Tuesday, March 5, 2024

How to resolve "Login Failed" after a Cisco AnyConnect client update over a Cisco ASA connection


There is a procedure to upgrade the Cisco AnyConnect client, but after the upgrade the login fails.

The error message is "Login Failed".

The solution is to reboot the client machine (e.g. the Windows laptop).
It will then establish a new connection to the Cisco ASA.

The reason is that without a reboot, the new client tries to reuse the same session to reconnect to the ASA. That session was interrupted by the upgrade, so it cannot reconnect until the session expires after 30 minutes.

Reference:
If anyconnect session is interrupted, he fails to connect due to IP conflict during 30m

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: "The installer was not able to start the Cisco VPN client, clientless access is not available." In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: "User not authorized for AnyConnect Client access, contact your administrator." This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The DART bundle files show this error message when the user gets disconnected: "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: The secure gateway failed to respond to Dead Peer Detection packets." This error means that the DTLS channel was torn down due to a Dead Peer Detection (DPD) failure. It is resolved if you tweak the DPD keepalives and issue these commands:

    webvpn
     svc keepalive 30
     svc dpd-interval client 80
     svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later, as shown here:

    webvpn
     anyconnect ssl keepalive 15
     anyconnect dpd-interval client 5
     anyconnect dpd-interval gateway 5