Anyconnect error

Unanswered Question
Jun 4th, 2014

Hi, I get the following error when I use AnyConnect.

The cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect.

This is when I use IPsec with the name, but if I use the IP address it works fine but it uses SSL.

Marvin Rhoads Wed, 06/04/2014 - 10:11

What version of AnyConnect client are you using?

It sounds like there might be an IPsec (IKEv2) VPN setup on the ASA in addition to the SSL one (or an IPsec IKEv1 VPN for the legacy Cisco VPN client). Older AnyConnect versions (prior to 3.0.0629) do not support IPsec (IKEv2) remote access VPNs (and AnyConnect does not support IPsec (IKEv1) at all).

Marvin Rhoads Wed, 06/04/2014 - 10:13

OK, so it's probably an older IPsec VPN that's also set up on the ASA. For some reason when you use the FQDN your client hits that and is unable to negotiate an IPsec VPN (as one would expect).

It's hard to say exactly why without seeing the ASA configuration.

Marvin Rhoads Wed, 06/04/2014 - 10:36

That should do it. The configured setup for remote access VPNs should be adequately discernible from the output of:

show run group-policy

show run tunnel-group

Azariel Rodrigu... Wed, 06/04/2014 - 11:18

This is the configuration

group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 wins-server value 192.168.162.2
 dns-server value 192.168.162.2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client 
 group-lock value VPN_TEST_ANY
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aumx-commuter-vpn_splitTunnelAcl
 default-domain none
 webvpn
  anyconnect profiles value VPN_TEST_ANY_client_profile type user

 

tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 address-pool vpnpool
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY webvpn-attributes
 group-alias VPN_TEST_ANY enable
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1

Marvin Rhoads Wed, 06/04/2014 - 13:27

You have all possible protocols enabled in your group-policy:

 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client 

But you only need ssl-client if your intention is to use the AnyConnect client for an SSL VPN. So there you need to remove the unnecessary ones.

You also have:

tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1

...which is not necessary for SSL VPN and should be removed (*unless you have a site-site VPN using certificates)
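
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads `show run group-policy` / `show run tunnel-group` output and lists what is enabled beyond the protocols you intend to offer. The function names and the `intended` parameter are hypothetical; the sample is the configuration posted above, abridged.

```python
import re

# Configuration as posted in the thread, abridged (address/DNS lines omitted).
SAMPLE = """\
group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value VPN_TEST_ANY
 webvpn
  anyconnect profiles value VPN_TEST_ANY_client_profile type user
tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
"""

def parse_sections(config):
    """Map each unindented line to the indented lines that follow it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit(config, intended):
    """List protocols enabled beyond `intended`, plus leftover IKEv1 settings."""
    findings = []
    for header, body in parse_sections(config).items():
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m:
            for child in body:
                if child.startswith("vpn-tunnel-protocol "):
                    extra = [p for p in child.split()[1:] if p not in intended]
                    if extra:
                        findings.append((m.group(1), "extra protocols", extra))
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", header)
        # An IKEv1 trust-point may still be needed for a site-to-site VPN.
        if m and "ikev1" not in intended:
            ikev1 = [c for c in body if c.startswith("ikev1 ")]
            if ikev1:
                findings.append((m.group(1), "ikev1 settings", ikev1))
    return findings
```

Calling `audit(SAMPLE, {"ssl-client"})` checks the SSL-only case; pass `{"ikev2", "ssl-client"}` when AnyConnect over IPsec (IKEv2) is also intended.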

Azariel Rodrigu... Wed, 06/04/2014 - 13:59

But I want to use IPsec; this is the reason I have all the protocols.

AnyConnect only works if I use the IP address.

Marvin Rhoads Wed, 06/04/2014 - 14:17

Hmm.

Does the FQDN you fail to connect with resolve to the IP address? I'm going back to the initial comment you made about "when I use ipsec with the name".
