Cisco Anyconnect Timed Out
I came across this issue when an unanswered DUO push took the AAA servers on the ASA into a failed state, essentially preventing everyone from VPNing in.
The design was similar to this post. In short, an unanswered DUO push on the DUO proxy would cause an ISE “Radius request dropped” log message due to “11353 No more external Radius servers”, which in turn would cause the ASA to fail the AAA RADIUS servers configured for VPN user authentication.
After reviewing the configuration and going through multiple posts on the web, I came across a similar issue (which pointed to timers), but it still did not give me the answer I was looking for, so I turned to packet capture to find more clues.
First, I knew that an unanswered push has to eventually generate an Access-Reject from the DUO proxy to ISE. The DUO logs are verbose enough to spot “Login timed out” and the Access-Reject.
Next, I did a packet capture on ISE to confirm the Access-Reject was received and forwarded to the ASA. To follow the logic below: the ASA IP is .4, ISE is .57, and the DUO proxy is .30.

So, looking at the capture below, I see the ASA sending an Access-Request to ISE (#210) and ISE to DUO (#211). Then, due to the unanswered push, we have duplicate requests/retries, and finally DUO responds with an Access-Reject (#1618) to ISE, but ISE is silent and nothing is sent back to the ASA. This explained why the ASA RADIUS servers were going into a failed state: the ASA kept re-requesting an answer until the server was marked as failed (that is when the Login failed message is displayed on the AnyConnect client). But I still did not know why ISE was not sending the Access-Reject back to the ASA.
I tested this setup on ISE 2.7p2 and then on 2.4p9-11 to rule out any bugs and still got the same behavior. So this brought me back to reviewing the configuration and taking a closer look at the timers. I was looking for clues and found one here. Based on the DUO article, the ISE external RADIUS server timeout had to be set to 65 seconds (by default it is 5).
Looking at the ASA configuration, I see my RADIUS server timeout is set to 60.

aaa-server ISE (inside) host <IP>
 timeout 60
 key *****

After updating the timeouts I did another capture. To follow the logic below: the ASA IP is .4, ISE is .22, and the DUO proxy is .30. We see the same behavior up until DUO returns the Access-Reject to ISE (#3237), and now we see ISE return the Access-Reject to the ASA (#3239).
This is because ISE did not mark DUO as a dead server before the ASA marked ISE as unavailable (65 > 60), so when ISE received the reject from DUO it forwarded it to the ASA.
The issue was resolved.
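
The capture comparison described above can be scripted. This is an added example, not the author's code; the full IP addresses, RADIUS identifiers and timestamps are constructed. It flags any hop where the proxy (ISE) got a reply from its upstream server (DUO) but never answered its own client (ASA).

```python
from collections import namedtuple

# One RADIUS packet from a capture. Real matching also keys on the UDP source
# port; identifier plus address pair is enough for this sketch.
Pkt = namedtuple("Pkt", "t src dst code ident")
REPLIES = {"Access-Accept", "Access-Reject", "Access-Challenge"}
ASA, ISE, DUO = "10.0.0.4", "10.0.0.57", "10.0.0.30"   # constructed addresses

def build(asa_gets_reply):
    """Constructed capture: DUO rejects about 60 s after an unanswered push."""
    pkts = [Pkt(0.0, ASA, ISE, "Access-Request", 12),
            Pkt(0.1, ISE, DUO, "Access-Request", 80),
            Pkt(5.1, ISE, DUO, "Access-Request", 80),    # duplicate/retry
            Pkt(60.0, ASA, ISE, "Access-Request", 12),   # duplicate/retry
            Pkt(60.3, DUO, ISE, "Access-Reject", 80)]
    if asa_gets_reply:                                   # second capture
        pkts.append(Pkt(60.4, ISE, ASA, "Access-Reject", 12))
    return pkts

def hops(pkts):
    """Map (client, server, ident) -> first request time, request count, reply."""
    table = {}
    for p in sorted(pkts, key=lambda p: p.t):
        if p.code == "Access-Request":
            h = table.setdefault((p.src, p.dst, p.ident),
                                 {"first": p.t, "sent": 0, "reply": None, "reply_t": None})
            h["sent"] += 1
        elif p.code in REPLIES and (p.dst, p.src, p.ident) in table:
            h = table[(p.dst, p.src, p.ident)]
            if h["reply"] is None:
                h["reply"], h["reply_t"] = p.code, p.t
    return table

def swallowed_replies(pkts):
    """Hops whose client never got an answer although the proxy itself did."""
    table, found = hops(pkts), []
    for (client, proxy, _), h in table.items():
        if h["reply"] is not None:
            continue
        for (src, upstream, _), u in table.items():
            if src == proxy and u["reply"] and u["first"] >= h["first"]:
                found.append({"client": client, "proxy": proxy, "upstream": upstream,
                              "client_requests": h["sent"], "upstream_reply": u["reply"],
                              "upstream_latency": round(u["reply_t"] - u["first"], 1)})
    return found

if __name__ == "__main__":
    for name, cap in (("first capture", build(False)), ("second capture", build(True))):
        print(name, swallowed_replies(cap))
```

An `upstream_latency` longer than the proxy's external RADIUS server timeout is the signature of the first capture: the reply arrived after the proxy had stopped waiting.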
After connecting to the VPN client, Internet connectivity stops working (including network shared drives). The network connection may show up as 'Local Connection Only.'
These steps are adapted from: http://msdynamicstips.com/2011/06/27/vpn-connection-disconnects-internet-connection/.
On Windows 7:
1. Click on the Start button.
2. In the search box, type ncpa.cpl. Press Enter.
3. The Network Connections window should open. Right-click on the Cisco AnyConnect Secure Mobility Client Connection. Click on Properties.
4. Select the Networking tab.
5. Select Internet Protocol Version 4 (TCP/IPv4) from 'This connection uses the following items.'
6. Click on Properties. Click on Advanced. Make sure nothing is listed under Default gateway; use the Remove button to remove any entries that are there.
7. Close the Network Connections window. Attempt to connect to the VPN and then the Internet.
Windows 8, 8.1, 10:
Instead of using the Start button, begin with the Search tool. The rest of the Windows 7 steps will work for Windows 8.
A customer did submit this tidbit:
My computer had a software named Connectify which is used for creating ad-hoc. And in the adapter settings there was an option regarding Connectify. I disabled it and everything worked fine.
Technology Services note: Any software that allows you to share your computer's network connection with others will interfere with the VPN. Uninstall or disable the software, reboot your computer, and try the VPN again.
