Cisco Support Community
New Member

Cisco Secure AnyConnect Mobility Client error "invalid host entry. please re-enter"

Experts,

We are in the process of replacing the Cisco IPSec (IKEv1) VPN client with the Cisco Secure AnyConnect Mobility Client using SSL technology. We are pre-deploying the VPN client with the vpnconfiguration.xml file to the end users. In this way we control the VPN settings for the users. We have also provided the FQDN (resolvable on the Internet) of our ASA firewall (VPN Concentrator) in the vpnconfiguration.xml file.

When the user tries to connect using the vpnconfiguration.xml file he receives a message “invalid host entry. please re-enter”. Even if we put the IP address of the ASA firewall in the vpnconfiguration.xml file we get the same error message.

However if we manually enter the FQDN in the Cisco Secure Anyconnect Mobility Client.

We are not sure what we are missing.

 

Ds

7 REPLIES
Hall of Fame Super Silver


Did you create the XML file manually or use the AnyConnect Profile editor?

Are you putting it (in place of the underscore) in the "<HostAddress>_______</HostAddress>" field of the XML file?

New Member


Marvin,

We are using the profile editor provided in the Cisco ASA firewall.

See below snapshot of the partial .xml file. Let me know your thoughts.

    <ServerList>
        <HostEntry>
            <HostName>XXX-VPN-Test-Users</HostName>
            <HostAddress>XXX.XX.34.132</HostAddress>
            <UserGroup>XXX-VPN-Test-Users</UserGroup>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

Hall of Fame Super Silver


That snapshot looks OK re the host bit.

I do notice it is missing the "<PrimaryProtocol>SSL</PrimaryProtocol>" (or it could say IPsec for an IKEv2 VPN) that I would also expect within the ServerList section. I have 20 profiles on my client (yes 20 - I've worked on lots of client networks remotely) and every one of them has the PrimaryProtocol field populated. Here is a link to the Admin Guide reference on that section.

New Member


Martin,

I am still getting the same error message. What am I missing?

    <ServerList>
        <HostEntry>
            <HostName>XXX-VPN-Test-Users</HostName>
            <HostAddress>XXX.XX.34.132</HostAddress>
            <UserGroup>XXX-VPN-Test-Users</UserGroup>
            <PrimaryProtocol>SSL</PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

 

Ds

New Member


Marvin,

I ended up opening a TAC case with Cisco. It appears that I was missing the following RED highlighted portion in the tunnel group configuration:

tunnel-group XXX-VPN-Test-Users webvpn-attributes
 group-alias XXX-VPN-Test-Users enable
 group-url https://XXX.XXX.XXX.XXX.XXX/XXX-VPN-Test-Users enable

 

I thought you would be interested in knowing.

 

Ds

 

Hall of Fame Super Silver


Thanks for advising us of the resolution. It's difficult at times to give a good solution when only seeing snippets of the configuration. Your resolution helps show others the important bit here. +5

New Member


I can confirm that this solution worked for me as well. I used ASDM. This is how I did it.

  1. In ASDM, go to Configuration > Remote Access VPN.
  2. Expand "Network (Client) Access", then select "AnyConnect Connection Profiles".
  3. Select the connection profile you wish to edit, then click Edit.
  4. Expand "Advanced", then select "SSL VPN".
  5. In the "Group URLs" section, add the URL.
    • The URL needs to be in the following format: https://[VPN hostname or IP address]/[Group Name]
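
The resolution in this thread can be checked before a profile is deployed. The following is an added example, not code from the thread or from Cisco: it builds the https://HostAddress/UserGroup URL for each HostEntry in a profile and reports any that have no enabled group-url in the ASA configuration. The host name, group name and both configuration samples are constructed, and exact string comparison of the URLs is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
PROFILE = """<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>Test-Users</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Test-Users</UserGroup>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Tunnel group as first configured: alias only, no group-url.
ASA_MISSING = """tunnel-group Test-Users webvpn-attributes
 group-alias Test-Users enable
"""
# Same tunnel group after adding the group-url line.
ASA_FIXED = ASA_MISSING + " group-url https://vpn.example.com/Test-Users enable\n"

def local(tag):
    """Strip an XML namespace prefix, since deployed profiles declare one."""
    return tag.rsplit("}", 1)[-1]

def expected_urls(profile_xml):
    """URL the profile implies for every HostEntry that sets a UserGroup."""
    urls = []
    for el in ET.fromstring(profile_xml).iter():
        if local(el.tag) != "HostEntry":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in el}
        if f.get("HostAddress") and f.get("UserGroup"):
            urls.append(f"https://{f['HostAddress']}/{f['UserGroup']}")
    return urls

def enabled_group_urls(asa_config):
    """Enabled group-url values found in an ASA configuration dump."""
    pat = re.compile(r"^\s*group-url\s+(\S+)\s+enable\s*$", re.M)
    return {m.group(1).rstrip("/") for m in pat.finditer(asa_config)}

def missing_group_urls(profile_xml, asa_config):
    """Profile URLs that no enabled group-url on the ASA matches."""
    have = enabled_group_urls(asa_config)
    return [u for u in expected_urls(profile_xml) if u.rstrip("/") not in have]

if __name__ == "__main__":
    for name, cfg in (("before", ASA_MISSING), ("after", ASA_FIXED)):
        print(name, missing_group_urls(PROFILE, cfg) or "all group URLs present")
```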

 
