12-09-2013 08:36 PM - edited 02-21-2020 07:22 PM
I have an ASA5510 ver 8.2(1)1
I have configured two AnyConnect VPNs. I have enabled both clientless and svc mode on both. The clientless works. They can connect to the webpage and access plugins and access hosts on the internal network.
However, the software won't download, and if I install the AnyConnect client manually I can't even connect then. Depending on the version of the client I get either "Anyconnect is not enabled" or "Can't start secure Desktop".
Any workaround for this?
Config:
group-policy mypol_vpn_policy internal
group-policy mypol_vpn_policy attributes
 dns-server value 10.x.x.x
 vpn-filter value mypol_VPN_ACCESS_ACL
 vpn-tunnel-protocol svc webvpn
 split-tunnel-network-list value mypol_Split_Tunnel
 address-pools value mypool_Pool
 webvpn
  http-proxy disable
  svc keep-installer installed
  svc ask enable default svc
  customization value mypol
tunnel-group mypol_vpn_policy type remote-access
tunnel-group mypol_vpn_policy general-attributes
 default-group-policy mypol_vpn_policy
tunnel-group mypol_vpn_policy webvpn-attributes
 group-alias mypol enable
 group-url https://xxx.com/mypol enable
Files in flash:
csd_3.6.3002-k9.pkg
anyconnect-dart-win-2.4.1012-k9.pkg
Any ideas, please?
12-10-2013 07:50 AM
I don't see anyconnect enable in your config. Try running show run | i anyconnect and paste the results. You should have anyconnect enable under your webvpn config.
12-10-2013 05:44 PM
I also have this in global config:
webvpn
 enable outside
 csd image disk0:/csd_3.6.3002-k9.pkg
 csd enable
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2 regex "Windows NT"
 svc image disk0:/anyconnect-win-3.1.04066-k9.pkg 3
 svc enable
 tunnel-group-list enable
 smart-tunnel list RDP RDP mstsc.exe platform windows
There are no other references to anyconnect when I do the show run.
12-10-2013 06:22 PM
Ruan, what version of ASA software are you running?
12-10-2013 06:40 PM
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
12-10-2013 07:46 PM
I installed a VPN client on my desktop. When I try to connect manually I get the error "Posture assessment has failed for this machine" and I also get "anyconnect is not enabled on the vpn server".
When I did a debug this is all I saw:
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
12-11-2013 05:33 AM
Ryan, go into your webvpn config and enable anyconnect:
webvpn
 anyconnect enable
12-11-2013 01:05 PM
Unfortunately I tried that, but the command is not available:
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect enable
^
ERROR: % Invalid input detected at '^' marker.
ASA(config-webvpn)# ?
WebVPN commands:
  anyconnect-essentials  Enable/Disable AnyConnect Essentials
  apcf                   Load Aplication Profile Customization Framework (APCF)
                         profile
  auto-signon            Configure auto-sign to allow login to certain
                         applications using the WebVPN session credentials
  cache                  Configure WebVPN cache
  certificate-group-map  Associate a tunnel-group with a certificate map rule
  character-encoding     Configures the character encoding for WebVPN portal
                         pages
  csd                    This specifies whether Cisco Secure Desktop is enabled
                         and the package file name to be used.
  default-idle-timeout   This is the default idle timeout in seconds
  default-language       Default language to use
  dtls                   Configure DTLS for WebVPN
  enable                 Enable WebVPN on the specified interface
  error-recovery         Contact TAC before using this command
  exit                   Exit from WebVPN configuration mode
  file-encoding          Configures the file encoding for a file sharing server
  help                   Help for WebVPN commands
  http-proxy             This is the proxy server to use for HTTP requests
  https-proxy            This is the proxy server to use for HTTPS requests
  internal-password      Adds an option to input a different password for
                         accessing internal servers
  java-trustpoint        Configure WebVPN java trustpoint
  keepout                Shows Web page when the login is disabled
  memory-size            Configure WebVPN memory size. CHECK MEMORY USAGE
                         BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
                         CISCO
  no                     Remove a WebVPN command or set to its default
  onscreen-keyboard      Adds WebVPN onscreen keyboard for typing password on
                         the WebVPN logon page and internal pages requiring
                         authentication
  port                   WebVPN should listen for connections on the specified
                         port
  port-forward           Configure the port-forward list for WebVPN
  proxy-bypass           Configure proxy bypass
  rewrite                Configure content rewriting rule
  smart-tunnel           Configure a list of programs to use smart tunnel
  sso-server             Configure an SSO Server
  svc                    This specifies whether the SSL VPN Client is enabled
                         and the package file name to be used.
  tunnel-group-list      Configure WebVPN group list dropdown in login page
12-11-2013 01:17 PM
The enable outside is sufficient. In 8.2, it is svc enable, not anyconnect enable.
We will need the DART or the full "show run" to find out what is happening. We need to see how the tunnel groups and group-policies are configured for that which you are connecting to.
When you go to connect to AC, what website are you trying to connect to? It should be "https://(outsideIPaddress)"
For the posture assessment failing, are you using hostscan or CSD? If not, turn this off and avoid the check altogether.
webvpn
 no csd enable
This should help clean this up a bit.
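Added example, not part of the original thread and not Cisco tooling: a small Python check of the points raised in the reply above (WebVPN enabled on an interface, an svc image, `svc enable` under webvpn on 8.2, `csd enable`, and svc allowed in the group-policy). It assumes indented `show run` output; the sample config is constructed from commands quoted in the thread, and the function and constant names are hypothetical.

```python
import re

# Constructed sample: ASA 8.2-style running-config excerpt built only from
# commands quoted in this thread (names and package paths are placeholders).
SAMPLE = """\
webvpn
 enable outside
 csd image disk0:/csd_3.6.3002-k9.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc enable
group-policy mypol_vpn_policy internal
group-policy mypol_vpn_policy attributes
 vpn-tunnel-protocol svc webvpn
"""
CSD_NOTE = "csd enable is set; thread advice is 'no csd enable' if CSD is unused"

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return findings for the AnyConnect (svc) prerequisites named in the thread."""
    sec = sections(config)
    web = sec.get("webvpn", [])          # global webvpn section only
    findings = []
    if not any(re.fullmatch(r"enable \S+", l) for l in web):
        findings.append("webvpn is not enabled on any interface")
    if not any(l.startswith("svc image ") for l in web):
        findings.append("no svc image configured")
    if "svc enable" not in web:
        findings.append("svc enable missing under webvpn")
    if "csd enable" in web:
        findings.append(CSD_NOTE)
    for head, body in sec.items():
        m = re.fullmatch(r"group-policy (\S+) attributes", head)
        protos = [l.split()[1:] for l in body if l.startswith("vpn-tunnel-protocol ")]
        if m and protos and "svc" not in protos[0]:
            findings.append(f"group-policy {m.group(1)} does not allow svc")
    return findings
```
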
12-11-2013 07:10 PM
Not sure exactly what the problem was. But in ASDM I did not have a dynamic policy created. (However, in CLI I did.)
So I enabled/created it in ASDM, which just moved the commands around in the CLI:
dynamic-access-policy-record my_policy
 description "my_policy"
 network-acl vpn_VPN_ACCESS_ACL
 webvpn
  svc ask none default svc
And now when I tried to connect it gave me the .exe to download, which I did, and it all worked fine.
Thanks for the help guys!