AnyConnect VPN UDP session

My first time using this service, please be gentle.

I recently installed an AnyConnect VPN for a specific application. My question is about what I see when I use the "show conn" command:

VPN01# sh conn | i 172.18.7.36
UDP outside 172.18.7.36:1123 DMZ_ADM 10.7.16.57:81, idle 0:00:00, bytes 73324, flags
UDP outside 172.18.7.36:1123 DMZ_ADM 10.7.32.107:81, idle 0:00:00, bytes 73232, flags
UDP outside 172.18.7.36:1123 DMZ_ADM 10.7.32.41:81, idle 0:00:00, bytes 73232, flags
UDP outside 172.18.7.36:81 DMZ_ADM 10.7.32.41:3765, idle 0:00:02, bytes 5075905, flags
UDP outside 172.18.7.30:81 outside 172.18.7.36:1123, idle 0:00:00, bytes 73186, flags
UDP outside 172.18.7.37:81 outside 172.18.7.36:1123, idle 0:00:00, bytes 16744, flags
VPN01#

In the list above, I know that the device 172.18.7.30 has not been connected for at least 3 hours. Why do I see a UDP session between 172.18.7.30 and 172.18.7.36?

Is my interpretation of a UDP session incorrect?

Note that I am using the following versions:

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

anyconnect-win-2.4.1012-k9.pkg

Thanks for your help.

Sergio
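As an added example (not from the original post), here is a small Python parser for `show conn` lines in the format shown above; it turns each entry into a record and then lists the UDP conns that are still alive for a host believed to be offline. It assumes the ASA default UDP conn idle timeout of 2 minutes (`timeout conn ... udp 0:02:00`) and uses constructed sample lines; the ASA resets the idle counter on every packet, so idle 0:00:00 means the firewall saw a datagram for that conn within the last second.

```python
"""Parse ASA `show conn` output and flag UDP conns that are still carrying
traffic for a host that is believed to be offline.

Added example, not from the original post. The sample lines below are
constructed in the format of the question's output (a flags column added).
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the question's `sh conn | i 172.18.7.36` output.
SAMPLE_SHOW_CONN = """\
UDP outside 172.18.7.36:1123 DMZ_ADM 10.7.16.57:81, idle 0:00:00, bytes 73324, flags -
UDP outside 172.18.7.36:1123 DMZ_ADM 10.7.32.107:81, idle 0:00:00, bytes 73232, flags -
UDP outside 172.18.7.36:81 DMZ_ADM 10.7.32.41:3765, idle 0:00:02, bytes 5075905, flags -
UDP outside 172.18.7.30:81 outside 172.18.7.36:1123, idle 0:00:00, bytes 73186, flags -
UDP outside 172.18.7.37:81 outside 172.18.7.36:1123, idle 0:01:58, bytes 16744, flags -
TCP outside 172.18.7.36:50000 inside 10.7.1.1:443, idle 0:05:00, bytes 1200, flags UIO
"""

# One conn line: proto, then two "interface ip:port" pairs, idle timer, byte count, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+"
    r"bytes\s+(?P<bytes>\d+)"
    r"(?:,\s+flags\s+(?P<flags>\S*))?\s*$"
)

# ASA default: timeout conn 1:00:00 ... udp 0:02:00 (assumed; check `show run timeout`).
UDP_IDLE_TIMEOUT_S = 120


@dataclass
class Conn:
    proto: str
    if_a: str
    ip_a: str
    port_a: int
    if_b: str
    ip_b: str
    port_b: int
    idle_s: int        # seconds since the ASA last saw a packet on this conn
    byte_count: int
    flags: str


def parse_idle(text):
    """'h:mm:ss' -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(output):
    """Return a Conn for every line that matches the show conn format."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # prompt lines and unrecognised entries are skipped
        conns.append(Conn(
            proto=m["proto"],
            if_a=m["if_a"], ip_a=m["ip_a"], port_a=int(m["port_a"]),
            if_b=m["if_b"], ip_b=m["ip_b"], port_b=int(m["port_b"]),
            idle_s=parse_idle(m["idle"]),
            byte_count=int(m["bytes"]),
            flags=m["flags"] or "",
        ))
    return conns


def active_udp_conns_for(conns, host, timeout_s=UDP_IDLE_TIMEOUT_S):
    """UDP conns involving `host` that the ASA would not have aged out yet.

    A UDP conn survives only while packets keep arriving within the idle
    timeout, so any conn returned here has carried traffic recently. If the
    host is supposed to be offline, something at that address (or spoofing
    it) is still sending.
    """
    return [c for c in conns
            if c.proto == "UDP" and host in (c.ip_a, c.ip_b) and c.idle_s < timeout_s]


def peers_of_offline_hosts(conns, offline_hosts, timeout_s=UDP_IDLE_TIMEOUT_S):
    """Map each supposedly offline host to the peers still exchanging UDP with it."""
    result = {}
    for host in offline_hosts:
        peers = sorted({c.ip_b if c.ip_a == host else c.ip_a
                        for c in active_udp_conns_for(conns, host, timeout_s)})
        if peers:
            result[host] = peers
    return result


if __name__ == "__main__":
    for host, peers in peers_of_offline_hosts(parse_show_conn(SAMPLE_SHOW_CONN),
                                              ["172.18.7.30"]).items():
        print(f"{host} is marked offline but still has live UDP conns with {peers}")
```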

Great observation and thanks for the update.

Please kindly mark the message as answered so that others may learn from your post, and thank you for updating the thread with the complete description.

Tags: Cisco Security

Similar Questions

  • How to show the history of AnyConnect VPN sessions in ASDM?

    Hi Experts,

    I use a Cisco ASA 5515-X.

    Firmware 9.4.2

    ASDM 7.5.2

    I have a few questions:

    • How do I show the AnyConnect VPN session history?
    • And why, when I want to display the online status of AnyConnect clients using the filter in ASDM, does the process always stop at 97% (see attached photo)?

    Thank you

    Nodjoute

    Answers:

    Re q.1: You can see entries for relatively recent AnyConnect session establishment in the log. To view historical data, you'll need an external syslog server or a tool querying SNMP. I used Kiwi Syslog Server and PRTG respectively and found both to be quite capable of this.

    Re q.2: This is a bug in ASDM 7.5(2). Later versions (e.g. currently 7.6(1)) fix it.

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCux37581

  • AnyConnect VPN session disconnect and reconnect

    I have a firewall cisco ASA 5525-X set up to accept the AnyConnect VPN client (IKEv2) connection.

    AnyConnect VPN client can successfully connect.

    During the first 10 minutes after logging in, the AnyConnect VPN client loses the VPN connection for a few seconds (ranging from 3 to 10 seconds), then automatically reconnects. After that, there are no more lost connections.

    The lost connection happened on all of them. So far, at least 4 show the same problem.

    It does not affect the operation of the network, but it gives an unpleasant impression for users.

    I tried monitoring the ASDM firewall logs; there are no errors in the log.

    I use Wireshark to capture traffic on the client side, also no errors detected.

    Any idea how I can continue to troubleshoot this problem?

    Hi Limlayhin,

    You can go ahead and capture DART logs. You can download the DART package for the AnyConnect version you use and run it after you experience this problem. Please make sure you clear the Event Viewer logs before you launch the AnyConnect client.

    To clear the Event Viewer logs, follow these steps:

    1. Start > Run > eventvwr

    2. This opens the Event Viewer window

    3. Expand Applications and Services Logs and you will find an entry "Cisco AnyConnect Secure Mobility Client"

    4. Right-click on Cisco AnyConnect Secure Mobility Client and select Clear Log. Select Clear after that.

    Once you are done with this, launch the AnyConnect connection and allow the problem to happen. Once the problem occurs, disconnect the AnyConnect client and run DART. It will create a zip file on your desktop (by default) and you can go through the AnyConnect connection logs to look for the root cause.

    Let me know if it helps.

    Vishnu

  • AnyConnect VPN setup problem

    Hi all, I'm having trouble configuring AnyConnect VPN on my router. I'm at a pre-CCENT level and mostly followed a tutorial, but feel I'm missing something simple here.

    It's a fairly simple installation on a Cisco 2851: one interface faces my LAN 192.168.1.0/24, the other has a public IP address.

    I created a network 192.168.2.0/24 for VPN users, mainly so that Android phones can connect from their mobile networks and access the servers/security cameras/etc. by their local IP addresses. When my phone connects, it gets an IP address and is connected, but it is not communicating with my LAN correctly.

    The VPN client can ping 192.168.1.254 (the router's LAN IP), but not the other devices on the network. However, the devices on my LAN can ping the VPN clients at their 192.168.2.x addresses.

    Here's a copy of my current config; I have redacted some elements with #s. I also pasted my "sh ip route" output below it. Don't forget that I am a novice, please forgive the hack :)

    Router(config)#do sh run
    Building configuration...

    Current configuration : 5782 bytes
    !
    ! Last configuration change at 02:24:24 UTC Sat Sep 5 2015 by #
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname #
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret 5 $1$0#
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sslvpn local
    aaa authorization exec default local
    !
    !
    aaa session-id common
    !
    !
    dot11 syslog
    no ip source-route
    !
    !
    ip cef
    !
    ip dhcp excluded-address 192.168.1.200 192.168.1.254
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    !
    ip dhcp pool LAN
     network 192.168.1.0 255.255.255.0
     dns-server 192.168.1.254
     default-router 192.168.1.254
    !
    !
    ip domain name #.com
    ip host Switch 192.168.1.253
    ip name-server 8.8.8.8
    login block-for 2000 attempts 4 within 60
    login quiet-mode access-class SSH_MGMT
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    voice-card 0
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint MY-TRUSTPOINT
     enrollment selfsigned
     serial-number
     subject-name CN=117-certificate
     revocation-check crl
     rsakeypair my-rsa-keys
    !
    !
    crypto pki certificate chain MY-TRUSTPOINT
     certificate self-signed 01
      ##########################
      #########################
      quit
    !
    !
    license udi pid CISCO2851 sn FTX1026A54Y
    username # secret 5 $1$yv#E9.
    username # secret 5 $1$X0nL###kO.
    !
    redundancy
    !
    ip ssh version 2
    !
    interface GigabitEthernet0/0
     description LAN
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     no ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description WAN
     no ip dhcp client request tftp-server-address
     no ip dhcp client request domain-name
     ip address dhcp
     ip access-group ACL-WAN_INTERFACE in
     no ip redirects
     no ip proxy-arp
     ip nat outside
     no ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
    !
    interface Serial0/0/0
     no ip address
     shutdown
    !
    interface Virtual-Template1
    !
    ip local pool WEBVPN-POOL 192.168.2.100 192.168.2.110
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload
    !
    ip access-list standard INSIDE_NAT_ADDRESSES
     permit 192.168.1.0 0.0.0.255
     permit 192.168.2.0 0.0.0.255
    ip access-list standard SSH_MGMT
     permit 192.168.1.0 0.0.0.255
     permit 207.210.0.0 0.0.255.255
    !
    ip access-list extended ACL-WAN_INTERFACE
     deny   udp any any eq snmp
     deny   tcp any any eq domain
     deny   tcp any any eq echo
     deny   tcp any any eq daytime
     deny   tcp any any eq chargen
     deny   tcp any any eq telnet
     deny   tcp any any eq finger
     deny   udp any any eq domain
     deny   ip 127.0.0.0 0.255.255.255 any
     deny   ip 192.168.0.0 0.0.255.255 any
     permit tcp any any eq 443
     permit ip any any
    !
    logging esm config
    nls resp-timeout 1
    cpd cr-id 1
    !
    control-plane
    !
    mgcp profile default
    !
    gatekeeper
     shutdown
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     exec-timeout 0 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     logging synchronous
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    webvpn gateway Cisco-WebVPN-Gateway
     ip interface GigabitEthernet0/1 port 443
     ssl encryption rc4-md5
     ssl trustpoint MY-TRUSTPOINT
     inservice
    !
    webvpn install svc flash:/webvpn/anyconnect-linux-3.1.03103-k9.pkg sequence 1
    !
    webvpn context Cisco-WebVPN
     title "Firewall.cx WebVPN - powered by Cisco"
     ssl authenticate verify all
     !
     url-list "rewrite"
     !
     acl "ssl-acl"
       permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
       permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
       permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
     !
     login-message "Cisco Secure WebVPN"
     !
     policy group webvpnpolicy
       functions svc-required
       filter tunnel ssl-acl
       svc address-pool "WEBVPN-POOL" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.1.0 255.255.255.0
     default-group-policy webvpnpolicy
     aaa authentication list sslvpn
     gateway Cisco-WebVPN-Gateway
     max-users 5
     inservice
    !
    end

    Gateway of last resort is #.###.###.# to network 0.0.0.0

    S*    0.0.0.0/0 [254/0] via #.###.###.1
          (###ISP###) is subnetted, 1 subnets
    S        (###ISP###) [254/0] via (###publicgateway###), GigabitEthernet0/1
          ###.###.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        ###.###.###.0/23 is directly connected, GigabitEthernet0/1
    L        ###.###.###.###/32 is directly connected, GigabitEthernet0/1
          192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
    L        192.168.1.254/32 is directly connected, GigabitEthernet0/0
          192.168.2.0/32 is subnetted, 1 subnets
    S        192.168.2.100 [0/0] via 0.0.0.0, Virtual-Access1

    Can you try disabling the firewall on your internal LAN hosts and then try pinging them from the VPN clients?

  • Anyconnect VPN logs

    Hello people!

    I would like to know how I can see the AnyConnect VPN history.

    To see the current WebVPN or SSL VPN client sessions, I know these commands can be used, but I don't know about history:
    ASA# show vpn-sessiondb webvpn
    or ASA# show vpn-sessiondb svc

    Thank you

    Marcio

    Hi Marcio,

    To do this you must configure a syslog server.

    Please visit this link:

    http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-Securi...

    You will be able to extract the information about the AnyConnect users who have connected in the past.

    Hope it helps.

    Kind regards

    Aditya

    Please rate useful posts.

  • AnyConnect VPN application

    Hi all

    I have a single query on the AnyConnect ASA 5510 deployment. We have an ASA 5510 with a Security Plus license and are unable to run AnyConnect (client) VPN for concurrent users. It requires a separate license for AnyConnect (client).

    The 5510 has a Security Plus license.

    Firewall settings:

    AnyConnect Essentials: disabled

    AnyConnect Premium: 2

    Max VPN session: 250

    If I run AnyConnect VPN it takes a maximum of 2 sessions. But we need more sessions.

    Thank you

    Vishaw

    If you just want to use computers to connect with the AnyConnect client and not clientless SSL, you only need to purchase the AnyConnect Essentials license for the number of connections you need (supports up to 250). If you also need clientless SSL, then you must purchase the Premium license. If you also require mobile phones, tablets, etc. to connect with the AnyConnect client, then you need the AnyConnect Mobile license.

    The following link gives you an overview of the licenses for the 5510 and other ASA models.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/intro_license.html#wp2142486

    In addition, here Pete does a good job of explaining AnyConnect licenses.

    http://www.petenetlive.com/kb/article/0000628.htm

    --

    Please do not forget to select a correct answer and rate useful posts

  • ASA Anyconnect VPN do not work or download the VPN client

    I have a Cisco ASA 5505 on which I am trying to configure AnyConnect VPN. I've changed my setup several times, but when I try to reach my static public IP address on the outside interface to download the client image, I am not able to. Also, when I do a packet tracer I see the packet is dropped by the ACL: when packets come from outside to the ASA on port 443, it drops them because of the ACL. So from my DMZ it will look like something trying to access the ASA via the VPN on port 443. Here is my config:

    XXXX# sh run
    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname XXXX
    domain-name XXXX
    enable password pFTzVNrKdD9x5rhT encrypted
    passwd zPBAmb8krxlXh.CH encrypted
    names
    !
    interface Ethernet0/0
     description Outside-interface
     switchport access vlan 20
    !
    interface Ethernet0/1
     description Uplink DMZ
     switchport access vlan 30
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     switchport access vlan 10
    !
    interface Ethernet0/4
     description TACACS+ ID
     switchport access vlan 10
     switchport monitor Ethernet0/0
    !
    interface Ethernet0/5
     switchport access vlan 10
    !
    interface Ethernet0/6
     switchport access vlan 10
    !
    interface Ethernet0/7
     description Wireless_AP_Loft
     switchport access vlan 10
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address x.x.x.249 255.255.255.248
    !
    interface Vlan30
     no forward interface Vlan10
     nameif dmz
     security-level 50
     ip address 172.16.30.1 255.255.255.0
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup dmz
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
     domain-name XXXX
    object network obj_any1
     subnet 0.0.0.0 0.0.0.0
    object network Webserver_DMZ
     host 172.16.30.8
    object network Mailserver_DMZ
     host 172.16.30.7
    object network DMZ
     subnet 172.16.30.0 255.255.255.0
    object network FTPserver_DMZ
     host 172.16.30.9
    object network Public-IP-subnet
     subnet x.x.x.248 255.255.255.248
    object network FTPserver
     host 172.16.30.8
    object network inside
     subnet 192.168.10.0 255.255.255.0
    object network VPN_SSL
     subnet 10.101.4.0 255.255.255.0
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq www log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 587 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq smtp log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq pop3 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 2525 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq imap4 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 465 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 993 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 995 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 5901 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq https log
    access-list vpn_SplitTunnel remark ACL for Split VPN Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging trap warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPN_SSL 10.101.4.1-10.101.4.4 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside inside destination static VPN_SSL VPN_SSL
    nat (outside,inside) source static VPN_SSL VPN_SSL
    !
    object network obj_any1
     nat (inside,outside) static interface
    object network Webserver_DMZ
     nat (dmz,outside) static x.x.x.250
    object network Mailserver_DMZ
     nat (dmz,outside) static x.x.x.251
    object network DMZ
     nat (dmz,outside) static interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server HNIC protocol tacacs+
    aaa-server HNIC (inside) host 192.168.10.2
     timeout 60
     key *****
    user-identity default-domain LOCAL
    aaa authentication http console HNIC
    aaa authentication ssh console HNIC
    aaa authentication telnet console HNIC
    aaa authentication secure-http-client
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint localtrust
     enrollment self
     crl configure
    crypto ca trustpoint VPN_Articulate2day
     enrollment self
     subject-name CN=vpn.articulate2day.com
     keypair sslvpnkey
     crl configure
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 30
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 15
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa

    dhcp-client update dns
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd auto_config outside
    !
    dhcpd address 192.168.10.100-192.168.10.150 inside
    dhcpd enable inside
    !
    dhcpd address 172.16.30.20-172.16.30.23 dmz
    dhcpd enable dmz
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 192.168.10.2
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy VPN_SSL internal
    group-policy VPN_SSL attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn_SplitTunnel
     address-pools value VPN_SSL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 15
      anyconnect ssl compression deflate
      anyconnect ask enable
    username ronmitch50 password spn1SehCw8TvCzu7 encrypted
    username ronmitch50 attributes
     service-type remote-access
    tunnel-group VPN_SSL_Clients type remote-access
    tunnel-group VPN_SSL_Clients general-attributes
     address-pool VPN_SSL
     default-group-policy VPN_SSL
    tunnel-group VPN_SSL_Clients webvpn-attributes
     group-alias VPNSSL_GNS3 enable
    tunnel-group VPN_SSL type remote-access
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect esmtp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    XXXX#

    You do not have this configuration:

     object network DMZ
      nat (dmz,outside) static interface

    Try changing it to this instead (or deleting it):

     object network DMZ
      nat (dmz,outside) dynamic interface

  • ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure

    I worked on it for a while and just have not found a solution yet.

    I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect VPN client with it. I followed the ASA 8.x split tunnel example but I am still missing something.

    My home network is 10.170.x.x and I set up the VPN address pool as 10.170.13.x. I have a Windows workstation at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside address of the router itself is 10.170.0.1.

    I can connect from the outside and am assigned the IP address 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:

    5 | Jan 27 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:34 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:23 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:17 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:13 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | Jan 27 2010 | 10:33:07 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

    I tried several things with NAT, but was not able to get beyond that. Would anyone mind looking at my running config and helping me with this? Thanks a bunch!

    -Tim
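As an added example (not from the original post), the following Python triages syslog 305013 lines like the ones above: it extracts each denied flow and aggregates the source and destination hosts into /24 pairs, which is the list a practitioner would compare against the NAT exemption (nat 0) ACL for the VPN pool. The sample lines are constructed in the raw ASA syslog format from the flows in the post; the pool and inside subnets are the ones the post describes.

```python
"""Triage ASA 305013 (NAT reverse path failure) syslog lines.

Added example, not from the original post. SAMPLE_SYSLOG is constructed
from the flows in the post (AnyConnect pool 10.170.13.0/24 talking to
inside hosts), in the raw format the ASA sends to a syslog server.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_SYSLOG = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.170.13.10/52011 dst inside:10.170.0.20/80 denied due to NAT reverse path failure
%ASA-6-302013: Built inbound TCP connection 1234 for outside:10.170.13.10/52012 (10.170.13.10/52012) to inside:10.170.0.1/443 (10.170.0.1/443)
"""

# Only 305013 lines; the port is absent for icmp, hence the optional groups.
RPF_RE = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_rpf_failures(text):
    """Return one dict per 305013 line; other message IDs are ignored."""
    flows = []
    for line in text.splitlines():
        m = RPF_RE.search(line)
        if m:
            flows.append(m.groupdict())
    return flows


def summarise(flows):
    """Count denied flows per (src_if, src, dst_if, dst, proto)."""
    return Counter((f["src_if"], f["src"], f["dst_if"], f["dst"], f["proto"])
                   for f in flows)


def nat_exempt_subnets(flows, prefixlen=24):
    """Distinct (src_if, src/prefix, dst_if, dst/prefix) pairs seen failing.

    Every pair returned is traffic whose forward and reverse NAT lookups
    disagree; the identity NAT / nat 0 rule between the VPN pool and the
    inside network has to cover each of them.
    """
    pairs = set()
    for f in flows:
        src_net = ipaddress.ip_network(f"{f['src']}/{prefixlen}", strict=False)
        dst_net = ipaddress.ip_network(f"{f['dst']}/{prefixlen}", strict=False)
        pairs.add((f["src_if"], str(src_net), f["dst_if"], str(dst_net)))
    return sorted(pairs)


if __name__ == "__main__":
    flows = parse_rpf_failures(SAMPLE_SYSLOG)
    for key, count in summarise(flows).most_common():
        print(count, key)
    for src_if, src, dst_if, dst in nat_exempt_subnets(flows):
        print(f"check nat exemption: {src_if}:{src} <-> {dst_if}:{dst}")
```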

    A couple of points to check.

    name 10.17.13.0 UFP-VPN-pool looks like it should be the name 10.170.13.0 UFP-VPN-pool

    inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool

    Looks like that one

    inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow

  • The anyconnect vpn easy vpn Remote communication problem

    Hi team,

    I have a communication problem between the AnyConnect VPN and Easy VPN Remote. I'll explain better below; see the attached
    topology:

    (1) VPN tunnel between branch and HQ - that's OK
    (2) VPN tunnel between AnyConnect client and HQ - that's OK

    The idea is that the AnyConnect client reaches the local branch office network, but it does not.
    Communication is only established when I begin a session (ICMP or RDP) from the branch to the AnyConnect client;
    then the communication is OK, but just for a few minutes.

    Could you help me?
    Below are the IOS version and configurations.

    ASA5505 Version 8.4(7)23 (headquarters)
    ASA5505 Version 7.0000 23 (branch)

    Easy VPN server configuration (HQ):

    crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
    crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside-link-2_map interface outside-link-2

    access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
    access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
    access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
    access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0

    group-policy EZVPN_GP internal
    group-policy EZVPN_GP attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ACL_EZVPN
     nem enable
    tunnel-group EZVPN_TG type remote-access
    tunnel-group EZVPN_TG general-attributes
     default-group-policy EZVPN_GP
    tunnel-group EZVPN_TG ipsec-attributes
     ikev1 pre-shared-key *****

    object-group network Obj_VPN_anyconnect-local
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.15.0 255.255.255.0
    object-group network Obj-VPN-anyconnect-remote
     network-object 192.168.50.0 255.255.255.0
    object-group network NAT_EZVPN_Source
     network-object 192.168.1.0 255.255.255.0
     network-object 10.10.0.0 255.255.255.0
    object-group network NAT_EZVPN_Destination
     network-object 10.0.0.0 255.255.255.0

    nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
    nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
    nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup

    AnyConnect VPN configuration (HQ):

    webvpn
     enable outside-link-2
     default-idle-timeout 60
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
     anyconnect enable
     tunnel-group-list enable

    access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.15.0 255.255.255.0
    access-list split-tunnel standard permit 10.0.0.0 255.255.255.0

    group-policy clientgroup internal
    group-policy clientgroup attributes
     wins-server none
     dns-server value 192.168.1.41
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value ipconnection.com.br
     webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect profiles value Remote_Connection_for_TS_Users type user
      anyconnect ask none default anyconnect

    tunnel-group sslgroup type remote-access
    tunnel-group sslgroup general-attributes
     address-pool vpnpool
     authentication-server-group DC03
     default-group-policy clientgroup
    tunnel-group sslgroup webvpn-attributes
     group-alias IPConnection-vpn-anyconnect enable


    Hello

    Communication works when you send the traffic from the EasyVPN branch, because that forms the IPsec SA between the local subnet and the HQ AnyConnect pool. The SA is only formed when the branch initiates the connection, as it is a dynamic peer connection to the HQ ASA.

    When there is no SA between branch and HQ for this traffic, the HQ ASA has no idea where to send the traffic destined for the AnyConnect network.

    I hope this explains the cause.

    Kind regards

    Averroès.

  • Cisco 1700 Setup as a hub for Cisco Anyconnect VPN

    The complete configuration for the router is attached. Additional configuration includes forwarding port 443 (both tcp/udp), udp 4500, udp 500 and udp 50 to 192.168.1.20.

    Objective: Configure a Cisco 1700 router as a VPN server that a Cisco AnyConnect VPN client connects into. The VPN server is behind a NAT.

    Question 1: Does the Cisco AnyConnect client pull its configuration set from the router? Do I just need to point it at the correct IP address and hit connect and it will do the rest? If not, what additional client-side configuration must be done? I noticed it tries to connect on port 443 to my router, but I don't really know why, and I know that my router is not listening on this port, so I know I'm missing something :-D

    Question 2: What features specifically does Easy VPN Server include? I am confused as to exactly what it is. From what I can tell, when you configure Easy VPN Server you simply set up a regular VPN.

    Question 3: Does Cisco Easy VPN Remote have something to do with Cisco AnyConnect, or are they completely distinct?

    Sorry for the newbie questions. It's really hard to understand the different systems and features, and most of the examples I found dealt with router-to-router VPN rather than configurations just for end-user computers, but I'll be the first to admit that I am new to this hahaha.

    Thanks for your help.

    PS: Any comments on the misconfigs are welcome. I'm still trying to fully understand exactly what each command does.

    Grant

    Grant,

    AnyConnect can do SSL VPN or IPsec (with IKEv2); EzVPN is all about IKEv1, so it won't work.

    There are (3rd-party) clients that will be able to connect to EzVPN, as well as the old Cisco VPN Client, but AC is not one of them.

    BTW... it's not 50/UDP, this is IP protocol 50 (or sometimes 51) - ESP (or AH).

    You don't need TCP and UDP 443 for IPsec, but you may need them for SSL.

    And seriously... 1700 series? Wow, this is 'retro' kit :-) Support ended 6 years ago.

    M.

  • Would become Anyconnect essentials Premium AnyConnect vpn on asa

    Dear team,

    We have a pair of Cisco ASA 5520s with version 8.2(5) working well in active/standby mode. As the situation requires, we intend to change from clientless SSL VPN (AnyConnect Premium) to AnyConnect VPN with mobile clients (iOS & Android).

    Please clarify the below:

    (1) I have read that we cannot have both AnyConnect Essentials & AnyConnect Premium on the same system at the same time. We need to disable one according to our need - please correct me?

    (2) What is the best way to deploy the client to end-user devices? Pushing from the ASA, or installing individually on each system? Which is best, I mean the latest version of the Windows, Mac etc. client I should get?

    While pushing from the ASA, how much memory/cache will be used, since we also have IPS (AIP-SSM) modules installed on the ASA? Which method should I adopt here?

    (3) What is the exact product name for the AnyConnect Essentials & Mobile client (iOS & Android) licenses we get from Cisco?

    (4) Once I get the correct license, how do I activate it on the systems? Should I remove the failover command and install the license on the two devices separately?

    (5) Finally, I need to authenticate AnyConnect Essentials VPN with LDAP, which is already configured for clientless SSL VPN (AnyConnect Premium). Any suggestions here?

    Below is the sh version output from the devices; it seems AnyConnect Essentials is already active... Please correct me?

    Active Firewall
    ===============

    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"

    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

     0: Ext: GigabitEthernet0/0  : address is a493.4ca3.ce0a, irq 9
     1: Ext: GigabitEthernet0/1  : address is a493.4ca3.ce0b, irq 9
     2: Ext: GigabitEthernet0/2  : address is a493.4ca3.ce0c, irq 9
     3: Ext: GigabitEthernet0/3  : address is a493.4ca3.ce0d, irq 9
     4: Ext: Management0/0       : address is a493.4ca3.ce09, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    VLANs                        : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 750
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials        : Enabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has an ASA 5520 VPN Plus license.

    =====================================================

    Standby Firewall
    ================

    Compiled on Sat 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"

    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

     0: Ext: GigabitEthernet0/0  : address is 6073.5cab.3fae, irq 9
     1: Ext: GigabitEthernet0/1  : address is 6073.5cab.3faf, irq 9
     2: Ext: GigabitEthernet0/2  : address is 6073.5cab.3fb0, irq 9
     3: Ext: GigabitEthernet0/3  : address is 6073.5cab.3fb1, irq 9
     4: Ext: Management0/0       : address is 6073.5cab.3fb2, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    VLANs                        : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 750
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials        : Enabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has an ASA 5520 VPN Plus license.

    Thank you

    1. Correct. You can run one or the other, but not both.

    2. Since you have the memory upgraded to 2 GB, you should be fine performing web deployment via the pkg file method.

    3. For a 5520, you need:

    L-ASA-AC-E-5520=
    L-ASA-AC-M-5520

    ...for the Essentials and Mobile licenses respectively.

    4. On ASA 8.2, you need licenses for both units. If you upgrade to 8.3+ (8.4(7) at least is recommended), you can share licenses between members of an HA pair. If you choose not to upgrade, just apply the activation key on the standby unit, then on the active unit. You don't need to touch the failover configuration. The standby unit's failover status will briefly show as ineligible while it holds a new license that the active unit doesn't. That will be resolved after you have applied the same license on the primary unit. (If you were on 8.3+ this would not happen at all.)

    5. Simply create a new connection profile for the Essentials clients using the same AAA server group.
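    As an added example (not code from this thread or from Cisco), here is a small Python parser for the "Licensed features for this platform:" block of show version that answers points 1, 3 and 4 above mechanically: it reports whether a unit's license block indicates Essentials or Premium, whether the separate AnyConnect for Mobile feature is present, and which features differ between the active and standby units of a failover pair (the mismatch that makes the standby briefly ineligible on 8.2). The two show version samples inside it are constructed for the example; the feature names follow the 8.2 output format, the counts are made up.

```python
"""Parse the licensed-features block of ASA 'show version' and compare the
two units of a failover pair.

Added example, not code from the forum thread or from Cisco. The sample
outputs below are constructed for the example; counts and hardware are made up.
"""
from typing import Dict, Tuple

# Constructed sample: active unit, AnyConnect Essentials enabled, no Mobile.
ACTIVE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
VLANs                        : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials        : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.
"""

# Constructed sample: standby unit after a Mobile key was applied to it only,
# i.e. the situation point 4 above describes.
STANDBY_SHOW_VERSION = "\n".join(
    "AnyConnect for Mobile        : Enabled" if line.startswith("AnyConnect for Mobile ") else line
    for line in ACTIVE_SHOW_VERSION.splitlines()
)


def parse_licensed_features(show_version: str) -> Dict[str, str]:
    """Return {feature name: value} from the licensed-features block.

    The block starts after the 'Licensed features for this platform:' line and
    ends at the first blank line; every line inside is 'Name : Value'.
    """
    features: Dict[str, str] = {}
    in_block = False
    for line in show_version.splitlines():
        if line.strip() == "Licensed features for this platform:":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break  # a blank line ends the block
        name, sep, value = line.partition(":")
        if sep:
            features[name.strip()] = value.strip()
    return features


def is_enabled(features: Dict[str, str], name: str) -> bool:
    """True when the named feature reads 'Enabled' (case-insensitive)."""
    return features.get(name, "Disabled").lower() == "enabled"


def anyconnect_mode(features: Dict[str, str]) -> str:
    """Essentials and Premium are not run together on one ASA (point 1 above).

    Reports 'essentials' when that feature is enabled, otherwise 'premium' when
    any SSL VPN (Premium) peers are licensed, else 'none'.
    """
    if is_enabled(features, "AnyConnect Essentials"):
        return "essentials"
    if int(features.get("SSL VPN Peers", "0")) > 0:
        return "premium"
    return "none"


def mobile_ready(features: Dict[str, str]) -> bool:
    """Mobile clients need an AnyConnect license (Essentials or Premium) plus
    the separate AnyConnect for Mobile feature (point 3 above)."""
    return anyconnect_mode(features) != "none" and is_enabled(features, "AnyConnect for Mobile")


def license_diff(active: Dict[str, str], standby: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Features whose value differs between the two units of a failover pair.

    On 8.2 each unit needs its own key, so a non-empty result is the usual
    reason the standby shows as ineligible after a key is applied (point 4)."""
    names = sorted(set(active) | set(standby))
    return {
        n: (active.get(n, "<missing>"), standby.get(n, "<missing>"))
        for n in names
        if active.get(n) != standby.get(n)
    }


if __name__ == "__main__":
    a = parse_licensed_features(ACTIVE_SHOW_VERSION)
    s = parse_licensed_features(STANDBY_SHOW_VERSION)
    print("active :", anyconnect_mode(a), "mobile ready:", mobile_ready(a))
    print("standby:", anyconnect_mode(s), "mobile ready:", mobile_ready(s))
    for name, (av, sv) in license_diff(a, s).items():
        print(f"MISMATCH {name}: active={av} standby={sv}")
```

    Run it against the real output of show version from both units (paste each into the corresponding string) and treat any non-empty license_diff as a to-do before trusting failover; the parser stops at the first blank line after the block, so the trailing "This platform has ..." sentence is ignored.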

  • AnyConnect VPN Mobile disabled 5505 SEC no more questions

    Hi all

    I have a 5505-SEC-BUN-K9 and must purchase an AnyConnect for Mobile VPN license.

    For the question now: I was able to activate AnyConnect for Mobile, but the Sec Plus features all failed. How can I check the issue?

    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 20             DMZ Unrestricted
    Dual ISPs                         : Enabled        perpetual
    VLAN Trunk Ports                  : 8              perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Standby perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : 25             perpetual
    Other VPN Peers                   : 25             perpetual
    Total VPN Peers                   : 25             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Enabled        76 days
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual

    Inside Hosts                      : 10
    Failover                          : Disabled
    Encryption-DES                    : Enabled
    Encryption-3DES-AES               : Enabled
    Security Contexts                 : Default
    GTP/GPRS                          : Disabled
    AnyConnect Premium Peers          : Default
    Other VPN Peers                   : Default
    Advanced Endpoint Assessment      : Disabled
    AnyConnect for Mobile             : Enabled
    AnyConnect for Cisco VPN Phone    : Disabled
    Shared License AnyConnect Premium Server : Disabled
    Shared License                    : Disabled
    UC Phone Proxy Sessions           : Default
    Total UC Proxy Sessions           : Default
    AnyConnect Essentials             : Enabled
    Botnet Traffic Filter             : Disabled
    Intercompany Media Engine         : Disabled
    Cluster License                   : Disabled

    Have you tried re-applying your activation key for the Security Plus license?

    If you don't have it available, you may need to open a TAC case to get the global licensing team to regenerate it for you.

  • AnyConnect VPN full tunnel could not access the site to site VPN

    I have an AnyConnect VPN set up with no split tunneling (U-turning/hairpinned traffic), running 8.2.5 code.

    It works fine, but I want to allow AnyConnect VPN clients to access the site-to-site VPN, which I have been unable to do.

    I checked that the AnyConnect network IP addresses are part of the tunnel on both sides.

    My logic tells me that I must not turn back traffic from the AnyConnect network for the site-to-site VPN, but I don't know how to do this.

    Any help would be appreciated.

    Here are the relevant parts of my config:

    (Domestic network is 192.168.0.0/24,

    the AnyConnect network is 192.168.10.0/24,

    site to site VPN network is 192.168.2.0/24)

    --------------------------------------------------------------------------------------

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.0.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

    ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
    webvpn
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
     svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
     svc enable
     tunnel-group-list enable
    group-policy AnyConnectGrpPolicy internal
    group-policy AnyConnectGrpPolicy attributes
     wins-server none
     dns-server value 192.168.0.33 192.168.2.33
     vpn-session-timeout none
     vpn-tunnel-protocol l2tp-ipsec svc
     split-tunnel-policy tunnelall
     address-pools value AnyConnectPool
    tunnel-group AnyConnectGroup type remote-access
    tunnel-group AnyConnectGroup general-attributes
     address-pool AnyConnectPool
     authentication-server-group SERVER1_AD
     default-group-policy AnyConnectGrpPolicy
    tunnel-group AnyConnectGroup webvpn-attributes
     authentication aaa certificate
     group-alias _AnyConnect enable

    Your remote-access VPN traffic appears as originating on the outside interface, so I think you need to exempt the VPN pool traffic directed to the site-to-site VPN from NAT. Something like this:

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

  • ASA checks AnyConnect VPN computer name

    Hi all

    I have searched the forum and documentation, but have not found a solution to my problem.  I'm guessing it comes up sometimes, but maybe I'm searching for the wrong thing.  We have AnyConnect deployed across our laptops, but have trouble with employees who get the AnyConnect software from other sources and install it on personal computers.  We are an agency, although a relatively small one, but we have policies in place and I need to lock it down so users are unable to connect to the VPN unless they are on a work PC joined to our AD domain.  A possible solution I found is to use Dynamic Access Policies within the ASA to check the Windows computer name.  So I set up LDAP and created a policy to check an AAA attribute.  It lets me select "MemberOf", which I assume is the user's group, but I need to check the name of the computer on the client before allowing access.

    Apart from what I did step by step, does anyone know of a more logical or easier way to lock down which computers the AnyConnect VPN client can be used on?

    Or, if I am going about this sensibly with dynamic access policies, does anyone have any suggestions or know of documentation that helps configure things properly when checking the computer name LDAP attribute?

    Thank you!

    JD

    Hey Joe,

    You do not need LDAP to do this; what you need is CSD (Cisco Secure Desktop) combined with DAP.

    Once you enable CSD, edit your DAP policy and, instead of an AAA attribute, add an Endpoint attribute (on the right-hand side).

    To verify the host name, select the attribute type "Device".

    Alternatively, you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain file name, a registry entry or a process name. CSD passes the result of this check to DAP, so you can use it in a policy (endpoint attributes of type Process, Registry and File).

    Another alternative is to use CSD with a prelogin policy - there you cannot check the host name, but it does give you checks on IP, OS type, certificate as well as the presence of a process, registry key or file. In this case you do not need DAP.

    HTH

    Herbert

  • AnyConnect VPN for Cisco ASA 5505 refused connections

    I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

    interface Vlan2
    mac-address xxxx.xxxx.xxxx
    nameif outside
    security-level 0
    ip address A.A.A.A 255.255.255.240
    !
    access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
    access-list outside_access_in extended permit tcp any host C.C.C.C eq https
    access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq https
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq www
    access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
    access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
    access-list outside_access_in extended permit gre any host C.C.C.C
    access-list outside_access_out extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip any interface outside
    access-list inside_access_out extended permit ip any any

    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside

    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable

    group-policy DfltGrpPolicy attributes
    dns-server value X.X.X.X
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value
    address-pools value palm
    webvpn
      svc rekey time 30
      svc rekey method ssl
      svc ask enable default webvpn

    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect http
      inspect icmp
      inspect ftp
    !

    When I try to connect, I get this error in the real-time log viewer:

    TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

    Here are the details of the license:

    Licensed features for this platform:
    Maximum Physical Interfaces  : 8
    VLANs                        : 3, DMZ Restricted
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 10
    Dual ISPs                    : Disabled
    VLAN Trunk Ports             : 0
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has a Base license.

    Can someone tell me what I am doing wrong or what access list I'm missing?

    I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

    Hi Matt,

    You are probably landing on the default tunnel-group - you will need to tell the client which group to connect to. This can be done in different ways - I see that you already have a group alias defined, but to be able to use it you must configure:

    webvpn
     tunnel-group-list enable

    Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ enable' to the tunnel-group's webvpn-attributes.

    HTH

    Herbert
