Anyconnect Connection Failures

ToryDav
Building a reputation

Anyconnect Connection Failures

Hi All,

Having some issues with Anyconnect on MX 64 (MX 17.6). I have a very basic Anyconnect setup. Below is a diagram of how I have my MX setup in a lab setting. I put static NAT in my router to port forward a custom port for Anyconnect using 8443. AAA is set to use Meraki Cloud Authentication. Client Anyconnect version is 4.10~
ToryDav_0-1652894674210.png

When I connect I do get a login prompt but after successful Auth the connection fails.

ToryDav_2-1652894948854.png
ToryDav_3-1652894957769.png

At this point it stalls for a few and then the following two popup errors are displayed

ToryDav_4-1652894994015.png

This happens everytime I get through the login.

Anyone have this issue? I did a packet capture and look through the event logs but I can't see what is causing the connection failure. 

EDIT: I did finally find something in the event log that shows a possible clue:

May 18 13:38:17 AnyConnect VPN connection eventmsg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] Connection closed.
May 18 13:38:08 AnyConnect VPN session eventmsg: Sess-ID[5] Peer IP=X.X.X.X User[torydav@...]: Session connected. Session Type: SSL
May 18 13:38:08 AnyConnect VPN session eventmsg: Sess-ID[2] Peer IP=X.X.X.X User[torydav@...]: Session disconnected. Session Type: SSL, Duration: 0d:00h:33m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: Port Suspended
May 18 13:38:08 AnyConnect VPN authentication successmsg: Peer IP=X.X.X.X Peer port=48571 AAA[6]: AAA authentication successful
May 18 13:38:02 AnyConnect VPN connection eventmsg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] SSL connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384




Thoughts?

10 Replies 10
ToryDav
Building a reputation

Client Message History:

1:37:59 PM Contacting https://X.X.X.X:8443.
1:38:07 PM User credentials entered.
1:38:07 PM Please respond to banner.
1:38:09 PM User accepted banner.
1:38:09 PM Establishing VPN session...
1:38:09 PM The AnyConnect Downloader is performing update checks...
1:38:09 PM Checking for profile updates...
1:38:09 PM Checking for customization updates...
1:38:09 PM Performing any required updates...
1:38:09 PM The AnyConnect Downloader updates have been completed.
1:38:09 PM Establishing VPN - Initiating connection...
1:38:10 PM Establishing VPN session...
1:38:16 PM Disconnect in progress, please wait...
1:38:16 PM Connection attempt has failed.
1:38:16 PM Ready to connect.

PhilipDAth
Kind of a big deal
Kind of a big deal

Does the router have any ACLs on it that might be limited the traffic?

Gianfranco
Comes here often

Hi,

 

As I understand, you forwarded the port 8443  ?  I did some tests with Anyconnect and the Mx and taking a trace on the VPN client, the port used is the 443 and not the 8443.

Did you tested also with the 443 ?

 

regards

PhilipDAth
Kind of a big deal
Kind of a big deal

As long as AnyConnect is configured to use port 8443 it should work fine.

 

I've used others ports lots of times, but not on an MX64.

Gianfranco
Comes here often

Hi,

 

should be then possible to change the port in the client annyconnect ?   if yes do you know how ? 

 

thx

PhilipDAth
Kind of a big deal
Kind of a big deal

In the client just add :port to the connection string.

Gianfranco
Comes here often

even if we've a hostname instead a IP ?  so we can add as :  hostname:8443  ?  

PhilipDAth
Kind of a big deal
Kind of a big deal

Correct.

Gianfranco
Comes here often

Thanks, that's works

 

OVERKILL
Building a reputation

I'm wondering if it has to do with the 13:38:08 entry with peer port 48571. If that is also not getting forwarded, I suspect traffic can't get through and the connection is dropped.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels