Anyconnect Connection Failures
Hi All,
Having some issues with AnyConnect on MX 64 (MX 17.6). I have a very basic AnyConnect setup. Below is a diagram of how I have my MX set up in a lab setting. I put static NAT in my router to port forward a custom port for AnyConnect using 8443. AAA is set to use Meraki Cloud Authentication. Client AnyConnect version is 4.10~
When I connect I do get a login prompt but after successful Auth the connection fails.
At this point it stalls for a few and then the following two popup errors are displayed
This happens every time I get through the login.
Anyone have this issue? I did a packet capture and looked through the event logs, but I can't see what is causing the connection failure.
EDIT: I did finally find something in the event log that shows a possible clue:
May 18 13:38:17 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] Connection closed. | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[5] Peer IP=X.X.X.X User[torydav@...]: Session connected. Session Type: SSL | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[2] Peer IP=X.X.X.X User[torydav@...]: Session disconnected. Session Type: SSL, Duration: 0d:00h:33m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: Port Suspended | |
May 18 13:38:08 | AnyConnect VPN authentication success | msg: Peer IP=X.X.X.X Peer port=48571 AAA[6]: AAA authentication successful | |
May 18 13:38:02 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] SSL connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384 |
Thoughts?
Labels: Client VPN
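To make the five event-log lines above easier to read, here is an added example (not code from the original post or from Meraki) that parses them, puts them back in chronological order (the dashboard shows newest first), ties the session events to the TCP connection by timestamp, and reports how far the connection got before it was closed. The log format is assumed to be exactly what the post shows; the redacted peer IP and username are left as they appear.

```python
import re
from datetime import datetime

# Constructed sample input: the event-log lines quoted in the post, newest first.
SAMPLE_LOG = """\
May 18 13:38:17 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] Connection closed. | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[5] Peer IP=X.X.X.X User[torydav@...]: Session connected. Session Type: SSL | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[2] Peer IP=X.X.X.X User[torydav@...]: Session disconnected. Session Type: SSL, Duration: 0d:00h:33m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: Port Suspended | |
May 18 13:38:08 | AnyConnect VPN authentication success | msg: Peer IP=X.X.X.X Peer port=48571 AAA[6]: AAA authentication successful | |
May 18 13:38:02 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] SSL connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384 |
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \| (?P<kind>[^|]+?) \| msg: (?P<msg>.*?)[\s|]*$"
)

# Message fragments mapped to stage names, in the order a healthy connection passes through them.
STAGES = [
    ("SSL connection established", "tls_established"),
    ("AAA authentication successful", "auth_ok"),
    ("Session connected", "session_connected"),
    ("Session disconnected", "session_disconnected"),
    ("Connection closed", "conn_closed"),
]

FIELD_PATTERNS = {
    "peer_port": r"Peer port=(\d+)",
    "server_port": r"Server port=(\d+)",
    "conn_id": r"conn_id\[(\d+)\]",
    "sess_id": r"Sess-ID\[(\d+)\]",
    "bytes_xmt": r"Bytes xmt: (\d+)",
    "bytes_rcv": r"Bytes rcv: (\d+)",
}


def parse_line(line):
    """Parse one dashboard event-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ev = {
        # The log has no year; strptime defaults to 1900, which is fine for ordering same-day events.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "kind": m.group("kind").strip(),
        "stage": next((name for text, name in STAGES if text in msg), "other"),
        "msg": msg,
    }
    for key, pat in FIELD_PATTERNS.items():
        hit = re.search(pat, msg)
        if hit:
            ev[key] = int(hit.group(1))
    reason = re.search(r"Reason: ([^|]+)", msg)
    if reason:
        ev["reason"] = reason.group(1).strip()
    dur = re.search(r"Duration: (\d+)d:(\d+)h:(\d+)m:(\d+)s", msg)
    if dur:
        d, h, mi, s = map(int, dur.groups())
        ev["duration_s"] = ((d * 24 + h) * 60 + mi) * 60 + s
    return ev


def analyze(log_text):
    """Order the events, group them per TCP connection (client source port) and summarise."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e), key=lambda e: e["ts"])
    conns = {}
    for ev in events:
        if "peer_port" in ev:  # connection and AAA events carry the client's source port
            conns.setdefault(ev["peer_port"], []).append(ev)
    # Session events carry Sess-ID and user but no peer port: attach a "Session connected"
    # to the connection whose AAA success is logged in the same second.
    for ev in events:
        if ev["stage"] == "session_connected":
            for evs in conns.values():
                auth = next((e for e in evs if e["stage"] == "auth_ok"), None)
                if auth and abs((ev["ts"] - auth["ts"]).total_seconds()) <= 1:
                    evs.append(ev)
                    evs.sort(key=lambda e: e["ts"])  # stable, keeps auth before session
    report = {"events": events, "connections": {}, "sessions": {}}
    for port, evs in conns.items():
        first = {}
        for e in evs:
            first.setdefault(e["stage"], e["ts"])
        have = first.keys()
        report["connections"][port] = {
            "server_port": evs[0].get("server_port"),
            "stages": [e["stage"] for e in evs],
            "closed_after_s": (first["conn_closed"] - first["tls_established"]).total_seconds()
            if {"conn_closed", "tls_established"} <= have else None,
            "closed_after_session_s": (first["conn_closed"] - first["session_connected"]).total_seconds()
            if {"conn_closed", "session_connected"} <= have else None,
        }
    for ev in events:
        if ev["stage"] == "session_disconnected":
            report["sessions"][ev["sess_id"]] = {k: ev.get(k) for k in ("reason", "duration_s", "bytes_xmt", "bytes_rcv")}
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for port, c in r["connections"].items():
        print(f"peer port {port} -> server port {c['server_port']}: {' > '.join(c['stages'])}; "
              f"closed {c['closed_after_s']:.0f}s after TLS, {c['closed_after_session_s']:.0f}s after session connected")
    for sid, s in r["sessions"].items():
        print(f"Sess-ID {sid} disconnected: reason '{s['reason']}', {s['bytes_xmt']}/{s['bytes_rcv']} bytes over {s['duration_s']}s")
```

Run on the posted lines, it shows that the connection on peer port 48571 completed the TLS handshake on server port 8443, passed AAA, reached "Session connected" and was closed nine seconds later, while the stale Sess-ID 2 was torn down with reason "Port Suspended" having moved no bytes in 33 minutes. That only narrows where in the sequence the failure sits; it does not by itself say why the tunnel was closed.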
Client Message History:
1:37:59 PM Contacting https://X.X.X.X:8443.
1:38:07 PM User credentials entered.
1:38:07 PM Please respond to banner.
1:38:09 PM User accepted banner.
1:38:09 PM Establishing VPN session...
1:38:09 PM The AnyConnect Downloader is performing update checks...
1:38:09 PM Checking for profile updates...
1:38:09 PM Checking for customization updates...
1:38:09 PM Performing any required updates...
1:38:09 PM The AnyConnect Downloader updates have been completed.
1:38:09 PM Establishing VPN - Initiating connection...
1:38:10 PM Establishing VPN session...
1:38:16 PM Disconnect in progress, please wait...
1:38:16 PM Connection attempt has failed.
1:38:16 PM Ready to connect.
Does the router have any ACLs on it that might be limiting the traffic?
Hi,
As I understand it, you forwarded port 8443? I did some tests with AnyConnect and the MX and, taking a trace on the VPN client, the port used is 443 and not 8443.
Did you also test with 443?
regards
As long as AnyConnect is configured to use port 8443 it should work fine.
I've used other ports lots of times, but not on an MX64.
Hi,
should it then be possible to change the port in the AnyConnect client? If yes, do you know how?
thx
In the client just add :port to the connection string.
even if we have a hostname instead of an IP? So we can add it as: hostname:8443?
Correct.
Thanks, that works.
I'm wondering if it has to do with the 13:38:08 entry with peer port 48571. If that is also not getting forwarded, I suspect traffic can't get through and the connection is dropped.