Hi All,
Having some issues with AnyConnect on MX64 (MX 17.6). I have a very basic AnyConnect setup. Below is a diagram of how I have my MX set up in a lab setting. I put a static NAT in my router to port forward a custom port for AnyConnect using 8443. AAA is set to use Meraki Cloud Authentication. Client AnyConnect version is 4.10~
When I connect I do get a login prompt, but after successful auth the connection fails.
At this point it stalls for a few and then the following two popup errors are displayed.
This happens every time I get through the login.
Anyone have this issue? I did a packet capture and looked through the event logs, but I can't see what is causing the connection failure.
EDIT: I did finally find something in the event log that shows a possible clue:
May 18 13:38:17 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] Connection closed. | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[5] Peer IP=X.X.X.X User[torydav@...]: Session connected. Session Type: SSL | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[2] Peer IP=X.X.X.X User[torydav@...]: Session disconnected. Session Type: SSL, Duration: 0d:00h:33m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: Port Suspended | |
May 18 13:38:08 | AnyConnect VPN authentication success | msg: Peer IP=X.X.X.X Peer port=48571 AAA[6]: AAA authentication successful | |
May 18 13:38:02 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] SSL connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384 |
Thoughts?
Client Message History:
1:37:59 PM Contacting https://X.X.X.X:8443.
1:38:07 PM User credentials entered.
1:38:07 PM Please respond to banner.
1:38:09 PM User accepted banner.
1:38:09 PM Establishing VPN session...
1:38:09 PM The AnyConnect Downloader is performing update checks...
1:38:09 PM Checking for profile updates...
1:38:09 PM Checking for customization updates...
1:38:09 PM Performing any required updates...
1:38:09 PM The AnyConnect Downloader updates have been completed.
1:38:09 PM Establishing VPN - Initiating connection...
1:38:10 PM Establishing VPN session...
1:38:16 PM Disconnect in progress, please wait...
1:38:16 PM Connection attempt has failed.
1:38:16 PM Ready to connect.
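As an added illustration (not part of the original post): a small parser for the dashboard event lines quoted above that rebuilds them in chronological order and flags the zero-byte "Port Suspended" disconnect and the TCP connection closed a few seconds after AAA success. The embedded log is the five lines from the post, used here as a constructed sample; the field names and the checks in diagnose() are my own, not anything from Meraki.

```python
import re
from datetime import datetime

# Constructed sample: the five dashboard lines quoted in the post (peer IP masked as in the original).
SAMPLE_LOG = """\
May 18 13:38:17 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] Connection closed. | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[5] Peer IP=X.X.X.X User[torydav@...]: Session connected. Session Type: SSL | |
May 18 13:38:08 | AnyConnect VPN session event | msg: Sess-ID[2] Peer IP=X.X.X.X User[torydav@...]: Session disconnected. Session Type: SSL, Duration: 0d:00h:33m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: Port Suspended | |
May 18 13:38:08 | AnyConnect VPN authentication success | msg: Peer IP=X.X.X.X Peer port=48571 AAA[6]: AAA authentication successful | |
May 18 13:38:02 | AnyConnect VPN connection event | msg: Server IP=10.10.40.19 Server port=8443 Prot[TCP] Peer IP=X.X.X.X Peer port=48571 conn_id[4] SSL connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384 |
"""

FIELD_RES = {  # optional fields pulled from the free-text msg part
    "peer_port": r"Peer port=(\d+)", "conn_id": r"conn_id\[(\d+)\]",
    "sess_id": r"Sess-ID\[(\d+)\]", "reason": r"Reason: ([^,]+)",
    "bytes_xmt": r"Bytes xmt: (\d+)", "bytes_rcv": r"Bytes rcv: (\d+)",
}

def parse_line(line):
    """Split one 'time | event | msg: ... | |' line into a dict; None if not that shape."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 3 or not parts[2].startswith("msg:"):
        return None
    rec = {"ts": datetime.strptime(parts[0], "%b %d %H:%M:%S"), "event": parts[1], "msg": parts[2][4:].strip()}
    for key, pat in FIELD_RES.items():
        m = re.search(pat, rec["msg"])
        rec[key] = m.group(1).strip() if m else None
    return rec

def timeline(log_text):
    """The dashboard lists newest first; return records oldest first (stable on equal timestamps)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    recs.reverse()
    recs.sort(key=lambda r: r["ts"])
    return recs

def diagnose(log_text):
    """Flag sessions that ended with no data, and TCP connections closed soon after AAA success."""
    findings, auth_at = [], {}  # auth_at: peer port -> time AAA succeeded
    for r in timeline(log_text):
        if "Session disconnected" in r["msg"] and r["bytes_xmt"] == "0" and r["bytes_rcv"] == "0":
            findings.append(f"Sess-ID {r['sess_id']} moved no data; reason: {r['reason']}")
        elif "authentication successful" in r["msg"]:
            auth_at[r["peer_port"]] = r["ts"]
        elif "Connection closed" in r["msg"] and r["peer_port"] in auth_at:
            gap = (r["ts"] - auth_at[r["peer_port"]]).total_seconds()
            findings.append(f"conn_id {r['conn_id']} closed {gap:.0f}s after auth from peer port {r['peer_port']}")
    return findings
```

Paste a longer export of the AnyConnect event lines into diagnose() to see whether every failed attempt shows the same zero-byte disconnect and close-after-auth pattern.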
Does the router have any ACLs on it that might be limiting the traffic?
Hi,
As I understand it, you forwarded port 8443? I did some tests with AnyConnect and the MX, and taking a trace on the VPN client, the port used is 443 and not 8443.
Did you also test with 443?
Regards
As long as AnyConnect is configured to use port 8443 it should work fine.
I've used other ports lots of times, but not on an MX64.
Hi,
Should it then be possible to change the port in the AnyConnect client? If yes, do you know how?
thx
In the client just add :port to the connection string.
Even if we have a hostname instead of an IP? So we can add it as hostname:8443?
Correct.
Thanks, that works.
I'm wondering if it has to do with the 13:38:08 entry with peer port 48571. If that is also not getting forwarded, I suspect traffic can't get through and the connection is dropped.