Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1814
Views
0
Helpful
1
Replies

AnyConnect Secure Mobility Client - using incorrect profile

tim-marvin
Level 1
Level 1

‎05-29-2014 03:14 PM - edited ‎02-21-2020 07:39 PM

Hello,

I am working on a test configuration on an ASA 5545 with a single configured Connection Profile "VPN" (and the two default DefaultRAGroup and DefaultWEBVPNGroup)

"VPN" Connection Profile is the only one enabled for SSL.  The other two are not enabled.

"VPN" uses RSA, so the authentication dialog says "Passcode" instead of "Password".

If I set "Allow user to select connection profile on the login page", the correct Connection Profile is displayed in the list an there is no alternative in the list.  When I select Connect I am prompted for Username and Passcode as expected.  This works.

If I do not set "Allow user to select connection profile on the login page" the client does not display a list.  This is our desired config.  When you select Connect, you are prompted for Username and Password, not Passcode.  Authentication fails with password and passcode. 

So even though I only have one Connection Profile, it doesn't appear to use it unless I display it in the client.

The behavior is the same with the client or going to the web page.

Any idea how I can force "VPN" Connection Profile as the default and not display it to the end-users?

Thanks!

-------------------------------------------------------------------------------------------------------------------------------------------------------

Not sure if this helps, but a debug just logs the same thing repeatedly when it is failing:

WebVPN: unable to find webvpn session.
webvpn_session.c:http_webvpn_find_session[175]
WebVPN: unable to find webvpn session.
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
webvpn_db.c:webvpn_get_server_db_first[161]

 

Labels:
0 Helpful
1 Reply 1

tim-marvin
Level 1
Level 1

‎05-29-2014 04:19 PM

Found that I was just missing a "Group URL".

Under AnyConnect Connection Profiles - Edit "VPN" profile - Advanced - Group Alias/Group URL - added a URL corresponding with the Alias and my FQDN and enabled it.

Look like CLI is simply "group-url https://<enter your FQDN here> enable"

 

0 Helpful
Customers Also Viewed These Support Documents