Anyconnect Was Not Able To Establish Gateway




[solved] how to resolve the Cisco VPN error message “Anyconnect was not able to establish a connection to the secure gateway. Please try connecting again”.

You can also see the following error in the Cisco AnyConnect event logs.

AnyConnect VPN drops the connection after a few minutes, and in the ASA logs you can see that the disconnect reason is "user requested".


Hi Josue, I'm sorry that this VPN gateway is provided by our partner. I do not have the access to check ASA. Please note I'm able to connect VPN from my physical machine which is also Windows 10.

A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

CSCvs40531 - AnyConnect 4.8 not able to establish RA. (Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again)

I have been working with a colleague of mine in Dakar to connect my computer to the Dakar system via the VPN connections.

The main issue is the user's ISP firewall in the path blocking UDP 443, the port the DTLS tunnel uses.

Background Information from the Cisco site


Types of Tunnels

There are two methods used in order to connect an AnyConnect session:

  • Via the Portal (Clientless)
  • Via the Standalone Application

Based on the way you connect, you create three different tunnels (sessions) on the ASA, each one with a specific purpose:

  1. Clientless or Parent-Tunnel: This is the main session that is created in the negotiation in order to set up the session token that is necessary in case a reconnect is needed due to network connectivity issues or hibernation. Based on the connection mechanism, the Cisco Adaptive Security Appliance (ASA) lists the session as Clientless (Weblaunch via the Portal) or Parent (Standalone AnyConnect).
    Note: The AnyConnect-Parent represents the session when the client is not actively connected. Effectively, it works similar to a cookie, in that it is a database entry on the ASA that maps to the connection from a particular client. If the client shuts down or sleeps, the tunnels (IPsec/Internet Key Exchange (IKE)/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) protocols) are torn down, but the Parent remains until the idle timer or maximum connect time takes effect. This allows the user to reconnect without reauthenticating.
  2. Secure Sockets Layer (SSL)-Tunnel: The SSL connection is established first, and data is passed over this connection while it attempts to establish a DTLS connection. Once the DTLS connection is established, the client sends the packets via the DTLS connection instead of via the SSL connection. Control packets, on the other hand, always go over the SSL connection.
  3. DTLS-Tunnel: When the DTLS-Tunnel is fully established, all data moves to the DTLS-tunnel, and the SSL-Tunnel is only used for occasional control channel traffic. If something happens to User Datagram Protocol (UDP), the DTLS-Tunnel is torn down and all data passes through the SSL-Tunnel again.

Below is the error message that you get; however, most likely this is due to the ASA firewall sending a TCP reset: it first authenticates the user and then sends a reset, which drops the connection.

The second error message is “The vpn client failed to establish a connection”

It is always best practice to rule out the user side first, by restarting the PC or restarting the Cisco AnyConnect services, to be sure that the problem is not related to the client.

A few things to test before you start looking at the ASA


  1. Reboot the computer.
  2. Disable the antivirus and connect again.
  3. Right-click the AnyConnect icon and choose Repair.
  4. Collect the AnyConnect DART bundle, which has lots of information.
  5. Additionally, check that the ICS service is not running:
    1. Select the Start button and then select Run.
    2. Type services.msc and press ENTER on your keyboard.
    3. Find Internet Connection Sharing (ICS) and then stop the service.
    4. Change the Startup Type to Disabled and then reboot the computer.
  6. Make sure DHCP is assigning addresses if you are using a DHCP server.

If the above does not work, then you will need to log in to the ASA and check whether it is the ASA that is dropping the connection because the connection is not coming in as DTLS. The issue may then be related to DTLS.


The simple solution to this is to disable DTLS in the group policy applied to the tunnel group, so that the client stays on the SSL-Tunnel (TCP 443) instead of trying to move data to the DTLS-Tunnel (UDP 443).

You can do so on the ASA CLI (the AnyConnect settings live under webvpn inside the group-policy attributes):

group-policy <name-of-the-group-policy> attributes
 webvpn
  anyconnect ssl dtls none
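The check below is an added example, not code from this post or from Cisco. Run from the affected client, it tests whether the gateway completes a TLS handshake on TCP/443 (the SSL-Tunnel path) and whether UDP/443 (the DTLS-Tunnel path) is actively refused somewhere on the way, then maps the two results to the next step described above; the gateway name vpn.example.com is a placeholder.

```python
import socket
import ssl

def check_tcp_tls(host, port=443, timeout=5.0):
    """True if a TLS handshake to host:port completes (the SSL-Tunnel path)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # gateway may use a private CA; we only
    ctx.verify_mode = ssl.CERT_NONE   # need to know the handshake completes
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False

def probe_udp(host, port=443, timeout=3.0):
    """Send one short datagram to host:port and classify what comes back:
    'refused' = ICMP port-unreachable (a host or firewall rejected it),
    'silent'  = nothing (filtered upstream or DTLS not enabled; inconclusive),
    'reply'   = some datagram was answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))  # connected UDP surfaces ICMP errors
            sock.send(b"\x16\xfe\xfd")  # junk bytes, not a real DTLS handshake
            sock.recv(1024)
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "refused"            # Linux raises refused, Windows reset
        except OSError:                 # includes socket.timeout
            return "silent"

def diagnose(tcp_ok, udp_state):
    """Map the two probes to the next troubleshooting step from the post."""
    if not tcp_ok:
        return "tcp-blocked: no SSL-Tunnel; check DNS, the TCP/443 path and the ASA"
    if udp_state == "refused":
        return ("udp-refused: UDP/443 rejected on the path, so DTLS will fail; "
                "expect fallback to the SSL-Tunnel or disable DTLS in the group-policy")
    if udp_state == "silent":
        return "udp-inconclusive: no answer on UDP/443; if drops persist, test with DTLS disabled"
    return "udp-open: DTLS path answers; look at the ASA logs rather than the client"

if __name__ == "__main__":
    import sys
    gw = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder gateway
    print(diagnose(check_tcp_tls(gw), probe_udp(gw)))
```

A "silent" UDP result cannot distinguish an upstream drop from DTLS simply being disabled on the ASA, so treat it as a prompt to test with DTLS off rather than as proof of blocking.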


That should resolve your issue. Thanks for reading this.