DAP with Client and AnyConnect

brian.kennedy
Level 1

Creating dynamic access policies. Right now I'm just running a simple one - if specific AntiVirus defs are less than 7 days old, allow. DfltAccessPolicy is set to terminate. This works fine when using AnyConnect. However, when I use the Cisco client (on the same PC), it fails every time (413 Authentication Failure). I'm assuming it's hitting the DfltAccessPolicy, but it's not hitting the EndPoint attribute. If I change the Dflt to continue, vs terminate, then I can get in with the client. Anyone know if both the Cisco Client and AnyConnect can work together when using DAP?

Thanks,

Brian

4 Replies

Ivan Martinon
Level 7

Can you turn on the debug "debug dap trace 1" along with "debug crypto isakmp 15" and paste it here? Also, can you tell me if on DAP you chose any specific application to which this policy is applied?

There's no application for the DAP, just checking for Symantec Antivirus and definition dates (which is on the PC I'm testing with).

I'll add the traces as an attachment (too large for the post). First one is with the client failing, second with AnyConnect passing.

Thanks

Mhhh, it seems to me that, based on these debugs, the ASA is unable to retrieve this information from the IPsec client, so I wonder if this is supported for the IPsec client itself. You might want to check the release notes or get a TAC case opened for confirmation.

That's kind of what I thought. Thanks for looking into it. I'll follow up with TAC.
