I am configuring an AnyConnect solution using 2,5 client, 8.3 ASA and ASDM 6.3. I have two ASAs configured in a cluster with active/standby failover.
I have a wildcard cert configured on both ASAs and each of the three IPs is resolvable from the internet. FQDN redirection is enabled.
These are the URLs (sanitised)...
ac.mydomain.com (cluster virtual IP)
ac1.mydomain.com (Master/active real IP)
ac2.mydomain.com (secondary/standby real IP)
In the main, I have it the way I want it working but I am having trouble getting group-url to work for the AnyConnect client. It seems to work OK for clientless connections though.
I am trying to configure the ASA so that when connecting (via a browser) to the https://ac.mydomain.com on its own, this takes you to the clientless portal where you have a minimum set of apps. So, I configured a group-url of just the url above and this works fine.
I want my AnyConnect clients to connect using https://ac.mydomain.com/staff. The intention is that if you go here from a browser, you can download the client and if you go here from the client you can connect to all the resources as you are in the correct DAP. I am using endpoint assessment to identify corporate assets and place them into the correct DAP. This seems to be working fine if I use group aliases with drop-down lists.
If I try to configure a group-url for https://ac.mydomain.com/staff, and add 'staff' to the AnyConnect profile, I get an error 'connection attempt has failed due to an invalid host entry' and the bottom line of the AnyConnect client reads 'Unable to process response from ac1.mydomain.com'.
Here are some config snips...
tunnel-group ClientProfile general-attributes
tunnel-group ClientProfile webvpn-attributes
 group-alias "SLL Client" enable
 group-url https://ac.mydomain.com/staff enable
 group-url https://ac1.mydomain.com/staff enable
In my profile I have this....
As far as I can see this should work... Can anyone shed any light on this?