Skip to content

Latest commit

 

History

History
185 lines (135 loc) · 4.2 KB

File metadata and controls

185 lines (135 loc) · 4.2 KB

Troubleshooting Checklist — SecureAccess AnyConnect SSL VPN

⚡ Diagnostic Order (Based on Real Journey)

Layer 1: VMnet2 outside reachability
Layer 2: SSL certificate on outside
Layer 3: Browser TLS compatibility
Layer 4: Portal loading
Layer 5: AnyConnect package
Layer 6: User authentication (the password loop)
Layer 7: VPN IP assignment
Layer 8: DMZ server access

Layer 1 — VMnet2 Outside Reachability

ASA-GW# show interface Ethernet0
→ up/up, 192.168.91.11 ✅

ASA-GW# ping 192.168.91.204  ← engineer PC

If no connectivity: [ ] Cloud-VMnet2 using VMnet2 adapter (NOT VMnet1) [ ] Cable to ASA Ethernet0 (outside) [ ] Each Cloud node uses a DIFFERENT adapter [ ] Engineer PC VMnet2 = 192.168.91.204

Note: ASA blocks ping to outside by default — test with telnet 192.168.91.11 443 instead.


Layer 2 — SSL Certificate

ASA-GW# show ssl
→ outside interface: SSL-CERT ✅

ASA-GW# show crypto ca certificates
→ SSL-CERT present ✅

If ssl-handshake-failed in show asp drop: [ ] crypto key generate rsa modulus 2048 [ ] crypto ca trustpoint SSL-CERT / enrollment self [ ] crypto ca enroll SSL-CERT noconfirm [ ] ssl trust-point SSL-CERT outside


Layer 3 — Browser TLS Compatibility

Symptom: connection reset / INET_E_DOWNLOAD_FAILURE

Fix on ASA: [ ] ssl server-version tlsv1 [ ] ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

Fix on browser: [ ] Firefox about:config → security.tls.version.min = 1 [ ] Or Edge → enable older TLS

Test with: telnet 192.168.91.11 443 (proves port open) Test with: curl.exe -k https://192.168.91.11


Layer 4 — Portal Loading

https://192.168.91.11
→ accept cert warning → portal loads ✅

If not loading: [ ] webvpn → enable outside [ ] anyconnect enable [ ] http 0.0.0.0 0.0.0.0 outside [ ] access-list permit tcp any any eq 443 on outside


Layer 5 — AnyConnect Package

ASA-GW# show webvpn anyconnect image
→ packages listed and active ✅

If no download button: [ ] dir disk0: → verify .pkg exists [ ] anyconnect image disk0:/filename.pkg 1 [ ] anyconnect enable


Layer 6 — Authentication (THE PASSWORD LOOP)

Symptom: login keeps re-prompting for password

THE FIX: [ ] tunnel-group SECUREACCESS-VPN general-attributes [ ] authentication-server-group LOCAL ← critical [ ] Also add to DefaultWEBVPNGroup [ ] username employee1 password Emp@2024 exists

ASDM: [ ] Connection Profile → Basic → Authentication [ ] Method: AAA, Server Group: LOCAL

Debug: debug aaa authentication 255


Layer 7 — VPN IP Assignment

ipconfig on PC → AnyConnect adapter 192.168.200.x ✅
ASA-GW# show vpn-sessiondb anyconnect → IP assigned ✅

If no IP: [ ] ip local pool VPN-POOL 192.168.200.10-100 [ ] tunnel-group address-pool VPN-POOL [ ] group-policy references pool


Layer 8 — DMZ Server Access

ping 192.168.10.10 while connected → !!!!! ✅

If fails: [ ] NAT exemption VPN-POOL to DMZ-SERVERS [ ] ACL permits 192.168.200.0/24 to 192.168.10.0/24 [ ] DMZ servers have default route to 192.168.10.1


🔑 The 5 Blockers We Hit (In Order)

# Blocker Root Cause Fix
1 Portal won't load No SSL cert on outside ssl trust-point outside
2 Connection reset Old SSLv3 vs modern browser ssl server-version tlsv1 + Firefox config
3 Password loops No auth-server-group authentication-server-group LOCAL
4 Profile empty/no SSL AnyConnect access not enabled Enable SSL access on outside in ASDM
5 VMnet2 unreachable Wrong Cloud adapter Cloud-VMnet2 → VMnet2 → ASA Eth0

🔑 Key Show Commands

show vpn-sessiondb anyconnect      ← active sessions
show webvpn anyconnect image       ← package status
show ssl                           ← cert on interface
show asp drop                      ← why packets dropped
show running-config tunnel-group   ← auth config
show running-config webvpn         ← webvpn config
show ip local pool VPN-POOL        ← pool usage

⚡ Debug Commands

debug webvpn anyconnect 255
debug aaa authentication 255
debug crypto ssl 255
undebug all