AnyConnect VPN - Always On

Unanswered Question
Aug 15th, 2011

Hello guys,

I'm trying to configure a remote access vpn policy which allows a user to connect, and stay connected (always on VPN). I'm looking at using this on some internet kiosks we manage and rather than providing a hardware site to site ipsec solution, thought I'd try this route.

I have a standard SSL Any connect profile working nicely. Under the AnyConnect Client Profile Editor I have created a new profile which has the 'Automatic VPN policy' enabed as well as 'Connect' for both a trusted and untrusted network. I have entered the domain name of our corporate environment. When I go to connect I get the following error:

"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

Doing a bit of reading this seems to be often a certificate error. The question is why does ticking the automatic vpn policy cause this error, why is the ssl cert suddently an issue? I'm using a self signed cert FYI.

Can anyone point me in the right direction?

Cheers!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Marcman-Cisco Mon, 08/15/2011 - 08:19

You have to configure the Domain Name and the DNS Servers in your Profile...

Let your browser know that the Gateway is trustworthy!

Maybe this helps. Please let us know if yes!

Regards Marcus

stewartgray Mon, 08/15/2011 - 08:54

Hi Marcus, thanks for your follow up. The thing is, we're looking at rolling out a lot of these kiosks (1200 in fact). Each of these sites will be on building provided internet access, so the DNS and domain names are not consistant. My understand of that section of the configuration was that you specify what you consider to be trusted DNS/Domain names, ie if you reach mycompany.com or my DNS servers x.x.x.x you are on our LAN (no need to VPN), or if you can't reach those you are on a untrusted network and must dial up the VPN. Due to the above reasons regarding varying access methods, I cant make a new profile for every site.

Have I misunderstood?

Cheers

Marcman-Cisco Mon, 08/15/2011 - 09:39

The configuration - DNS Server is from the User Guide.

Second Idea goes in the direction of certificate:

Did you configure the settings from the browser of the Client where is Anyconnect installed? -

Let your browser know that the Gateway is trustworthy!

If you are using an self signed certificate for your VPN Gateway u can't validate it on your client in case you haven't copied the certificate ca.

stewartgray Tue, 08/16/2011 - 01:30

I am using a self signed certificate but that works fine for the regular ssl vpn any connect. When I connect a certificate comes up, I can choose to accept it or decline it and away we go. As soon as the automatic VPN option is selected this doesn't happen, I just get the "AnyConnect cannot confirm it is connected to your secure gateway" error straight away.

Marcman-Cisco Tue, 08/16/2011 - 02:24

But that's the point. The anyconnect has to validate your gateway certificate and if you connect with automatic VPN option it seems thats there is no way to do it via confirming through certificate pop-up. So there is only the way that your certificate CA can validate it. Try out to copy your certificate CA to your Client PC and drop it in the corresponding certificate store.

Actions

Login or Register to take actions

This Discussion

Posted August 15, 2011 at 7:22 AM
Stats:
Replies:5 Avg. Rating:
Views:3202 Votes:0
Shares:0
Categories: AnyConnect, ASA
+

Related Content

Discussions Leaderboard