Layer 1: VMnet2 outside reachability
Layer 2: SSL certificate on outside
Layer 3: Browser TLS compatibility
Layer 4: Portal loading
Layer 5: AnyConnect package
Layer 6: User authentication (the password loop)
Layer 7: VPN IP assignment
Layer 8: DMZ server access
ASA-GW# show interface Ethernet0
→ up/up, 192.168.91.11 ✅
ASA-GW# ping 192.168.91.204 ← engineer PC
If no connectivity: [ ] Cloud-VMnet2 using VMnet2 adapter (NOT VMnet1) [ ] Cable to ASA Ethernet0 (outside) [ ] Each Cloud node uses a DIFFERENT adapter [ ] Engineer PC VMnet2 = 192.168.91.204
Note: ASA blocks ping to outside by default — test with telnet 192.168.91.11 443 instead.
ASA-GW# show ssl
→ outside interface: SSL-CERT ✅
ASA-GW# show crypto ca certificates
→ SSL-CERT present ✅
If ssl-handshake-failed in show asp drop: [ ] crypto key generate rsa modulus 2048 [ ] crypto ca trustpoint SSL-CERT / enrollment self [ ] crypto ca enroll SSL-CERT noconfirm [ ] ssl trust-point SSL-CERT outside
Symptom: connection reset / INET_E_DOWNLOAD_FAILURE
Fix on ASA: [ ] ssl server-version tlsv1 [ ] ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
Fix on browser: [ ] Firefox about:config → security.tls.version.min = 1 [ ] Or Edge → enable older TLS
Test with: telnet 192.168.91.11 443 (proves port open) Test with: curl.exe -k https://192.168.91.11
https://192.168.91.11
→ accept cert warning → portal loads ✅
If not loading: [ ] webvpn → enable outside [ ] anyconnect enable [ ] http 0.0.0.0 0.0.0.0 outside [ ] access-list permit tcp any any eq 443 on outside
ASA-GW# show webvpn anyconnect image
→ packages listed and active ✅
If no download button: [ ] dir disk0: → verify .pkg exists [ ] anyconnect image disk0:/filename.pkg 1 [ ] anyconnect enable
Symptom: login keeps re-prompting for password
THE FIX: [ ] tunnel-group SECUREACCESS-VPN general-attributes [ ] authentication-server-group LOCAL ← critical [ ] Also add to DefaultWEBVPNGroup [ ] username employee1 password Emp@2024 exists
ASDM: [ ] Connection Profile → Basic → Authentication [ ] Method: AAA, Server Group: LOCAL
Debug: debug aaa authentication 255
ipconfig on PC → AnyConnect adapter 192.168.200.x ✅
ASA-GW# show vpn-sessiondb anyconnect → IP assigned ✅
If no IP: [ ] ip local pool VPN-POOL 192.168.200.10-100 [ ] tunnel-group address-pool VPN-POOL [ ] group-policy references pool
ping 192.168.10.10 while connected → !!!!! ✅
If fails: [ ] NAT exemption VPN-POOL to DMZ-SERVERS [ ] ACL permits 192.168.200.0/24 to 192.168.10.0/24 [ ] DMZ servers have default route to 192.168.10.1
| # | Blocker | Root Cause | Fix |
|---|---|---|---|
| 1 | Portal won't load | No SSL cert on outside | ssl trust-point outside |
| 2 | Connection reset | Old SSLv3 vs modern browser | ssl server-version tlsv1 + Firefox config |
| 3 | Password loops | No auth-server-group | authentication-server-group LOCAL |
| 4 | Profile empty/no SSL | AnyConnect access not enabled | Enable SSL access on outside in ASDM |
| 5 | VMnet2 unreachable | Wrong Cloud adapter | Cloud-VMnet2 → VMnet2 → ASA Eth0 |
show vpn-sessiondb anyconnect ← active sessions
show webvpn anyconnect image ← package status
show ssl ← cert on interface
show asp drop ← why packets dropped
show running-config tunnel-group ← auth config
show running-config webvpn ← webvpn config
show ip local pool VPN-POOL ← pool usage
debug webvpn anyconnect 255
debug aaa authentication 255
debug crypto ssl 255
undebug all