Cannot connect AnyConnect 3.0 Secure Mobility Client to IPSec

Answered Question
Jan 20th, 2011

Hello,

Our company has an IPSec VPN setup on a Cisco ASA 5505.  We previously were using the Cisco VPN Client - Version 5.0.07.0410.  Everything worked fine with this client up until now.  The problem is it is not supported in our Virtual Machine environment, and with the newest version of our ParaVirtualized network drivers we are getting HMAC mismatch problems and failing to connect.

I created a .pcf file with the following information for the 5.0.07.0410 client:

Connection Entry:  VC VPN

Description:  none

Host:  xxx.xxx.xxx.xxx (IP address of the ASA VPN Interface)

Group Authentication:

  • Name:  Group Name
  • Password:  Pre-Shared Key password

Transport:

  • Enable Transport Tunneling
  • IPSec over UDP (NAT/PAT)

I import this .pcf file into the client, client connects, prompted for AD username - all worked well.

We have currently run into a need to use the Cisco AnyConnect Secure Mobility Client (3.0.0629) - I have tried to use the profile editor for this AnyConnect client and I cannot get all of the options for the profile.  I leave all the defaults for Preferences (Part1), Preferences (Part2), Backup Servers, Certificate Matching, Certificate Enrollment, and Mobility Policy.

On the Servers List, I click Add.  I enter in the hostname, Host address (IP address of hostname) and group.  There are no backup servers, I change primary protocol to IPSec, save the profile and place it in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile (Win7).  Open the AnyConnect Secure Mobility Client and the profile is loaded. Trying to connect returns "The VPN Agent is unable to establish a connection".  From the ASA, I don't even see a connection attempt from the outgoing IP address.  From the client, I can ping the ASA and connect to it with the regular VPN Client.

I cannot find a place to enter a pre-shared key in the profile editor.

The AnyConnect client also seems to not read .pcf files.  Am I missing something here?

Attached is my DART Bundle from the failing client.  Any help would be greatly appreciated!

Regards,

Rich Viola

Correct Answer
hebaerte Thu, 01/20/2011 - 12:49

Rich,

AC uses IKEv2 (for IPsec) which is not yet supported on ASA. Support is planned for ASA 8.4 which is still at least a few weeks away.

hth

Herbert

Virtual_RV Thu, 01/20/2011 - 13:57

Thank you for the reply Herbert.  I guess there is nothing I can do until it's supported and do not need to keep spinning my wheels on it.

Will 8.4 be a firmware update?

Thanks again.  Much appreciated!!

Regards,

Rich Viola

hebaerte Thu, 01/20/2011 - 14:03

Yes you will have to upgrade the ASA to software version 8.4 (we usually refer to it as software, not firmware). The first release of 8.4 will be 8.4(1) and is expected in a few weeks (but this is tentative).

BTW here are the full release notes for AnyConnect 3.0:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html

regards

Herbert

Virtual_RV Thu, 01/20/2011 - 14:07

Perfect - thank you and sorry for my incorrect naming of the update.  In the meantime I will take a look at the release notes.  Thanks again Herbert.

Regards,

Rich Viola

hebaerte Thu, 01/20/2011 - 14:09

Just wanted to add that the release notes mention another important requirement: for IKEv2 on ASA, you need an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license!

Posted January 20, 2011 at 9:39 AM