While attempting to connect to a Cisco firewall with a Linux client (in my case Ubuntu 10.10) using AnyConnect, you see the following error.
Or on Mac OSX:
Error: Cisco AnyConnect VPN Client
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
Note: You may also see this error on a Mac OSX, or a Windows CE machine.
You try to connect to your Cisco CSC module, and see the following error.
Error: Activation Warning CSC is not activated. Please run setup wizard under Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup to perform setup process. Click OK button to go to Trend Micro Content Security Setup wizard.
Naturally, if you’ve never set up the CSC you are going to see this, but what if it suddenly starts doing this?
3. This one’s unresponsive; it probably just needs restarting. To do that, issue the following command.
[box]hw-module module 1 reset[/box]
4. They can take a little while to come up (apply the cup of coffee rule). Then, to see if it’s back up again, use the same command you used earlier.
[box]sh mod 1 det[/box]
That didn’t work! Sometimes CSC modules do fail; I had one client go through three in a year. If doing the above or running through the setup wizard (you did write down the licence numbers that came with the CSC, didn’t you?) doesn’t work, then you need to log a call to TAC.
Related Articles, References, Credits, or External Links
By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. Should you wish to increase that, you can on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the “Head End”.
1. Connect to the firewall (see here for instructions).
2. Login and go to enable mode.
[box]
User Access Verification
Password:
Type help or ‘?’ for a list of available commands.
PetesASA> en
Password: ********
[/box]
3. We need to change the remote access IPsec VPN tunnel group. To find out what it’s called, issue a “show running-config tunnel-group” command.
The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).
[box]
PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< It's an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this one's an SSL group :(
group-alias PNL enable
PetesASA#
[/box]
4. Enter configuration mode (conf t) > then, to add the new attribute, issue “tunnel-group {tunnel group name} ipsec-attributes” > then, to disable the keepalives, issue “isakmp keepalive threshold infinite”.
Finally, save your hard work with a “write mem” command.
[box]
PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)#
PetesASA(config-tunnel-ipsec)# write mem
Building configuration…
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13
9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#
[/box]
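If you look after more than one ASA, picking the right tunnel group out of “show running-config tunnel-group” by eye gets tedious. The script below is an added example (not from the article or from Cisco) that applies the rule from step 3 to saved CLI output: it finds every tunnel group that is both “type remote-access” and has an “ipsec-attributes” block, reports whether “isakmp keepalive threshold infinite” is already present, and prints the step 4 commands only for the groups that still need them. The sample output is constructed to look like the article’s, with an extra site-to-site group added to show that it is correctly skipped; the real command output indents sub-commands with a single space, which the parser tolerates but does not require.

```python
import re
from collections import defaultdict

# Constructed sample of "show running-config tunnel-group" output, modelled on
# the article's example (not captured from a real device). L2L-BRANCH is a
# site-to-site group that already has keepalives disabled; it must be ignored.
SAMPLE_CONFIG = """\
tunnel-group IPSEC-VPN-GROUP type remote-access
tunnel-group IPSEC-VPN-GROUP general-attributes
 address-pool IPSEC-VPN-DHCP-POOL
 authentication-server-group PNL-KERBEROS LOCAL
 default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
 pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access
tunnel-group SSL-VPN-POLICY general-attributes
 address-pool SSL-VPN-DHCP-POOL
 default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
 group-alias PNL enable
tunnel-group L2L-BRANCH type ipsec-l2l
tunnel-group L2L-BRANCH ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold infinite
"""

# Matches either "tunnel-group NAME type TYPE" or "tunnel-group NAME xxx-attributes".
HEADER_RE = re.compile(r"^tunnel-group\s+(\S+)\s+(?:type\s+(\S+)|(\S+-attributes))\s*$")


def parse_tunnel_groups(config):
    """Return {name: {"type": str|None, "sections": {section: [sub-commands]}}}."""
    groups = defaultdict(lambda: {"type": None, "sections": {}})
    current = None  # (group name, section) of the attribute block being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            name, gtype, section = m.groups()
            if gtype:                       # "type remote-access" / "type ipsec-l2l"
                groups[name]["type"] = gtype
                current = None
            else:                           # start of an attributes block
                groups[name]["sections"].setdefault(section, [])
                current = (name, section)
            continue
        if current:                         # sub-command belonging to the open block
            groups[current[0]]["sections"][current[1]].append(line.strip())
    return dict(groups)


def remote_access_ipsec_groups(groups):
    """Names of groups that are remote-access AND carry an ipsec-attributes block."""
    return sorted(name for name, g in groups.items()
                  if g["type"] == "remote-access" and "ipsec-attributes" in g["sections"])


def keepalive_disabled(groups, name):
    """True if the group's ipsec-attributes already disable ISAKMP keepalives."""
    attrs = groups.get(name, {}).get("sections", {}).get("ipsec-attributes", [])
    return any(cmd.startswith("isakmp keepalive threshold infinite") for cmd in attrs)


def remediation_commands(config):
    """The article's step 4 commands, emitted only for groups that still need them."""
    groups = parse_tunnel_groups(config)
    cmds = []
    for name in remote_access_ipsec_groups(groups):
        if not keepalive_disabled(groups, name):
            cmds.append(f"tunnel-group {name} ipsec-attributes")
            cmds.append(" isakmp keepalive threshold infinite")
    return cmds


if __name__ == "__main__":
    parsed = parse_tunnel_groups(SAMPLE_CONFIG)
    for name in remote_access_ipsec_groups(parsed):
        state = "already disabled" if keepalive_disabled(parsed, name) else "still enabled"
        print(f"{name}: ISAKMP keepalives {state}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

One thing worth keeping in mind when you roll this out: “isakmp keepalive threshold infinite” stops the ASA sending keepalives to the client, so a client that simply disappears off the network is no longer detected by DPD and its tunnel stays up until the idle timeout (or the next successful connection) clears it. That is exactly what the article wants for flaky links, but it also means “show vpn-sessiondb” can show sessions for people who went home hours ago.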
I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. As these units are now getting retired, moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did, for posterity and to help anyone else out.
Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5); see here.
Solution