Failed to get configuration from secure gateway. Contact your system administrator.

Unanswered Question
Apr 15th, 2013

I have an ASA 5515 running 9.1(1).

One of my customers is attempting to connect with AnyConnect 3.1.02040 and after authenticating, he gets the message

Failed to get configuration from secure gateway. Contact your system administrator.

I have about 100 other customers who have not had this issue and can connect fine.

Since it appears to be localized to his PC, he's uninstalled and reinstall the client, but to no avail. He's using Windows 7 Pro.

On the ASA, while he is attempting to connect, I see this:

15:48:04|302014|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Teardown TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 to identity:<<<ASA IP>>>/443 duration 0:00:00 bytes 8241 TCP Reset-I

14:48:04|725007|<<<REMOTE IP>>>|51032|||SSL session with client outside:<<<REMOTE IP>>>/51032 terminated.

14:48:04|113039|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> AnyConnect parent session started.

14:48:04|734001|||||DAP: User etpdeir, Addr <<<REMOTE IP>>>, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

14:48:04|113008|||||AAA transaction status ACCEPT : user = etpdeir

14:48:04|113019|||||Group = ibmdtsc, Username = etpdeir, IP =, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:41s, Bytes xmt: 885580, Bytes rcv: 1343, Reason: Connection Preempted

14:48:04|716002|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> WebVPN session terminated: Connection Preempted.

14:48:04|113009|||||AAA retrieved default group policy (GroupPolicy_AnyConnect) for user = etpdeir

14:48:04|113004|||||AAA user authentication Successful : server = : user = etpdeir

14:48:04|725002|<<<REMOTE IP>>>|51032|||Device completed SSL handshake with client outside:<<<REMOTE IP>>>/51032

14:48:03|725001|<<<REMOTE IP>>>|51032|||Starting SSL handshake with client outside:<<<REMOTE IP>>>/51032 for TLSv1 session.

15:48:03|302013|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Built inbound TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 (<<<REMOTE IP>>>/51032) to identity:<<<ASA IP>>>/443 (<<<ASA IP>>>/443)

Any ideas?

I have this problem too.
5 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
oscardawgg Thu, 07/11/2013 - 12:40

Has there been any fix with this?  We are now running into the same issue.  Could it be a bad image that the devices are reaching for?

datacureinc Tue, 09/29/2015 - 12:28

My fix at the end of this,..

-Problem Description: Users stating that a profile which has been working is now giving some users the message "Failed to get configuration from secure gateway. Contact your system administrator." when they attempt to connect to the VPN server/"secure gateway".  This happens in both the clientless and Anyconnect clients.

-Fix: the profile.xml was not properly configured to match the Group Policy.

-ASDM setting: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

-CLI missing configuration: anyconnect profiles VPN_Group_Policy_Name disk0:/prifile_filename.xml

If you are pulling from tftp then the disk0:/ command would be replaced accordingly.


Along with these ensure that you have the latest Java update and it is a trusted site in the Java Control Panel.  Ensure The Java and/or ActiveX settings will allow the profile to load off the VPN server by URL and ensure it is enabled like below.


For Example: group-url enable

datacureinc Tue, 09/29/2015 - 12:32

To add:  anyconnect profiles VPN_Group_Policy_Name disk0:/prifile_filename.xml   you must enter the tunnel-group webvpn-attributes command first as shown below:

tunnel-group Group_Policy_Tunnel_Group_Name webvpn-attributes


jeffrey.glandt1 Tue, 12/16/2014 - 23:41

i had this problem.  for me the cause had to do with internet explorer TLS settings.

in IE8 go to tools, internet options, advanced and under security I had to make sure Use TLS 1.0 was checked (only Use SSL 3.0 and Use TLS 1.1 were checked.  I left them checked.).


This Discussion

Related Content