We've got a weird problem that has popped up and we've been unable to figure out what's going on.
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personally been running the Anyconnect client and launching through IE9 for months.
Any ideas about what's wrong or how to debug this?
We haven't found a resolution and I'm getting no help here on the discussion boards.
As a workaround, I'm telling people to initiate the VPN by starting the client directly from the start menu. I don't like training them to do that because that doesn't automatically upgrade them like it would if they used the web page to launch the VPN.
Hi Patrik,
Can you attach the logs from the ASA (debugging level) when a user tries to connect and sees this error?
Also the group policy on which the users land.
How many licenses do you have? By default the config holds a line which says maximum connected users; double-check how many it's set to.
Have you added your site to the compatibility list in IE9?
Ideally, when you have Anyconnect Essentials enabled on the ASA, you cannot get access to the Clientless VPN (Web Portal access to the internal resources); however, the Web Launch of the Anyconnect client does work with it.
I see that you have implemented this a different way (workaround) by manually installing the Anyconnect VPN clients on the machines and then connecting them to the ASA, which works, and this means that the configuration on the ASA for allowing the Anyconnect connection is correct. Now it is not allowing you to launch it from the web portal on machines, which means the download access has been restricted somewhere on the ASA.
Could you please follow these two steps and let me know if you see something different.
1. Get access to the ASDM and follow this: Configuration>>Remote Access>>Anyconnect>>Edit the tunnel-group on which your connection is landing>>Login setting. Please check if it says go to the clientless portal or launch Anyconnect. It has to be Download Anyconnect automatically.
2. If you are not getting the prompt for the username and password on the web portal, then go to Configuration>>Remote Access>>Clientless (not sure if it is under Anyconnect or clientless, please check both) where you get the option: shut down portal login on the main page. Please make sure that it is unchecked.
In your case I see that the users are getting a prompt for the username and password; however, when you authenticate yourself you are getting the message "authorized use only", then it could be something to do with the DAP policies (dynamic access policy).
Go to the dynamic access policies and you will get an option named Anyconnect (please check if the correct option is checked under the same). If multiple DAP policies are configured, then please check the DAP policy which gets pushed when the user logs in and make changes to that specific DAP policy.
Please let me know if this helps; otherwise I would request you to open a TAC request and we will look into this issue. If you find something different, then please share here.
In reading a section of the point you raised, you identified that if you install the software locally the client won't automatically upgrade when available. My experience is that it actually does automatically upgrade, as per the FAQ http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
This is fully in your control as an administrator.
Run your ASDM logging filter in debug with a filter against VPN, view ASDM monitoring in debug mode.
If you get stuck let me know and we'll feed you the instructions. However, in the interim, what details can you supply around your method of authentication? Albeit it may be a little early for a TAC case.
The devil's in the detail.
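Added here as an example (not from any poster in this thread): the ASA CLI equivalents of the ASDM checks suggested in the earlier reply (login setting, tunnel-group, DAP) together with the debug-level logging the reply above recommends. GP-ANYCONNECT, TG-ANYCONNECT and the values in angle brackets are placeholders, not names from this thread.

```text
! Added example, not from this thread. GP-ANYCONNECT / TG-ANYCONNECT are placeholders.
! 1. Web launch needs a client package on flash and the feature enabled globally.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
! 2. ASDM "Download AnyConnect automatically" is "anyconnect ask none default anyconnect".
!    "anyconnect ask enable default webvpn" would send users to the portal instead.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ask none default anyconnect
! 3. The tunnel-group the users land on must point at that group-policy.
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias VPN enable
! 4. Verification from exec mode: check what is actually applied and the licence state.
show run group-policy GP-ANYCONNECT
show run tunnel-group TG-ANYCONNECT
! Any DAP record with "action terminate" matching the user ends the session right after login.
show run dynamic-access-policy-record
! Essentials must show as Enabled; the session summary shows whether the peer limit is reached.
show version | include AnyConnect
show vpn-sessiondb license-summary
! 5. Debug-level trace of one web-launch attempt (turn off with "undebug all" afterwards).
logging buffered debugging
debug webvpn anyconnect 255
debug dap trace
! ...have one affected user attempt the web launch, then:
show logging | include <username>
```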
I don't know about you, but our problem surfaced after upgrading our ASAs from 8.0.3 to 8.4.3 and upgrading our ASDM to 6.4.7.
I do not know if we had this issue prior to this, since we only had 2 clients (myself and the CIO) using the AnyConnect software to log in, and we manually installed those clients.
Now we are starting to push out Windows 7 systems to our remote users, and we need this functionality to be working properly for a smooth transition.
I will probably be opening a TAC case with Cisco to get this resolved.