ASA 9.1 Trouble with tunnel-group-list enable

Answered Question
Jul 17th, 2014

Hello!  

I'm trying to get a configuration working where Cisco VPN / DTLS phones can VPN connect, while still allowing remote access via AnyConnect clients to PCs.  I have two tunnel-groups and group-policies configured for this purpose, and am using group-urls.  

Phones are connecting fine, but I do not get the pull-down menu to choose between the two tunnel-groups when connecting from a remote computer.  

Below is an excerpt from the config.  

By the way, I did have the menu working previously when I was using group aliases instead of group-urls.  However, the phones seem to require the group-urls.  Now that I have those configured, the menu doesn't work.  If I enter the complete URL in the AnyConnect window, both of the URLs work, and I can log in.

Thank you in advance for any suggestions you might have!

Deb

webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable

group-policy ABC internal
group-policy ABC attributes
 wins-server value 10.10.16.17 10.10.16.12
 dns-server value 10.10.16.17 10.10.16.12
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none

group-policy ABC-STG internal
group-policy ABC-STG attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-Encrypt-ACL
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none

tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 default-group-policy ABC-STG
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable

tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group ACTIVE-DIRECTORY
 default-group-policy ABC
 password-management
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable

Correct Answer by Dinesh Moudgil about 3 years 1 month ago

Hi,

You can have group-alias and group-url simultaneously in the configuration so that phones can connect with group-url and users can click on the drop-down menu to select the right connection profile.

tunnel-group <tunnel-group-name> webvpn-attributes
group-alias <tunnel-group-alias> enable
group-url <url> enable

 

Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.
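The fix from this answer applied to Deb's two connection profiles, as an added example (not configuration from any of the posts): each tunnel-group keeps its group-url for the phones and additionally gets a group-alias, which is what populates the drop-down once tunnel-group-list is enabled. The alias strings ABC and ABC-STG are assumed.

```cisco
! Global webvpn section: tunnel-group-list must stay enabled, otherwise
! neither the AnyConnect client nor the portal renders the profile menu
webvpn
 enable OUTSIDE
 anyconnect enable
 tunnel-group-list enable

! Each connection profile carries both settings:
!  - group-alias  -> entry shown in the drop-down for PC users
!  - group-url    -> direct URL the phones connect to (no menu needed)
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-alias ABC enable
 group-url https://asa.abc.com/ABC enable

tunnel-group Split-Tunnel-Group webvpn-attributes
 group-alias ABC-STG enable
 group-url https://asa.abc.com/ABC-STG enable
```

After applying it, `show running-config tunnel-group <name>` should list both the alias and the URL under webvpn-attributes for each profile; a profile missing its alias will still accept URL connections but will not appear in the menu.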


ciscotac16 Fri, 07/18/2014 - 11:39

Hi, Dinesh.

Thanks for your reply.  

I did previously try the configuration that you suggest, but it did not work either.  I had the menu working, but as soon as I added the URL for the phones, the menu wouldn't display.  

I will go back and reconfigure it and try again just in case I fat-fingered something before.  I'll post the results here.

Regards,

Deb

ciscotac16 Fri, 07/18/2014 - 12:16

OK!  So, maybe I did fat-finger something yesterday....or maybe the ASA just needed to sleep on it.... :^)

At any rate, the menu is working again now, *and* the phones can still connect.  

I must have had this same config in there at least 3 times while I was working on it yesterday (tried all sorts of things)....< Sigh >  

Thanks again,

Deb

 

Dinesh Moudgil (Cisco Employee) Fri, 07/18/2014 - 12:17

Hi Deb,

 

I am glad it is working.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

pemasirid Thu, 08/21/2014 - 02:14

Hi Dinesh,

I want to disable group-alias (or disable tunnel-group-list) for webvpn (clientless) users but enable for AnyConnect Client users. I disabled tunnel-group-list under webvpn (global) but this disables for both clientless as well as AnyConnect client VPN.

We don't want to show all the available groups for webvpn users who access via https.

Is there a way we can disable group-alias only for webvpn (clientless) users?

thanks...

 

Dinesh Moudgil (Cisco Employee) Thu, 08/21/2014 - 05:21

Hi

This setting gets applied to all the SSL users, whether client-based or clientless VPN.
You can either disable the webvpn page (using the keepout command) for all the users or completely disable the group-alias.

HTH

Regards,
Dinesh Moudgil

 

 

pemasirid Sat, 08/23/2014 - 23:08

Hi Dinesh,

Thanks for your reply. Actually, we don't want to completely disable group-alias; we need to disable it ONLY for webvpn (SSL) users and keep it for AnyConnect users.

We don't want to show all the available groups for webvpn users who access via https. It should be able to show only the SSL (clientless) VPN group when they access via https, and show the full list of available AnyConnect groups for AnyConnect users (using IPsec) who access via AnyConnect clients.

 

Appreciate if you can let us know whether this is possible with SSL vpn.

Thanks and regards,

 
