Server 2012 VM not able to Anyconnect to ASA 8.4(5)

I have an outside vendor who is trying to connect via AnyConnect from a Server 2012 virtual machine. The syslogs show the following (XX IP is him, YY IP is our 5520 ASA):

6|Nov 15 2013|16:16:22|106015|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Deny TCP (no connection) from XX.XXX.XXX.XXX/21989 to YY.YYY.YYY.YYY/443 flags FIN ACK  on interface Outside

6|Nov 15 2013|16:16:22|302014|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055500 for Outside:XX.XXX.XXX.XXX/21989 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 137714 TCP Reset-O

6|Nov 15 2013|16:16:22|725007|XX.XXX.XXX.XXX|21989|||SSL session with client Outside:XX.XXX.XXX.XXX/21989 terminated.

6|Nov 15 2013|16:16:22|725002|XX.XXX.XXX.XXX|21989|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21989

6|Nov 15 2013|16:16:22|725003|XX.XXX.XXX.XXX|21989|||SSL client Outside:XX.XXX.XXX.XXX/21989 request to resume previous session.

6|Nov 15 2013|16:16:22|725001|XX.XXX.XXX.XXX|21989|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21989 for TLSv1 session.

6|Nov 15 2013|16:16:22|302013|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055500 for Outside:XX.XXX.XXX.XXX/21989 (XX.XXX.XXX.XXX/21989) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)

6|Nov 15 2013|16:16:20|106015|XX.XXX.XXX.XXX|21987|YY.YYY.YYY.YYY|443|Deny TCP (no connection) from XX.XXX.XXX.XXX/21987 to YY.YYY.YYY.YYY/443 flags FIN ACK  on interface Outside

6|Nov 15 2013|16:16:20|302014|XX.XXX.XXX.XXX|21987|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055464 for Outside:XX.XXX.XXX.XXX/21987 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 656 TCP Reset-O

6|Nov 15 2013|16:16:20|725007|XX.XXX.XXX.XXX|21987|||SSL session with client Outside:XX.XXX.XXX.XXX/21987 terminated.

6|Nov 15 2013|16:16:20|725002|XX.XXX.XXX.XXX|21987|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21987

6|Nov 15 2013|16:16:20|725003|XX.XXX.XXX.XXX|21987|||SSL client Outside:XX.XXX.XXX.XXX/21987 request to resume previous session.

6|Nov 15 2013|16:16:20|725001|XX.XXX.XXX.XXX|21987|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21987 for TLSv1 session.

6|Nov 15 2013|16:16:20|302013|XX.XXX.XXX.XXX|21987|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055464 for Outside:XX.XXX.XXX.XXX/21987 (XX.XXX.XXX.XXX/21987) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)

6|Nov 15 2013|16:16:20|106015|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Deny TCP (no connection) from XX.XXX.XXX.XXX/21986 to YY.YYY.YYY.YYY/443 flags FIN ACK  on interface Outside

6|Nov 15 2013|16:16:20|302014|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055462 for Outside:XX.XXX.XXX.XXX/21986 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 296 TCP Reset-O

6|Nov 15 2013|16:16:20|725007|XX.XXX.XXX.XXX|21986|||SSL session with client Outside:XX.XXX.XXX.XXX/21986 terminated.

6|Nov 15 2013|16:16:20|725002|XX.XXX.XXX.XXX|21986|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21986

6|Nov 15 2013|16:16:20|302014|XX.XXX.XXX.XXX|21985|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055459 for Outside:XX.XXX.XXX.XXX/21985 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 6178 TCP Reset-I

6|Nov 15 2013|16:16:20|725003|XX.XXX.XXX.XXX|21986|||SSL client Outside:XX.XXX.XXX.XXX/21986 request to resume previous session.

6|Nov 15 2013|16:16:20|725001|XX.XXX.XXX.XXX|21986|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21986 for TLSv1 session.

6|Nov 15 2013|16:16:20|302013|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055462 for Outside:XX.XXX.XXX.XXX/21986 (XX.XXX.XXX.XXX/21986) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)

6|Nov 15 2013|16:16:20|725007|XX.XXX.XXX.XXX|21985|||SSL session with client Outside:XX.XXX.XXX.XXX/21985 terminated.

6|Nov 15 2013|16:16:20|725002|XX.XXX.XXX.XXX|21985|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21985

6|Nov 15 2013|16:16:20|725001|XX.XXX.XXX.XXX|21985|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21985 for TLSv1 session.

6|Nov 15 2013|16:16:20|302013|XX.XXX.XXX.XXX|21985|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055459 for Outside:XX.XXX.XXX.XXX/21985 (XX.XXX.XXX.XXX/21985) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)

The ASA is running 8.4(5) code.

The vendor never gets an opportunity to log in with AnyConnect. His Win8 virtual machine works fine. I checked with the Security crew and they do not have any items of interest on the IDSs behind the ASA.

I captured from the ASA "Capture Wizard" with the ingress interface as outside and egress as inside. Wireshark shows either "Ignored Unknown Record" or fragmentation (TCP segment of a reassembled PDU). I see NO return traffic back to his IP from my ASA.

Any help would be appreciated.

Thanks,

Lee
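The log wall in the post is hard to read because the export is newest-first and the two 16:16:20 flows are interleaved. Below is an added example (my own script, not code from the original post or from Cisco) that parses the pipe-delimited export exactly as pasted (severity|date|time|message-id|src|sport|dst|dport|text), groups the events by client address and source port, reverses them into chronological order, and summarises each flow: which TLS version was negotiated, whether the handshake completed, how many bytes moved, and which side's reset tore the connection down. The sample lines are the ones from the post, with the same masked IPs; the newest-first ordering and the meaning of the 302014 teardown reasons ("Reset-I" = reset from the inside, "Reset-O" = reset from the outside) are taken from the ASA syslog documentation. Everything else (function names, the summary keys) is this example's own.

```python
"""Rebuild per-flow timelines from a Cisco ASA syslog export (added example)."""
import re
from collections import defaultdict

# Log lines copied from the post above, newest first, IPs masked as in the post.
SAMPLE_LOG = """\
6|Nov 15 2013|16:16:22|106015|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Deny TCP (no connection) from XX.XXX.XXX.XXX/21989 to YY.YYY.YYY.YYY/443 flags FIN ACK  on interface Outside
6|Nov 15 2013|16:16:22|302014|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055500 for Outside:XX.XXX.XXX.XXX/21989 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 137714 TCP Reset-O
6|Nov 15 2013|16:16:22|725007|XX.XXX.XXX.XXX|21989|||SSL session with client Outside:XX.XXX.XXX.XXX/21989 terminated.
6|Nov 15 2013|16:16:22|725002|XX.XXX.XXX.XXX|21989|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21989
6|Nov 15 2013|16:16:22|725003|XX.XXX.XXX.XXX|21989|||SSL client Outside:XX.XXX.XXX.XXX/21989 request to resume previous session.
6|Nov 15 2013|16:16:22|725001|XX.XXX.XXX.XXX|21989|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21989 for TLSv1 session.
6|Nov 15 2013|16:16:22|302013|XX.XXX.XXX.XXX|21989|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055500 for Outside:XX.XXX.XXX.XXX/21989 (XX.XXX.XXX.XXX/21989) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)
6|Nov 15 2013|16:16:20|106015|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Deny TCP (no connection) from XX.XXX.XXX.XXX/21986 to YY.YYY.YYY.YYY/443 flags FIN ACK  on interface Outside
6|Nov 15 2013|16:16:20|302014|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055462 for Outside:XX.XXX.XXX.XXX/21986 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 296 TCP Reset-O
6|Nov 15 2013|16:16:20|725007|XX.XXX.XXX.XXX|21986|||SSL session with client Outside:XX.XXX.XXX.XXX/21986 terminated.
6|Nov 15 2013|16:16:20|725002|XX.XXX.XXX.XXX|21986|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21986
6|Nov 15 2013|16:16:20|302014|XX.XXX.XXX.XXX|21985|YY.YYY.YYY.YYY|443|Teardown TCP connection 18055459 for Outside:XX.XXX.XXX.XXX/21985 to identity:YY.YYY.YYY.YYY/443 duration 0:00:00 bytes 6178 TCP Reset-I
6|Nov 15 2013|16:16:20|725003|XX.XXX.XXX.XXX|21986|||SSL client Outside:XX.XXX.XXX.XXX/21986 request to resume previous session.
6|Nov 15 2013|16:16:20|725001|XX.XXX.XXX.XXX|21986|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21986 for TLSv1 session.
6|Nov 15 2013|16:16:20|302013|XX.XXX.XXX.XXX|21986|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055462 for Outside:XX.XXX.XXX.XXX/21986 (XX.XXX.XXX.XXX/21986) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)
6|Nov 15 2013|16:16:20|725007|XX.XXX.XXX.XXX|21985|||SSL session with client Outside:XX.XXX.XXX.XXX/21985 terminated.
6|Nov 15 2013|16:16:20|725002|XX.XXX.XXX.XXX|21985|||Device completed SSL handshake with client Outside:XX.XXX.XXX.XXX/21985
6|Nov 15 2013|16:16:20|725001|XX.XXX.XXX.XXX|21985|||Starting SSL handshake with client Outside:XX.XXX.XXX.XXX/21985 for TLSv1 session.
6|Nov 15 2013|16:16:20|302013|XX.XXX.XXX.XXX|21985|YY.YYY.YYY.YYY|443|Built inbound TCP connection 18055459 for Outside:XX.XXX.XXX.XXX/21985 (XX.XXX.XXX.XXX/21985) to identity:YY.YYY.YYY.YYY/443 (YY.YYY.YYY.YYY/443)
"""

# Field layout of the export as pasted: sev|date|time|msgid|src|sport|dst|dport|text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"(?P<src>[^|]*)\|(?P<sport>[^|]*)\|(?P<dst>[^|]*)\|(?P<dport>[^|]*)\|(?P<text>.*)$"
)
TEARDOWN_RE = re.compile(r"duration (\S+) bytes (\d+) (.+)$")  # tail of a 302014 message
TLS_RE = re.compile(r"for (\S+) session")                      # TLS version in a 725001 message

# Teardown reasons as documented for %ASA-6-302014.
RESET_SIDE = {
    "TCP Reset-I": "reset was from the inside",
    "TCP Reset-O": "reset was from the outside (the client side here)",
}


def parse_lines(text):
    """Yield one field dict per well-formed line; skip anything that does not match."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def analyze(text):
    """Group events by client address/port and summarise each flow.

    The export lists newest events first, so the parsed lines are reversed
    to get chronological order before each flow's timeline is built.
    """
    flows = defaultdict(lambda: {
        "events": [], "tls_version": None, "resume_requested": False,
        "handshake_completed": False, "duration": None, "bytes": None,
        "teardown_reason": None, "late_fin_denied": False,
    })
    for ev in reversed(list(parse_lines(text))):
        f = flows[f"{ev['src']}/{ev['sport']}"]
        msgid, txt = ev["msgid"], ev["text"].rstrip()
        f["events"].append(msgid)
        if msgid == "725001":                       # handshake started
            t = TLS_RE.search(txt)
            f["tls_version"] = t.group(1) if t else None
        elif msgid == "725003":                     # client asked to resume a session
            f["resume_requested"] = True
        elif msgid == "725002":                     # handshake completed
            f["handshake_completed"] = True
        elif msgid == "302014":                     # TCP teardown with reason
            t = TEARDOWN_RE.search(txt)
            if t:
                f["duration"], f["bytes"], f["teardown_reason"] = t.group(1), int(t.group(2)), t.group(3)
        elif msgid == "106015" and "FIN" in txt:    # client's FIN arrived after the teardown
            f["late_fin_denied"] = True
    return dict(flows)


def report(flows):
    """Render one two-line summary per flow, sorted by client address/port."""
    out = []
    for key, f in sorted(flows.items()):
        side = RESET_SIDE.get(f["teardown_reason"], f["teardown_reason"] or "no teardown seen")
        out.append(f"{key}: {' -> '.join(f['events'])}")
        out.append(f"  TLS={f['tls_version']} handshake_done={f['handshake_completed']} "
                   f"resume={f['resume_requested']} bytes={f['bytes']} teardown: {side}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Read per flow, the export shows the same shape every time: the ASA builds the connection, completes the TLS handshake, the session is terminated, and the teardown follows within the same second, mostly with "Reset-O" (reset seen on the outside, i.e. from the client) and a stray FIN/ACK that the ASA denies because the connection is already gone. Reading the export this way separates "the ASA never answered" from "the ASA answered and the peer reset", which is the first thing to settle before a packet capture is compared against it.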
