Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Anyconnect IPSEC error unauthorized connection mechanism

Hi everyone,

I'm trying to configure Anyconnect connection on my ASA 5505 (ASA 9.1.3, ASDM 7.1.4).

The goal is to have 2 connection, one for IPSEC and the other one for SSL.

SSL connection work fine but IPSEC won't work. When i try to connect i receive error "Login denied, unauthorized connection mechanism"

I can't find what i'm doing wrong. Both configurations have been done with the Anyconnect wizard.

Can you help me please ? I'm new in Cisco world ...

Thx in advance

Here's my config :

ASA Version 9.1(3)
!
hostname CiscoASA
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
names
ip local pool VPN-Pool 10.104.106.1-10.104.106.10 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 10.4.6.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.4.106.254 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network NETWORK_OBJ_10.104.106.0_28
subnet 10.104.106.0 255.255.255.240
object network NETWORK_OBJ_10.4.6.0_24
subnet 10.4.6.0 255.255.255.0
access-list outside_access_in remark Remote access to Cloudstation
access-list outside_access_in extended permit object Cloudstation object-group Cloudstation-Access object Synology-Cloudstation
access-list Anyconnect standard permit 10.4.6.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
logging from-address cisco@rabinformatique.be
logging recipient-address raphael.abissi@rabinformatique.be level errors
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.4.6.0_24 NETWORK_OBJ_10.4.6.0_24 destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
!
object network Synology-Cloudstation
nat (inside,outside) static interface service tcp 6690 6690
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint VPN
enrollment self
subject-name CN=*****
keypair VPN
crl configure
crypto ca trustpoint SSH
enrollment self
subject-name CN=10.4.6.254
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=***
keypair SSL
crl configure
crypto ca trustpool policy
crypto ca certificate chain VPN
certificate 8d31a352
*****
  quit
crypto ca certificate chain SSH
certificate 8c27bc52
****
  quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 730fbe52
****
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.4.6.0 255.255.255.0 inside
telnet timeout 5
ssh 10.4.6.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
!
dhcpd address 10.4.6.10-10.4.6.100 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.102 source outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable inside
enable outside
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect profiles IPSEC_client_profile disk0:/IPSEC_client_profile.xml
anyconnect profiles SSL_client_profile disk0:/ssl_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
webvpn
  anyconnect ssl compression deflate
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect
default-domain none
webvpn
  anyconnect profiles value SSL_client_profile type user
group-policy GroupPolicy_IPSEC internal
group-policy GroupPolicy_IPSEC attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect
default-domain none
webvpn
  anyconnect profiles value IPSEC_client_profile type user
username test password ***** encrypted
username test attributes
service-type remote-access
username raphael password ***** encrypted
username admin password gM8SqVAvFPseIv5v encrypted privilege 15
username administrator password ***** encrypted privilege 15
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
group-alias SSL enable
tunnel-group IPSEC type remote-access
tunnel-group IPSEC general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_IPSEC
tunnel-group IPSEC webvpn-attributes
group-alias IPSEC enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 212.68.193.11
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9d5177ddc09025d07f9d5c1c2f7747e0
: end
CiscoASA#

20 REPLIES
New Member

Anyconnect IPSEC error unauthorized connection mechanism

Error: "Login Denied , unauthorized connection mechanism , contact your administrator"

AnyConnect clients are failing to connect to a Cisco ASA. The error in       the AnyConnect window is "Login Denied , unauthorized connection       mechanism , contact your administrator".

Solution

This error message occurs mostly because of configuration issues that       are improper or an incomplete configuration. Check the configuration and make       sure it is as required to resolve the issue.

Correct way would be:

1) Create Group policy

2) Create a connection profile then link it to GP

3) Create a user and link it the Connection profile

New Member

Anyconnect IPSEC error unauthorized connection mechanism

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Hello Nitin,

Thanks for your reply.

I've test it like you ask, without using the wizard and i obtain the same result, IPSEC conenction won't work.

Do you see something wrong in my config that can cause IPSEC connection issue ?

Thx

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Please check the licences which you have

Please paste the output of show version

In the mean time i will check the config

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Please let me know why you are enabling webvpn on inside and outside ?

New Member

Anyconnect IPSEC error unauthorized connection mechanism

The licence is base licence

Here's the show ver

CiscoASA(config)# show ver

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(4)

Compiled on Mon 16-Sep-13 15:28 by builders
System image file is "disk0:/asa913-k8.bin"
Config file at boot was "startup-config"

CiscoASA up 12 days 12 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is c08c.6020.affc, irq 11
1: Ext: Ethernet0/0         : address is c08c.6020.aff4, irq 255
2: Ext: Ethernet0/1         : address is c08c.6020.aff5, irq 255
3: Ext: Ethernet0/2         : address is c08c.6020.aff6, irq 255
4: Ext: Ethernet0/3         : address is c08c.6020.aff7, irq 255
5: Ext: Ethernet0/4         : address is c08c.6020.aff8, irq 255
6: Ext: Ethernet0/5         : address is c08c.6020.aff9, irq 255
7: Ext: Ethernet0/6         : address is c08c.6020.affa, irq 255
8: Ext: Ethernet0/7         : address is c08c.6020.affb, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: ******
Running Permanent Activation Key: 0x5f2dd26f 0x704bacb5 0x78410188 0x8eb85440 0x80263bb5
Configuration register is 0x1
Configuration last modified by admin at 12:40:25.066 CEST Thu Jan 9 2014
CiscoASA(config)#

New Member

Anyconnect IPSEC error unauthorized connection mechanism

The inside was actic-vate just for testing purpose.

The config have changed since my first post (but always the same problem with IKEv2.

IKEv1 work fine.

Here's the actual config

ASA Version 9.1(3)
!
hostname CiscoASA
enable password 14ssn/nefQfQ3kNU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN-Pool 10.104.106.1-10.104.106.10 mask 255.255.255.0
ip local pool IPSEC-Pool 10.104.106.11-10.104.106.20 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 10.4.6.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.4.106.254 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network NETWORK_OBJ_10.104.106.0_28
subnet 10.104.106.0 255.255.255.240
object network NETWORK_OBJ_10.4.6.0_24
subnet 10.4.6.0 255.255.255.0
object network Synology-Cloudstation
host 10.4.6.252
description Synology
object service Cloudstation
service tcp destination eq 6690
description Cloudstation
object network Clarenne
fqdn v4 secure.clarenne.be
description External IP Clarenne
object network NAT-Officescan-FR-HTTP
host 10.4.6.246
description 10.4.6.246
object network NAT-Officescan-FR-HTTPS
host 10.4.6.246
description Officescan-FR-HTTPS
object network NAT-Officescan-FR-ListenPort
host 10.4.6.246
description Officescan-FR-ListenPort
object network NAT-Officescan-EN-HTTP
host 10.4.6.247
description Officescan-EN-HTTP
object network NAT-Officescan-EN-HTTPS
host 10.4.6.247
description Officescan-EN-HTTPS
object network NAT-Officescan-EN-ListenPort
host 10.4.6.247
description Officescan-EN-HTTPS
object network VPN-Range
range 10.104.106.1 10.104.106.254
description VPN-Range
object-group network Cloudstation-Access
description Remote access to Cloudstation
network-object object Clarenne
object-group service Officescan-FR tcp
description Officescan-FR
port-object eq 4444
port-object eq 55556
port-object eq 8181
object-group network Officescan-FR-All
network-object object NAT-Officescan-FR-HTTP
network-object object NAT-Officescan-FR-HTTPS
network-object object NAT-Officescan-FR-ListenPort
object-group network Officescan-EN-All
description All ports Officescan EN
network-object object NAT-Officescan-EN-HTTP
network-object object NAT-Officescan-EN-HTTPS
network-object object NAT-Officescan-EN-ListenPort
object-group service Officescan-EN tcp
port-object eq 5353
port-object eq 55555
port-object eq 9090
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in remark Remote access to Cloudstation
access-list outside_access_in extended permit object Cloudstation object-group Cloudstation-Access object Synology-Cloudstation
access-list outside_access_in remark Remote Access to Officescan-FR
access-list outside_access_in extended permit tcp any object-group Officescan-FR-All object-group Officescan-FR
access-list outside_access_in extended permit tcp any object-group Officescan-EN-All object-group Officescan-EN
access-list outside_access_in extended permit ip object VPN-Range any
access-list Anyconnect standard permit 10.4.6.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IKEv1_splitTunnelAcl standard permit 10.4.6.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address *****
logging recipient-address ***** level errors
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.4.6.0_24 NETWORK_OBJ_10.4.6.0_24 destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
!
object network Synology-Cloudstation
nat (inside,outside) static interface service tcp 6690 6690
object network NAT-Officescan-FR-HTTP
nat (inside,outside) static interface service tcp 8181 8181
object network NAT-Officescan-FR-HTTPS
nat (inside,outside) static interface service tcp 4444 4444
object network NAT-Officescan-FR-ListenPort
nat (inside,outside) static interface service tcp 55556 55556
object network NAT-Officescan-EN-HTTP
nat (inside,outside) static interface service tcp 9090 9090
object network NAT-Officescan-EN-HTTPS
nat (inside,outside) static interface service tcp 5353 5353
object network NAT-Officescan-EN-ListenPort
nat (inside,outside) static interface service tcp 55555 55555
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint VPN
enrollment self
subject-name CN=*****.rabinformatique.be
keypair VPN
crl configure
crypto ca trustpoint SSH
enrollment self
subject-name CN=10.4.6.254
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=*****.rabinformatique.be
keypair SSL
crl configure
crypto ca trustpool policy
crypto ca certificate chain VPN
certificate 8d31a352
    308201f1 3082015a a0030201 0202048d 31a35230 0d06092a 864886f7 0d010105
    0500303d 31223020 06035504 03131973 65637572 652e7261 62696e66 6f726d61
    74697175 652e6265 31173015 06092a86 4886f70d 01090216 08436973 636f4153
    41301e17 0d313331 32303731 35303431 335a170d 32333132 30353135 30343133
    5a303d31 22302006 03550403 13197365 63757265 2e726162 696e666f 726d6174
    69717565 2e626531 17301506 092a8648 86f70d01 09021608 43697363 6f415341
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ce369d
    184d8817 fa384f11 f0ea46db 7efe6a2f e14bdb65 673afb9c c881363a 80b4b28e
    65f4331f 009abacc 7e42200a 8115383f e6019b22 841aa048 8d92a0cb 431ca289
    98d7d958 c8b79671 b3603c07 3c9b91d7 a1fbbbe9 1cd8d27c 6d57e051 906c9b23
    8eaa7102 307a8b8d 26ab3807 6e1d92c9 e803eec1 cd0e230d bb703c00 33020301
    0001300d 06092a86 4886f70d 01010505 00038181 003deb05 c11e914d 2f7fc1ff
    a5100c05 61da96e1 4d72cb74 ba8eba85 37eb76af a183649a 79f72cb8 1c5c195d
    8e035cc5 0d4753b6 5b83afdc a1770e9e da0a5319 8e33b626 99ef197b 6254f004
    ca25f3a7 570b0f45 3e51deb2 fc063e21 c7ca0231 c4513483 1c282bbb 74375ba7
    81db0cc0 b87a1612 4095bf7a ba110227 2c3dff64 d6
  quit
crypto ca certificate chain SSH
certificate 8c27bc52
    308201d3 3082013c a0030201 0202048c 27bc5230 0d06092a 864886f7 0d010105
    0500302e 31133011 06035504 03130a31 302e342e 362e3235 34311730 1506092a
    864886f7 0d010902 16084369 73636f41 5341301e 170d3133 31323236 32313536
    32345a17 0d323331 32323432 31353632 345a302e 31133011 06035504 03130a31
    302e342e 362e3235 34311730 1506092a 864886f7 0d010902 16084369 73636f41
    53413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100f4
    7269c080 49f5422a 5af3f82f e3f791ad 9824cf51 90130c89 7dc370b4 8eaf2bd7
    a0a851a0 787b26e9 b3190e3f 2ff49f9a 72b0b57d cd3dc039 5a4fad7c 9fed354c
    cc0adcb8 72e33b11 450e2fe3 1c874d96 45cb11e4 d8c7f837 7eefcaa1 4fb45d4e
    8a6a69fd 42d915cb 22d075e0 74d3606c b5075745 cf88aef0 eeb10912 1ad2af02
    03010001 300d0609 2a864886 f70d0101 05050003 8181003c bd48239a 3c3a729a
    a4c24c6c 27024ff0 4b285c28 b119ba8a e71b3ee4 37b6d302 f8bf415e ce3d0c7b
    fcfef3a6 e294709d fe80fe64 cb060a75 b3daac1e e6c17521 41e970c2 5c0b6543
    0d0c2ebb ae42cc3e 77cd319e a1db6843 7a4fd4d8 ebaa6b17 d2dbb781 fc1e86b9
    18913303 59f9c89b ab747252 d20c2da3 dbe66ad3 eb3575
  quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 730fbe52
    308201f1 3082015a a0030201 02020473 0fbe5230 0d06092a 864886f7 0d010105
    0500303d 31223020 06035504 03131972 656d6f74 652e7261 62696e66 6f726d61
    74697175 652e6265 31173015 06092a86 4886f70d 01090216 08436973 636f4153
    41301e17 0d313331 32323831 31313033 315a170d 32333132 32363131 31303331
    5a303d31 22302006 03550403 13197265 6d6f7465 2e726162 696e666f 726d6174
    69717565 2e626531 17301506 092a8648 86f70d01 09021608 43697363 6f415341
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a00bac
    1f0fe866 36fef779 2ee99a47 1cf2181e 8b150c08 f19a48df 8ee5d74d 0200934b
    b476cade d90a7a16 647f75ad dfad9c8d 768f9b06 1bc2f2ff 5497caef a8e007f8
    deec9c18 661cabf6 3a8ec645 0179fed5 cdaa9a82 f3f157de cf281333 9bab6fda
    e6cbcfe6 858075c7 7d208d82 957a726e 68b58187 bd90a3cd 0719744c bb020301
    0001300d 06092a86 4886f70d 01010505 00038181 006c94e8 4e8e664a 94d1f0b6
    3fd9a936 264c1cee 301b7cff 4306abf6 0d413982 dfd9b36e 38b90fb7 f8b30114
    1a0f68c4 0b8f578a eb8a52cd 80d19e10 6a943e6c 2ad51b7c 0d900ccd 990b4b3b
    fb636dfc 5746dfc1 d9bde0c9 4db5d553 1c6e5b66 4d0ef8f1 7b30c2d9 51a5cd87
    008376a4 ac7d8075 350b535e 280b1049 86a32c83 a6
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.4.6.0 255.255.255.0 inside
telnet timeout 5
ssh 10.4.6.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
!
dhcpd address 10.4.6.10-10.4.6.100 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.102 source outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect profiles IPSEC_client_profile disk0:/ipsec_client_profile.xml
anyconnect profiles SSL_client_profile disk0:/ssl_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy IKEv1 internal
group-policy IKEv1 attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IKEv1_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
webvpn
  anyconnect ssl compression deflate
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect
default-domain none
webvpn
  anyconnect profiles value SSL_client_profile type user
group-policy GroupPolicy_IPSEC internal
group-policy GroupPolicy_IPSEC attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2
default-domain none
webvpn
  anyconnect profiles value IPSEC_client_profile type user
username test password N8KSu.GWsyH45xRk encrypted
username test attributes
service-type remote-access
username raphael.abissi password hBmZGE7s0UGfnUxR encrypted
username admin password gM8SqVAvFPseIv5v encrypted privilege 15
username administrator password gM8SqVAvFPseIv5v encrypted privilege 15
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
group-alias SSL enable
tunnel-group IPSEC type remote-access
tunnel-group IPSEC general-attributes
address-pool IPSEC-Pool
default-group-policy GroupPolicy_IPSEC
tunnel-group IPSEC webvpn-attributes
group-alias IPSEC enable
tunnel-group IKEv1 type remote-access
tunnel-group IKEv1 general-attributes
address-pool VPN-Pool
default-group-policy IKEv1
tunnel-group IKEv1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 212.68.193.11
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b2c36635f9708193555e7600a0a69d1f
: end
CiscoASA(config)#

New Member

Anyconnect IPSEC error unauthorized connection mechanism

ok, thanks

GroupPolicy_IPSEC you are specifiing the profile

i would remove it first because i can not see any profile

when u connect please enable the debugging and let me know if you get any errors there?

New Member

Anyconnect IPSEC error unauthorized connection mechanism

are u on team viewer, is yes

email me ID and pass nitin.mohan.1980@gmail.com

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Yes, just sent you the mail with informations.

New Member

Anyconnect IPSEC error unauthorized connection mechanism

I do not see any errors but can you tell me how you are trying to connect

using a web base or you are using client ?

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Same result with specific user for IPSEC

Unauthorized connection mechanism

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Please do show license all

and paste the results


New Member

Anyconnect IPSEC error unauthorized connection mechanism

The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:

1. Choose Start > Run.

2.

Enter:

eventvwr.msc /s

Right−click the Cisco AnyConnect VPN Client log, and select Save Log File as

Please see the errors there

New Member

I know this is old post, but

I know this is old post, but I am having exactly the same issue. See link below

https://supportforums.cisco.com/discussion/12479401/asa-5505-version-915-ipsec-remote-vpn-ikev2

How was this resolved?

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Is anyone else having a solution for me ?

Thx

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Hi Abissi,

I have not given up yet !!!!

When you login with the IP sec profile, do you use the certificate ? if then

1) Check do we have the same certificate on asa.

2) Change the user authentication in GP to cert because right now it is local.

Regards,

Nitin Mohan

New Member

Anyconnect IPSEC error unauthorized connection mechanism

found a very good article that might help

https://supportforums.cisco.com/docs/DOC-18960

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Already found this article. That's exactly what i've done unfortunately without success

New Member

Anyconnect IPSEC error unauthorized connection mechanism

Hi Nitin,

:-)

I only use local authentication, no certificate.

Regards

R.

3910
Views
0
Helpful
20
Replies
CreatePlease to create content