Setup a simple AnyConnect VPN on ASA 5512-x

padair
Level 1

I am replacing an old PIX 515 with an ASA 5512-x because Win8 won't support Cisco VPN Client and PIX won't support new AnyConnect client. (grr!!!)

I have basic setup for an AnyConnect VPN Client and the connection seems to work but a final popup says "AnyConnect was not able to establish a connection to the specified secure gateway.  Please try connecting again." 

Before clicking OK on that pop-up this is what you see when doing a "show vpn-sessiondb svc"

Session Type: AnyConnect

Username     : padair                 Index        : 2
Public IP    : 172.16.1.2
Protocol     : AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 8959                   Bytes Rx     : 1479
Group Policy : pnt-vpn-policy         Tunnel Group : pnt-vpn-tunnel
Login Time   : 14:31:20 UTC Mon Dec 9 2013
Duration     : 0h:05m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

This is why I say it seems to work and I "think" I followed the sample config from the web articles to a tee.

Below is the output from doing "debug webvpn 255" and then attempting a connection.

--- this is what shows in debug when you start up the AnyConnect and try a connection to the outside IP ---

webvpn_allocate_auth_struct: net_handle = 0x00007fffa1d08950
webvpn_portal.c:webvpn_determine_primary_username[6050]
webvpn_portal.c:webvpn_determine_secondary_username[6118]
webvpn_portal.c:ewaFormServe_webvpn_login[2207]
webvpn_portal.c:http_webvpn_kill_cookie[1002]
APP_BUFFER: <option value="pnt-vpn-tunnel" noaaa="0" >PNTVPNClient</option>
webvpn_free_auth_struct: net_handle = 0x00007fffa1d08950
webvpn_allocate_auth_struct: net_handle = 0x00007fffa1d08950
webvpn_free_auth_struct: net_handle = 0x00007fffa1d08950

--- the anyconnect client comes back with the proper group in the drop down and asks for a username and password.

I enter a valid username and password and then click connect

--- this is what shows in debug after entering the proper credentials ---

webvpn_allocate_auth_struct: net_handle = 0x00007fffa1d08aa0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3527]
webvpn_portal.c:webvpn_login_validate_net_handle[2463]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2483]
webvpn_portal.c:webvpn_login_assign_app_next[2501]
webvpn_portal.c:webvpn_login_cookie_check[2518]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2554]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2588]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = pnt-vpn-tunnel
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2650]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2702]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2775]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = pnt-vpn-tunnel
webvpn_portal.c:webvpn_login_negotiate_client_cert[2865]
webvpn_portal.c:webvpn_login_check_cert_status[2962]
webvpn_portal.c:webvpn_login_cert_only[3010]
webvpn_portal.c:webvpn_login_primary_username[3032]
webvpn_portal.c:webvpn_login_primary_password[3111]
webvpn_portal.c:webvpn_login_secondary_username[3143]
webvpn_portal.c:webvpn_login_secondary_password[3218]
webvpn_portal.c:webvpn_login_extra_password[3330]
webvpn_portal.c:webvpn_login_set_cookie_flag[3349]
webvpn_portal.c:webvpn_login_set_auth_group_type[3372]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3450]
webvpn_portal.c:http_webvpn_kill_cookie[1002]
webvpn_auth.c:http_webvpn_pre_authentication[2109]
WebVPN: calling AAA with ewsContext (-1669607040) and nh (-1580168544)!
webvpn_add_auth_handle: auth_handle = 2
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5163]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3527]
webvpn_portal.c:webvpn_login_validate_net_handle[2463]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2483]
webvpn_portal.c:webvpn_login_assign_app_next[2501]
webvpn_portal.c:webvpn_login_cookie_check[2518]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2554]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2588]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = pnt-vpn-tunnel
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2650]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2702]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2775]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2865]
webvpn_portal.c:webvpn_login_check_cert_status[2962]
webvpn_portal.c:webvpn_login_cert_only[3010]
webvpn_portal.c:webvpn_login_primary_username[3032]
webvpn_portal.c:webvpn_login_primary_password[3111]
webvpn_portal.c:webvpn_login_secondary_username[3143]
webvpn_portal.c:webvpn_login_secondary_password[3218]
webvpn_portal.c:webvpn_login_extra_password[3330]
webvpn_portal.c:webvpn_login_set_cookie_flag[3349]
webvpn_portal.c:webvpn_login_set_auth_group_type[3372]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3402]
webvpn_auth.c:http_webvpn_post_authentication[1483]
WebVPN: user: (padair) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2782]
webvpn_session.c:http_webvpn_create_session[205]
webvpn_session.c:http_webvpn_find_session[167]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[167]
webvpn_remove_auth_handle: auth_handle = 2
webvpn_free_auth_struct: net_handle = 0x00007fffa1d08aa0
webvpn_allocate_auth_struct: net_handle = 0x00007fffa1d08aa0
webvpn_free_auth_struct: net_handle = 0x00007fffa1d08aa0
webvpn_allocate_auth_struct: net_handle = 0x00007fffa2562cf0
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
webvpn_session.c:webvpn_update_idle_time[1588]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fffa2562cf0
webvpn_allocate_auth_struct: net_handle = 0x00007fffa2562cf0
webvpn_free_auth_struct: net_handle = 0x00007fffa2562cf0
webvpn_allocate_auth_struct: net_handle = 0x00007fffa210a520
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
webvpn_session.c:webvpn_update_idle_time[1588]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fffa210a520
webvpn_allocate_auth_struct: net_handle = 0x00007fffa210a520
webvpn_free_auth_struct: net_handle = 0x00007fffa210a520
webvpn_allocate_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
webvpn_session.c:webvpn_update_idle_time[1588]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_allocate_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_free_auth_struct: net_handle = 0x00007fff9c7bdb10

---- the popup saying the connection could not be completed now appears.  Prior to hitting OK, this is where you see the connection with the show vpn-sessiondb svc command.  Once you hit "OK" the info below shows in debug. ---

webvpn_allocate_auth_struct: net_handle = 0x00007fffa3826e20
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
webvpn_session.c:webvpn_update_idle_time[1588]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fffa3826e20
webvpn_allocate_auth_struct: net_handle = 0x00007fffa3826e20
webvpn_free_auth_struct: net_handle = 0x00007fffa3826e20
webvpn_allocate_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
WebVPN: session has been authenticated.
webvpn_portal.c:http_webvpn_kill_cookie[1002]
webvpn_auth.c:webvpn_auth[680]
webvpn_session.c:http_webvpn_find_session[167]
WebVPN: session has been authenticated.
webvpn_session.c:http_webvpn_destroy_session[1478]
webvpn_free_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_allocate_auth_struct: net_handle = 0x00007fff9c7bdb10
webvpn_free_auth_struct: net_handle = 0x00007fff9c7bdb10

Here is a copy of my config and sh ver.

pntsi-asa# sh ver

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

pntsi-asa up 33 secs

Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
            ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0    : address is b0fa.eb97.4d18, irq 11
1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.4d1c, irq 10
2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.4d19, irq 10
3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.4d1d, irq 5
4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.4d1a, irq 5
5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.4d1e, irq 10
6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.4d1b, irq 10
7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.4d18, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has a Base license.

Serial Number: FCH1704J1L7
Running Permanent Activation Key: <hidden>


Configuration register is 0x1
Configuration has not been modified since last system restart.
pntsi-asa#
pntsi-asa#
pntsi-asa# sh run
: Saved
:
ASA Version 8.6(1)2
!
hostname pntsi-asa
enable password hidden encrypted
passwd hidden encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.0.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.254.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.192.4 255.255.255.0
management-only
!
ftp mode passive
object network PNT_LAN
subnet 10.0.0.0 255.255.254.0
object network PNT_VPN_LAN
subnet 10.0.1.0 255.255.255.224
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool pnt-vpn-pool 10.0.1.2-10.0.1.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static PNT_LAN PNT_LAN destination static PNT_VPN_LAN PNT_VPN_LAN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint localtrust
enrollment self
fqdn vpn.pntsi.ca
subject-name CN=vpn.pntsi.ca
keypair sslvpn
crl configure
crypto ca certificate chain localtrust
certificate 5d68a552
    308201df 30820148 a0030201 0202045d 68a55230 0d06092a 864886f7 0d010105
    05003034 31153013 06035504 03130c76 706e2e70 6e747369 2e636131 1b301906
    092a8648 86f70d01 0902160c 76706e2e 706e7473 692e6361 301e170d 31333132
    30393038 34303037 5a170d32 33313230 37303834 3030375a 30343115 30130603
    55040313 0c76706e 2e706e74 73692e63 61311b30 1906092a 864886f7 0d010902
    160c7670 6e2e706e 7473692e 63613081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 818100bd 668c7b90 920790eb 58484aa1 d6e8895d 7b9ef93a
    9391f0aa 71e1a6ac 34328b91 700ae038 e9b93610 0eae8462 a42a2f42 43807e40
    03095586 3bbff940 46bb91b2 0da55146 25d2cb21 69318577 58491ee6 c2ec4c24
    d540e42b 82e41a77 8bb600f4 7baf2ff5 b188142d ceadf8a9 6455c130 758e7484
    86f97b52 d0e0ed74 bb5eb102 03010001 300d0609 2a864886 f70d0101 05050003
    81810017 8d7af09f 57bba32c b8080e75 ee8d61f8 6d37d242 75fd8752 314a3795
    200d7c65 f4db0e97 9c434423 7bad844b 550ab354 ab3da494 054128fb 3f9ed52e
    cc8d24b1 12ebc434 c833cd5f c2da6ac1 3680f6db de5c0d2d e37898d3 5e6750de
    4d69318d b68ea422 21eeac86 6d25c80b 3258b9d8 2ef0a146 ed9d1f4f a23d6119 6800f5
  quit
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy pnt-vpn-policy internal
group-policy pnt-vpn-policy attributes
vpn-tunnel-protocol ssl-client
default-domain value pntsi.local
address-pools value pnt-vpn-pool
username padair password <hidden> encrypted privilege 15
username padair attributes
service-type nas-prompt
tunnel-group pnt-vpn-tunnel type remote-access
tunnel-group pnt-vpn-tunnel general-attributes
default-group-policy pnt-vpn-policy
tunnel-group pnt-vpn-tunnel webvpn-attributes
group-alias PNTVPNClient enable
group-url https://vpn.pntsi.ca/PNTVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f1047e7b5d913bb2adedab2e7cf0117a
: end
pntsi-asa# $

Any help would be appreciated.

Thanks, Paul
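The `show vpn-sessiondb svc` output above is worth checking mechanically when comparing a failing client against a working one. As an added example (not part of the original post and not a Cisco tool), the following Python parses that output into one dictionary per session and flags sessions whose Protocol field lists only AnyConnect-Parent: on ASA 8.4 and later a session whose data channel has come up also lists SSL-Tunnel and/or DTLS-Tunnel there and shows an Assigned IP. The first sample is the block from the post; the second (Index 3, Assigned IP 10.0.1.2) is constructed to show what a session with an established tunnel looks like, and its field values are assumed.

```python
import re

# Constructed sample 1: the session block from the post (only the parent session exists).
SAMPLE_PARENT_ONLY = """\
Session Type: AnyConnect

Username     : padair                 Index        : 2
Public IP    : 172.16.1.2
Protocol     : AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 8959                   Bytes Rx     : 1479
Group Policy : pnt-vpn-policy         Tunnel Group : pnt-vpn-tunnel
Login Time   : 14:31:20 UTC Mon Dec 9 2013
Duration     : 0h:05m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# Constructed sample 2 (hypothetical values): a session whose SSL and DTLS tunnels came up.
SAMPLE_TUNNELED = """\
Session Type: AnyConnect

Username     : padair                 Index        : 3
Assigned IP  : 10.0.1.2               Public IP    : 172.16.1.2
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 12034                  Bytes Rx     : 9870
Group Policy : pnt-vpn-policy         Tunnel Group : pnt-vpn-tunnel
Login Time   : 14:40:02 UTC Mon Dec 9 2013
Duration     : 0h:01m:10s
"""

SAMPLE_OUTPUT = SAMPLE_PARENT_ONLY + "\n" + SAMPLE_TUNNELED

# One line can carry two "Label : value" pairs separated by a run of spaces.
# The lookahead stops a value either at the next label or at end of line, so
# values containing colons (Login Time, Duration) survive intact.
FIELD_RE = re.compile(r"(\w[\w /]*?)\s*:\s*(.*?)(?=\s{2,}\w[\w /]*?\s*:\s|\s*$)")

DATA_CHANNELS = ("SSL-Tunnel", "DTLS-Tunnel")


def parse_sessions(text):
    """Split vpn-sessiondb output into one {label: value} dict per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("Session Type:"):
            current = {}
            sessions.append(current)
        if current is None:
            continue
        for label, value in FIELD_RE.findall(line):
            current[label.strip()] = value.strip()
    return sessions


def tunnel_state(session):
    """Summarise whether a parsed session has a data channel (SSL/DTLS tunnel)."""
    protocols = session.get("Protocol", "").split()
    return {
        "user": session.get("Username"),
        "index": session.get("Index"),
        "protocols": protocols,
        "assigned_ip": session.get("Assigned IP"),
        "data_channel_up": any(p in DATA_CHANNELS for p in protocols),
    }


def find_stuck_sessions(text):
    """Sessions that authenticated (parent exists) but never brought a tunnel up."""
    return [s for s in map(tunnel_state, parse_sessions(text)) if not s["data_channel_up"]]


if __name__ == "__main__":
    for s in find_stuck_sessions(SAMPLE_OUTPUT):
        print(f"user {s['user']} index {s['index']}: protocols {s['protocols']} - no data channel")
```

Paste the real output into `SAMPLE_OUTPUT` (or read it from a file) to compare a client that connects against one that fails; a session that only ever shows AnyConnect-Parent has passed authentication but not completed the tunnel negotiation, which narrows the problem to the client side or the path between client and gateway rather than to AAA.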



Julio Carvajal
VIP Alumni

Hello Paul,

I know this is not the solution to the problem because you do not even connect, but as a recommendation use a dedicated IP address for the VPN pool (not used on any of the local network) to avoid routing/ARP issues. Trust me, this happens a LOT.

Now from the ASA configuration perspective everything looks as it should. so we might need to focus on the client side.

Doing some basic research I found :

AnyConnect was not able to establish a connection to the specified secure gateway. 
Please try connecting again.

Description    A network connectivity problem caused a VPN connection attempt to fail after a successful authentication.

Recommended User Response   Retry the VPN connection.

I don't wanna sound kind of stupid, but have you retried it?? Hahaha, I guess you have done it many times.

Can you run it as administrator? Can you disable any antivirus, firewall and test??

Can you deactivate the connection sharing in the control center of Win7.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
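Julio's recommendation is easy to check against a posted configuration. In the config above the pool `10.0.1.2-10.0.1.30` sits inside the `inside` interface subnet `10.0.0.0 255.255.254.0` (10.0.0.0-10.0.1.255), which is exactly the overlap he warns about. As an added example (not from Julio's post, and not a Cisco tool), the following Python parses the relevant lines of an ASA config and reports two things: any `ip local pool` range that falls inside an interface subnet, and any pool that the identity NAT (`nat ... source static ... destination static ...`) does not fully cover. The config excerpt is taken from the post; the corrected pool `10.0.10.0/27` is an assumed replacement value chosen only to show what a clean result looks like.

```python
import ipaddress
import re

# Constructed excerpt of the configuration from the post (only the lines this check needs).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.254.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.192.4 255.255.255.0
 management-only
!
object network PNT_LAN
 subnet 10.0.0.0 255.255.254.0
object network PNT_VPN_LAN
 subnet 10.0.1.0 255.255.255.224
ip local pool pnt-vpn-pool 10.0.1.2-10.0.1.30 mask 255.255.255.224
nat (inside,outside) source static PNT_LAN PNT_LAN destination static PNT_VPN_LAN PNT_VPN_LAN
"""

# Assumed correction: the same config with the pool (and the NAT object that covers it)
# moved to a subnet that is not used on any interface.
FIXED_CONFIG = (
    ASA_CONFIG
    .replace("10.0.1.2-10.0.1.30", "10.0.10.2-10.0.10.30")
    .replace("subnet 10.0.1.0 255.255.255.224", "subnet 10.0.10.0 255.255.255.224")
)

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
NAT_RE = re.compile(r"nat \([^)]+\) source static (\S+) \S+ destination static (\S+) \S+")


def parse_config(text):
    """Collect interface subnets, network objects, local pools and identity-NAT pairs."""
    cfg = {"ifaces": {}, "objects": {}, "pools": {}, "nat_exempt": []}
    state = (None, None)  # ("iface", nameif) while inside an interface block, ("object", name) inside an object
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            state = ("iface", None)
        elif line.startswith("object network "):
            state = ("object", line.split()[2])
        elif line.startswith("nameif ") and state[0] == "iface":
            state = ("iface", line.split()[1])
        elif line.startswith("ip address ") and state[0] == "iface" and state[1]:
            _, _, ip, mask = line.split()[:4]
            cfg["ifaces"][state[1]] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("subnet ") and state[0] == "object":
            _, net, mask = line.split()
            cfg["objects"][state[1]] = ipaddress.ip_network(f"{net}/{mask}")
        elif line.startswith("ip local pool "):
            name, first, last = POOL_RE.match(line).groups()
            # A pool is an address range; represent it as the minimal set of CIDR blocks.
            cfg["pools"][name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif line.startswith("nat ") and NAT_RE.match(line):
            cfg["nat_exempt"].append(NAT_RE.match(line).groups())
        elif line == "!":
            state = (None, None)
    return cfg


def check_vpn_pools(cfg):
    """Return human-readable findings; an empty list means the pools look sane."""
    findings = []
    for pool_name, pool_nets in cfg["pools"].items():
        for nameif, iface in cfg["ifaces"].items():
            if any(n.overlaps(iface.network) for n in pool_nets):
                findings.append(f"pool {pool_name} overlaps the {nameif} subnet {iface.network}")
        covered = any(
            dst in cfg["objects"] and all(n.subnet_of(cfg["objects"][dst]) for n in pool_nets)
            for _src, dst in cfg["nat_exempt"]
        )
        if not covered:
            findings.append(f"pool {pool_name} is not fully covered by an identity-NAT destination object")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", ASA_CONFIG), ("corrected config", FIXED_CONFIG)):
        print(label, "->", check_vpn_pools(parse_config(text)) or ["no findings"])
```

Once the pool is moved off the inside subnet, the inside hosts (or their default gateway) need a route for the new pool subnet pointing at the ASA inside address, otherwise return traffic to VPN clients has nowhere to go; the NAT exemption object has to follow the pool as well, which is why the check covers both.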

Thanks for the reply Jcarvaja.  I have definitely tried re-connecting. I have disabled Windows Firewall and Windows Defender and no other security software is in place.  The OS is Windows 8.1 on a Surface Pro.  I'm not sure what or if there is an equivalent to "deactivate the connection sharing" for Win8.

Paul,

What version of the anyconnect client are you using on the Windows 8.1?

Also, did you try testing this on Windows 8?

Regards,

Aseem

Version 2.5.2014.  I have not tried it on Win8 first.

That version 2.5.2014 definitely does not support Windows 8.

I have successfully used the 3.1.04072 suggested by Aseem with Windows 8.1

Paul,

The AnyConnect 3.1.04072 supports Windows 8.1. Try and use that one if possible. Also, it is always better to upload the latest client version on the ASA as well.

Regards,

Aseem
