Cisco Support Community

AnyConnect VPN - Always On

Hello guys,

I'm trying to configure a remote access vpn policy which allows a user to connect, and stay connected (always on VPN). I'm looking at using this on some internet kiosks we manage and rather than providing a hardware site to site ipsec solution, thought I'd try this route.

I have a standard SSL AnyConnect profile working nicely. Under the AnyConnect Client Profile Editor I have created a new profile which has the 'Automatic VPN policy' enabled as well as 'Connect' for both a trusted and untrusted network. I have entered the domain name of our corporate environment. When I go to connect I get the following error:

"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

Doing a bit of reading, this seems to often be a certificate error. The question is: why does ticking the automatic VPN policy cause this error? Why is the SSL cert suddenly an issue? I'm using a self-signed cert, FYI.

Can anyone point me in the right direction?

Cheers!

AnyConnect VPN - Always On

You have to configure the Domain Name and the DNS Servers in your Profile...

Let your browser know that the Gateway is trustworthy!

Maybe this helps. Please let us know if yes!

Regards Marcus

Re: AnyConnect VPN - Always On

Hi Marcus, thanks for your follow-up. The thing is, we're looking at rolling out a lot of these kiosks (1200 in fact). Each of these sites will be on building-provided internet access, so the DNS and domain names are not consistent. My understanding of that section of the configuration was that you specify what you consider to be trusted DNS/domain names, i.e. if you reach mycompany.com or my DNS servers x.x.x.x you are on our LAN (no need to VPN), or if you can't reach those you are on an untrusted network and must dial up the VPN. Due to the above reasons regarding varying access methods, I can't make a new profile for every site.

Have I misunderstood?

Cheers

AnyConnect VPN - Always On

The configuration - DNS Server is from the User Guide.

Second Idea goes in the direction of certificate:

Did you configure the settings in the browser of the client where AnyConnect is installed?

Let your browser know that the Gateway is trustworthy!

If you are using a self-signed certificate for your VPN gateway, you can't validate it on your client if you haven't copied the certificate CA.

AnyConnect VPN - Always On

I am using a self-signed certificate, but that works fine for the regular SSL VPN AnyConnect. When I connect a certificate comes up, I can choose to accept it or decline it and away we go. As soon as the automatic VPN option is selected this doesn't happen; I just get the "AnyConnect cannot confirm it is connected to your secure gateway" error straight away.

AnyConnect VPN - Always On

But that's the point. AnyConnect has to validate your gateway certificate, and if you connect with the automatic VPN option it seems that there is no way to do it by confirming through the certificate pop-up. So the only way is for your certificate CA to validate it. Try copying your certificate CA to your client PC and dropping it in the corresponding certificate store.
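As an added example (not from this thread or from Cisco), the following PowerShell script does what the last reply describes on a Windows kiosk: it imports the gateway's CA or self-signed certificate into the machine-wide Trusted Root store, then fetches the certificate the gateway presents on TCP 443 and checks that it now chains to a trusted root and that its name matches the gateway FQDN. The gateway name and certificate path are placeholders, and it assumes the kiosk runs Windows with the PKI module available.

```powershell
# Added example, not Cisco's code. Run as Administrator on the kiosk.
# Placeholders: replace $Gateway with the ASA's FQDN from the AnyConnect
# profile and $CaFile with the exported CA (or self-signed) certificate.
param(
    [string]$Gateway = 'vpn.example.com',
    [string]$CaFile  = 'C:\deploy\vpn-ca.cer'
)

# 1. Install the issuer into Trusted Root Certification Authorities for the
#    machine, so the AnyConnect service (not just one user) trusts it.
$ca = Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported '$($ca.Subject)' thumbprint $($ca.Thumbprint)"

# 2. Retrieve the certificate the gateway actually serves on 443. The callback
#    returns $true only so the handshake completes and we can capture the cert;
#    real validation is done with X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($Gateway, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Gateway)
    $gwCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. Build the chain against the machine store. Revocation is skipped because a
#    self-signed issuer publishes no CRL; a real PKI would leave it enabled.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($gwCert)) {
    Write-Host "OK: '$($gwCert.Subject)' chains to a trusted root; Always-On needs no accept prompt."
} else {
    # Typical output before the import: UntrustedRoot (the reason Always-On refuses the gateway).
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}

# 4. Trust alone is not enough: the name AnyConnect connects to must match the cert.
$dnsName = $gwCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $Gateway) {
    Write-Warning "Certificate name '$dnsName' does not match '$Gateway'; AnyConnect will still reject it."
}
```

Because the kiosks sit on varying building networks, deploy this (or the certificate import alone) through your imaging or management tooling rather than per site; the trusted-network DNS/domain settings in the profile are a separate question from certificate trust.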
