Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSL VPN and Group-URL's

Hi all,

I am configuring an anyconnect solution using 2,5 client, 8.3 ASA and asdm 6.3. I have two ASA's configured in a cluster with active/standby failover.

I have a wildcard cert configured on both ASA's and each of the three IP's are resolvable from the internet.FQDN redirection is enabled.

These are the url's (sanitised)... (cluster virtual IP) (Master/active real IP) (secondary/standby real IP) 

In the main, I have it the way I want it working but I am having trouble getting group-url to work for the annyconnect client. It seems to work ok for clientless connections though.

I am trying to configure the ASA so that when connecting (via a browser) to the on its own, this takes you to the clientless portal where you have a minimum set of apps. So, I configured a group-url of just the url above and this works fine.

I want my annyconnect clients to connect using The intention is that if you go here from a browser, you can download the client and if you go here from the client you can connect to all the resources as you are in the correct DAP. I am using endpoint assesmnet to identify corporate assets and place them into the correct DAP. This seems to be working fine if i use group aliases with drop down lists.

If I try to configure a group-url for, and add 'staff' to the annyconnect profile, I get an error 'connection attempt has failed due to an invalid host entry' and the bottom line of the anyconnect client reads 'Unable to process response from'.

Here are some config snips...

tunnel-group ClientProfile general-attributes
authentication-server-group MS-LDAP
default-group-policy ClientPolicy
dhcp-server 10.x.x.x
tunnel-group ClientProfile webvpn-attributes
group-alias "SLL Client" enable
group-url enable
group-url enable

in my profile I have this....




As far as I can see this should work...can anyone shed any light on this  ?

Many Thanks


Cisco Employee

Re: SSL VPN and Group-URL's


I would check without any profile.You don't need this for this particular functionality.

If I will find the time tomorrow I'll check it on a lab device.

What happens if you connect to does it offer you a drop-down menu offering "SLL Client" as a possibility?

Share your

sh run webvpn

sh run tunnel-group

sh run group-policy

and whole contents of profile for AC.


New Member

Re: SSL VPN and Group-URL's

Thanks Marcin,

I'm not sure what you mean when you say check without a profile. Could you help me out a little further with that ?

I having some difficulty understanding how the group-url is supposed to work and interact with the connection process, the Cisco docs dont seem to explain that in any detail.

I have attached a file with the out put you asked for, hope its ok but if you need anything else, please let me know.

Thanks for your help !



Cisco Employee

Re: SSL VPN and Group-URL's


Forgive for not being clear.

What I meant is to remove the xml profile if stored localy (It's in documents and settings).

Consider my config in regards to group behavior.(and look what happens when I connect with anyconnect.

and configuration:

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OVER
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias TESTING_PLEASE enable
group-url https://bsns-asa5520-10/TEST enable

tunnel-group OTHER_WEBVPN type remote-access
tunnel-group OTHER_WEBVPN webvpn-attributes
group-alias OTHER_PLEASE enable
group-url https://bsns-asa5520-10/OTHER enable

enable outside
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc enable
tunnel-group-list enable

Now I don't have a profile. But your profile mentions group which I don't see configured on the ASA. ("staff")

I know this does not provide you will all the answers but hopefully demonstrates what I wanted you to check in my initial post.


CreatePlease login to create content