Issues migrating from IPsec client to AnyConnect client, IKE v1/2 conflict on the ASA5500?
Hardware: Cisco ASA5500, Version 8.4(3)
We're obviously planning migration from the old IPsec VPN client to the AnyConnect V3 client, enabling pre-connect posturing at the same time.
We have over 3000 laptops with the old client installed and working fine, so we need to migrate while running both clients at the same time.
By policy we prefer IPsec as the encryption, so we will continue with this.
As preparatory work I enabled the AnyConnect user profiles on the ASA5500.
I have tested this in our test lab without issue.
However, on the live hardware we immediately ran into problems and our support engineers needed to raise a case (ref 622041287) to help resolve the issues. The wording of the fault clearance is:
"we saw that IKEv2 was configured on the group policy, and IKEv1 was configured on the tunnel group, and believe that is the conflict that is preventing connections.
We removed IKEv2 from the group policy on cnell-asa-01 and we saw several users connect to group-secid, so all seems to be back as it was before the recent change."
From the appearance of the logs it appears that indeed the IKE v2 configuration was conflicting with the current clients.
Of course this could simply be a configuration error, but as I have tested the same configuration without error in the test lab on the same hardware and software, I'm struggling to figure out where we went wrong. I am using the same group policies for AnyConnect and IPsec.
Actually, I've just noticed in the Group Policies that I didn't have IKE v2 enabled in the defaultra group. So there was a mismatch when I enabled AnyConnect profiles, as they use IKE v2 and the group policies didn't have IKE v2 enabled ... doh!
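As an added check (not from the post, and not a Cisco tool), a small Python lint for the mismatch described above: it parses an ASA 8.4-style running-config fragment and reports each tunnel-group that is set up for an IKE version that its default group-policy's vpn-tunnel-protocol line does not list. The config fragment and the GP-SECID/GP-OK policy names are constructed for the example; inheritance of protocol sets from DfltGrpPolicy is not resolved, so a policy with no explicit vpn-tunnel-protocol line is treated as permitting nothing.

```python
import re
from collections import defaultdict
# Constructed ASA 8.4-style config fragment (not from the post): the group-secid
# tunnel-group offers IKEv1, but its group-policy only permits ikev2/ssl-client.
SAMPLE_CONFIG = """\
group-policy GP-SECID attributes
 vpn-tunnel-protocol ikev2 ssl-client
group-policy GP-OK attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
tunnel-group group-secid general-attributes
 default-group-policy GP-SECID
tunnel-group group-secid ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group group-ok general-attributes
 default-group-policy GP-OK
tunnel-group group-ok ipsec-attributes
 ikev1 pre-shared-key *****
"""

def parse_asa(config):
    """Collect vpn-tunnel-protocol per group-policy and IKE versions per tunnel-group."""
    policies = defaultdict(set)
    # A tunnel-group without default-group-policy falls back to DfltGrpPolicy on the ASA.
    tgroups = defaultdict(lambda: {"policy": "DfltGrpPolicy", "ike": set()})
    section = None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line opens a new section
            gp = re.match(r"group-policy (\S+) attributes", line)
            tg = re.match(r"tunnel-group (\S+) (general|ipsec)-attributes", line)
            section = ("gp", gp.group(1)) if gp else ("tg", tg.group(1)) if tg else None
        elif section is not None:
            kind, name = section
            words = line.split()
            if kind == "gp" and words[0] == "vpn-tunnel-protocol":
                policies[name].update(words[1:])
            elif kind == "tg" and words[0] == "default-group-policy":
                tgroups[name]["policy"] = words[1]
            elif kind == "tg" and words[0] in ("ikev1", "ikev2"):  # ipsec-attributes
                tgroups[name]["ike"].add(words[0])
    return policies, tgroups

def find_mismatches(config):
    """Return (tunnel_group, group_policy, ike_version) for each unlisted IKE version."""
    policies, tgroups = parse_asa(config)
    findings = []
    for tg, info in sorted(tgroups.items()):
        allowed = policies.get(info["policy"], set())  # no explicit line -> nothing allowed
        for ike in sorted(info["ike"] - allowed):
            findings.append((tg, info["policy"], ike))
    return findings
```

Running find_mismatches over the output of `show running-config` flags group-secid only, because GP-OK lists both ikev1 and ikev2 while GP-SECID lists only ikev2.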