Forum Discussion

MW1
Feb 14, 2022

Fronting an old Cisco ASA with F5 LTM for anyconnect VPN

All,

Hoping someone else has tried this successfully. We have a very old Cisco ASA providing AnyConnect VPN access which only supports TLS 1.0. We are retiring it in the near future, but in the meantime we would like to front it with an F5 LTM virtual server so we can support later TLS versions (and not 1.0). If we do not use a client and server SSL profile on the virtual server this works; however, when we do perform TLS termination/re-encryption at the F5 (i.e. use the SSL profiles) the initial connection is made, but then the Cisco AnyConnect client disconnects and we see the below error in the AnyConnect event log relating to the CSTP protocol:

Function: CTlsTunnelMgr::OnTunnelReadComplete
File: c:\temp\build\thehoff\phoenix_mr40.309462210759\phoenix_mr4\vpn\agent\tlstunnelmgr.cpp
Line: 1941
Invoked Function: CTunnelStateMgr::readTunnel
Return Code: -31653866 (0xFE1D0016)
Description: CSTPPROTOCOL_ERROR_FRAME_SIZE_MISMATCH
callback

While I realise this might be better suited to a Cisco forum, has anyone achieved anything similar or run into problems proxying CSTP? (I realise this is a long shot!)
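The setup described in the post, written out as tmsh configuration. This is an added illustration and not configuration from the original post, from F5 or from Cisco; the object names, addresses, pool member and certificate/key names are assumptions. It reproduces the arrangement the post says fails (TLS terminated on the F5 and re-encrypted to the ASA), and the thread records no resolution. The point of the two profiles is the split in TLS versions: the clientssl profile is where TLS 1.0 is switched off towards users, while the serverssl profile must keep TLS 1.0 enabled because the ASA speaks nothing newer.

```tmsh
# Added example (not from the post): F5 LTM virtual server terminating client TLS
# and re-encrypting to a TLS 1.0-only Cisco ASA. Names, addresses and the cert/key
# object names are assumed; adjust to your environment.

# Pool holding the ASA's AnyConnect listener (member address assumed).
create ltm pool pool_asa_anyconnect members add { 10.0.0.5:443 } monitor tcp

# Client-side TLS: TLS 1.0, TLS 1.1 and SSLv3 are disabled here, towards the users.
# anyconnect.crt / anyconnect.key are assumed to be installed on the BIG-IP already.
# Note that "options { ... }" replaces the whole option set, so the default
# dont-insert-empty-fragments is listed explicitly to keep it.
create ltm profile client-ssl anyconnect_clientssl defaults-from clientssl cert anyconnect.crt key anyconnect.key options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }

# Server-side TLS towards the ASA: TLS 1.0 must stay enabled here because the ASA
# offers nothing newer, so only SSLv3 is disabled. Confirm the ASA side independently
# with: openssl s_client -connect 10.0.0.5:443 -tls1
create ltm profile server-ssl asa_serverssl defaults-from serverssl options { dont-insert-empty-fragments no-sslv3 }

# Virtual server fronting the ASA. Removing the two SSL profiles from this object
# gives the plain TCP pass-through the post says works. SNAT automap means the ASA
# sees the BIG-IP's self IP as the client source, so ASA logs lose the real client IP.
create ltm virtual vs_anyconnect destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp { } anyconnect_clientssl { context clientside } asa_serverssl { context serverside } } pool pool_asa_anyconnect source-address-translation { type automap }

save sys config
```

To check what the F5 actually negotiates on each leg, test the client side with `openssl s_client -connect 203.0.113.10:443 -tls1` (which should now be refused) and `-tls1_2` (which should succeed), and the server side from the BIG-IP towards the ASA as in the comment above. The serverssl cipher list inherited from the default profile should also be checked against what the ASA accepts before assuming the re-encrypted leg is the part that is failing.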

1 Reply

  • I don't have the gear to set up and try things to help, but someone else might. Do you have details on the client and server settings, and what your clientssl/serverssl profiles look like (sanitized)? That might be enough to spur a test environment for someone who has access to similar tech.

    I had my day with ASAs...it's been a hot minute!