AnyConnect Client Profile Backup Server Configuration

I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
(Screenshot attached)
My questions:
1. In what scenarios do we add servers (ASA devices) in this tab?
2. If I have the same information in two different locations (Site A and Site B) for AnyConnect users, can I add Site A-ASA and Site B-ASA into the Backup Server tab as a failover mechanism for end users?
3. Or is it only used to list ASA devices configured as a failover unit?
4. In the case of a failover unit, does it support stateful failover?
I could not find answers to the above questions via Google search, so I'm asking here.

I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios:
1) ASAs at two different sites
2) ASAs configured as a High Availability failover pair (Active/Standby).
The profile does work to provide failover in 1) but does not work to provide failover in 2).
I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client, and if the phone is using the AnyConnect client then it ought to support that failover.
If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
HTH
Rick
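As an added example (not part of this thread, and not Cisco's code), the script below reads an AnyConnect client profile and lists the gateways the client will try in order, which is the Site A / Site B scenario from the question. Element names (AnyConnectProfile, ClientInitialization, ServerList, HostEntry, HostName, HostAddress, UserGroup, BackupServerList, CertificateStoreOverride) follow the AnyConnect profile XML schema as I know it; that BackupServerList entries are bare HostAddress elements with no UserGroup is my assumption, and the sample profile and host names are constructed.

```python
"""Read an AnyConnect client profile and report the gateway failover order
and the client-side-only settings it carries.

Added example, not Cisco's code. Element names follow the AnyConnect profile
XML schema (AnyConnectProfile, ClientInitialization, ServerList, HostEntry,
HostName, HostAddress, UserGroup, BackupServerList); the profile below and
its host names are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile: the "two sites" scenario from the question.
# The Site A ASA is the primary HostAddress; the Site B ASA is listed under
# BackupServerList, which is what the profile editor's Backup Server tab writes.
SAMPLE_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn-sitea.example.com</HostAddress>
      <UserGroup>mygroup</UserGroup>
      <BackupServerList>
        <HostAddress>vpn-siteb.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def _text(elem, path):
    """Stripped text of the first child at `path`, or None when absent."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def failover_order(profile_xml, host_name):
    """Gateways the client tries for one HostEntry, primary first.

    Each item is (address, user_group). Backup entries are bare HostAddress
    elements (assumption: the schema gives them no UserGroup), so a fallback
    connection goes to the plain address without a group-url.
    """
    root = ET.fromstring(profile_xml)
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        if _text(entry, "ac:HostName") != host_name:
            continue
        order = [(_text(entry, "ac:HostAddress"), _text(entry, "ac:UserGroup"))]
        for backup in entry.findall("ac:BackupServerList/ac:HostAddress", NS):
            order.append((backup.text.strip(), None))
        return order
    raise KeyError(f"no HostEntry named {host_name!r}")


def adds_failover(order):
    """True when the backup list points at a different gateway than the primary.

    Two ASAs at two sites have distinct addresses, so the client can reach the
    second when the first is down. An Active/Standby HA pair presents one
    outside address, so naming it again as a backup adds nothing.
    """
    addresses = [addr for addr, _group in order]
    return len(set(addresses)) == len(addresses) and len(addresses) > 1


def client_side_settings(profile_xml):
    """Settings under ClientInitialization, which the client alone enforces.

    Anything security-relevant (certificate requirements, group selection)
    must therefore also be enforced on the ASA; the XML on the endpoint can
    be edited by whoever controls that endpoint.
    """
    root = ET.fromstring(profile_xml)
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        return {}
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in init}


if __name__ == "__main__":
    order = failover_order(SAMPLE_PROFILE, "Corporate VPN")
    for address, group in order:
        print(address if group is None else f"{address}/{group}")
    print("adds failover:", adds_failover(order))
    print(client_side_settings(SAMPLE_PROFILE))
```

Run against the sample, `failover_order` returns the Site A address with its group first and the Site B address second, which is scenario 1) in Rick's reply; feeding it an entry whose backup repeats the HA pair's single outside address makes `adds_failover` return False, which is scenario 2). `client_side_settings` is there to make the other point explicit: the values it returns are honoured by the client, not checked by the headend.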

Similar Messages

  • "Anyconnect client profile" option missing in ASDM

    Hello,
    I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
    It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
    I don't have either of those options in ASDM. Here's what mine shows:
    I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
    Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

    Thanks for the response Marvin,
    It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
    Result of the command: "sh version"
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Result of the command: "sh act | i Ess"
    AnyConnect Essentials        : Enabled 
    I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

  • Anyconnect Client profile files deleted after client upgrade

    L.S.
    I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
    The ASA I am connecting to is a 5510 running ASA OS 8.4.5
    The problem I have is the following:
    We are using machine certificate authentication combined with RADIUS user authentication.
    The machine certificates are stored in the Machine/Personal container in the local machine.
    By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
    We do not want to have the user run the client as administrator (in elevated mode) all the time.
    Therefore we have made an AnyConnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
    With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
    the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
    The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
    The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
    The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML AnyConnect Client Profile is present).
    The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
    The VPN is established.
    However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
    This means the user cannot connect without using elevated rights the next time he wants to connect.
    If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
    Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

    Hi poiu720408 ,
    1. You need to set up a web-url or group-alias under the group policy, as we have enabled "tunnel-group-list enable" under the webvpn configuration. So once the user connects to the proper URL/alias the profile will be applied.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    2. Yes, AnyConnect stores cache information on the PC; if you want to clean it up you have to go to the AnyConnect folder on C: on the PC and delete the global_preferences.xml profile.
    3. This behavior is totally expected and they should disappear after some minutes; however, if you want to force this, you can use the command "vpn-sessiondb logoff webvpn noconfirm"
    Please rate helpful post !
    Hope this helps
    - Randy -

  • AnyConnect Client Profile in ASDM

    I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu.  Also check that your ASDM username have enough privelege."
    My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this. Right now I have
    anyconnect-win-3.0.10055-k9.pkg installed.
    This is a lab setup using GNS3.
    Any ideas?

    Hi Marius,
    I would assume you are running ASA 8.0x, right?
    Please check this out:
    "If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
    Security Appliance Software Requirements
    So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
    Let me know.
    Thanks.
    Portu
    Please rate any posts you find helpful.

  • Webserver "client denied by server configuration" after reboot

    Hello all,
    Long story short, I was the unfortunate victim of a rather nasty virus that made me have to restore from a Time Machine backup. In the process my webserver is acting up (not sure if this was pre- or post-restore).
    I am getting the following error in my apache2 error log...
    [Sat Jan 28 20:48:06 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Sat Jan 28 20:48:06 2012] [notice] Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8r DAV/2 PHP/5.3.6 configured -- resuming normal operations
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/error
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/error
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/error
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
    [Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/error
    [Sat Jan 28 20:48:10 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
    I did some searching and tried to edit my /etc/apache2/httpd.conf file with the following code snippet...
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the ".example.com" to match your domain to enable.
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from .example.com
    </Location>
    No luck. I am somewhat at my wits' end... my server is running with a 10-15% increase in load...
    Thanks so much in advance. Please let me know if any further information is required.

    any advice? Link? anything would be appreciated...
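As an added example (not from the thread), the script below does two things a defender would want here: it summarises the "client denied by server configuration" entries in an Apache 2.2 error log per client and path, and it models how `Order deny,allow` with `Deny from all` / `Allow from ...` decides a request, so you can see why the local probe at 127.0.0.1 is refused under `Allow from .example.com` and what a narrower allow entry changes. The log lines are constructed to match the shape of the ones posted; the rule evaluation follows Apache 2.2 mod_authz_host semantics (Deny directives first, then Allow, last match wins, unmatched clients allowed) and is my reimplementation, not Apache code.

```python
"""Summarise Apache 2.2 'client denied by server configuration' log entries
and evaluate an 'Order deny,allow' rule set against a client.

Added example, not part of the original thread. The log text is constructed
to look like the posted lines; access_allowed() is a model of Apache 2.2
mod_authz_host behaviour for 'Order deny,allow', not Apache's own code.
"""
import re
from collections import Counter

# Constructed sample in the same format as the posted error log.
SAMPLE_LOG = """\
[Sat Jan 28 20:48:06 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
[Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/error
[Sat Jan 28 20:48:07 2012] [error] [client 127.0.0.1] client denied by server configuration: /var/empty/server-status
[Sat Jan 28 20:48:10 2012] [error] [client 203.0.113.9] client denied by server configuration: /var/empty/server-status
"""

DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)


def denied_requests(log_text):
    """Count denials per (client, path) so you can see who is being refused."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            counts[(m["client"], m["path"])] += 1
    return counts


def _matches(rule, ip, hostname):
    """One 'Deny from' / 'Allow from' argument tested against a client.

    A leading-dot rule (".example.com") is a domain suffix: it can only match
    when the client's reverse DNS name is known and ends with that suffix.
    Otherwise the rule is 'all', a full IP, or a partial IP such as '10.1'.
    """
    if rule == "all":
        return True
    if rule.startswith("."):
        return hostname is not None and hostname.endswith(rule)
    return ip == rule or ip.startswith(rule + ".")


def access_allowed(deny_rules, allow_rules, ip, hostname=None):
    """Apache 2.2 'Order deny,allow': Deny directives first, then Allow;
    the last matching directive wins; a client matching neither is allowed."""
    decision = True
    if any(_matches(r, ip, hostname) for r in deny_rules):
        decision = False
    if any(_matches(r, ip, hostname) for r in allow_rules):
        decision = True
    return decision


if __name__ == "__main__":
    for (client, path), n in sorted(denied_requests(SAMPLE_LOG).items()):
        print(f"{n:3d}  {client:15s} {path}")
    posted = access_allowed(["all"], [".example.com"], "127.0.0.1", "localhost")
    narrowed = access_allowed(["all"], [".example.com", "127.0.0.1"], "127.0.0.1", "localhost")
    print("127.0.0.1 with posted rules:", posted, "| with 'Allow from 127.0.0.1' added:", narrowed)
```

On the posted rules the local client never passes: `Deny from all` matches it, and `Allow from .example.com` only matches a client whose reverse-resolved name ends in `.example.com`, which 127.0.0.1 (localhost) does not. Adding `Allow from 127.0.0.1` to the Location block admits that one address while `Deny from all` still refuses everyone else, which is the narrowest change that stops the repeated denials from the local probe without opening server-status to the outside.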

  • Assigning AnyConnect Client Profiles based on the machine?

    I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.
    If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
    If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
    What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
    It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP cannot assign an AnyConnect client profile.
    If at all possible, I do not want users to have to pick a connection profile or use different URLs.
    Is there any way to accomplish this?

    Hi
    Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
    Has anyone got any idea how I could do this?
    thanks
    Steve

  • ASDM Anyconnect client profile - unable to edit preferences

    Hi,
    I have a functioning vpn set up, my problem is that I'm trying to set up anyconnect start before login. I navigate to the anyconnect client profile section in the remote access vpn and create a profile xml file by clicking the add button. I can add a profile but as soon as I save the file I can no longer edit it. The edit button is greyed out and if I double click the file the asdm returns the error: "Input is not a well-formed, schema-compliant XML file."
    I'm running the following versions of software:
    asdm: 7.1(5)100
    anyconnect: 3.1.05152
    asa: 8.2(3) <----asa hardware doesn't support running a newer version.
    I have not been able to find any info on this particular problem but maybe someone here can help?

    Hello Ryan,
    Do you run into the same problem if you upload AnyConnect 2.5 and perform the same task?
    Also, have you tried this operation from a different machine with and old JAVA version like 1.6?
    HTH.

  • ASDM AnyConnect Client Profile Editor will not close...

    When I fire up ASDM and go into the AnyConnect Client Profile Editor it will not let me close the Editor.
    If I go in and just hit Cancel, or OK, or the X, nothing happens. The only way to exit is to close down Java.
    I've run ASDM on a few machines, all with the same results.
    ASDM Version 6.3(4)
    Thanks

    I upgraded to ASDM 7.1(2)
    This resolved my issue.

  • Backup Server Configuration Questions

    I have a super little setup for our small business consisting of 1 primary mac mini server, 1 backup mini server, 2 WD 2TB external firewire drives, and a rackmounted Cisco switch and UPS. AFP, VPN, FTP, expandable storage, time machine backups and managed mobile accounts all packed into a compact, quiet server cabinet that fits under a desk for less than $2000. Unfortunately the success of this little gem has made it more and more critical to our publishing workflow.
    For good measure I picked up another Mac mini thinking I could set it up as an OD replica backup server. Unfortunately I didn't think this through before the purchase and now I have what amounts to a $500 brick in my server cabinet. Would appreciate some guidance on how best to deploy this backup server.
    1) For the backup server to be of any real use I assume its going to need access to the data drives. Is there any way to manage this with external drives? Somebody suggested I should just plug my external drives into both servers, however I did some other reading that suggested this could turn my drives into toasters. I then thought of setting up WD NAS drives through my cabinet switch but was told that NAS and AFP don't play well and I would have the same issue - two systems trying to access the filesystems at the same time.
    2) If i can resolve the first issue, I have the backup setup as an OD replica, which theoretically should take over if the primary goes down. Do I also need to setup DHCP on the backup for this to be relevant? Should that range be the same as the primary or do they need to be distinct?
    3) I have the 2TB primary drive FireWired to the primary server with the 2TB Time Machine drive daisy-chained. I was recommended to use Synchronize Pro for my backup between the drives, but despite the warnings on Time Machine's applicability in a server setup (timing not configurable, CPU overhead) it's been perfect for my needs with zero CPU overhead after the first sync. My only complaint is Time Machine doesn't work with ARD so you have to browse the Time Machine directory manually.
    4) Am I missing a larger plot here? Can I setup the external drives or backup server in another way to be more efficient. Should I pickup another set of drives and somehow synchronize the primary and secondary server completely??
    This is my first server config and has been a fun little project except for a nightmare of a time with the VPN but that's another story.
    Any help appreciated.

    For the backup server to be of any real use I assume its going to need access to the data drives. Is there any way to manage this with external drives? Somebody suggested I should just plug my external drives into both servers, however I did some other reading that suggested this could turn my drives into toasters.
    You're right - You cannot connect one FireWire drive to two systems and hope it will work. That is asking for trouble right there.
    I then thought of setting up WD NAS drives through my cabinet switch but was told that NAS and AFP don't play well and I would have the same issue - two systems trying to access the filesystems at the same time.
    The whole point of NAS is that the NAS controller (in conjunction with the access protocol (e.g. AFP, NFS, etc.) takes care of concurrent access.
    However, all of the above depends on the data you're storing on the external/shared drives. For example, don't expect to store any database-based data such as Open Directory to be shared between machines via the shared drives. Any shared drive setup should be for static files only (e.g. users home directories would be OK, as would backups, web content, etc.).
    I have the backup setup as an OD replica, which theoretically should take over if the primary goes down. Do I also need to setup DHCP on the backup for this to be relevant? Should that range be the same as the primary or do they need to be distinct?
    That depends on what you're trying to protect against.
    If you're planning to keep critical services running in case the primary server fails then you can probably eschew DHCP altogether - existing clients will retain their DHCP address for at least half the lease period. e.g. if your lease is set for 3 days you have 36 hours before those machines will require a functional DHCP server. That's more than enough time for most server issues to get resolved (e.g. a reboot), and even more than it takes to turn on DHCP on the secondary server if you don't think the primary server will be back online in time.
    IMHO that's preferable to running dual DHCP servers. You can do that if you prefer but they MUST have different DHCP ranges (don't try to setup both DHCP servers with the same address pools).
    As for point 3 - Time Machine is fine, IMHO, as long as you realize its limitations and don't expect Time Machine to backup everything, including dynamic data such as database files.
    4) Am I missing a larger plot here? Can I setup the external drives or backup server in another way to be more efficient. Should I pickup another set of drives and somehow synchronize the primary and secondary server completely??
    It depends on what you're preparing for/against.
    If you're looking to protect against hardware failure then you could run everything on the external drives and reconnect the drives to the other machine to boot it as the server if the first one is down. That's not necessarily ideal, but it would be one option.
    The second thing to consider is what services you're running that support their own replication/backup protocols. You've already seen Open Directory replicas, so that's the right way to backup your OD setup. The same applies to DNS and MySQL - both of which have their own replication protocols.
    User-based data is a little harder to replicate between servers which is why a NAS option may be viable here. Of course that doesn't necessarily provide protection against accidental deletion.
    At the end of the day, though, there are many ways to set this up. The right way depends on your needs, the services you're running and what's important to your business (focus on the things your business cannot do without, and have a plan for the other services, e.g. manually start the secondary DHCP server if needed).

  • AnyConnect - Client profile

    Hi all
    I have a very quick question; I've been trying to find a solution but have failed so far. The issue is: is there a default time for the AnyConnect client profile to be downloaded/updated when you create a new client profile?
    Example: if I already have a client profile (XML) and then create a new client profile, when the user connects it should be using the new client profile, correct? But this was not the case. The user was using the old client profile. However, the new profile was updated on the client side after 8 hrs.
    OK, as a workaround you could delete the XML file from the client PC; however, my question is, is there an option to enable this to be downloaded right after creating the profile? I have checked everywhere in the client profile and was not able to find any setting. If someone knows, could you kindly share this please?
    Thanks in advance
    Lancellot

    Hi Lancellot
    as soon as you modify the profile on the ASA (or create a new one), all clients will download this profile as soon as they connect.
    Two things to note though:
    1. the new profile is only downloaded if the user logs in successfully. So once the tunnel is established, you should see the new profile in the local profiles directory.
    2. Many settings in the profile are applicable *before* the new profile is downloaded, i.e. some are applied only before a connection is initiated (e.g. start before logon), others only during the connection attempt (e.g. automatic certificate selection).
    Similarly, if you add new ServerList entries to the profile then they will only be visible in the client GUI after the client downloads the new profile and disconnects.
    Does this clarify the behavior you saw?
    Herbert

  • AnyConnect Client profile: group-url in server-list with OGS doesn't work properly

    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.0(2)
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    #show webvpn anyconnect
    1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
       CISCO STC win2k+
       3,1,00495
       Hostscan Version 3.1.00495
    Profile is in the attached file. After this profile is uploaded to the client, Optimal Gateway Selection doesn't work properly:
    When 'vpn1.mydomain.com/mygroup' (the best-TTL server) is unreachable, OGS tries to connect to the other servers, but without the group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup').

    Anton,
    It MIGHT be cosmetic:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz92140
    If not please open up a TAC case and provide DART for such a connection.
    M.

  • Locking down anyconnect client profile

    I was wondering if there is a way to lock down the AnyConnect profile on a client's machine. Basically we are using certificates to authenticate so the client can make a VPN connection. We have enabled the certificate match function to check for the IPSec User Extended Match Key. I can modify the XML on the client PC to bypass the check and authenticate. We would like to keep users from doing that. Is there something I can set up on the ASA versus the client to check the certificate or prevent the XML from being modified?
    Thanks in advance.

    I went in and modified the xml and removed the following.  I was then able to make a connection without checking for the IPSecUser extended key usage.  I have 2 certs on my client.  One cert has the IPSecUser extended key usage and the other does not.
        IPSecUser

  • Oracle client for siebel server configuration

    Hi ,
    To install Siebel, as a prerequisite we are installing the Oracle client on the Siebel server machine. Our client is providing ldap.ora instead of a tnsnames.ora file. Throughout my earlier projects we used to have a tnsnames.ora entry with the connection details of the database. Can you please confirm whether, instead of having tnsnames.ora, we can use ldap.ora, which has the DB server details in it? Have you ever seen other clients using this approach without tnsnames.ora for a Siebel installation?
    Can you please provide any documentation which confirms that we need tnsnames.ora, not ldap.ora.
    Thanks much in advance.

    Hi,
    Have a look at these documents
    http://docs.oracle.com/cd/E11882_01/network.112/e10835/ldap.htm#NETRF011
    Is It Possible To Use Ldap.Ora On The Client To Get Tnsname Entries From An Oid? (Doc ID 461151.1)
    Using TNS_ADMIN with LDAP.ORA and Net Manager (Doc ID 189627.1)
    What Is The Search Order For The LDAP.ORA File ? (Doc ID 363283.1)
    Thanks,
    Krishna

  • Unable to use proxy server with MAC OS X Anyconnect client

    Hi All,
    I have a VPN set up through a Cisco 5520. Windows clients connect just fine and the end users configure their browsers to use our internal proxy servers. Users with the Mac OS X AnyConnect client can connect, and they configure their Mac to use our proxy server, but the browsers will not work; clients can reach networks and resources behind the VPN gateway and have access to the proxy (tried a telnet to that hostname/port). Anyone run into this issue before? I am running ASA 8.3(2), AnyConnect (OS X) 3.1.01065.
    Thank You

    We had the same problem.
    We are behind a government firewall so I don't know which Cisco firewall is used, but we are using AnyConnect to establish a VPN from the Internet to the LAN behind the firewall. We have no problems with Windows. With Mac OS X the connection through the proxy didn't work with Safari and Chrome (both use the system proxy setting), but it did work with Firefox (which has its own proxy).
    Finally we found out that ethernet MTU size was the culprit. When we set it to manual, with size being 1347 (or less), proxy started to work.

  • 2 AnyConnect queries backup server and not connecting.

    We are in the process of swapping over from the old IPSEC VPN client to AnyConnect for remote users.
    A couple of questions,
    1) With the IPSEC VPN client you could configure a Backup server. with AnyConnect there is not an option for this as far as I can see. Is there an option for this anywhere?
    2) Sometimes AnyConnect will not connect. I have found the way round this is to access an Internet website first; once that comes up, AnyConnect will come up OK. Is there something I can do about this, such as a timeout, or scripting a website location to try first within AnyConnect?

    Hi,
    You can add multiple backup servers by editing the profile XML file or by using the AnyConnect profile editor.
    What version of the Anyconnect client are you using? How do you connect to the Internet? Are you connecting via a proxy?
    Thanks
    John
