Anyconnect version 3.1.01065
I want to deploy anyconnect via GPO since it is MSI format. What I need to know is how do I have it put in the hostname and change the preferences so Block connections to untrusted servers is unchecked?
Hi Dustin,
Are you unable to connect to AC or is it crashing after the establishment of the VPN connection? Do you encounter any issues after or while connecting to AC? From the logs, it looks like that VPN connection is built fine.
We would need more information regarding this. I would like you to collect DART logs from the affected machine.
This is how you should go about collecting the DART:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html#wp1070440
If you do not want to push the DART installation from the ASA, you can install it manually on the machine by running the .msi installer file by the name 'anyconnect-dart-win-3.1.xxx-k9.msi' which can be found under the below package:
anyconnect-win-3.1.01065-pre-deploy-k9.iso
IMP Note: Please clear all the event viewer logs (especially AC Secure Mobility client logs) before collecting the DART.
Once you've cleared the logs, connect to AC and disconnect (if it's connecting at all) and run the DART tool.
HTH!
Regards,
Nick
Similar Messages
-
Where is the AnyConnect Version 4.0 Client
I see the release notes for AnyConnect version 4.0 are up and ISE 1.3 is also released (which can use AnyConnect 4.0 for posture assessment) but all the download links point to AnyConnect 3.1. So where can I get the 4.0 client?
Problem is fixed.
Please check the AnyConnect Secure Mobility Client 4.x download page now. -
Unable to uninstall AnyConnect Version 2.5.0217
I can't uninstall this or upgrade to another version because of a missing MSI file. I also found the
anyconnect-win-2.5.0217-pre-deploy-k9.msi file on the internet and cannot uninstall with that either. I've tried others like CCleaner with no luck. Finally able to fix the issue!!! Thanks a million
-
SCEP Anyconnect version 3 MS CA
Hi All
I'm using AnyConnect and SCEP proxy on the ASA, trying to get identity certs from a Windows CA. I want the certs to have a common name of the user ID of the person requesting, basically to take the username as the common name. Is there a way to take the login name across into the common name as part of the cert request? In the AnyConnect client profile you have the option of enrollment, but if I set the CN here it would use this for everybody?
I want to use authentication based on certs. So each user requires their own cert based on common name. I presume then I can revoke the cert to prevent authentication?
Any help would be great.
David
David,
Use the following wild card in the XML profile against CN
%USER%
regards
Anoop -
Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072
I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
I am able to create the VPN connection but the connection will not allow data to be transferred.
Stats from a manual connection:
Cisco AnyConnect Secure Mobility Client Version 3.1.04072
VPN Stats
Bytes Received: 14375
Bytes Sent: 0
Compressed Bytes Received: 0
Compressed Bytes Sent: 0
Compressed Packets Received: 0
Compressed Packets Sent: 0
Control Bytes Received: 0
Control Bytes Sent: 0
Control Packets Received: 0
Control Packets Sent: 0
Encrypted Bytes Received: 7820
Encrypted Bytes Sent: 1207
Encrypted Packets Received: 9
Encrypted Packets Sent: 3
Inbound Bypassed Packets: 0
Inbound Discarded Packets: 0
Outbound Bypassed Packets: 0
Outbound Discarded Packets: 0
Packets Received: 4
Packets Sent: 0
Time Connected: 00:03:01
Protocol Info
Inactive Protocol
Protocol Cipher: RSA_3DES_168_SHA1
Protocol Compression: None
Protocol State: Disconnected
Protocol: DTLS
Active Protocol
Protocol Cipher: RSA_3DES_168_SHA1
Protocol Compression: Deflate
Protocol State: Connected
Protocol: TLS
OS Version
Windows 8 : WinNT 6.2.9200
Log from the data transmission software:
24/12/2013 12:51:13 - Application version = 1.11.28.0
24/12/2013 12:51:13 - Lodgement Library Version = 1.11.28.0
24/12/2013 12:51:13 - Connection Method = INTERNET
24/12/2013 12:51:13 - DIS Connection Type = Automatic
24/12/2013 12:51:13 - VPN Client = ACTIVE
24/12/2013 12:51:13 - Check Available Connections = NOT ACTIVE
24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
24/12/2013 12:51:13 - Language: English (Australia)
24/12/2013 12:51:13 -
24/12/2013 12:51:13 - Connected to ISP via LAN
24/12/2013 12:51:13 - Checking for presence of VPN client.
24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
24/12/2013 12:51:18 -
24/12/2013 12:51:18 - Checking Cisco AnyConnect version.
24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc. All Rights Reserved.
24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
24/12/2013 12:51:19 -
24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
24/12/2013 12:51:19 -
24/12/2013 12:51:19 - Initializing the VPN connection.
24/12/2013 12:51:19 - Ready to connect.
24/12/2013 12:51:19 - Ready to connect.
24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
24/12/2013 12:51:23 - Authenticating user.
24/12/2013 12:51:23 - Connected to VPN concentrator.
24/12/2013 12:51:23 - Establishing VPN session...
24/12/2013 12:51:23 - Checking for profile updates...
24/12/2013 12:51:23 - Checking for product updates...
24/12/2013 12:51:23 - Checking for customization updates...
24/12/2013 12:51:23 - Performing any required updates...
24/12/2013 12:51:23 - Establishing VPN session...
24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
24/12/2013 12:51:24 - Establishing VPN - Examining system...
24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
24/12/2013 12:51:24 - Establishing VPN - Configuring system...
24/12/2013 12:51:24 - Establishing VPN...
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connection to VPN client return code = 0.
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
Connection timed out.
24/12/2013 12:51:46 -
24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
24/12/2013 12:51:46 - Disconnect in progress, please wait...
24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
24/12/2013 12:51:47 - Detached.
24/12/2013 12:51:47 - Disconnected from VPN concentrator.
24/12/2013 12:51:47 - *****************************************************
24/12/2013 12:51:47 - END OF LODGEMENT PROCESS
24/12/2013 12:51:47 - *****************************************************
Issue history:
- Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
- Upgrade to Windows 8.1 stopped the VPN client working
- Refreshed system back to Windows 8 and reinstalled all software
- Cisco VPN client would not install on system
- Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
- Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
- Data transmission software returns error code #10060
Any assistance would be greatly appreciated.
Anyone found the fix for this?
-
Cisco AnyConnect Secure Mobility Client - Newbie Totally Lost
We currently have an ASA 5505 Firewall with VPN services configured. The system is running ASA Version 9.0.0 and ASDM 7.0.2. I installed the "Cisco AnyConnect Secure Mobility Client" Version 3.1.01065 on my Windows 7 Ultimate PC. When I try to connect to my VPN service I get the following message:
Security Warning: Untrusted VPN Server Certificate! AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX
Certificate does not match the server name
Certificate is from an untrusted source.
Certificate is not identified for this purpose.
Without purchasing a certificate from a 3rd Party vendor, is it possible to register a "Self" generated Certificate to get rid of this message? If so are there any "Detailed" (e.g., simplified or not in Cisco-eeze language) instructions on how to setup the Firewall to "push" the certificate to the VPN client so the message doesn't come up for the user?
You can simply accept the self-signed certificate the first time you are presented with that message and direct AnyConnect to always trust such certificates.
If you don't want to do that, you need to make your clients automatically trust this certificate from your ASA. You can do that several ways. You mentioned using a 3rd party vendor - that ends up being the method of using a vendor in the trusted root Certificate Authority (CA) list. If you don't use one of the 3rd party ones, you will need to push out the trust via some software deployment method - e.g. a GPO for Windows clients in a managed AD setup or via pre-deploying with yet another 3rd party tool like LANdesk.
If you don't have an internal CA or AD-managed infrastructure for your clients then just telling users to click "always trust" is the path of least resistance (although the least secure). -
Starting AnyConnect VPN through RDP Session
Hi,
We have AnyConnect (ver 3.1.01065) configured on our ASA5520 boxes. VPN is working fine from the desktop, but I also need the ability to establish a VPN connection through a RDP connection (i.e. I'm using RDP to connect to a PC which has AnyConnect installed on, then trying to establish a VPN connection).
I've downloaded the Cisco VPN Profile Editor, changed the <WindowsVPNEstablishment> option to "AllowRemoteUsers". Then applied the profile to the relevant Group Policy. Connected VPN from the PC (not through RDP), so that it downloads the new profile, and then disconnected again.
However, I still can't start VPN through an RDP connection. (Error is "VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established".)
I've checked the XML file on the local PC to confirm the profile has been downloaded (and it has, and I can see the AllowRemoteUsers option).
This also happened with the previous version of AnyConnect (3.0.xxxx).
The PC's local routing tables look fine, and I can't see any conflicts that would cause the RDP session to drop.
Also - If I connect VPN, then RDP onto the PC, both the VPN and RDP sessions work fine.
Any ideas would be appreciated!
Thanks
Tony
Hi Portu,
Thanks for your reply, and thanks for confirming that it works with AC 3.1 and ASA 8.4 (I'm using the same ASA version).
It looks like the issue was that I created the profile with the standalone Cisco VPN Profile Editor, saved it, uploaded it to the ASA, I then added a new profile on the ASA (in the Cisco AnyConnect Profiles section), and specified the file... however, it appears that I overwrote the uploaded profile, as the WindowsVPNEstablishment was set to LocalUsers. Once I changed it to AllowRemoteUsers and applied the config, then deleted the profiles from the client, it worked!
Simple mistake - but easily done!!
Thanks again
Tony -
Cisco 1841 SSL VPN and Anyconnect Help
I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using AnyConnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via AnyConnect I get an error saying "Untrusted VPN Server Blocked." If I change the AnyConnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
Current configuration : 7741 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname buchanan1841
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
crypto ipsec profile cybera
set transform-set cybera
archive
log config
hidekeys
ip ssh version 1
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
interface Virtual-Template2
ip unnumbered FastEthernet0/0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "LAN_POOL"
svc default-domain "buchanan.local"
svc keep-client-installed
svc dns-server primary 192.168.1.2
svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
end
buchanan1841#
Perhaps you have changed the host/domain name after the certificate was created?
I'd generate a new one ...
Michael
Please rate all helpful posts -
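Added example, not Michael's or the poster's code: the certificate in the running-config above is pasted as hex, so it can be decoded offline to see exactly what AnyConnect was shown. The script below is a minimal DER walker using only the Python standard library; it reads the subject, validity, signature algorithm, RSA key size and subjectAltName out of the hex exactly as it appears under 'crypto pki certificate chain buchanan_Certificate' (the only input it needs is that hex, copied verbatim). Decoded, the certificate has subject unstructuredName 'buchanan1841' and no commonName at all, subjectAltName DNS:buchanan1841, an md5WithRSAEncryption signature over a 512-bit RSA key, and validity 2013-07-08 to 2020-01-01. That accounts for "Certificate does not match the server name" on its own: clients connect to the WAN address, and the only name in the certificate is the router's bare hostname. Whether the 512-bit MD5-signed key is what the client reports as "malformed" is not something this thread establishes, but a regenerated certificate should in any case carry the name or address clients actually use in its SAN and use a current key size and hash.

```python
"""Decode the self-signed IOS certificate pasted in the config above.
Added example (not Cisco's or the poster's code); standard library only.
The DER walker handles just what an X.509v3 certificate needs."""
import binascii

# Hex copied verbatim from 'crypto pki certificate chain buchanan_Certificate' above.
CERT_HEX = """
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
"""

OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.9.2": "unstructuredName",
    "2.5.4.3": "commonName",
    "2.5.29.17": "subjectAltName",
}

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (e.g. 82 01 97)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def oid_name(raw):
    dotted = decode_oid(raw)
    return OIDS.get(dotted, dotted)

def decode_name(value):
    """X.501 Name -> [(attribute, text)], e.g. [('commonName', 'vpn')]."""
    attrs = []
    for _, rdn in children(value):             # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):           # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, text) = children(atv)
            attrs.append((oid_name(oid), text.decode("latin-1")))
    return attrs

def decode_cert(hex_text):
    der = binascii.unhexlify("".join(hex_text.split()))
    _, cert, _ = tlv(der)
    (_, tbs), (_, sig_alg), (_, signature) = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject, spki = (v for _, v in fields[:6])
    not_before, not_after = (v.decode() for _, v in children(validity))
    # SubjectPublicKeyInfo = AlgorithmIdentifier + BIT STRING { RSAPublicKey }
    _, bitstring = children(spki)[1]
    _, rsa_key, _ = tlv(bitstring, 1)          # skip the unused-bits byte
    modulus = children(rsa_key)[0][1].lstrip(b"\x00")
    san = []
    for tag, ext_wrapper in fields:
        if tag != 0xA3:                        # [3] Extensions
            continue
        for _, ext in children(children(ext_wrapper)[0][1]):
            parts = children(ext)              # oid, optional critical, OCTET STRING
            if oid_name(parts[0][1]) == "subjectAltName":
                for gtag, gval in children(children(parts[-1][1])[0][1]):
                    if gtag == 0x82:           # dNSName
                        san.append("DNS:" + gval.decode())
                    elif gtag == 0x87:         # iPAddress
                        san.append("IP:" + ".".join(map(str, gval)))
    return {
        "subject": decode_name(subject),
        "issuer": decode_name(issuer),
        "not_before": not_before,
        "not_after": not_after,
        "signature_algorithm": oid_name(children(sig_alg)[0][1]),
        "key_bits": len(modulus) * 8,
        "subject_alt_names": san,
    }

if __name__ == "__main__":
    for key, val in decode_cert(CERT_HEX).items():
        print(f"{key:20} {val}")
```

The same walker can be pointed at any certificate an ASA or router shows in its running-config; for a certificate the client presents a name mismatch on, compare subject_alt_names (and, failing that, a commonName in subject) with the address in the HostAddress the profile actually hands the client.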
Not able to access Internet or Internal network via SSL AnyConnect
After connecting successfully with Cisco AnyConnect version 3.0.05152 I am unable to access internal resources. Below is the configuration of the ASA.
Any input on the below would be appreciated
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.04 16:15:58 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
ASA Version 9.1(4)
hostname ASA
domain-name hb.local
enable password pEuUQweb2zEldXkE encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd pEuUQweb2zEldXkE encrypted
names
ip local pool Remote_VPN_DHCP_Pool 172.16.253.100-172.16.253.150 mask 255.255.255.0
interface Ethernet0/0
description *** Internet ***
nameif publicWAN
security-level 0
ip address X.X.X.X X.X.X.X.
interface Ethernet0/1
description *** Guest Wireless Network ***
nameif guest
security-level 50
ip address 10.0.254.1 255.255.255.0
interface Ethernet0/2
description *** Uplink to Branches ***
nameif Branches
security-level 100
ip address 192.168.254.1 255.255.255.0
interface Ethernet0/3
description *** Uplink to JHA ***
nameif JHA
security-level 0
ip address 10.0.8.1 255.255.255.0
interface Management0/0
description *** Managemnet Interface - NOT USED ***
management-only
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup publicWAN
dns domain-lookup guest
dns domain-lookup Branches
dns domain-lookup JHA
dns server-group DefaultDNS
name-server 172.16.1.2
domain-name hb.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_guest
subnet 10.0.254.0 255.255.255.0
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.1.5
host 172.16.1.5
object network obj-172.16.1.5-01
host 172.16.1.5
access-list Branches extended permit icmp any4 any4
access-list Branches extended permit ip any4 any4
access-list JHA extended permit ip any4 any4
access-list JHA extended permit icmp any4 any4
access-list guest extended deny ip any4 10.0.1.0 255.255.255.0
access-list guest extended deny ip any4 10.0.2.0 255.255.255.0
access-list guest extended deny ip any4 10.0.3.0 255.255.255.0
access-list guest extended deny ip any4 10.0.4.0 255.255.255.0
access-list guest extended deny ip any4 10.0.5.0 255.255.255.0
access-list guest extended deny ip any4 10.0.6.0 255.255.255.0
access-list guest extended deny ip any4 10.0.7.0 255.255.255.0
access-list guest extended deny ip any4 10.0.8.0 255.255.255.0
access-list guest extended deny ip any4 10.0.9.0 255.255.255.0
access-list guest extended deny ip any4 10.0.10.0 255.255.255.0
access-list guest extended deny ip any4 172.16.0.0 255.255.0.0
access-list guest extended permit ip any4 any4
access-list guest extended permit icmp any4 any4
access-list traffic_send_ips_module extended permit ip any4 any4
access-list outside extended permit tcp any4 host 172.16.1.5 eq https
access-list outside extended permit tcp X.X.X.X 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended permit tcp X.X.X.X. 255.255.255.0 host 172.16.1.5 eq smtp
access-list outside extended deny ip any4 any4 log interval 30
pager lines 50
logging enable
logging timestamp
logging monitor warnings
logging buffered informational
logging trap warnings
logging asdm informational
logging queue 2048
logging device-id hostname
logging host Branches 172.16.1.80
flow-export destination Branches 172.16.1.80 2055
flow-export template timeout-rate 15
mtu publicWAN 1500
mtu guest 1500
mtu Branches 1500
mtu JHA 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any publicWAN
asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (any,publicWAN) dynamic interface
object network obj-10.0.0.0
nat (Branches,JHA) static 10.0.0.0
object network obj_guest
nat (guest,publicWAN) dynamic interface
object network obj-172.16.1.0
nat (Branches,JHA) static 172.16.1.0
object network obj-172.16.1.5
nat (Branches,publicWAN) static interface service tcp smtp smtp
object network obj-172.16.1.5-01
nat (Branches,publicWAN) static interface service tcp https https
access-group outside in interface publicWAN
access-group guest in interface guest
access-group Branches in interface Branches
access-group JHA in interface JHA
route publicWAN 0.0.0.0 0.0.0.0 X.X.X.X. 1
route Branches 10.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 10.0.5.0 255.255.255.0 192.168.254.2 1
route Branches 10.28.11.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.55.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.57.6.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.4.0 255.255.255.0 192.168.254.2 1
route Branches 10.71.6.0 255.255.255.0 192.168.254.2 1
route JHA 10.150.0.0 255.255.0.0 10.0.8.254 1
route JHA 10.251.4.0 255.255.255.0 10.0.8.254 1
route Branches 172.16.0.0 255.255.0.0 192.168.254.2 1
route Branches 172.28.0.0 255.255.0.0 192.168.254.2 1
route Branches 172.28.250.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.200.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.201.0 255.255.255.0 192.168.254.2 1
route Branches 192.9.220.0 255.255.255.0 192.168.254.2 1
route Branches 200.0.0.0 255.255.0.0 192.168.254.2 1
route Branches 200.0.11.0 255.255.255.0 192.168.254.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
always-on-vpn profile-setting
aaa-server HB_LDAP_Group protocol ldap
aaa-server HB_LDAP_Group (Branches) host 172.16.1.2
server-port 636
ldap-base-dn CN=VPN LDAP,OU=HB Users,DC=hb,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn VPN LDAP
ldap-over-ssl enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 Branches
http 172.16.0.0 255.255.0.0 Branches
snmp-server host Branches 172.16.1.80 community *****
snmp-server location Seagoville
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection timewait
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 publicWAN
ssh 10.0.0.0 255.255.0.0 Branches
ssh 172.16.0.0 255.255.0.0 Branches
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain hb.local
dhcpd address 10.0.254.100-10.0.254.200 guest
dhcpd dns 12.127.17.72 12.127.17.73 interface guest
dhcpd enable guest
threat-detection rate acl-drop rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source publicWAN
webvpn
port 4443
enable publicWAN
enable Branches
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 172.16.1.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value hb.local
split-tunnel-all-dns enable
username HBAdmin password azFWMwV/tQh/YjoW encrypted
tunnel-group Remote_VPN_Users type remote-access
tunnel-group Remote_VPN_Users general-attributes
address-pool Remote_VPN_DHCP_Pool
authentication-server-group HB_LDAP_Group LOCAL
default-group-policy GroupPolicy1
dhcp-server 172.16.1.2
tunnel-group Remote_VPN_Users webvpn-attributes
group-alias RemoteVPNUsers enable
class-map inspection_default
match default-inspection-traffic
class-map ips_module_class_map
match access-list traffic_send_ips_module
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
inspect ip-options
class ips_module_class_map
ips inline fail-open
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1c38a95ce10dab97ac6ad2e99823f5a2
: end
ASA# exit
Logoff
Looks like you are missing the nonat statement. Try adding the following and test (adjust the source subnet to match your needs)
object network VPN_range
range 172.16.253.100 172.16.253
nat (Branches,publicWAN) source static obj-10.0.0.0 obj-10.0.0.0 destination static VPN_range VPN_range
Please remember to rate and select a correct answer -
AnyConnect VPN on Mac - Can't SSH to Virtualbox Virtual Machines
Hi,
I'm running AnyConnect version 3.1.05170 on my Mac. I'm also doing SW Development on multiple Virtual Machines on my Mac via VirtualBox. When I connect via VPN, I can no longer SSH to my Virtual Machines. I'm sure there is a rules setting or something that is killing my "Host Only Network" in VirtualBox so I can no longer access them. The worst part is that even if I Quit the AnyConnect Client, I still can't SSH to my Virtual Machines, so whatever rule is put in place doesn't go away when I disconnect the tunnel.
Has anyone witnessed this or have a suggestion on how to go about solving it?
Thanks,
- Curt
Hello,
I just encountered the same problem. To solve it, I checked the box "Allow Local (LAN) access when using VPN (if configured)" in the preferences of AnyConnect.
It's working fine for me but I am using Parallels and not VirtualBox.
Regards
David -
Anyconnect Client profile files deleted after client upgrade
L.S.
I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
The ASA I am connecting to is a 5510 running ASA OS 8.4.5
The problem I have is the following:
We are using machine certificate authentication combined with RADIUS user authentication.
The machine certificates are stored in the Machine/Personal container in the local machine.
By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
We do not want to have the user run the client as administrator (in elevated mode) all the time.
Therefore we have made an AnyConnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML AnyConnect Client Profile is present)
The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
The VPN is established.
However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
This means the user cannot connect without using elevated rights the next time he wants to connect.
If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?
Hi poiu720408,
1. You need to set up a web-url or group-alias under the group policy, as we have enabled "tunnel-group-list enable" under the webvpn configuration. So once the user connects to the proper URL/alias the profile will be applied.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
2. Yes, the AnyConnect client stores "cache" information on the PC; if you want to clean up, you have to go to the AnyConnect folder on C: on the PC and delete the global_preferences.xml profile.
3. This behavior is totally expected and they should disappear after some minutes; however, if you want to force this, you can use the command "vpn-sessiondb logoff webvpn noconfirm"
Please rate helpful post !
Hope this helps
- Randy - -
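Added example, serving several of the threads on this page at once (the GPO/MSI question at the top, the SCEP %USER% answer, the RDP WindowsVPNEstablishment thread, the Mac local-LAN thread and this certificate-store thread): a Python script that writes and audits the two XML files involved, the client profile that lives in the Profile folder and preferences_global.xml with BlockUntrustedServers. It is not Cisco's code. The element and file names follow the AnyConnect 3.1 profile schema as I know it (AnyConnectProfile, ClientInitialization, CertificateStoreOverride, LocalLanAccess, WindowsVPNEstablishment, CertificateEnrollment/CertificateContents/Name_CN, ServerList/HostEntry, and AnyConnectPreferences/BlockUntrustedServers); confirm any element you do not recognise against a profile saved by the Cisco Profile Editor before pushing it. The server names and CA URL are placeholders.

```python
"""Generate and audit AnyConnect client profile XML and preferences_global.xml.
Added example, not Cisco's code. Element names follow the AnyConnect 3.1
profile schema as remembered (assumption); verify against a Profile Editor file."""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"   # namespace AnyConnect profiles use
ET.register_namespace("", NS)                  # serialise it as the default xmlns

def q(tag):
    """Qualified tag name in the profile namespace."""
    return "{%s}%s" % (NS, tag)

def build_profile(host_name, host_address, *, allow_rdp=False,
                  cert_store_override=False, local_lan=False, scep_url=None):
    """Minimal client profile covering the settings discussed in these threads."""
    root = ET.Element(q("AnyConnectProfile"))
    init = ET.SubElement(root, q("ClientInitialization"))
    # true lets a non-elevated user present a machine-store certificate.
    ET.SubElement(init, q("CertificateStoreOverride")).text = str(cert_store_override).lower()
    # Keeps local-LAN traffic (e.g. a host-only VM network) outside the tunnel.
    lla = ET.SubElement(init, q("LocalLanAccess"), UserControllable="true")
    lla.text = str(local_lan).lower()
    # LocalUsersOnly is the default; AllowRemoteUsers permits starting VPN over RDP.
    ET.SubElement(init, q("WindowsVPNEstablishment")).text = (
        "AllowRemoteUsers" if allow_rdp else "LocalUsersOnly")
    if scep_url:
        enroll = ET.SubElement(init, q("CertificateEnrollment"))
        ET.SubElement(enroll, q("CAURL")).text = scep_url
        contents = ET.SubElement(enroll, q("CertificateContents"))
        # %USER% is expanded by the client to the login name at enrollment time.
        ET.SubElement(contents, q("Name_CN")).text = "%USER%"
    entry = ET.SubElement(ET.SubElement(root, q("ServerList")), q("HostEntry"))
    ET.SubElement(entry, q("HostName")).text = host_name        # display name
    ET.SubElement(entry, q("HostAddress")).text = host_address  # FQDN/IP dialled
    return ET.tostring(root, encoding="unicode")

def build_global_preferences(block_untrusted=True):
    """preferences_global.xml; false disables the untrusted-server block (not recommended)."""
    root = ET.Element("AnyConnectPreferences")
    ET.SubElement(root, "BlockUntrustedServers").text = str(block_untrusted).lower()
    return ET.tostring(root, encoding="unicode")

def audit_profile(xml_text):
    """Effective values of the settings above, using the client defaults for absent elements."""
    root = ET.fromstring(xml_text)
    init = root.find(q("ClientInitialization"))
    enroll = init.find(q("CertificateEnrollment")) if init is not None else None
    contents = enroll.find(q("CertificateContents")) if enroll is not None else None

    def value(parent, tag, default):
        el = parent.find(q(tag)) if parent is not None else None
        return el.text.strip() if el is not None and el.text else default

    return {
        "WindowsVPNEstablishment": value(init, "WindowsVPNEstablishment", "LocalUsersOnly"),
        "CertificateStoreOverride": value(init, "CertificateStoreOverride", "false"),
        "LocalLanAccess": value(init, "LocalLanAccess", "false"),
        "Name_CN": value(contents, "Name_CN", None),
        "hosts": [(value(h, "HostName", ""), value(h, "HostAddress", ""))
                  for h in root.iter(q("HostEntry"))],
    }

if __name__ == "__main__":
    # Placeholder names; substitute your ASA's address and the MS CA's SCEP URL.
    profile = build_profile("Corp VPN", "vpn.example.com", allow_rdp=True,
                            cert_store_override=True,
                            scep_url="http://ca.example.com/certsrv/mscep/mscep.dll")
    print(profile)
    print(audit_profile(profile))
    print(build_global_preferences(True))
```

For the question at the top of the page: install the MSI with GPO software installation, then drop the generated profile into C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ with a GPO file preference (the client keeps preferences_global.xml in the same ProgramData tree). Setting BlockUntrustedServers to false makes the client accept any server certificate, which removes the only check tying the client to your ASA; the answers further up (trust the ASA's certificate via GPO, or use a CA-issued one) are the better fix, and then the setting can stay true.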
Windows 8.1 64-Bit AnyConnect Crash
Running Windows 8.1 (64-bit) with AnyConnect version 3.1.05170
I can connect without issue, but after an indeterminate amount of time and seemingly unrelated to whatever task I'm working on, the system crashes. BSOD with the little sad face.
I've seen at least one other post regarding this issue but, for some reason, when I tried to reply there, the UI didn't let me enter any text. Just prompted for a file upload.
Is there a fix for this issue available?
Thanks.
J
I have the same configuration and problem even with 3.1.06073 (latest). My VPN will connect and start and then hang. If I look at the statistics I'll see Bytes being sent but the Received count will stop at 19880 bytes. I have been able to work around this sometimes by re-installing but that doesn't always work. Usually I just have to keep trying, uninstalling, re-installing and eventually it'll start working. This is very frustrating.
-
ISE 1.2 Posture Assessment with AnyConnect Client
Hi Experts,
I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ? Can you please put light on this ?
If not, do I need to upgrade to ISE 1.3? What is the process to upgrade to ISE 1.3?
Thanks in advance
ISE can provision clients with an agent and configure agent profiles. You have client-provisioning policies that enable users to download and install resources on client devices (Windows and Mac OS X NAC Agents, Cisco NAC Web Agent).
-
AnyConnect version: 2.5.2001
Mac OS versions: 10.7.2 and 10.6.8
We used to invoke Cisco AnyConnect VPN via the Safari browser for the SSL URL and it used to work fine on Mac OS 10.6 and 10.7. Apple released a security update on 8/Nov/2011 (see: http://support.apple.com/kb/HT5045) and after applying the update, invoking AnyConnect from the browser no longer invokes the AnyConnect application on the machine. The browser stops at this page repeatedly:
I have installed AnyConnect on my machine and am able to invoke it explicitly, but browser login just fails to do that. I have tried re-installing AnyConnect, but the problem still persists.
Any help would be highly appreciated as we are in a show-stopped situation because of this issue.
Thanks
Vivek.
This is an old issue, but I ran into it continually this month while trying to use AnyConnect on my Mac 10.8+ version.
For me, the solution was:
I realized that I should have seen a pop-up warning me about the dangers of using Java etc. etc but it seemed as if my computer was blocking it automatically without giving me the option.
I went to the Java page (Java.com) and clicked on "Do I have Java?" The plug-in was inactive, so clicking it allowed me to check that my Java was up to date. Going back to my AnyConnect, this time, it seemed to go through and give me all the pop-ups allowing me to allow Java.
-
Hello there.
I am having a problem with Cisco AnyConnect version 3.1.04072. When one of my colleagues disconnects from the VPN session, closes out the program, and then later on, reopens the client, the address that he manually entered did not save and it's defaulting on the two now-defunct VPN servers listed.
Here's an example to see if it makes more sense:
-User opens Cisco AnyConnect. By default, there are two selections available on the pulldown:
SSLVPN.abcdefg.com
access.abcdefg.ca
These two VPN servers are now defunct and we use a new VPN server:
access.abcdefg.com
The user has to manually type it in. He is now able to connect. However, when disconnected, regardless of whether the program is closed or not, it does not save the new VPN server address, but rather goes back to the default two VPN servers listed.
I've checked XML, HTML, registry keys, sys files, dll files to see if I can change the default servers manually. No sign of it.
I'm hoping that someone out there knows a solution to fix it.
Thanks in advance!
Hi Vergel,
You can create an AnyConnect client profile on the ASA. In this profile, you can define the hostname/IP that you wish to connect to, along with the hostname/IP that should be displayed on the client.
In the client profile, you can define these parameters, "HostName" and "HostAddress", as "access.abcdefg.com" so that any user who tries to connect will see "access.abcdefg.com" as the name displayed in the AnyConnect connect field.
On the client, the xml profile (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) [Win 7] can be seen using those parameters as follows:-
<HostEntry>
<HostName>access.abcdefg.com</HostName>
<HostAddress>access.abcdefg.com</HostAddress>
</HostEntry>
Ref:- http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#89103
Additionally, you can try to delete the preferences.xml file to remove the redundant hostnames from the AnyConnect connect field.
Path for preferences.xml is C:\Users\Cisco\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client (Win 7),
Hope this helps.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
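As an added example (not code from the thread or from Cisco), the following Python script reads a client profile's ServerList, lists each HostEntry in the form shown above, reports entries whose HostAddress is not on an allow-list of current VPN servers, and writes back a profile with the defunct entries removed. The namespace URI and the sample profile are constructed for this example; only the ServerList/HostEntry/HostName/HostAddress element names come from the reply.

```python
# Added example (not from the thread or Cisco): audit and prune the ServerList of
# an AnyConnect client profile. Element names follow the reply above; the
# namespace URI and the sample values are constructed for this example.
import xml.etree.ElementTree as ET

# Constructed sample: the two defunct servers from the post plus the current one.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>SSLVPN.abcdefg.com</HostName>
      <HostAddress>SSLVPN.abcdefg.com</HostAddress></HostEntry>
    <HostEntry><HostName>access.abcdefg.ca</HostName>
      <HostAddress>access.abcdefg.ca</HostAddress></HostEntry>
    <HostEntry><HostName>access.abcdefg.com</HostName>
      <HostAddress>access.abcdefg.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip a namespace prefix: '{uri}HostEntry' -> 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]

def _field(entry, name):
    """Text of the child element `name` of a HostEntry ('' if absent)."""
    return next(((c.text or "").strip() for c in entry if _local(c.tag) == name), "")

def host_entries(profile_xml):
    """Return [(HostName, HostAddress), ...] for every HostEntry, namespace-agnostic."""
    return [(_field(e, "HostName"), _field(e, "HostAddress"))
            for e in ET.fromstring(profile_xml).iter() if _local(e.tag) == "HostEntry"]

def stale_entries(profile_xml, allowed):
    """HostEntry pairs whose HostAddress is not on the allow-list (case-insensitive)."""
    ok = {a.lower() for a in allowed}
    return [(n, a) for n, a in host_entries(profile_xml) if a.lower() not in ok]

def prune_profile(profile_xml, allowed):
    """Return the profile XML with every stale HostEntry removed."""
    ok = {a.lower() for a in allowed}
    root = ET.fromstring(profile_xml)
    if root.tag.startswith("{"):  # keep the default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for parent in list(root.iter()):  # ElementTree has no parent links, so walk parents
        for child in list(parent):
            if _local(child.tag) == "HostEntry" and _field(child, "HostAddress").lower() not in ok:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Calling `stale_entries(SAMPLE_PROFILE, ["access.abcdefg.com"])` returns the two defunct entries, and `prune_profile` with the same allow-list yields a profile whose only HostEntry is access.abcdefg.com.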