlan none
 webvpn
  url-list value WebMail
  svc dtls enable
  svc keep-installer installed
  svc compression deflate
  svc ask enable default webvpn
  customization value local
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy VPN-Clientless
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization local
tunnel-group VPN-Clientless type remote-access
tunnel-group VPN-Clientless general-attributes
 address-pool VPNPool
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy VPN-Clientless
tunnel-group VPN-Clientless webvpn-attributes
 customization
 group-alias Remote enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect dns DNS_MAP_PC
  inspect ip-options
: end

TBadgerlock
Level 1

Hi, just wondering if anyone has had a chance to look over the config?

Cheers
Tom

Sent from Cisco Technical Support Android App

Tom

I have looked at the config and do not see anything in it that would cause the symptoms that you describe.

Your clarification of the symptoms was helpful. I had been working under the impression that the problem impacted all user sessions and restricted the total number of sessions. It is helpful to know that the problem is actually only in the situation where there are multiple users at the same site and that the existing session is dropped when a different user initiates a new session. My theory is that the ASA sees a session with the existing user and, when a new request is received with the same source address, it assumes that the remote has restarted the client and is requesting a new session. I wonder if there is anything in the logs of the ASA when this happens that could confirm what is happening?

HTH

Rick

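To make the log check Rick suggests concrete, here is an added example (not from the thread, and not a Cisco tool) that scans ASA syslog for the session-assignment and session-disconnect messages and flags exactly this pattern: a session from public IP X torn down within a short window after a different user established a session from the same IP X. The sample lines are constructed; the message layouts assumed are %ASA-6-722051 ("Group <g> User <u> IP <ip> ... assigned to session") and %ASA-4-113019 ("Group = g, Username = u, IP = ip, Session disconnected. ... Reason: r"), as recalled from the ASA syslog reference, so compare the regular expressions against your own device's output before relying on them.

```python
"""Correlate ASA AnyConnect/SSL VPN session events by public source IP.

Added example: flags an existing session being dropped shortly after a
different user connects from the same public address, which is the symptom
described in the thread.  SAMPLE_LOG is constructed (documentation addresses,
made-up users), not a capture from the thread's ASA.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Mar 01 2013 09:00:01 asa %ASA-6-722051: Group <VPN-Clientless> User <alice> IP <203.0.113.10> IPv4 Address <192.168.40.10> IPv6 address <::> assigned to session
Mar 01 2013 09:04:30 asa %ASA-6-722051: Group <VPN-Clientless> User <bob> IP <203.0.113.10> IPv4 Address <192.168.40.11> IPv6 address <::> assigned to session
Mar 01 2013 09:04:32 asa %ASA-4-113019: Group = VPN-Clientless, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:04m:31s, Bytes xmt: 10240, Bytes rcv: 20480, Reason: Lost Service
Mar 01 2013 09:10:00 asa %ASA-6-722051: Group <VPN-Clientless> User <carol> IP <198.51.100.7> IPv4 Address <192.168.40.12> IPv6 address <::> assigned to session
Mar 01 2013 10:30:00 asa %ASA-4-113019: Group = VPN-Clientless, Username = carol, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 1h:20m:00s, Bytes xmt: 999, Bytes rcv: 888, Reason: User Requested
"""

# Timestamp prefix as written by 'logging timestamp' (assumed layout).
TS_RE = r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
CONNECT_RE = re.compile(
    TS_RE + r".*%ASA-\d-722051: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")
DISCONNECT_RE = re.compile(
    TS_RE + r".*%ASA-\d-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
            r"IP = (?P<ip>[^,]*),.*Reason: (?P<reason>.*)$")


def parse_events(text):
    """Return session connect/disconnect events sorted by time.

    Each event is a dict with ts (datetime), kind, user, ip and reason
    (empty for connects).  Lines of any other message ID are ignored.
    """
    events = []
    for line in text.splitlines():
        kind, m = "connect", CONNECT_RE.match(line)
        if not m:
            kind, m = "disconnect", DISCONNECT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S"),
            "kind": kind,
            "user": d["user"],
            "ip": d["ip"],
            "reason": d.get("reason", ""),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_displacements(events, window_seconds=60):
    """Find disconnects that follow, within window_seconds, a connect from the
    same public IP by a *different* user.  Returns tuples of
    (dropped_user, new_user, ip, gap_seconds, reason)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "disconnect":
            continue
        for prior in events[:i]:
            gap = (ev["ts"] - prior["ts"]).total_seconds()
            if (prior["kind"] == "connect" and prior["ip"] == ev["ip"]
                    and prior["user"] != ev["user"] and 0 <= gap <= window_seconds):
                findings.append((ev["user"], prior["user"], ev["ip"], gap, ev["reason"]))
    return findings


if __name__ == "__main__":
    for dropped, newcomer, ip, gap, reason in find_displacements(parse_events(SAMPLE_LOG)):
        print(f"{ip}: {dropped} dropped {gap:.0f}s after {newcomer} connected (reason: {reason})")
```

On the constructed sample this reports alice being dropped two seconds after bob connected from 203.0.113.10, while carol's ordinary disconnect from a different address is not flagged. A run of such hits, all with the same public IP and a short gap, is the evidence Rick is asking Tom to look for; the Reason field on the disconnect line is worth keeping in the output because it distinguishes a gateway-initiated teardown from a client-requested one.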

Hi Rick,

Thank you for the response. I'll endeavour to duplicate the issue and check the logs to see if anything is being logged that can shed some light on what's going on.

Cheers,

Tom

The second thing to try would be newer ASA code. We're up to version 9.1.x. Either 9.0.x or 9.1.x (latest patch) would be a much better choice. There's always the chance you're hitting some very odd bug in a version of ASA code, but this one isn't ringing a bell.

Peter Davis
Cisco Employee

Are you really using AnyConnect version 2.2? (This version is many years old). If so, first step would be to go to the latest 3.1 version (3.1.04072). Please send us your logs at ac-mobile-feedback@cisco.com from the ASA immediately after the drop (we may need to turn on additional debugs if there's nothing in there). The ASA should not have a problem with multiple connections from a single IP, however, some NAT (PAT) devices do not do a very good job in this scenario and end up reusing the same source port which could result in this behavior. I haven't seen this in a very long time, it used to plague a lot of old home PAT devices, especially with IPsec.
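The PAT behaviour Peter describes is what RFC 4787 calls "port overloading" (mapping two inside flows to the same outside IP and port for the same destination), which that RFC forbids precisely because the far end can no longer tell the flows apart. The following added simulation (not from the thread, not Cisco code, and not the ASA's real session logic) models it with two clients behind one public address: a port-preserving PAT with overloading collapses both clients onto one outside 5-tuple, so a gateway keyed on that tuple replaces the first session with the second, while a PAT that allocates a fresh port on collision keeps both sessions alive. All addresses, ports and the session-replacement rule are constructed for illustration.

```python
"""Why port-overloading PAT breaks two VPN clients behind one public IP.

Added illustrative model.  PortPreservingPat keeps the inside source port on
the outside; with overload=True it does so even when that (port, destination)
pair is already in use (RFC 4787 'port overloading', forbidden by REQ-4);
with overload=False it falls back to a free port.  VpnGateway stands in for a
gateway that identifies a session by the outside (src_ip, src_port) it sees;
that replacement rule is an assumption for the model, not ASA behaviour.
"""

# Constructed gateway address and port (documentation range).
GATEWAY = ("198.51.100.1", 443)


class PortPreservingPat:
    def __init__(self, public_ip, overload):
        self.public_ip = public_ip
        self.overload = overload
        self.table = {}          # (inside_ip, inside_port, dst) -> outside_port
        self.next_free = 40000   # start of the fallback port range (constructed)

    def translate(self, inside_ip, inside_port, dst):
        """Return the outside (ip, port) this inside flow is mapped to."""
        key = (inside_ip, inside_port, dst)
        if key in self.table:
            return (self.public_ip, self.table[key])
        in_use = {p for (_, _, d), p in self.table.items() if d == dst}
        port = inside_port
        if port in in_use and not self.overload:
            # Collision: hand out a port no other flow to this dst is using.
            while self.next_free in in_use:
                self.next_free += 1
            port = self.next_free
            self.next_free += 1
        self.table[key] = port
        return (self.public_ip, port)


class VpnGateway:
    """Tracks sessions by the outside source tuple, the only identity a
    gateway has before the tunnel is authenticated."""
    def __init__(self):
        self.sessions = {}   # (src_ip, src_port) -> username
        self.dropped = []    # usernames whose session was replaced

    def connect(self, src, username):
        if src in self.sessions and self.sessions[src] != username:
            # A new connection on an existing tuple replaces the old session
            # (model assumption; this is the symptom seen in the thread).
            self.dropped.append(self.sessions[src])
        self.sessions[src] = username


def run(overload):
    """Two inside hosts, same public IP, same ephemeral source port (constructed
    collision).  Returns (sorted active users, dropped users)."""
    pat = PortPreservingPat("203.0.113.10", overload=overload)
    gw = VpnGateway()
    gw.connect(pat.translate("192.168.1.20", 50000, GATEWAY), "alice")
    gw.connect(pat.translate("192.168.1.21", 50000, GATEWAY), "bob")
    return sorted(gw.sessions.values()), gw.dropped


if __name__ == "__main__":
    print("overloading PAT :", run(overload=True))
    print("compliant PAT   :", run(overload=False))
```

With overloading, the run ends with only bob active and alice dropped, which is the one-session-at-a-time symptom Tom reported; with a compliant PAT both sessions coexist. The practical check on the home router side is whether its NAT is RFC 4787 compliant (port preservation is fine, overloading is not); on the ASA side, the syslog pattern of one user's disconnect following another user's connect from the same address is what would confirm the model.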
