Quality of VoIP BOUNCING over AnyConnect VPN problems

Hello:

I'm in the middle of the conversion of our environment of VPN for remote access of the former client VPN Cisco AnyConnect (ver. 3.1.01065) VPN's IPSec. I have a number of beta-testers on the new AnyConnect VPN environment, and we have quality problems of intermittent VoIP (IP Communicator 8.5.3 on remote laptops) with the HQ VPN. While I realize that we miss the calls over the Internet, which is a network of 'better' and can not control the Inernet QoS, the special thing is the VoIP call on the former that ipsec VPN seems to work very well 99% of the time.

I did a series of G.729 calls on the old client IPSec and customer AC, with the same laptop, using the same remote access connection. The "VPN server" for the IPSec VPN is an ASA5520 (8.0 (4)), on a connection of 100 Mbps with plenty of reserve, which runs also firewall services for an office of about 500 people and a small DMZ environment. The VPN server that is handling AnyConnect VPN is a new ASA5515-X (8.6 (1) 2), using the same channel of 100 Mbit/s Internet and running VPN services only. When you call running of tests on the old IPSec VPN, the jitter of appeal is pretty consistent, where jitter ave runs about 10 ms and jitter peak running 30-40ms. On the client ACTS, so that 'good' calls run about the same jitter as the old VPN, called the 'bad' (drops intermittent speaker, sometimes sounds 'mechanized'), which produce about 1 of evey 5 calls, run jitter ave to about 120-150ms and jitter of tip of 300-400 m for info, I don't see no packet loss to talk, just call jitter is through the roof. While in most cases, this could be written off as a "bad Internet connection", on the pretty old VPN tests prove a lot is not the issue.

That said, anyone has an idea why the quality of calls is sometimes wrong via the AnyConnect VPN? Is there pest practices that I can work from, or any settings you can recommend? Thank you.

Well, there are several things in our implementation that could help if possible, although I think you can open the case of the TAC, we saw some strange behaviors.

Things to enable the audit side ASA/SSL:

-DTLS - check if it is enabled and WORK (see the det filter name NAME_HERE anyconnect vpn-sessiondb)

see if the packets are tunneled by the DTLS Protocol not TLS. The datagram transport is much better suited for performance.

-Compression - so we see a lot of deployments with it enabled us say this as much as we can. Compression is for links to bandwidth low latency. In the modern internet, it should be used with caution.

-check the ASP drop table on ASA (fall of claire asp, run the "show asp drop' rest and during the period of low performance monitor.)

-additional recording "class... ssl connection. "can give you greater participation.

-See the proto ssl_np - good starting point count

the list goes on and.

What is important to understand, is that the problem is with the traffic on the wire or from the use of SSL.

Sniffer traces are essential.

Tags: Cisco Security

Similar Questions

Anyconnect VPN problem

Hello friends!

I ve been trying to configure the anyconnect VPN, but I cannot generate the CA, probably I m doing wrong sothing.

To be honest, I Don t know if the problem int this VPN is only what is missing, but is the only thing that I've seen what can be a problem.

Someone knows how to generate the CA in the ASA?

Hi Marcio,

Please follow this link:

https://supportforums.Cisco.com/document/12597006/how-configure-ASA-CA-s...

Do you want authentication certificate based for Anyconnect users?

I'm not sure we really need a CA in this case.

You can try to check this third party link to configure the Anyconnect on SAA basic settings:

http://www.petenetlive.com/kb/article/0000943

Kind regards

Aditya

Please evaluate the useful messages.

SSH for indoor or outdoor IP de ASA over anyconnect vpn

Hello world

I have ssl anyconnect vpn for my lab at home.

When I connect via anyconnect SSL I am unable to ssh to ASA inside and outside IP is this default behavior?

I have access to administration config inside configured on the SAA.

VPN IP 10.10.10.10 pool

SSH 10.10.10.0 255.255.255.0 outside

Concerning

Mahesh

Try adding a line like:

nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp

Cisco AnyConnect VPN Client (connection attempt failed because the network or pc problem cisco)

Hi all

I am trying to connect to my Cisco AnyConnect VPN Client but everytime I try, I get an error (connection attempt failed because the network or pc problem cisco)

Can anyone help me please with this.

Thank you

Zia

What is the local firewall on your computer?

The anyconnect vpn easy vpn Remote communication problem

Hi team,

I have a problem of communication of the anyconnect vpn easy vpn Remote I´ll explain better below and see the attachment
topology:

(1) VPN Tunnel between branch HQ - That´s OK
(2) VPN Tunnel between Client AnyConnect to HQ - that s OK

The idea is that the Anyconnect Client is reaching the local Branch Office network, but has not reached.
Communication is established just when I begin a session (icmp or rdp) branch to the AnyConnect Client,.
in this way, the communication is OK, but just for a few minutes.

Could you help me?
Below the IOS version and configurations

ASA5505 Version 8.4 (7) 23 (Headquarters)
ASA5505 Version 7.0000 23 (branch)

Configuration of the server easy VPN (HQ) *.

Crypto dynamic-map DYNAMIC - map 5 set transform-set ESP-AES-256-SHA ikev1
Crypto card outside-link-2_map 1 ipsec-isakmp DYNAMIC-map Dynamics
Crypto map link-outside-2_map-65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Crypto map interface outside-link-2_map outside-link-2

ACL_EZVPN list standard access allowed 10.0.0.0 255.255.255.0
ACL_EZVPN list standard access allowed 192.168.1.0 255.255.255.0
ACL_EZVPN list standard access allowed 192.168.50.0 255.255.255.0
ACL_EZVPN list standard access allowed 10.10.0.0 255.255.255.0

internal EZVPN_GP group policy
EZVPN_GP group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ACL_EZVPN
allow to NEM
type tunnel-group EZVPN_TG remote access
attributes global-tunnel-group EZVPN_TG
Group Policy - by default-EZVPN_GP
IPSec-attributes tunnel-group EZVPN_TG
IKEv1 pre-shared-key *.

object-group network Obj_VPN_anyconnect-local
object-network 192.168.1.0 255.255.255.0
object-network 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
object-network 192.168.50.0 255.255.255.0
the NAT_EZVPN_Source object-group network
object-network 192.168.1.0 255.255.255.0
object-network 10.10.0.0 255.255.255.0
the NAT_EZVPN_Destination object-group network
object-network 10.0.0.0 255.255.255.0

destination of Obj_VPN_anyconnect local Obj_VPN_anyconnect-local static NAT (inside, outside-link-2) Obj - VPN static source -.

Remote AnyConnect VPN - Obj anyconnect-remote non-proxy-arp-search to itinerary
destination NAT (inside, outside-link-2) static source NAT_EZVPN_Source NAT_EZVPN_Source NAT_EZVPN_Destination static

NAT_EZVPN_Destination no-proxy-arp-search to itinerary
NAT (outside-link-2, outside-link-2) static source Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote static destination

NAT_EZVPN_Destination NAT_EZVPN_Destination non-proxy-arp-search route

Configuration VPN AnyConnect (HQ) *.

WebVPN
Select the outside link 2
by default-idle-timeout 60
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect profiles Remote_Connection_for_TS_Users disk0: / remote_connection_for_ts_users.xml
AnyConnect enable
tunnel-group-list activate

tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.15.0 255.255.255.0
tunnel of splitting allowed access list standard 10.0.0.0 255.255.255.0

internal clientgroup group policy
attributes of the strategy of group clientgroup
WINS server no
value of server DNS 192.168.1.41
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
ipconnection.com.br value by default-field
WebVPN
AnyConnect Dungeon-Installer installed
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect value Remote_Connection_for_TS_Users type user profiles
AnyConnect ask flawless anyconnect

type tunnel-group sslgroup remote access
tunnel-group sslgroup General-attributes
address vpnpool pool
authentication-server-group DC03
Group Policy - by default-clientgroup
tunnel-group sslgroup webvpn-attributes
enable IPConnection-vpn-anyconnect group-alias

object-group network Obj_VPN_anyconnect-local
object-network 192.168.1.0 255.255.255.0
object-network 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
object-network 192.168.50.0 255.255.255.0
the NAT_EZVPN_Source object-group network
object-network 192.168.1.0 255.255.255.0
object-network 10.10.0.0 255.255.255.0
the NAT_EZVPN_Destination object-group network
object-network 10.0.0.0 255.255.255.0

destination of Obj_VPN_anyconnect local Obj_VPN_anyconnect-local static NAT (inside, outside-link-2) Obj - VPN static source -.

Remote AnyConnect VPN - Obj anyconnect-remote non-proxy-arp-search to itinerary
destination NAT (inside, outside-link-2) static source NAT_EZVPN_Source NAT_EZVPN_Source NAT_EZVPN_Destination static

NAT_EZVPN_Destination no-proxy-arp-search to itinerary
NAT (outside-link-2, outside-link-2) static source Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote static destination

NAT_EZVPN_Destination NAT_EZVPN_Destination non-proxy-arp-search route

Hello

communication works when you send the traffic of easyvpn derivation because it froms the IPSEC SA to pool local subnet and anyconnect HQ. The SA formed only when the branch initiates the connection as it's dynamic peer connection to HQ ASA.

When there no SA between branch and HQ for this traffic, HQ ASA has no idea on where to send the anyconnect to network traffic.

I hope this explains the cause.

Kind regards

Averroès.

AnyConnect VPN setup problem

Hi all, I'm going to have bad configure anyconnect VPN on my router. I'm CCENT pre level and especially followed a tutorial, but feel I'm missing something simple here.

It's a fairly simple installation on a Cisco No. 2851 - faces of a single interface my LAN 192.168.1.0/24, the other has a public IP address.

I created a network 192.168.2.0/24 VPN users, mainly to have phones Android connection of their mobile phone networks, and have access to the servers/security cameras/etc by using their local IP addresses. When my phone connects, it gets an IP address and is connected, but is not communicating with my LAN correctly.

The VPN client can ping 192.168.1.254 (the router's LAN IP) - but not the other devices on the network. However, the devices on my LAN can ping the VPN clients to their address 192.168.2.x.

Here's a copy of my current config, I have reorganized some elements with #s. Also pasted my ip sh road under him. Do not forget that I am a novice, please forgive the hack :)

Router (config) #do sh run
Building configuration...

Current configuration: 5782 bytes
!
! Last modification of the configuration at 02:24:24 UTC Sat Sep 5 2015 by #.
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
host name #.
!
boot-start-marker
boot-end-marker
!
!
enable secret $5 1$ 0 #.
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login local sslvpn
AAA authorization exec default local
!
!
!
!
!
AAA - the id of the joint session
!
!
dot11 syslog
no ip source route
!
!
IP cef
!
DHCP excluded-address 192.168.1.200 IP 192.168.1.254
DHCP excluded-address 192.168.1.1 IP 192.168.1.10
!
pool of dhcp IP LAN
network 192.168.1.0 255.255.255.0
Server DNS 192.168.1.254
by default-router 192.168.1.254
!
!
IP domain name # '.com'
host IP Switch 192.168.1.253
8.8.8.8 IP name-server
block connection-for 2000 tent 4 within 60
connection access silencer-class SSH_MGMT
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TRUSTPOINT-MY
enrollment selfsigned
Serial number
name of the object CN = 117-certificate
crl revocation checking
rsakeypair my-rsa-keys
!
!
MY-TRUSTPOINT crypto pki certificate chain
certificate self-signed 01
##########################

#########################
quit smoking
!
!
license udi pid CISCO2851 sn FTX1026A54Y
# 5 secret username $1$ yv # E9.
# 5 secret username $1$ X0nL ###kO.
!
redundancy
!
!
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
LAN description
IP 192.168.1.254 255.255.255.0
IP nat inside
No virtual-reassembly in ip
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
WAN description
No dhcp client ip asks tftp-server-address
No dhcp ip client application-domain name
DHCP IP address
IP access-group ACL-WAN_INTERFACE in
no ip redirection
no ip proxy-arp
NAT outside IP
No virtual-reassembly in ip
automatic duplex
automatic speed
No cdp enable
!
interface Serial0/0/0
no ip address
Shutdown
!
interface virtual-Template1
!
local IP 192.168.2.100 WEBVPN-POOL pool 192.168.2.110
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
The dns server IP
IP nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload
!
IP access-list standard INSIDE_NAT_ADDRESSES
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
IP access-list standard SSH_MGMT
permit 192.168.1.0 0.0.0.255
permit 207.210.0.0 0.0.255.255
!
IP extended ACL-WAN_INTERFACE access list
deny udp any any eq snmp
TCP refuse any any eq field
TCP refuse any any eq echo
TCP refuse any any day eq
TCP refuse any any eq chargen
TCP refuse any any eq telnet
TCP refuse any any eq finger
deny udp any any eq field
deny ip 127.0.0.0 0.255.255.255 everything
deny ip 192.168.0.0 0.0.255.255 everything
permit any any eq 443 tcp
allow an ip
!
exploitation forest esm config
NLS RESP-timeout 1
CPD cr id 1
!
!
!
!
!
!
!
control plan
!
!
!
!
profile MGCP default
!
!
!
!
!
access controller
Shutdown
!
!
!
Line con 0
exec-timeout 0 0
Synchronous recording
line to 0
exec-timeout 0 0
Synchronous recording
line vty 0 4
exec-timeout 0 0
Synchronous recording
entry ssh transport
line vty 5 15
exec-timeout 0 0
Synchronous recording
entry ssh transport
!
Scheduler allocate 20000 1000
!
Gateway Gateway-WebVPN-Cisco WebVPN
IP interface GigabitEthernet0/1 port 443
SSL rc4 - md5 encryption
SSL trustpoint TRUSTPOINT-MY
development
!
WebVPN install svc flash:/webvpn/anyconnect-linux-3.1.03103-k9.pkg sequence 1
!
WebVPN context Cisco WebVPN
title "Firewall.cx WebVPN - powered by Cisco"
SSL authentication check all
!
list of URLS "rewrite".
!
ACL "ssl - acl.
ip permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Licensing ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
login message "Cisco Secure WebVPN"
!
webvpnpolicy political group
functions required svc
filter tunnel ssl - acl
SVC-pool of addresses 'WEBVPN-POOL' netmask 255.255.255.0
generate a new key SVC new-tunnel method
SVC split include 192.168.1.0 255.255.255.0
Group Policy - by default-webvpnpolicy
AAA authentication list sslvpn
Gateway Cisco WebVPN bridge
Max-users 5
development
!
end

Gateway of last resort is #. ###. ###. # network 0.0.0.0

S * 0.0.0.0/0 [254/0] via #. ###. ###.1
(###ISP))) is divided into subnets, subnets 1
S (# #ISP #) [254/0] via (# publicgateway #) GigabitEthernet0/1
###.###.0.0/16 is variably divided into subnets, 2 subnets, 2 masks
C ###.###.###.0/23 is directly connected, GigabitEthernet0/1
The ###.###.###.###/32 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is variably divided into subnets, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
The 192.168.1.254/32 is directly connected, GigabitEthernet0/0
192.168.2.0/32 is divided into subnets, subnets 1
S 192.168.2.100 [0/0] via 0.0.0.0, Virtual Network1

can you try to disable the FW on your internal lan hosts and then try and ping from users of vpn client

ASA checks AnyConnect VPN computer name

Hi all

I have searched the Forum and documentation, but have not found a solution to my problem. I'm guessing it happens sometimes, but maybe I'm looking for the wrong thing. We AnyConnect deployed across our cell phones, but have trouble with employees who do get the software from other sources AnyConnect and install on personal computers. We are an agency, although relatively small, but we have policies in place and I need to lock for users unable to connect to the VPN unless you're a book PC connected to our AD domain. I found a possible solution is to use dynamic access within the ASA policies to check the Windows computer name. So I set up LDAP and has created a policy to check an AAA attribute. It lets me select "MemberOf", which I assume it is the Group of users, but I need to check the name of the computer on the client before allowing access.

Step by step of what I did, does anyone know of a more logical or easier way to lock on what AnyConnect VPN client computers can be used?

Or if I go about this common sense with dynamic access policies, anyone have any suggestions or knowledge of documentation that helps to configure things properly when you check the computer name LDAP attribute?

Thank you!

JD

Hey Joe,

You do not need LDAP to do this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

Once you enable SSC, edit your DAP strategy and instead of an IPN to attribute you to try, add an attribute of endpoint (on the right hand side).

To verify the host name, select the type of the attribute "peripheral".

Alternatively, you can also activate the sweep of host (under Contract) and let the CSD to check the presence of a file with a certain file name, or a registry entry or a process name. CSD passes the result of this verification to the PAD, so you can use it in a policy (attributes of endpoint of type process, registry and files).

Another alternative is to use the CSD with a policy before opening session - that you cannot check the host name, but it does not have control over the IP, OS type, certificate as well as the presence of a process, the registry key, the file. In this case you need not to DAP.

HTH

Herbert

Cisco AnyConnect VPN Client maintains reconnection

Hello

We have recently installed an ASA5505 and activated the VPN access.

Two of my colleagues have no problems connecting to the VPN using Cisco AnyConnect VPN Client, but I do.

I am still disconnected after a few seconds with the message:

"A VPN reconnect gave rise to different configuration settings. VPN network interface is to be reset. Applications using the private network may be required to restart. »

Cisco AnyConnect VPN Client Version 2.5.2019

I work with Windows 7 but the same thing happens when I try to connect using my computer that is running Windows Vista.

My colleagues also using Win7

I also tried to disable the Windows Firewall.

Any help would be appreciated.

Best regards

Peter

TAC has been able to solve the problem. For webvpn mtu changed default from 1406 to 1200.

Not sure why 2 other ASAs we work very well otherwise though!

WebVPN
SVC mtu 1200

CISCO ANYCONNECT VPN CISCO VPN CLIENT

Hi, I was in the process of configuring cisco anyconnect vpn for ip phones to our local obtained the license for them either, the question that I get is that I already have remote configured cisco connect via the old cisco vpn client.

now, if I activate the anyconnect ssl on the same outside the interface both can exist without conflict or maybe I need to migrate users to install the end customer for anyconnect system software to connect.

I also need help with authentication of certification.

concerning

You can run both VPN at the same time without problems.

However, you should try and migrate everyone to the latest technology Anyconnect SSL anyway.

AnyConnect VPN

Hello

I have configured AnyConnect VPN with split tunneling, so my internal networks is in the tunnel and get internet directly (not via an internal network).

But we want to access one of the public IP (8.8.8.8) through AnyConnect VPN tunnel.

When we check the capture of packets on an external interface, trying to ping 8.8.8.8 showing the icmp-request package but not get icmp-response packages.

Additional configuration required to access the ip address above by tunnel?

We have activated the below configuration as well.

permit same-security-traffic intra-interface

permit same-security-traffic inter-interface

Please find details of the capture below: 192.168.18.71 is my ip from the pool AnyConnect VPN system.

114 extended access-list allow ip host 192.168.18.71 8.8.8.8
115 extended access-list allow host 8.8.8.8 ip 192.168.18.71

output interface of capture within the list of access-114
Capture interface entering inside the access-list 115

See the capture of xxx - ASA (config) # outgoing

1: 22:13:24.001800 192.168.18.71 > 8.8.8.8: icmp: echo request
2: 22:13:28.986139 192.168.18.71 > 8.8.8.8: icmp: echo request
3: 22:13:33.970561 192.168.18.71 > 8.8.8.8: icmp: echo request
4: 22:13:38.971156 192.168.18.71 > 8.8.8.8: icmp: echo request
5: 22:13:44.080058 192.168.18.71 > 8.8.8.8: icmp: echo request
5 packs shown
XXX - ASA (config) #.
XXX - ASA (config) #.
XXX - ASA (config) # display incoming capture

0 packets captured

0 illustrated package
XXX - ASA (config) # display incoming capture

0 packets captured

0 illustrated package

Kindly help us solve the problem.

Thank you and best regards,

Ashok

I like to use the notation NAT object instead. So maybe try:
```
object network obj-192.168.18.0  nat (outside,outside) dynamic interface
```

Anyconnect VPN management if password password has already expired

Hello

I have ASA Cisco AnyConnect vpn with Microsoft AD ldaps authentication. In the Group of the tunnel, I configured management password (password expire days 14). It works but my testing it seems to be no possible to update the password if it is already expired. No way to solve this problem?

Thank you

Hi, Giuseppe.

Yes, the change of password should work even when he arrived at expiration.

Maybe you can try placing screenshots on the user and the server and make sure that the TCP process is successful when the password has expired.

-Javier-

AnyConnect VPN client authentication using certificates

Guys, I'm trying to configure my ASA5505 to authenticate the AnyConnect VPN clients using certificates. I have 'Certificates' defined as my method of authentication in my AnyConnect connection profile (see screenshot), but I get 'Certificate Validation failure' whenever I try to connect. The certificate I want to use is a computer issued by my CA certificate company root (Windows Server 2008 running Active Directory Certificate Services). Screenshot of certificate is attached. I added the root certificate on the SAA, and I tried all kinds of combinations by using the corresponding certificate in the AnyConnect Client profile. Each attempt failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

Hello Shaun,

The problem you're describing, not be able to authenticate through certificate through Microsoft Internet Explorer, is the fact that the certificate is in the computer store. You do not want to confirm with Microsoft, but, I understand that only Microsoft Internet users explore the user store, this certificate is not available to attend the ASA via the Internet browser.

-Craig

Cisco Anyconnect VPN client cannot establish a connection.

Hello

I am trying to connect to my server license from the University. I use 'Cisco Anyconnect VPN', but when it is goinh to initialize the connection it gives me the error "unable to establish a connection to the VPN client. At this point, the network of my Cisco anyconnect adapter gets disable automatically.

I have no antivirus, and also it happens even when I turn off my firewall.

Please help me solve this problem that prevents me from my all of the work!

Thank you in advance.

In addition to the advice of John I would also look at this document from Cisco for possible help...

http://www.Cisco.com/image/gif/paws/100597/AnyConnect-VPN-Troubleshooting.PDF

Cisco help as much as possible...

http://www.Cisco.com/en/us/products/ps8411/tsd_products_support_series_home.html

Its also possible you may have to run or reinstall the Cisco client in compatibility mode, if they do not have a version of Windows 7.

http://Windows.Microsoft.com/en-us/Windows7/help/compatibility

http://Windows.Microsoft.com/en-us/Windows7/open-the-program-compatibility-Troubleshooter

http://Windows.Microsoft.com/en-us/Windows7/make-older-programs-run-in-this-version-of-Windows

Otherwise contact your university network administrators may also be a viable option.

MS - MVP Windows Expert - consumer
"When all else fails try what the captain suggested before you started...". »

PC may have the connection, but why MAC cannot have Anyconnect VPN?

Hi, we have MAC and PC users. Two users could reach inside the network through ASA and Anyconnect VPN. However, MAC users can not have connection (please see screenshot in attachment). The output of the show run webvpn command is below:

Act(config-WebVPN) # sh run webvpn
WebVPN
allow outside
allow inside
CSD image disk0:/csd_3.5.841-k9.pkg
AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
Auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all the

The lack of configuration ""anyconnect image disk0: /anyconnect -macosx- i386 - 2.5.2014 - k9.pkg "all the time." We don't think that this is the reason why MAC users are unable to reach the inside of the network because we do not have this command for a long time. Any suggestions can give? Thank you.

> The question is that the command for MAC was not there for long. Why is it could work when the order wasn't there?

I don't know, but I remember that in versions, it was not necessary to have * all * images in flash. Perhaps this changed some time. , You upgrade your ASA recently before the problems began?

MAC and PC can reach the same an ASA for Anyconnect VPN?

Hi, we have MAC and PC users. We configure the Anyconnect VPN in an ASA. But two users need two image of sorts. We must therefore use the two commands:

AnyConnect image disk0: / anyconnect -win- 3.1.04066 - k9.pkg

AnyConnect image disk0: / anyconnect -macosx- i386 - 2.5.2014 - k9.pkg.

This is what two commands cannot coexist in an ASA. How to solve the problem? I hope your suggestion. Thank you

They can co-exist, but you must add different sequence numbers at the end of each command.

Quality of VoIP BOUNCING over AnyConnect VPN problems

Similar Questions

Maybe you are looking for