DAP with Client and AnyConnect

Unanswered Question
Apr 6th, 2009

Creating dynamic access policies. Right now I'm just running a simple one - if specific AntiVirus defs are less than 7 days old, allow. DfltAccessPolicy set to terminate. This works fine when using AnyConnect. However, when I use the Cisco client (on the same PC), it fails every time (413 Authentication Failure). I'm assuming it's hitting the DfltAccessPolicy, but it's not hitting the EndPoint attribute. If I change the Dflt to continue, vs. terminate, then I can get in with the client. Anyone know if both the Cisco Client and AnyConnect can work together when using DAP?



Ivan Martinon Wed, 04/08/2009 - 06:21

Can you turn on the debug "debug dap trace 1" along with "debug crypto isakmp 15" and paste it here? Also, can you tell me whether on DAP you chose any specific application to which this policy is applied?

brian.kennedy Wed, 04/08/2009 - 06:37

There's no application for the DAP, just checking for Symantec Antivirus and definition dates (which is on the pc I'm testing with).

I'll add the traces as attachments (too large for the post). The first one is with the client failing, the second with AnyConnect passing.


Ivan Martinon Wed, 04/08/2009 - 06:48

Mhhh, it seems to me that, based on these debugs, the ASA is unable to retrieve this information from the IPsec client, so I wonder if this is supported for the IPsec client itself. You might want to check the release notes or get a TAC case opened for confirmation.

brian.kennedy Wed, 04/08/2009 - 06:49

That's kind of what I thought. Thanks for looking into it. I'll follow up with TAC.
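Why the IPsec client lands on DfltAccessPolicy while AnyConnect passes, as an added stand-alone Python model of DAP record selection (this is illustration written for this page, not Cisco code and not from the thread; the attribute names `endpoint.av` / `lastupdate`, the record layout and the aggregation rule are simplifying assumptions). The endpoint attributes that DAP evaluates come from Host Scan / Cisco Secure Desktop, which runs for AnyConnect and clientless sessions but not for the legacy IPsec VPN Client, so for an IPsec session the antivirus attributes are simply absent: the "AV defs current" record cannot match, no record is selected, and DfltAccessPolicy decides. Setting it to continue lets the IPsec client in, but it also lets in an AnyConnect user with stale definitions only if that record is the sole one that would otherwise fail them, so the model shows both cases:

```python
"""Simplified model of ASA Dynamic Access Policy (DAP) selection.

Assumptions (not Cisco's implementation): a session is a dict whose
"endpoint.av" entry, when present, carries a "lastupdate" date supplied
by Host Scan; DAP records are dicts with a criterion callable and an
action; records whose criteria match are selected, any selected record
with action "terminate" terminates the session, and if no record matches
DfltAccessPolicy applies.
"""
from datetime import date, timedelta

TERMINATE = "terminate"
CONTINUE = "continue"
TODAY = date(2009, 4, 6)  # fixed clock so the example is deterministic


def av_defs_fresh(session, today=TODAY, max_age_days=7):
    """Endpoint criterion: AV definitions less than max_age_days old.

    Returns False when the session carries no endpoint AV data at all,
    which is the situation for a client that does not run Host Scan.
    """
    av = session.get("endpoint.av")  # assumed attribute name
    if not av or av.get("lastupdate") is None:
        return False
    return (today - av["lastupdate"]).days < max_age_days


# The single DAP record from the thread: fresh AV defs -> continue.
DAP_RECORDS = [
    {"name": "AV-defs-current", "criterion": av_defs_fresh, "action": CONTINUE},
]


def select_dap(session, records=DAP_RECORDS, dflt_action=TERMINATE, today=TODAY):
    """Return (names of records applied, resulting action).

    Mirrors the observed behaviour: no matching record means the
    DfltAccessPolicy action (terminate or continue) is what the user gets.
    """
    matched = [r for r in records if r["criterion"](session, today)]
    if not matched:
        return ["DfltAccessPolicy"], dflt_action
    names = [r["name"] for r in matched]
    if any(r["action"] == TERMINATE for r in matched):
        return names, TERMINATE
    return names, CONTINUE


# Constructed sample sessions (not captured from a real ASA).
ANYCONNECT = {
    "client": "AnyConnect",
    "endpoint.av": {"vendor": "Symantec", "lastupdate": TODAY - timedelta(days=3)},
}
ANYCONNECT_STALE = {
    "client": "AnyConnect",
    "endpoint.av": {"vendor": "Symantec", "lastupdate": TODAY - timedelta(days=10)},
}
IPSEC_CLIENT = {"client": "Cisco VPN Client"}  # no Host Scan data at all


if __name__ == "__main__":
    for label, sess in (("AnyConnect, defs 3 days old", ANYCONNECT),
                        ("AnyConnect, defs 10 days old", ANYCONNECT_STALE),
                        ("IPsec client, no posture data", IPSEC_CLIENT)):
        for dflt in (TERMINATE, CONTINUE):
            applied, action = select_dap(sess, dflt_action=dflt)
            print(f"{label:32} Dflt={dflt:9} -> {applied} => {action}")
```

The model makes the trade-off visible: with DfltAccessPolicy set to continue the IPsec client connects, but so does any session for which no record matches, including AnyConnect with stale definitions. Checking the `debug dap trace` output for whether any `endpoint.av` attributes are reported at all for the IPsec session is the quickest way to confirm that the attributes, not the policy logic, are what is missing.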

