04-06-2009 07:28 AM - edited 02-21-2020 04:12 PM
Creating dynamic access policies. Right now I'm just running a simple one - if specific AntiVirus defs are less than 7 days old, allow. DfltAccessPolicy set to terminate. This works fine when using AnyConnect. However, when I use the Cisco client (on the same PC), it fails every time (413 Authentication Failure). I'm assuming it's hitting the DfltAccessPolicy, but it's not hitting the EndPoint attribute. If I change the Dflt to continue, vs terminate, then I can get in with the client. Anyone know if both the Cisco Client and AnyConnect can work together when using DAP?
Thanks,
Brian
04-08-2009 06:21 AM
Can you turn on the debug "debug dap trace 1" along with "debug crypto isakmp 15" and paste it here? Also, can you tell me if on DAP you chose any specific application to which this policy is applied?
04-08-2009 06:37 AM
04-08-2009 06:48 AM
Mhhh, it seems to me that, based on these debugs, the ASA is unable to retrieve this information from the IPSec client, so I wonder if this is supported for the IPSec client itself. You might want to check the release notes or get a TAC case opened for confirmation.
04-08-2009 06:49 AM
That's kind of what I thought. Thanks for looking into it. I'll follow up with TAC.