Cisco Anyconnect Timed Out




I came across this issue when an unanswered DUO push put the AAA servers on the ASA into a failed state, essentially preventing everyone from connecting to the VPN.

The design was similar to this post. In short, an unanswered DUO push on the DUO proxy would cause ISE to log “Radius request dropped” with the reason “11353 No more external Radius servers”, which in turn would cause the ASA to mark the RADIUS AAA servers configured for VPN user authentication as failed.


After reviewing the configuration and going through multiple posts on the web, I came across a similar issue (which pointed to timers), but it still did not give me the answer I was looking for, so I turned to packet capture to find more clues.

First, I knew that an unanswered push has to eventually generate an Access-Reject from the DUO proxy to ISE. DUO logs are verbose enough to spot “Login timed out” and the Access-Reject.

Next, I did a packet capture on ISE to confirm that the Access-Reject was received and forwarded to the ASA. In the capture below the ASA IP ends in .4, ISE in .57 and the DUO proxy in .30.

So, looking at the capture below, I see the ASA sending an Access-Request to ISE (#210) and ISE forwarding it to DUO (#211). Then, because the push is unanswered, we see duplicate requests and retries, and finally DUO responds with an Access-Reject to ISE (#1618), but ISE stays silent and nothing is sent back to the ASA. This explained why the ASA RADIUS servers were going into a failed state: the ASA kept re-sending the request until the server was marked as failed (that is when the Login failed message is displayed on the AnyConnect client). But I still did not know why ISE was not sending the Access-Reject back to the ASA.

I tested this setup on ISE 2.7p2 and then on 2.4p9-11 to rule out bugs and still got the same behavior, so this brought me back to reviewing the configuration and taking a closer look at the timers. I was looking for clues and found one here. Based on the DUO article, the ISE external RADIUS server timeout had to be set to 65 seconds (by default it is 5).


Looking at the ASA configuration, I see my RADIUS server timeout is set to 60:

aaa-server ISE (inside) host <IP>
 timeout 60
 key *****

After updating the timeouts I did another capture. In this capture the ASA IP ends in .4, ISE in .22 and the DUO proxy in .30. We see the same behavior up until DUO returns the Access-Reject to ISE (#3237), and now ISE returns an Access-Reject to the ASA (#3239).


This is because ISE did not mark DUO as a dead server before the ASA marked ISE as unavailable (65 > 60), so when ISE received the reject from DUO it forwarded it to the ASA.
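As an added example (not part of this write-up and not a Cisco or Duo tool), the following Python audits a RADIUS capture of the ASA -> ISE -> DUO proxy chain the way the two captures above were read by hand: it counts retransmissions per hop and flags any Access-Reject that arrived from the DUO proxy but was never relayed to the ASA. The addresses, Identifiers and frames are constructed stand-ins for the captures described above, and the header parsing follows RFC 2865.

```python
import struct
from collections import Counter
ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RFC 2865 packet codes needed for this audit
ASA, ISE, DUO = "192.0.2.4", "192.0.2.57", "192.0.2.30"  # hypothetical stand-ins for .4 / .57 / .30

def parse_radius_header(pkt: bytes):
    """Return (code, identifier) from the 20-byte RADIUS header, rejecting malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"invalid RADIUS length field {length}")
    return code, ident

def radius(code: int, ident: int) -> bytes:
    # Constructed minimal datagram: header plus a zeroed Authenticator, no attributes
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

def audit_proxy_chain(frames):
    """frames: (frame_no, seconds, src, dst, payload) tuples in capture order.
    Counts retransmissions per hop and checks that every DUO->ISE reject is relayed ISE->ASA."""
    retries, seen = Counter(), set()
    pending, relayed = [], []  # pending: DUO rejects that ISE has not yet relayed to the ASA
    for frame_no, t, src, dst, payload in frames:
        code, ident = parse_radius_header(payload)
        hop = f"{src}->{dst}"
        if code == ACCESS_REQUEST:
            if (hop, ident) in seen:
                retries[hop] += 1  # same Identifier re-sent on the same hop = a retry
            seen.add((hop, ident))
        elif code == ACCESS_REJECT and (src, dst) == (DUO, ISE):
            pending.append((frame_no, t))
        elif code == ACCESS_REJECT and (src, dst) == (ISE, ASA) and pending:
            duo_frame, duo_t = pending.pop(0)
            relayed.append((duo_frame, frame_no, round(t - duo_t, 3)))  # relay latency in seconds
    return {"retries": dict(retries), "relayed": relayed, "dropped_by_ise": [f for f, _ in pending]}
# Constructed captures mirroring the article's two runs (not real pcap data).
BROKEN_RUN = [  # ISE external timeout 5 s: DUO is already "dead" to ISE when its reject arrives
    (210, 0.000, ASA, ISE, radius(ACCESS_REQUEST, 7)),
    (211, 0.002, ISE, DUO, radius(ACCESS_REQUEST, 42)),
    (214, 5.003, ISE, DUO, radius(ACCESS_REQUEST, 42)),  # ISE retry after its 5 s timeout
    (230, 10.001, ASA, ISE, radius(ACCESS_REQUEST, 7)),  # ASA retry
    (1618, 60.210, DUO, ISE, radius(ACCESS_REJECT, 42)),  # "Login timed out" reject from DUO
]
FIXED_RUN = [  # ISE external timeout 65 s: the reject lands inside ISE's window and is relayed
    (3230, 0.000, ASA, ISE, radius(ACCESS_REQUEST, 9)),
    (3231, 0.002, ISE, DUO, radius(ACCESS_REQUEST, 51)),
    (3237, 60.190, DUO, ISE, radius(ACCESS_REJECT, 51)),
    (3239, 60.191, ISE, ASA, radius(ACCESS_REJECT, 9)),
]
```

Running `audit_proxy_chain` over a real capture exported as (frame, time, src, dst, UDP payload) tuples gives the same verdict the manual reading gave: a non-empty `dropped_by_ise` list is the symptom, and the per-hop retry counts show which side gave up first.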


The issue was resolved.