Cisco AnyConnect Client - unable to connect
-
I have a customer supplied anyconnect client, which works on multiple other networks. When I try and use it at home behind my 2100, I get "Connection Timed Out, please verify internet connectivity."
I have internet connectivity, and I changed DNS on my local machine. I even reverted my pfsense config to factory default as I thought maybe I had an odd setting in there somewhere. However that did not solve the issue either.
Sort of a newbie at this, but reading the forums here it seems this should work out of the box with default settings. Doing a packet capture on both the WAN and LAN interfaces I see the remote WAN IP making it through. So I'm thinking it's a protocol problem of some sort but I'm not sure where to go next. Any help in the right direction is appreciated.
-
Yup it should work with the default config.
You see traffic in both directions in the packet capture on WAN and LAN?
-
@joesense There is nothing to do on pfsense, I use anyconnect every day with work. Both this gig, the gig before that also used it and the one before that.. Never had any issue, never had to do anything special in pfsense.
If there was something that didn't work out of the box for anyconnect - I would think there would be many a person complaining or reporting problems since it has to be a common sort of setup where IT people working remote/home use anyconnect to connect to work.
What error do you get in the client?
please verify internet connectivity.
You have some sort of dns problem? It can resolve the fqdn it's trying to connect to? What does the message log say? For your connection attempts? Have you looked at your diagnostic (DART) output?
-
@johnpoz - the errors in the client log just say "unable to contact...xxx.domain." and then it retries a few more times and then I get the message "connection timed out. Please verify internet connectivity"
I did verify that the PFSense device can resolve the fqdn. Not sure what you mean by diagnostic (DART) output. I have checked the firewall logs and ran a packet capture. I'm starting to wonder if it's something on my ATT BGW320-500, I have fiber and have to put that into passthru mode.
@stephenw10 - In the FW logs I see their wan IP on both LAN and WAN interfaces, it shows my LAN IP > Their WAN IP tcp 0, but nothing the other way around. Although not sure if it would, I am sort of a newbie at this.
00:58:27.354533 IP x.x.x.x.39408 > x.x.x.x.443: tcp 0
Thanks for the replies, going to keep digging and I'll post here if I find a solution.
-
@joesense said in Cisco AnyConnect Client - unable to connect:
by diagnostic (DART) output
It's part of the anyclient.
-
@joesense said in Cisco AnyConnect Client - unable to connect:
Their WAN IP tcp 0, but nothing the other way around
00:58:27.354533 IP x.x.x.x.39408 > x.x.x.x.443: tcp 0
If you see pfsense send out traffic of your wan and you get no reply - that is not on pfsense, that is upstream of pfsense..
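An added example, not part of the original posts: a small script that reads capture lines in the brief format quoted above and lists TCP flows that were sent but never answered, which is the one-way pattern being discussed. The addresses and the `WAN_CAPTURE` sample are constructed (documentation ranges), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the brief capture lines shown in the thread, e.g.
# "00:58:27.354533 IP 192.0.2.10.39408 > 198.51.100.7.443: tcp 0"
LINE_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): tcp \d+"
)

def parse(capture_text):
    """Return a list of (src, sport, dst, dport) tuples; skip other lines."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            packets.append((src, int(sport), dst, int(dport)))
    return packets

def unanswered_flows(capture_text):
    """Map each flow that has no packet in the reverse direction to its count."""
    counts = defaultdict(int)
    for pkt in parse(capture_text):
        counts[pkt] += 1
    one_way = {}
    for (src, sport, dst, dport), n in counts.items():
        # A reply would appear with source and destination swapped.
        if (dst, dport, src, sport) not in counts:
            one_way[(src, sport, dst, dport)] = n
    return one_way

# Constructed WAN-side sample: retries to one host with no reply,
# plus a second connection that does get an answer.
WAN_CAPTURE = """\
00:58:27.354533 IP 192.0.2.10.39408 > 198.51.100.7.443: tcp 0
00:58:28.361002 IP 192.0.2.10.39408 > 198.51.100.7.443: tcp 0
00:58:30.377411 IP 192.0.2.10.39408 > 198.51.100.7.443: tcp 0
00:58:31.100200 IP 192.0.2.10.51522 > 203.0.113.5.443: tcp 0
00:58:31.121933 IP 203.0.113.5.443 > 192.0.2.10.51522: tcp 0
"""

if __name__ == "__main__":
    for flow, n in unanswered_flows(WAN_CAPTURE).items():
        print("%s:%d -> %s:%d sent %d packets, no reply seen" % (*flow, n))
```

Run against a capture taken on the WAN interface, a flow listed here left the firewall and got nothing back, so the next place to look is upstream of it.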
-
@johnpoz - you are correct. I just connected directly to my ATT fiber modem/gateway and I still got the same error. Now searching other forums for this gateway they are making me use. Thanks all for the help.
-
Go for a traceroute to find more information.