
VPN on demand with ASA and IPAD

Alex Li
Level 1

Hello All,

I have created a new VPN profile on my ASA5510 using certificate-based authentication because of a business need for on-demand VPN.

I installed the AnyConnect software on my iPad and deployed the .xml configuration to the AnyConnect profile. The profile works great

and establishes a VPN connection manually. I have also populated the "Always On" feature with my internal domain name, so that any request for my internal domain initiates a VPN connection.

Unfortunately this on-demand function is not initiating automatically. I am using Safari and Chrome to test with my internal web applications. Where can I start to investigate the issue?

Thanks

6 Replies

What version iOS are you running on your apple device?

From where (in relation to your web application servers) are you testing? from outside the office, from another subnet on the office network...etc.

If you are testing from outside the office, are you 100% sure that the DNS requests are not being resolved?  If the DNS requests are being resolved then the VPN connection will not be established.

--

Please remember to select a correct answer and rate helpful posts

Hello Marius

I am running Apple iOS 7.1 on the iPad.

I am using an external Wi-Fi network with the iPad for connectivity.

I am testing with my internal SharePoint application, whose URL is simply https://gateway.mycompany.com. Therefore, in the AnyConnect domain list, I have added an entry to always connect when looking for mycompany.com.

Could you try configuring the domain list under the Connect if Needed list and then test. As of iOS 7, Always Connect is no longer supported, but the client should still check that list and act as Connect if Needed.

But does https://gateway.mycompany.com resolve to a public IP? If it does, then the VPN will not be established, as the VPN client will do a DNS lookup first and, if the name resolves, a VPN connection will not be established. It is only when internal DNS servers are used and a DNS lookup fails that a Connect if Needed VPN connection is established.

--

Please remember to select a correct answer and rate helpful posts


Hello Marius,

Yes my https://gateway.mycompany.com does resolve externally.

In my domain list I have added *.mycompany.com and tried testing against other internal sites that do not resolve externally, but still no on-demand VPN.

The operation seems very straightforward; I am just not sure where to start the troubleshooting process.

On my iPad AnyConnect, I have added the VPN profile and installed the cert. When I manually initiate the VPN it works, although it does prompt me to press Connect. (I assume this is normal?)

Cheers

When I manually initiate the VPN it works, although it does prompt me to press Connect. (I assume this is normal?)

Yes, from my experience this is normal.

As for the URL that resolves externally, it is expected that the tunnel will not be established.

But for the URLs that do not resolve externally, where did you configure them? Did you put them under Connect if Needed?

Do you perhaps have any conflicting entries under the Never Connect section?

Have you enabled logging on the iPhone and checked to see if there is anything there that can point us in the right direction?

Do you have network roaming enabled under the VPN connection entry?

Have you looked through this guide? perhaps it will give you some ideas.

--

Please remember to select a correct answer and rate helpful posts

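As an added illustration of the behaviour Marius describes in his replies (the DNS-lookup rule for Connect if Needed, the Always Connect list being unsupported on iOS 7, conflicting Never Connect entries, and the network roaming setting), here is the shape of the mobile section of an AnyConnect client profile for this scenario. This is not from the thread and is not Cisco's sample profile; the element names under MobileHostEntryInfo are written from memory of the AnyConnect profile schema and should be checked against the AnyConnectProfile.xsd that ships with your AnyConnect release. vpn.mycompany.com (the ASA's public name) and intranet.mycompany.com are placeholders I assumed; gateway.mycompany.com and mycompany.com are taken from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread or of Cisco's documentation.
     Element names are from memory of the AnyConnect profile schema; verify
     against AnyConnectProfile.xsd for your release before deploying. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Certificate-based authentication, as in the original post: let the
         client pick the user certificate so on-demand connects need no prompt -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>Corporate On Demand</HostName>
      <!-- Assumed public name of the ASA; it must resolve externally -->
      <HostAddress>vpn.mycompany.com</HostAddress>

      <MobileHostEntryInfo>
        <!-- Marius asked about this: keep the tunnel across Wi-Fi/cellular changes -->
        <NetworkRoaming>true</NetworkRoaming>
        <CertificatePolicy>Automatic</CertificatePolicy>
        <!-- On-demand is off unless this is true -->
        <ConnectOnDemand>true</ConnectOnDemand>

        <!-- Weak configuration (what the original post tried):
             AlwaysConnect is ignored on iOS 7, and gateway.mycompany.com
             resolves on the public Internet, so the DNS lookup succeeds and
             the client never brings up the tunnel for it.

        <AlwaysConnect>
          <MatchDomainOrHost>gateway.mycompany.com</MatchDomainOrHost>
        </AlwaysConnect>
        -->

        <!-- Corrected: names that only internal DNS can resolve go under
             ConnectIfNeeded; the tunnel comes up only when the lookup fails -->
        <ConnectIfNeeded>
          <MatchDomainOrHost>mycompany.com</MatchDomainOrHost>
          <MatchDomainOrHost>intranet.mycompany.com</MatchDomainOrHost>
        </ConnectIfNeeded>

        <!-- Leave this list empty, or at least free of any entry that also
             matches a ConnectIfNeeded name; an overlap here wins and blocks
             the on-demand connection -->
        <NeverConnect>
        </NeverConnect>
      </MobileHostEntryInfo>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

To check the DNS side of the rule before blaming the profile, resolve the test name from the same external Wi-Fi the iPad uses: a name that resolves there will never trigger Connect if Needed, however it is listed, so the on-demand test has to use a host that only internal DNS knows about.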

Hello Marius,

Yes I put my domains under "Connect if Needed".

I have enabled logging and have attached my .txt file, and I have noticed this error in the log file; not sure if it helps.

"Line: 168 User did not implement deliverWebLaunchHostCB."

BTW, I have only installed the server cert from my ASA. Do I need a user cert also?