How do I use Cisco Anyconnect?
I'm not sure if this is the right place for this.
My work has provided Cisco Anyconnect to access their network. I'm able to download and install successfully but once I establish the connection, then what. I'm connected but nothing seems to happen. How do I actually access my works network? Do I need to connect to a server (Using Go/Connect to a server...)?
Thanks
All Anyconnect does is connect you to you work's network. Once you've established a connection, you should have access to work resources (servers, desktops, printers) by connecting to them as you would if you were at your office.
If there are any special connection requirements to use your work resources, you would need to contact the I/T people at your workplace.
Similar Messages
-
XE connection problem after using Cisco AnyConnect Client
Hello
I have a rather annoying problem connecting to an XE instance AFTER I have disconnected from a VPN via a Cisco AnyConnect VPN Agent.
Sequence of operations:
- start Oracle XE and work normally
- connect to client's vpn
- do other stuff
- DISCONNECT from Client's VPN
-> unable to connect to XE service any more, unless I reboot
The problem does not happen with other vpn clients like Cisco VPN Service, Juniper, Checkpoint.
Details:
- sqlplus connection WITH service name (eg sqlplus user/pwd@XE): FAILURE with ORA-12170
- but...sqlplus connection WITHOUT service name (eg sqlplus user/pwd): SUCCESS (weird !)
- tnsping XE: TNS-12535 error
- lsnrctl status output (sorry, italian localized)
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 22-GIU-2011 14:19
:38
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connessione a (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))
STATO del LISTENER
Alias LISTENER
Versione TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Produ
ction
Data di inizio 22-GIU-2011 12:26:15
Tempo di attivitÓ 0 giorni 1 ore 53 min. 22 sec.
Livello trace off
Sicurezza ON: Local OS Authentication
SNMP OFF
Servizio predefinito XE
File di parametri listenerC:\programs\oraclexe\app\oracle\product\10.2.0\server\
network\admin\listener.ora
File di log listener C:\programs\oraclexe\app\oracle\product\10.2.0\server\
network\log\listener.log
Summary table degli endpoint di ascolto...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC_FOR_XEipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=MyPCName)(PORT=8080))(Presentation=HTTP)(Session=RAW))
Summary table dei servizi...
Il servizio "CLRExtProc" ha 1 istanze.
L'istanza "CLRExtProc", stato UNKNOWN, ha 1 handler per questo servizio...
Il servizio "PLSExtProc" ha 1 istanze.
L'istanza "PLSExtProc", stato UNKNOWN, ha 1 handler per questo servizio...
Il servizio "XEXDB" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Il servizio "XE_XPT" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Il servizio "xe" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Environment:
Win7 Pro SP1
Oracle XE 10.2.0
I have stopped the Win firewall and the problem is still there, so it is not a firewall problem
listener.ora configuration
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = C:\programs\oraclexe\app\oracle\product\10.2.0\server)
(PROGRAM = extproc)
(SID_DESC =
(SID_NAME = CLRExtProc)
(ORACLE_HOME = C:\programs\oraclexe\app\oracle\product\10.2.0\server)
(PROGRAM = extproc)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
(ADDRESS = (PROTOCOL = TCP)(HOST = MyPCName)(PORT = 1521))
DEFAULT_SERVICE_LISTENER = (XE)
tnsnames.ora
XE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = MyPCName)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = XE)
EXTPROC_CONNECTION_DATA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
(CONNECT_DATA =
(SID = PLSExtProc)
(PRESENTATION = RO)
Any help ?Hi;
Pelase close this tread as answered and keep update issue at:
Re: XE connection problem after using Cisco AnyConnect Client
Regard
Helios -
Simple remote connection using Cisco AnyConnect and ISR router
Hi all,
I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?
Basically what I am after is the following
- Remote users install Cisco AnyConnect to establish a VPN connection to HQ
- HQ ISR (880s, 1900s, 2900s) terminates that VPN connections and allows access to local resources (shared drives, applications...).Authentication method would be local database on the router. No need of RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.
I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
But the example is too highlevel for me to follow, basically I don't know how to generate such certificates and distribute it to remote clients.
Any help as to how to create such certificates or how to configure FlexVPN to just requiring the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.
Cheers
AlvaroIf you insist .. try this:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html -
New vpn conncetion using Cisco Anyconnect Secure Mobility Client
(Not sure if I'm in the right forum.)
I'd like to connect via VPN to complete work tasks while not on the network. My Windows 8 laptop came with Cisco Anyconnect Secure Mobility. How do I or where do I go to add the new settings for this new vpn location? I have connections in the drop down list that I no longer use/need.
The VPN connetion failed due to unsuccessful domain name resolution.Right now I'm testing on a single access point (autonomous) with WEP! The same laptop works fine without the Cisco client. Usually it is several hours, 12 or more when it happens, but I've seen it less than that. And I've seen it up for over a day and a half. At this point I just don't trust the client to roll out to a larger audience.
-
NPAS: How do I use Cisco ASA RADIUS attribute 146?
We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN. We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one. At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string
that corresponds to a policy rule in NPAS based on the matched group membership. This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client
that doesn't correspond to them, the ASA doesn't set up the session for them.
Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3. This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server. We would like to use this attribute in our policies in NPAS
to help with policy matching. By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
The question becomes, how can I use this upstream RADIUS attribute in my policy conditions? I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work.
These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA). The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member
of is matched and authentication is successful. This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.htmlPhilippe:
Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA). Each AD group basically is designed to map to a specific tunnel group. Each RADIUS policy
contains vendor-specific attribute 85 with the name of the tunnel group. So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client
- the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA. If the tunnel group name matches the one associated to the user group
you selected from the list in the AnyConnect client, a VPN tunnel is established. Otherwise, the ASA rejects the connection attempt.
Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group. If there is a need for an individual to be able to use two out of the three or all three tunnel groups in
order to gain different access, using tunnel-group-lock or group-lock won't work. This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of
will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time. If that name doesn't match the one they picked, the tunnel will not be established. This will happen every time if the tunnel group is
associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
Group-lock (attribute 25) works similarly. In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group
name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name). Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something send by the RADIUS server
to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies. In this way, people could be members of more than one of the AD security groups related to VPN at a time. The
problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible. -
How do I use Cisco Registered Email Service with 10.7?
I received a email via someone using Cisco Registered Email/Envelope Service. The authentication process required the latest version of JAVA for 10.7, which I downloaded and installed. When I try to logon, the screen hangs with the message "Loading Envelope Tools." If I press "open" again it states "Inactive tools." The alternate method is to open the mail via a secure Web site, which I can open, but I am unable to download attachments. To download attachments, I am directed to a page that begins with "x-msg:" and I get a message that says: "Safari can't open the address .. . because MAC OX doesn't recognize Internet Addresses starting with "x-msg:"
Thanks for the info Roger, this is indeed did work for me (at least the part about signing in on apple.com, haven't tried the rest). Since Apple does not allow for the merging of Apple IDs, my plan is to use the old me.com address (from the free trial) with iCloud but then forward all the messages from the old me.com to my current Apple ID. Problem is all my devices are already associated with iCloud. So... if I want to activate iCloud using the old me.com, how do I do it?
I have two ideas: 1) as you suggest, signing out and signing back in through the iCloud preference pane (either on Mac OS or iOS); but I'm worried this will have consequence - will I be able to sign back in to my main Apple ID account after doing this?
2) create a new user on my Mac and then sign in to iCloud with the old me.com address there, then delete the account.
Thanks for any help with this. -
Connections drop when using Cisco Anyconnect Secure Mobility Client
Folks I have a strange issues. I have a few laptops that I'm testing using the Cisco AnyConnect Secure Mobility Client Network Access Manager. We like the interface and overall are happy, but have one nagging issue. Periodically the connection drops when using the client, and the only way to reconnect is to choose the Network repair option on the client. That fixes it just fine, but we shouldn't have to do this. The same clients using the built in WIndows supplicant do not have this problem. We are on version 3.0.07059.
Right now I'm testing on a single access point (autonomous) with WEP! The same laptop works fine without the Cisco client. Usually it is several hours, 12 or more when it happens, but I've seen it less than that. And I've seen it up for over a day and a half. At this point I just don't trust the client to roll out to a larger audience.
-
How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?
Hi
The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
How to setup MARS to monitor ASA with IPS with active standby topology?
Thanks!Hi,
The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
Don't forget that you have to manually replicate all IPS configuration every time you make a change.
HTH
Andrew. -
How do I use Cisco MARS to monitor two FWSMs in two Cat6500 in failover ?
Hello,
I understad that I can add both Catalysts to MARS and that I can add primary FWSM as a module to primary catalyst as well. But how can I add secondary FWSM.
Any ideas appreciated
ThanksIf you have already configured the primary, you don't have to configure the secondary. No need to configure the secondary as it is not recommended to do so, In case of a failover the secondary firewall will automatically take over the active configuration( EX: IP address) of the primary so the source of the syslogs will remain the same
-
Setting up IPsec VPNs to use with Cisco Anyconnect
So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accountingHi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
Problem using SunRay with Cisco AnyConnect VPN Client
I am using Cisco AnyConnect VPN Client Version 2.5.3046
I have a PC and a SunRay connected to my router. I use VPN to connect my SunRay and my PC to my work computer. My PC works fine, I am able to connect to the internet and also run cisco VPN to connect to my work computer. But when I try to use my SunRay, I get a window on the screen with the message:
VPN IKE Phase 1 agg I msg1This window keeps moving around on the screen. I am not able to connect my SunRay through VPN to my work computer. Any idea what could be wrong and how I can fix this?2.2 is definitely better.
On one PC, I'm fine. On another -- very similar -- it tells me it can't start the VPN even after uninstalling and re-installing and everything else I can think of, with plenty of re-boots inbetween.
Aaaaarrrrrrggggggghhhh. -
Cisco anyconnect secure mobility client + caching
Hi,
We have recently implemented wifi at our location, all working fine with the below exception. we have cisco anyconnect secure mobility client installed on all laptops for VPN access. we are facing a problem as the vpn client is caching the credentilas i.e inorder to connect to the corp wifi, we need ot add a profile in the anyconnect client with the SSID, security and 802.1x configuration bcoz my WIFI infra is setup to use ISE as the authentication manager and WLC is integrated with ISE. First time when someone tries to connect to wifi, it prompts for the credentials. but for the subsequent connections it is not prompting for the credentials and somehow it is picking from the cache or somewhere. How can i disable this? I want the users to be prompted for credentials whenever they try to connect to the corp wifi? FYI, we are using cisco anyconnect secure moile client 3.0.5 version.
Thanks,
SridharI'm guessing that it is this setting...
Go to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client and edit the AnyConnectLocalPolicy.xml.
Change this line to:
All
It's probably best to use the AnyConnect Profile Editor to do this and I'm also not sure if this is something that can be pushed from the gateway to all machines. -
Cisco anyconnect driver uninstall
We have deployed anyconnect in our company. The isseu is, when a user tries to connect VPN using cisco anyconnect VPN, the driver somehow gets uninstalled. When the "accpet" banner is clicked after that the driver is automatically getting uninstalled. The error message says that" the drive has encountered any issue. Please reboot the machine". Checked the device manager, the cisco netowrk adapter got uninstalled.
Not able to understand why its happening.
Can anyone help with this.
Attached is the error message which pop-up.Hi Adeolu,
Thanks a lot for your response. I've run through all the suggestions on the Cisco site, as well as what Google found relating to my VPN error condition. None of them helped. I then uninstalled Microsoft Security Essentials, but could not reinstall it. There's something amiss with my PC. I worked on that issue up to last weekend, where I decided I can't waste any more time on that issue, and attempted to restore my system from a saved image on my external backup drive from mid-January.
I was shocked to find that, while the restore indicated the process succeeded, when I attempted to reboot my computer, it came back with an error to the effect that the system did not boot successfully last time, would I like to repair the system, or boot windows normally. To make a long story short, neither options worked. I spent a bunch of time trying to restore the boot manager and master boot record, but nothing worked. The partition was set to bootable/active...
As a side note, I suspected I may have a hardware failure of some sort. I swapped out memories, hard drives and DVD drives, but the result was always the same. The system image appeared to reinstall the Windows partition, but it still would not boot from that drive.
I've given up and am in the process of restoring Windows from scratch. I didn't want to go that route due to all the time it's going to consume (updates, installing software, eventually reinstalling Cisco AnyConnect client), but there's a limit to how much time I can spend on such things.
The main lesson I learned from all this is don't trust the Microsoft System Image backup as a reliable way to restore the computer after something bad happens. There's a really good chance when you need it, it won't work. I'm going to use Ghost 32 to create reliable system images in the future.
Thanks again.
Gene -
Cisco Anyconnect Secure Mobility Client crashes on Mac 10.8.5
Hi,
I have a Macbook Pro with Mountain Lion 10.8.5 OS installed. I am using Cisco Anyconnect Secure Mobility Client as a VPN to access my company's network (Intranet). Had been using this software for more than 2 Months and all of a sudden now when I use this Secure Mobility Client, the application is crashing and I get the following error message:
Process: Cisco AnyConnect Secure Mobility Client [1340]
Path: /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
Identifier: com.cisco.vpn
Version: 3.0.10055
Code Type: X86 (Native)
Parent Process: launchd [152]
Date/Time: 2013-11-10 11:18:57.739 +0530
OS Version: Mac OS X 10.8.5 (12F45)
Report Version: 10
Interval Since Last Report: 6277 sec
Crashes Since Last Report: 2
Per-App Crashes Since Last Report: 2
Crashed Thread: 6
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
VM Regions Near 0x4:
--> __PAGEZERO 0000000000000000-0000000000001000 [ 4K] ---/--- SM=NUL /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
__TEXT 0000000000001000-0000000000025000 [ 144K] r-x/rwx SM=COW /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x96fcf7ce mach_msg_trap + 10
1 libsystem_kernel.dylib 0x96fcecac mach_msg + 68
2 com.apple.CoreFoundation 0x990e1f79 __CFRunLoopServiceMachPort + 185
3 com.apple.CoreFoundation 0x990e795f __CFRunLoopRun + 1247
4 com.apple.CoreFoundation 0x990e701a CFRunLoopRunSpecific + 378
5 com.apple.CoreFoundation 0x990e6e8b CFRunLoopRunInMode + 123
6 com.apple.HIToolbox 0x97821f5a RunCurrentEventLoopInMode + 242
7 com.apple.HIToolbox 0x97821cc9 ReceiveNextEventCommon + 374
8 com.apple.HIToolbox 0x97821b44 BlockUntilNextEventMatchingListInMode + 88
9 com.apple.AppKit 0x91d9193a _DPSNextEvent + 724
10 com.apple.AppKit 0x91d9116c -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 119
11 com.apple.AppKit 0x91d875cc -[NSApplication run] + 855I have identical problem on 10.7.5 OS and AnyConnect 3.1.04074
Just started happening yesterday.
Please post if you find a solution. -
Hi,
I use Cisco AnyConnect Secure Mobility Client 3.1.05170 to connect to my company network and it has been working successfully for a while and until Sunday evening Feb 8.
Today, this solution is no longer working and I've reproduced the same issue on 3 different Mac's which have 10.10.2 (on 2 Mac's) and 10.9.5 (on 1 Mac).
I can navigate on internet without any problem but when I launch the connection in Cisco AnyConnect Secure Mobility Client, it time outs and I get the following errors:
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type information sent to the user: Contacting <company server name removed for security reasons>.
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnui[7926]: Initiating VPN connection to the secure gateway https://<company server name removed for security reasons>
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host <company server name removed for security reasons>, profile myaccess1.xml)
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 718 Invoked Function: CHostLocator::resolveHostNameAlt Return Code: -29294571 (0xFE410015) Description: DNSREQUEST_ERROR_EMPTY_RESPONSE
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 322 Invoked Function: ::getaddrinfo Return Code: 35 (0x00000023) Description: unknown
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport::getHostIPAddrByName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::resolveHostName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO failed to resolve host name <company server name removed for security reasons> to IPv6 address
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host <company server name removed for security reasons> has been resolved to IP address 144.24.19.20
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Writing to hosts file: 144.24.19.20 <company server name removed for security reasons> ###Cisco AnyConnect VPN client modified this file. Please do not modify contents until this comment is removed.
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4893 The requested VPN connection to <company server name removed for security reasons> will target the following IP protocols and addresses: primary - IPv4 (address 144.24.19.20), secondary - N/A.
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1939 PasswordEntry username is nwipfli
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 857 Return success from VerifyServerCertificate
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: SendRequest File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1422 Invoked Function: curl_easy_perform Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT 28 : Error
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: sendRequest File: ../../vpn/Api/ConnectIfc.cpp Line: 3191 Invoked Function: CTransport::SendRequest Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: connect File: ../../vpn/Api/ConnectIfc.cpp Line: 481 Invoked Function: ConnectIfc::sendRequest Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: TranslateStatusCode File: ../../vpn/Api/ConnectIfc.cpp Line: 3008 Invoked Function: TranslateStatusCode Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT Connection attempt has timed out. Please verify Internet connectivity.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: doConnectIfcConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1963 Invoked Function: ConnectIfc::connect Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type warning sent to the user: Connection attempt has failed.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2614 Content type (unknown) received. Response type (host unreachable) from <company server name removed for security reasons>:
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type warning sent to the user: Unable to contact <company server name removed for security reasons>.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2724 Unable to contact <company server name removed for security reasons>
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type error sent to the user: Connection attempt has timed out. Please verify Internet connectivity.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2050 ConnectMgr::processIfcData failed
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.
Any idea about a solution ?
Thanks in advance
NicolasThere seem to be much more problems with 3.1.04049
Especially with certificate authentication.
I opened some TAC cases.
Try 3.1.04063 that came out at 07-24-13.
TAC said that there are some fixes in it...
Maybe you are looking for
-
How can I move apps from my iPod touch tô my iPhone?
I am giving my old iPhone to my son to replace his iPod touch. How can I move all of his apps to the iPhone?
-
Yahoo Mail On iPad - Attachments Appearing As Question Marks
A relative of mine has a Yahoo! Mail account which she uses for e-mail on her iPad. She's had a problem recently that some of the attachments (JPGs) she's received haven't appeared in the Mail app on the iPad. Instead, they've shown up as question ma
-
hi all, recently i've been given the assignment of sync one Active Directory to one OID. Said so seams easy ..... ...... so I installed a fresh copy of Win2000 adv server with Active Directory PLUS another Win2000 adv server with Oracle AS infra. The
-
Retrieve Distinct Values using XQuery
The following query is returning me duplicate rows. How can we retrieve the distinct values? Can we use Distinct somewhere in this query? Please help me. SELECT XMLQuery('<Update> { for $demo in (ora:view("TableA")), $demo_audit in ora:view("TableA_A
-
dear sap guru, Service purchase requistion text filed is not coming to related with that gate entry pass. For Example, in PR, we are putting in Header coloumn, about material details, quantity. It is not coming to Gate entry pass. How we can get this