04-14-2014 01:09 PM - edited 02-21-2020 07:36 PM
Hi Everyone,
I have configured AnyConnect with IKEv2 only, no SSL, and web launch is also turned off.
I downloaded the AnyConnect package, anyconnect-win-3.1.05160-k9.pkg, on the PC.
I tried to connect but no luck.
Is it designed to work this way?
Regards
Mahesh
04-14-2014 02:41 PM
Mahesh,
The pkg file is ONLY for deployment from the ASA. If you want to install locally on your own, you need to download the pre-deploy ISO file and extract the installation files from it.
It has a bundled installer (setup.exe) from which you can choose among all the various AnyConnect Secure Mobility Client components - VPN, DART, WebSecurity, NAM, Telemetry, Posture and Gina (Start Before Logon).
For VPN the correct file you can run separately to install would be anyconnect-win-3.1.05160-pre-deploy-k9.msi (version number will change over time of course).
If you don't want to run client services over SSL, you will also need to manually pre-deploy the profile.xml file. This is described in the links I included with the answer to your earlier question today.
04-14-2014 06:06 PM
Hi Marvin,
A few questions here:
Should I then remove anyconnect-win-3.1.05160-k9.pkg from flash?
via
webvpn
no anyconnect image disk0://......
Now I installed the .iso image on the PC and extracted the image using WinRAR.
After that I ran setup and selected AnyConnect VPN only, but when I try to connect I get the error
login failed.
Regards
Mahesh
04-15-2014 05:02 AM
Even if you are not deploying the client pkg file from the ASA you still need the pkg file there (set to be the AnyConnect image) in order to extract the schema used by the AnyConnect profile editor within ASDM.
(Assuming you use that function within ASDM to create and modify your profile - you could alternatively create the profile in the offline AnyConnect profile editor tool or just generate it manually using a text editor if you're comfortable with the xml syntax.)
Have you deployed the XML profile manually onto your client?
04-15-2014 05:56 AM
Hi Marvin,
My job is to configure and install IKEv2 with IPsec, and then our desktop team can run the
standalone AnyConnect client on users' laptops.
So the first step I should do is to put anyconnect-win-3.1.05160-k9.pkg back on flash.
Then I can remove and reconfigure AnyConnect via the wizard, where I can choose both
SSL and IKEv2.
Also I can select the web deployment method at the end of the wizard.
This way I can go to https, download the client on a test PC and get connected.
Once connected I will have that .xml profile created on this PC.
Now I can disable SSL in ASDM so that users cannot go to the https website.
If I copy this .xml profile to a user PC and run the standalone client on the user PC, will it work?
Regards
Mahesh
04-15-2014 06:14 AM
Yes - that's one way to do it.
The .xml profile is a very small simple (but critical) file you can copy manually from the ASA to your PC as well as via the automatic method which, as we note, requires client services over SSL on the ASA. If you have the correct .xml file (should specify IPsec transport) and AnyConnect client software on the PC, you do not need the ASA client services via SSL.
If you do the manual method, any future update to the profile will likewise have to be distributed manually.
04-15-2014 07:36 AM
Hi Marvin,
Seems I am learning a lot that is new from this post.
One way is to use SSL and enable web deployment.
The other way is if I only use IKEv2 to configure AnyConnect.
I checked the .xml profile in ASA flash. Does this mean that when we configure AnyConnect on the ASA, the .xml profile is created automatically on the ASA?
Now if I only configure AnyConnect to use IKEv2 and copy the file (.xml profile) from ASA flash to the PC and then test via standalone AnyConnect, it should work, right?
Best regards
Mahesh
04-15-2014 08:48 AM
That's how I understand it.
I haven't actually used this method of manual deployment plus turning off SSL on the ASA (which is required for client services = primarily the package deployment and profile push/update) but it is documented to work that way.
04-18-2014 01:46 PM
Hi Marvin,
I tested it manually by running the standalone client, and the ASA was configured to use
only IPsec IKEv2.
It did not work. Even when I copy the .xml profile from ASA flash to the PC, every time it gives me the error login failed.
Then I opened a TAC case with Cisco.
The Cisco engineer checked the config; all was good.
He then enabled SSL in the group policy of the ASA via CLI. After that I went to the URL and AnyConnect
worked fine. Then I disabled SSL from the CLI and configured AnyConnect to only
use IKEv2. After this I again connected from the same PC and it worked fine.
Then I copied that profile file (.xml) to another PC and tried to connect; it gave me the same error message, login failed.
Seems when we try to connect using IKEv2 for the first time from a PC, it needs SSL enabled to download the profile from the ASA,
even though the profile is already there on this PC? That's pretty strange.
Regards
Mahesh
04-30-2014 10:51 AM
Hi Marvin,
I was able to install AnyConnect as a standalone client on a user PC
and make it work using IKEv2 only.
Best regards
Mahesh
10-05-2020 03:03 AM - edited 10-31-2020 01:07 PM
Guys, by client service you meant the AnyConnect client profile, right?