
SSL VPN and AnyConnect error [ASA 5510]

Exonix
Level 1

Hello,

I have configured the SSL VPN following these manuals: SSL VPN, Client Profile. But I still can't connect using AnyConnect Secure Mobility Client 3.0.08057; I get this error:

 

Failed to download AnyConnect VPN Profile because AnyConnect cannot confirm it is connected to your secure gateway.
The local network may not be trustworthy.
A VPN connection cannot be established.

The Client and ASA are in the same network (just for test). The RADIUS authentication by MS Server is being used. There is the ASA configuration:

Cisco Adaptive Security Appliance Software Version 9.1(7)15
Device Manager Version 7.8(2)151

Compiled on Tue 07-Mar-17 11:12 by builders
System image file is "disk0:/asa917-15-k8.bin"

webvpn
 enable WAN
 anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.08057-k9.pkg 2
 anyconnect profiles ssl_vpn disk0:/ssl_vpn.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 10.254.1.211
 vpn-tunnel-protocol ssl-client
 default-domain value companytest.company.com
 webvpn
  anyconnect profiles value ssl_vpn type user
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool test
 authentication-server-group (WAN) NPS
 password-management
tunnel-group TEST webvpn-attributes
 group-alias TEST enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool test
 authentication-server-group NPS
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
!

I have imported a certificate to the ASA, which was issued by the Domain PKI. Also, Windows 10 has a root certificate installed.

What have I forgotten?

 

Thank you in advance!

 

1 Accepted Solution


Hi Francesco,

I have deleted the Client Profile, and then I connected successfully. This setting is required if user connects from Terminal Server.


3 Replies

Francesco Molino
VIP Alumni
Hi

Your config snippet looks OK. Can you run the command show run all ssl or sh ssl to verify the SSL ciphers?

Have you run any debugs? Can you share the debug output?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, great

Thanks
Francesco