Hi there ... I've set up remote VPN access with IKEv2 using the AnyConnect client 3.0.8. The issue I have is the following:
I establish connection to myvpn.mydomain.com ... choose the IKEv2 group and connect, no problem. Profile is downloaded to my laptop. Everything is fine
My client profile has a server list, configured as follows:
Host name: myvpn-ike
Host Address: myvpn.mydomain.com
When I disconnect after the first time and try to connect again, AnyConnect opens with "myvpn-ike" in the box where I should enter the endpoint to connect to, and here's the problem.
I click Connect, it tries, I'm prompted for username and password, and I get the error "login denied, authorized connection mechanism" ... if I try again, but instead of using "myvpn-ike" I re-type "myvpn.mydomain.com", I connect with no problem.
What is wrong with the setting? It tells me login denied, but when I debug on the ASA side, I don't see any error related to that. All I see is AAA authentication being successful.
I have also tried to set Host Name to "myvpn.mydomain.com", the same as Host Address ... same thing, it doesn't connect. But if I re-type it, it goes through.
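For reference, this is what a ServerList entry of the kind described above looks like in an AnyConnect client profile. It is an added illustration, not the poster's actual profile: the HostName and HostAddress values come from the post, while the UserGroup name, the protocol and authentication elements and the ClientInitialization settings are assumptions. These are the elements worth comparing against the ASA connection profile when the drop-down entry fails but the typed address works, since the client only applies them when the entry is selected from the server list.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an AnyConnect client profile; not the poster's real profile.
     UserGroup, protocol and authentication values below are assumptions. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's connect box (from the post) -->
      <HostName>myvpn-ike</HostName>
      <!-- FQDN the client actually connects to; must match the ASA certificate -->
      <HostAddress>myvpn.mydomain.com</HostAddress>
      <!-- Assumed name of the IKEv2 tunnel-group (connection profile) on the ASA -->
      <UserGroup>IKEV2-GROUP</UserGroup>
      <!-- "IPsec" selects IKEv2; an address typed by hand instead of picked
           from this list does not carry these settings with it -->
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false
          <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The client reads this file from its profile directory after the first successful connection downloads it from the ASA, so any change made on the ASA is only picked up by the client after a fresh download.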
It sounds like there may be something in the profile that's not formed consistent with the ASA settings. Would it be possible to post your profile (.xml file) and the contents of your AnyConnect client's message history (for an unsuccessful and successful connection)?
Choosing the HostName portal-ike in the AnyConnect client connection drop-down box should refer your client to portal.domain.com per the profile you posted. That all looks OK to me. Given that it works when overriding the drop-down box by manually typing in the HostAddress, I believe your ASA is set up OK.
You don't have any host file entry for portal-ike that points your client to someplace other than portal.domain.com do you?
I would try seeing what packets are leaving your PC and to where using Wireshark when you try the unsuccessful attempt. (You could similarly do it with a packet capture on the ASA end.)
That's the strangest part. I don't have any hosts file entry. Actually, when I use the drop-down option, I see the request going to the ASA and the ASA processing the login. The ASA actually authenticates the account properly, and right after, it kills the connection with no error in the ASA debug. Only on the client side does it say "wrong mechanism".
When I overwrite the drop-down menu entry, the first part of the debug shows the same as when it fails, with the difference that instead of dropping, it keeps going and establishes the VPN.
I even tried to set up host entry as "portal.mydomain.com" ... it also fails ...
It's clear the ASA VPN setting is fine. My certificate is a *.mydomain.com (so I've ruled out cert issues as well)
I'm lost at this point, to the point of grabbing a new ASA and starting from scratch.
Your troubleshooting steps thus far appear sound to me.
It seems you should be able to turn on a debug at the ASA to gather additional information as to why it believes it necessary to terminate your connection when using the portal-ike selection. Have you thought about or tried some of the "debug crypto" commands?
If you have multiple users or peers, first use "debug crypto condition" to keep the output of subsequent debug crypto commands limited to the ones relevant to your username.