Cannot connect AnyConnect 3.0 Secure Mobility Client to IPSec

Virtual_RV
Level 1

Hello,

Our company has an IPSec VPN Setup on a Cisco ASA 5505. We previously were using the Cisco VPN Client - Version 5.0.07.0410. Everything worked fine with this client up until now. The problem is it is not supported in our Virtual Machine environment, and with our newest version of our ParaVirtualized network Drivers we are getting HMAC mismatch problems and failing to connect.

I created a .pcf file with the following information for the 5.0.07.0410 client:

Connection Entry:  VC VPN

Description:  none

Host:  xxx.xxx.xxx.xxx (IP address of the ASA VPN Interface)

Group Authentication:

  • Name:  Group Name
  • Password:  Pre-Shared Key password

Transport:

  • Enable Transport Tunneling
  • IPSec over UDP (NAT/PAT)

I import this .pcf file into the client, client connects, prompted for AD username - all worked well.

We have currently run into a need to use the Cisco AnyConnect Secure Mobility Client (3.0.0629) - I have tried to use the profile editor for this AnyConnect client and I cannot get all of the options for the profile.  I leave all the defaults for Preferences (Part1), Preferences (Part2), Backup Servers, Certificate Matching, Certificate Enrollment, and Mobility Policy.

On the Servers List, I click Add.  I enter in the hostname, Host address (IP address of hostname) and group.  There are no backup servers, I change primary protocol to IPSec, save the profile and place it in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile (Win7).  Open the AnyConnect Secure Mobility Client and the profile is loaded. Trying to connect returns "The VPN Agent is unable to establish a connection".  From the ASA, I don't even see a connection attempt from the outgoing IP address.  From the client, I can ping the ASA and connect to it with the regular VPN Client.

I cannot find a place to enter a pre-shared key in the profile editor.

The AnyConnect client also seems to not read .pcf files.  Am I missing something here?

Attached is my DART Bundle from the failing client.  Any help would be greatly appreciated!

Regards,

Rich Viola

Accepted Solutions

Herbert Baerten
Cisco Employee

Rich,

AC uses IKEv2 (for IPsec) which is not yet supported on ASA. Support is planned for ASA 8.4 which is still at least a few weeks away.

hth

Herbert

5 Replies

Thank you for the reply, Herbert. I guess there is nothing I can do until it's supported and do not need to keep spinning my wheels on it.

Will 8.4 be a firmware update?

Thanks again.  Much appreciated!!

Regards,

Rich Viola

Yes, you will have to upgrade the ASA to software version 8.4 (we usually refer to it as software, not firmware). The first release of 8.4 will be 8.4(1) and is expected in a few weeks (but this is tentative).

BTW here are the full release notes for Anyconnect 3.0:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html

regards

Herbert

Perfect - thank you and sorry for my incorrect naming of the update.  In the meantime I will take a look at the release notes.  Thanks again Herbert.

Regards,

Rich Viola

Just wanted to add that the release notes mention another important requirement: for IKEv2 on ASA, you need an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license!
