Re: Cisco AnyConnect Problems with ASA...

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Sep 19 2008 - 16:24:14 ART


That is only true for the IOS SSL VPN and not the ASA. Here is a working
debug for the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#tshoot

Tim, can you post your relevant configs?

Regards

Farrukh

On Fri, Sep 19, 2008 at 7:38 PM, <armylegionmedic@aol.com> wrote:

> I had the same exact issue 2 days ago. Here is how I corrected it.
>
> Configuring Address Pools for Nondirectly Connected Networks:
>
> If you need to configure an address pool for IP addresses from a network
> that is not directly connected, perform the following steps:
>
> 1. Create a local loopback interface and configure it with an IP address and
> subnet mask from the address pool.
>
> 2. Configure the address pool with the ip local pool command. The range of
> addresses must fall under the subnet mask configured in step 1.
>
> 3. Configure the svc address-pool command with the name configured in step 2.
>
>
> http://www.cisco.com/en/US/partner/products/ps6441/products_feature_guide09186a00805eeaea.html#wp1358074
>
>
> -----Original Message-----
> From: Tim Curci <timcurci@roadrunner.com>
> To: ccielab@groupstudy.com
> Sent: Fri, 19 Sep 2008 9:27 am
> Subject: Cisco AnyConnect Problems with ASA...
>
>
>
> I receive the following pop-up when I attempt to establish an AnyConnect SSL
> session to an ASA.
>
>
> Cisco AnyConnect VPN Client
>
> An error was received from the secure gateway in response to the VPN
> negotiation request. Please contact your network administrator.
>
> The following message was received from the remote VPN device. No assigned
> address.
>
>
> I do have an address pool assigned to the group in the ASA config.
>
>
> Debug Output from the ASA is below
>
> Not calling vpn_remove_uauth: not IPv4!
> webvpn_svc_np_tear_down: no ACL
> webvpn_svc_np_tear_down: no IPv6 ACL
> webvpn_rx_data_tunnel_connect
> CSTP state = HEADER_PROCESSING
> http_parse_cstp_method()
> ...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
> webvpn_cstp_parse_request_field()
> ...input: 'Host: brittonout.obg.com'
> Processing CSTP header line: 'Host: xxxxxxx.xxxxxx.com"
> webvpn_cstp_parse_request_field()
> ...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0136'
> Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0136'
> Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 2.2.0136'
> webvpn_cstp_parse_request_field()
> ...input: 'Cookie: webvpn=565571907@229376@1221840846@24614B2F8D4285A4B45A3E915C3DF64AACDD80AB'
> Processing CSTP header line: 'Cookie: webvpn=565571907@229376@1221840846@24614B2F8D4285A4B45A3E915C3DF64AACDD80AB'
> Found WebVPN cookie: 'webvpn=565571907@229376@1221840846@24614B2F8D4285A4B45A3E915C3DF64AACDD80AB'
> WebVPN Cookie: 'webvpn=565571907@229376@1221840846@24614B2F8D4285A4B45A3E915C3DF64AACDD80AB'
> IPADDR: '565571907', INDEX: '229376', LOGIN: '1221840846'
> webvpn_cstp_parse_request_field()
> ...input: 'X-CSTP-Version: 1'
> Processing CSTP header line: 'X-CSTP-Version: 1'
> Setting version to '1'
> webvpn_cstp_parse_request_field()
> ...input: 'X-CSTP-Hostname: BUBBA'
> Processing CSTP header line: 'X-CSTP-Hostname: BUBBA'
> Setting hostname to: 'BUBBA'
> webvpn_cstp_parse_request_field()
> ...input: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
> Processing CSTP header line: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
> webvpn_cstp_parse_request_field()
> ...input: 'X-CSTP-MTU: 1206'
> Processing CSTP header line: 'X-CSTP-MTU: 1206'
> webvpn_cstp_parse_request_field()
> ...input: 'X-CSTP-Address-Type: IPv4'
> Processing CSTP header line: 'X-CSTP-Address-Type: IPv4'
> webvpn_cstp_parse_request_field()
> ...input: 'X-DTLS-Master-Secret: ECD62B2221BB8DC2303D6D655ABEF5BD35A38591DB243A9EE977CF8D063004A5E466C596AD7534923B0B49653BD881AF'
> Processing CSTP header line: 'X-DTLS-Master-Secret: ECD62B2221BB8DC2303D6D655ABEF5BD35A38591DB243A9EE977CF8D063004A5E466C596AD7534923B0B49653BD881AF'
> webvpn_cstp_parse_request_field()
> ...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
> Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
> Validating address: 0.0.0.0
> CSTP state = WAIT_FOR_ADDRESS
> webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
> webvpn_cstp_accept_address: no address?!?
> CSTP state = HAVE_ADDRESS
> No assigned address
> webvpn_cstp_send_error: 503 Service Unavailable
> CSTP state = ERROR
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:19 ART
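
The failure path in the quoted ASA debug (address 0.0.0.0, then "No assigned address", then a 503) can be picked out of such a trace mechanically. The following Python is an added example, not part of the original thread or of any Cisco tool: it tracks the CSTP state changes and masks the Cookie and X-DTLS-Master-Secret values, which the debug prints in clear. It assumes wrapped log lines have been rejoined; the function name `analyze` and the sample trace are constructed for illustration.

```python
import re

# Constructed sample in the shape of the debug output quoted in the thread;
# the cookie and master-secret values are made up.
SAMPLE = """\
> CSTP state = HEADER_PROCESSING
> ...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
> ...input: 'Cookie: webvpn=1@2@3@AAAABBBBCCCCDDDD'
> ...input: 'X-CSTP-Address-Type: IPv4'
> ...input: 'X-DTLS-Master-Secret: 00112233445566778899AABBCCDDEEFF'
> Validating address: 0.0.0.0
> CSTP state = WAIT_FOR_ADDRESS
> webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
> CSTP state = HAVE_ADDRESS
> No assigned address
> webvpn_cstp_send_error: 503 Service Unavailable
> CSTP state = ERROR
"""

SECRET_HEADERS = {"cookie", "x-dtls-master-secret"}  # never repost these values
STATE_RE = re.compile(r"^CSTP state = (\w+)")
HEADER_RE = re.compile(r"^\.\.\.input: '([A-Za-z-]+):\s*(.*)'$")
ADDR_RE = re.compile(r"^webvpn_cstp_accept_address: (\S+)/(\S+)")
ERROR_RE = re.compile(r"^webvpn_cstp_send_error: (.+)")

def analyze(trace):
    """Summarise a CSTP debug trace: states, headers (secrets masked), outcome."""
    result = {"states": [], "headers": {}, "address": None, "error": None}
    for raw in trace.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted logs
        if m := STATE_RE.match(line):
            result["states"].append(m.group(1))
        elif m := HEADER_RE.match(line):  # request line has no "Name:" and is skipped
            name, value = m.group(1), m.group(2)
            if name.lower() in SECRET_HEADERS:
                value = f"[redacted, {len(value)} chars]"
            result["headers"][name] = value
        elif m := ADDR_RE.match(line):
            result["address"] = m.group(1)
        elif m := ERROR_RE.match(line):
            result["error"] = m.group(1)
    # The failure seen in the thread: no tunnel address, session ends in ERROR.
    result["no_address"] = (result["address"] == "0.0.0.0"
                            and result["states"][-1:] == ["ERROR"])
    return result

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```
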