
AnyConnect won't download to client PC

ryancisco01
Level 1

I have an ASA5510 ver 8.2(1)1

I have configured two AnyConnect VPNs. I have enabled both clientless and svc mode on both. The clientless works. They can connect to the webpage and access plugins and access hosts on the internal network.

However, the software won't download, and if I install the AnyConnect client manually I can't even connect then. Depending on the version of client I get either "Anyconnect is not enabled" or "Can't start secure Desktop".

Any workaround for this?

Config:

group-policy mypol_vpn_policy internal
group-policy mypol_vpn_policy attributes
 dns-server value 10.x.x.x
 vpn-filter value mypol_VPN_ACCESS_ACL
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value mypol_Split_Tunnel
 address-pools value mypool_Pool
 webvpn
  http-proxy disable
  svc keep-installer installed
  svc ask enable default svc
  customization value mypol
tunnel-group mypol_vpn_policy type remote-access
tunnel-group mypol_vpn_policy general-attributes
 default-group-policy mypol_vpn_policy
tunnel-group mypol_vpn_policy webvpn-attributes
 group-alias mypol enable
 group-url https://xxx.com/mypol enable

Files in flash:

csd_3.6.3002-k9.pkg
anyconnect-dart-win-2.4.1012-k9.pkg

Any ideas please?

9 Replies

WILLIAM STEGMAN
Level 4

I don't see anyconnect enable in your config. Try running show run | i anyconnect and paste the results. You should have anyconnect enable under your webvpn config.

I also have this in global config:

webvpn
 enable outside
 csd image disk0:/csd_3.6.3002-k9.pkg
 csd enable
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2 regex "Windows NT"
 svc image disk0:/anyconnect-win-3.1.04066-k9.pkg 3
 svc enable
 tunnel-group-list enable
 smart-tunnel list RDP RDP mstsc.exe platform windows

There are no other references to anyconnect when I do the show run.

Ryan, what version of ASA software are you running?

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

I installed a VPN client on my desktop. When I try to connect manually I get the error "Posture assessment has failed for this machine" and I also get "anyconnect is not enabled on the vpn server".

When I did a debug this is all I saw:

Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL

Ryan, go into your webvpn config and enable anyconnect

webvpn
  anyconnect enable

Unfortunately I tried that, but the command is not available:

ASA(config)# webvpn
ASA(config-webvpn)# anyconnect enable
                                       ^
ERROR: % Invalid input detected at '^' marker.
ASA(config-webvpn)# ?

WebVPN commands:
  anyconnect-essentials  Enable/Disable AnyConnect Essentials
  apcf                   Load Aplication Profile Customization Framework (APCF)
                         profile
  auto-signon            Configure auto-sign to allow login to certain
                         applications using the WebVPN session credentials
  cache                  Configure WebVPN cache
  certificate-group-map  Associate a tunnel-group with a certificate map rule
  character-encoding     Configures the character encoding for WebVPN portal
                         pages
  csd                    This specifies whether Cisco Secure Desktop is enabled
                         and the package file name to be used.
  default-idle-timeout   This is the default idle timeout in seconds
  default-language       Default language to use
  dtls                   Configure DTLS for WebVPN
  enable                 Enable WebVPN on the specified interface
  error-recovery         Contact TAC before using this command
  exit                   Exit from WebVPN configuration mode
  file-encoding          Configures the file encoding for a file sharing server
  help                   Help for WebVPN commands
  http-proxy             This is the proxy server to use for HTTP requests
  https-proxy            This is the proxy server to use for HTTPS requests
  internal-password      Adds an option to input a different password for
                         accessing internal servers
  java-trustpoint        Configure WebVPN java trustpoint
  keepout                Shows Web page when the login is disabled
  memory-size            Configure WebVPN memory size. CHECK MEMORY USAGE
                         BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
                         CISCO
  no                     Remove a WebVPN command or set to its default
  onscreen-keyboard      Adds WebVPN onscreen keyboard for typing password on
                         the WebVPN logon page and internal pages requiring
                         authentication
  port                   WebVPN should listen for connections on the specified
                         port
  port-forward           Configure the port-forward list for WebVPN
  proxy-bypass           Configure proxy bypass
  rewrite                Configure content rewriting rule
  smart-tunnel           Configure a list of programs to use smart tunnel
  sso-server             Configure an SSO Server
  svc                    This specifies whether the SSL VPN Client is enabled
                         and the package file name to be used.
  tunnel-group-list      Configure WebVPN group list dropdown in login page

The enable outside is sufficient.  In 8.2, it is svc enable, not anyconnect enable.

We will need the DART or the full "show run" to find out what is happening.  We need to see how the tunnel groups and group-policies are configured for that which you are connecting to.

When you go to connect to AC, what website are you trying to connect to?  It should be "https://(outsideIPaddress)"

For the posture assessment failing, are you using hostscan or CSD?  If not, turn this off and avoid the check altogether.

webvpn
 no csd enable

This should help clean this up a bit.

Not sure exactly what the problem was. But in ASDM I did not have a dynamic policy created. (However, in CLI I did.)

So I created it in ASDM, which just moved the commands around in the CLI:

dynamic-access-policy-record my_policy
description "my_policy"
network-acl vpn_VPN_ACCESS_ACL
webvpn
  svc ask none default svc

And now when I tried to connect it gave me the .exe to download, which I did, and it all worked fine.

Thanks for the help guys!
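
The replies in this thread name the global webvpn commands used on 8.2 (enable outside, svc image, svc enable), which are separate from the webvpn sub-mode inside a group-policy. As an added example (not code from any poster in this thread), this Python check reads an indented show running-config and reports which of those commands are absent; the function names and sample configs are constructed, and it assumes the config keeps the indentation that show running-config prints.

```python
import re

# Constructed samples in ASA 8.2 syntax, built from commands quoted in the thread.
GROUP_POLICY_ONLY = """\
group-policy mypol_vpn_policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable default svc
"""
GLOBAL_WEBVPN = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc enable
"""

def sections(config):
    """Map each unindented line to the sub-commands indented beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # new top-level command
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:          # nested at any depth
            out[current].append(line.strip())
    return out

def check_svc_prereqs(config):
    """Return the commands named in the thread that the config lacks."""
    secs = sections(config)
    glob = secs.get("webvpn", [])          # global webvpn mode only
    missing = []
    if not any(re.fullmatch(r"enable \S+", c) for c in glob):
        missing.append("webvpn: enable <interface>")
    if not any(c.startswith("svc image ") for c in glob):
        missing.append("webvpn: svc image <package>")
    if "svc enable" not in glob:
        missing.append("webvpn: svc enable")
    policy_cmds = [c for head, cmds in secs.items()
                   if re.fullmatch(r"group-policy \S+ attributes", head)
                   for c in cmds]
    if not any(c.split()[0] == "vpn-tunnel-protocol" and "svc" in c.split()[1:]
               for c in policy_cmds):
        missing.append("group-policy: vpn-tunnel-protocol svc")
    return missing

if __name__ == "__main__":
    print(check_svc_prereqs(GROUP_POLICY_ONLY))
    print(check_svc_prereqs(GROUP_POLICY_ONLY + GLOBAL_WEBVPN))
```

A webvpn block nested under a group-policy is deliberately not counted as the global one, so a config that only has per-policy svc settings still reports the three global commands as missing.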
