Cisco Support Community
New Member

Unable to connect to ASA 5505 with AnyConnect after upgrading to 8.2

I just purchased an AnyConnect Essentials VPN License for my ASA 5505.  I had to upgrade to ASA 8.2.

Now that I have upgraded and installed the license, the AnyConnect client will no longer connect.  It gives the following error:  "Unable to process response".

Any help you can provide would be much appreciated.  I am happy to provide any configuration information that would be helpful if you can provide the CLI commands you would like me to execute.

12 REPLIES
Cisco Employee

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Have you enabled the anyconnect essential feature yet?

The commands are:

webvpn
    anyconnect-essentials

Hope that helps.

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

I believe it is enabled:

lunch-officegw-01# show run webvpn
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2 regex "Windows NT"
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 4 regex "Linux"
svc enable
tunnel-group-list enable

Cisco Employee

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Did you try to connect via browser or with the AnyConnect client itself?

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Both seem not to be working.  :-(

Cisco Employee

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Can you please try to disable and reenable the webvpn and test it again:

webvpn
  no enable outside
  enable outside

If it's still not working, might need to have a look at the whole config.

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

I gave that a try:

lunch-officegw-01(config)# webvpn
lunch-officegw-01(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
lunch-officegw-01(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.

But no luck so far.  I did notice a few other things have changed since I upgraded to 8.2 and added the anyconnect-essentials license.

When I try to load ASDM (https://10.88.1.254/admin/public/index.html), Firefox tells me this:

Secure Connection Failed

An error occurred during a connection to 10.88.1.254.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

When I connect with PuTTY, it throws up a warning dialog that says:

The first cipher supported by the server is single-DES, which is below the configured warning threshold.

So it seems like something got messed up in the configuration along the way, but I don't know what it is.

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Any ideas?

Cisco Employee

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Ahh, yes, check your show version, and see if 3DES is enabled. If not, you might want to activate the 3DES license. Can be requested from the following:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

(Click on Cisco ASA 3DES/AES License)

You might want to check if DES encryption works with the following command:

ssl encryption des-sha1

Once you have enabled the 3DES license, you can change the command to the following:

ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

I am able to launch ASDM now, but I still get the warning message from PuTTY.

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Jennifer, thank you so much for your help.  ASDM and AnyConnect clients are now working!  :-)

The only lingering configuration issue from the upgrade is the PuTTY warning about single DES that I mentioned.  Do you know what is causing that?

Cisco Employee

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Seems like it doesn't like DES too much, you can change the cipher to "not" include DES in your policy:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

DES in general isn't very secure anyway, and the above cipher choices will provide you with better encryption policy.

Hope that helps.
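
An added example (not part of the thread and not Cisco code): a small Python check that reads saved "show running-config" and "show version" text and reports which entries on the "ssl encryption" line are weak or depend on a 3DES/AES license that is not enabled. The sample text is constructed; the "VPN-3DES-AES" line format and the weak keywords other than des-sha1 are assumptions about ASA 8.x.

```python
import re

# "ssl encryption" keywords. des-sha1 is the one the thread removes; the other
# weak entries are assumed ASA 8.x keywords, listed so they are flagged too.
WEAK = {"des-sha1", "null-sha1", "rc4-md5", "rc4-sha1"}
NEEDS_3DES_AES = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

def parse_ssl_encryption(running_config):
    """Return the ciphers on the 'ssl encryption' line, in configured order."""
    for line in running_config.splitlines():
        m = re.match(r"\s*ssl encryption\s+(\S.*)$", line)
        if m:
            return m.group(1).split()
    return []  # no explicit 'ssl encryption' line in the config

def has_3des_aes_license(show_version):
    """True if 'show version' reports the VPN-3DES-AES feature as Enabled."""
    m = re.search(r"^\s*VPN-3DES-AES\s*:\s*(\w+)", show_version, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enabled"

def audit(running_config, show_version):
    """List problems with the configured SSL ciphers given the license state."""
    licensed = has_3des_aes_license(show_version)
    findings = []
    for cipher in parse_ssl_encryption(running_config):
        if cipher in WEAK:
            findings.append(f"weak cipher offered: {cipher}")
        elif cipher not in NEEDS_3DES_AES:
            findings.append(f"unrecognized cipher keyword: {cipher}")
        elif not licensed:
            findings.append(f"{cipher} needs the 3DES/AES license, which is not enabled")
    return findings

# Constructed sample text (not captured from a real device).
LICENSED = "VPN-DES                      : Enabled\nVPN-3DES-AES                 : Enabled\n"
UNLICENSED = "VPN-DES                      : Enabled\nVPN-3DES-AES                 : Disabled\n"
INTERIM = "webvpn\n enable outside\nssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1\n"
FINAL = "webvpn\n enable outside\nssl encryption 3des-sha1 aes128-sha1 aes256-sha1\n"

if __name__ == "__main__":
    cases = [("interim", INTERIM, LICENSED), ("final", FINAL, LICENSED),
             ("final, no license", FINAL, UNLICENSED)]
    for name, cfg, ver in cases:
        print(name, "->", audit(cfg, ver) or "ok")
```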

New Member

Re: Unable to connect to ASA 5505 with AnyConnect after upgradin

Thanks.  I am back in business!
