Cisco Support Community

New Member

Failed to get configuration from secure gateway. Contact your system administrator.

I have an ASA 5515 running 9.1(1).

One of my customers is attempting to connect with AnyConnect 3.1.02040 and after authenticating, he gets the message

Failed to get configuration from secure gateway. Contact your system administrator.

I have about 100 other customers who have not had this issue and can connect fine.

Since it appears to be localized to his PC, he's uninstalled and reinstalled the client, but to no avail. He's using Windows 7 Pro.

On the ASA, while he is attempting to connect, I see this:

15:48:04|302014|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Teardown TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 to identity:<<<ASA IP>>>/443 duration 0:00:00 bytes 8241 TCP Reset-I

14:48:04|725007|<<<REMOTE IP>>>|51032|||SSL session with client outside:<<<REMOTE IP>>>/51032 terminated.

14:48:04|113039|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> AnyConnect parent session started.

14:48:04|734001|||||DAP: User etpdeir, Addr <<<REMOTE IP>>>, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

14:48:04|113008|||||AAA transaction status ACCEPT : user = etpdeir

14:48:04|113019|||||Group = ibmdtsc, Username = etpdeir, IP =, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:41s, Bytes xmt: 885580, Bytes rcv: 1343, Reason: Connection Preempted

14:48:04|716002|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> WebVPN session terminated: Connection Preempted.

14:48:04|113009|||||AAA retrieved default group policy (GroupPolicy_AnyConnect) for user = etpdeir

14:48:04|113004|||||AAA user authentication Successful : server = : user = etpdeir

14:48:04|725002|<<<REMOTE IP>>>|51032|||Device completed SSL handshake with client outside:<<<REMOTE IP>>>/51032

14:48:03|725001|<<<REMOTE IP>>>|51032|||Starting SSL handshake with client outside:<<<REMOTE IP>>>/51032 for TLSv1 session.

15:48:03|302013|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Built inbound TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 (<<<REMOTE IP>>>/51032) to identity:<<<ASA IP>>>/443 (<<<ASA IP>>>/443)

Any ideas?
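A triage sketch for a log excerpt like the one above, added here as an example and not part of the original post: it puts the newest-first lines into chronological order and reports how far the connection attempt got (TLS handshake, authentication, parent session) and the recorded end reasons. The message IDs are the ones in the excerpt; the sample lines, addresses, user and group name are constructed, and the function names are illustrative.

```python
import re

# Message IDs as they appear in the log excerpt in the post above.
TLS_DONE, AUTH_OK, PARENT_START = "725002", "113004", "113039"
SESSION_END, WEBVPN_END, TCP_TEARDOWN = "113019", "716002", "302014"
FIELDS = ("time", "msg_id", "src", "sport", "dst", "dport", "text")

# Constructed sample: same pipe-delimited, newest-first layout as the post,
# with documentation-range addresses and a made-up user and group.
SAMPLE = """\
10:00:02|302014|203.0.113.10|51032|198.51.100.1|443|Teardown TCP connection 7 for outside:203.0.113.10/51032 to identity:198.51.100.1/443 duration 0:00:00 bytes 8241 TCP Reset-I
10:00:02|725007|203.0.113.10|51032|||SSL session with client outside:203.0.113.10/51032 terminated.
10:00:02|113039|||||Group <GP_Example> User <alice> IP <203.0.113.10> AnyConnect parent session started.
10:00:02|113019|||||Group = GP_Example, Username = alice, IP =, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:41s, Bytes xmt: 885580, Bytes rcv: 1343, Reason: Connection Preempted
10:00:02|716002|||||Group <GP_Example> User <alice> IP <203.0.113.10> WebVPN session terminated: Connection Preempted.
10:00:02|113004|||||AAA user authentication Successful : server = : user = alice
10:00:01|725002|203.0.113.10|51032|||Device completed SSL handshake with client outside:203.0.113.10/51032
"""

def parse(text):
    """Return the events oldest-first as dicts keyed by FIELDS."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 6)   # keep any '|' inside the message text
        if len(parts) == 7 and parts[1].isdigit():
            events.append(dict(zip(FIELDS, parts)))
    return events[::-1]                      # the excerpt lists newest first

def triage(events):
    """Report how far one connection attempt got and how it ended."""
    ids = [e["msg_id"] for e in events]
    if TLS_DONE not in ids:
        stage = "tls-handshake"
    elif AUTH_OK not in ids:
        stage = "authentication"
    elif PARENT_START not in ids:
        stage = "session-setup"
    else:
        stage = "post-auth"                  # failure came after login succeeded
    reasons = []
    for e in events:
        m = re.search(r"(?:Reason|terminated): (.*?)\.?$", e["text"])
        if e["msg_id"] in (SESSION_END, WEBVPN_END) and m:
            reasons.append(m.group(1))
    teardown = [e["text"].rsplit(" TCP ", 1)[-1] for e in events
                if e["msg_id"] == TCP_TEARDOWN and " TCP " in e["text"]]
    return {"stage": stage, "end_reasons": reasons, "tcp_teardown": teardown}
```

A `post-auth` result means the handshake and AAA steps succeeded, so the failure lies in what the client fetches after login rather than in credentials.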

New Member

Has there been any fix with this?  We are now running into the same issue.  Could it be a bad image that the devices are reaching for?

New Member

My fix at the end of this,..

-Problem Description: Users stating that a profile which has been working is now giving some users the message "Failed to get configuration from secure gateway. Contact your system administrator." when they attempt to connect to the VPN server/"secure gateway". This happens in both the clientless and AnyConnect clients.

-Fix: the profile.xml was not properly configured to match the Group Policy.

-ASDM setting: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

-CLI missing configuration: anyconnect profiles VPN_Group_Policy_Name disk0:/prifile_filename.xml

If you are pulling from tftp then the disk0:/ command would be replaced accordingly.


Along with these, ensure that you have the latest Java update and it is a trusted site in the Java Control Panel. Ensure the Java and/or ActiveX settings will allow the profile to load off the VPN server by URL and ensure it is enabled like below.


For Example: group-url enable

New Member

To add:  anyconnect profiles VPN_Group_Policy_Name disk0:/prifile_filename.xml   you must enter the tunnel-group webvpn-attributes command first as shown below:

tunnel-group Group_Policy_Tunnel_Group_Name webvpn-attributes


New Member

I had this problem. For me the cause had to do with Internet Explorer TLS settings.

In IE8 go to Tools, Internet Options, Advanced and under Security I had to make sure Use TLS 1.0 was checked (only Use SSL 3.0 and Use TLS 1.1 were checked. I left them checked.).

New Member

We had the same issue here too. The reason was that an older version of AnyConnect was installed on the client, but an update of the client was not successful (maybe because of some security configuration on Windows, for example SRP or something of that kind ...). So the client disconnected to update (and reconnect with the updated version), but that never happened because the update failed ...

To enable (temporarily) the connectivity with the older version of the AnyConnect client, I configured the firewall to provide only the old version of the client to connecting PCs:


   anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 regex "Windows NT"

We will revert this configuration back to the new one when all old clients with that issue have been updated to the new version ...

The newer version of the client was still able to connect even after this configuration change, so this may be a temporary fix for you too ...
