SCEP Anyconnect version 3 MS CA

Hi All
I'm using AnyConnect and SCEP proxy on the ASA, trying to get identity certs from a Windows CA. I want the certs to have a common name of the user ID of the person requesting, basically to take the username as the common name. Is there a way to take the login name across into the common name as part of the cert request? In the AnyConnect client profile you have the option of enrollment, but if I set the CN here it would use this for everybody?
I want to use authentication based on certs. So each user requires their own cert based on common name. I presume then I can revoke the cert to prevent authentication?
Any help would be great.
David

David,
Use the following wild card in the XML profile against CN
%USER%
regards
Anoop
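The profile macro Anoop mentions sits in the CertificateEnrollment section of the AnyConnect client profile XML. The fragment below is an added illustration of that section and is not from the thread or from Cisco's documentation: the host names, the NDES URL, the OU/O values and the expiration threshold are placeholders, and the element names are reproduced from memory of the AnyConnect 3.x profile schema, so compare them against what the AnyConnect profile editor emits before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original thread). Only the enrollment
     section is shown; host names, URLs and OU/O values are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <CertificateEnrollment>
    <!-- Start renewal this many days before the identity cert expires -->
    <CertificateExpirationThreshold>14</CertificateExpirationThreshold>
    <!-- Placeholder: ASA (with the SCEP-proxy group) that the client enrolls through -->
    <AutomaticSCEPHost>vpn.example.com/scep-group</AutomaticSCEPHost>
    <!-- Placeholder: NDES enrollment endpoint on the Windows CA -->
    <CAURL PromptForChallengePW="false">http://ca.example.com/certsrv/mscep/mscep.dll</CAURL>
    <CertificateSCEP>
      <CertificateContents>
        <!-- Per-user CN: the client substitutes the VPN login name at enrollment time.
             A literal value here (e.g. "vpnuser") would go into every user's request,
             which is the problem the original question describes. -->
        <Name_CN>%USER%</Name_CN>
        <Department_OU>VPN Users</Department_OU>
        <Company_O>Example Corp</Company_O>
        <Country_C>GB</Country_C>
        <Email_EA>%USER%@example.com</Email_EA>
      </CertificateContents>
      <!-- Hide the manual "Get Certificate" button so enrollment is automatic -->
      <DisplayGetCertButton>false</DisplayGetCertButton>
    </CertificateSCEP>
  </CertificateEnrollment>
</AnyConnectProfile>
```

On the revocation half of the question: revoking a user's certificate on the CA only blocks the VPN login if the ASA trustpoint that validates client certificates is configured to check revocation (the CRL or OCSP form of `revocation-check`); with the default of no revocation checking, a revoked but unexpired certificate still authenticates.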

Similar Messages

  • Where is the AnyConnect Version 4.0 Client

I see the release notes for AnyConnect version 4.0 are up and ISE 1.3 is also released (which can use AnyConnect 4.0 for posture assessment), but all the download links point to AnyConnect 3.1. So where can I get the 4.0 client?

    Problem is fixed.
    Please check the AnyConnect Secure Mobility Client 4.x download page now.

  • Unable to uninstall AnyConnect Version 2.5.0217

    I can't uninstall this or upgrade to another version because of a missing msi file; I also found the anyconnect-win-2.5.0217-pre-deploy-k9.msi file on the internet and cannot uninstall with that either.

    I've tried others like CCleaner with no luck, finally able to fix the issue!!! Thanks a million

  • SCEP 2012 version confusion

    Hi all,
    Just trying to get my thoughts straight around SCEP as I've seen some rather confusing things in SCCM 2012 R2 CU1 (upgraded from 2012 SP1) regarding client versions.
    Under the Forefront Endpoint Protection 2010 product are updates for both the SCEP and FEP clients. I'm presuming that for my purposes, the FEP Client updates are irrelevant.
    In SCCM, from an ADR looking at Forefront Endpoint Protection 2010 temporarily configured to get everything from the last 9 months, there is only "Update for SCEP Client 4.3.215.0" showing, but until yesterday there was an "Update for SCEP Client 4.4.304" which has now become expired. My PC is showing 4.3.220, which isn't listed at all!
    SCCM is declaring that all my clients require the expired 4.4.304 version.
    This seems very odd with the version numbering.
    Can anyone shed some light on this please, as confused is an understatement.
    Thanks
    Gary

    The different versions installed might be caused by different hotfixes installed on the clients.
    I assume that the problems you're seeing now with the different available updates for the EP client will be fixed today (I'm also only seeing the 4.3.215.0 now). Starting today there will be a new update released for the EP client, see for more information:
    http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/anti-malware-platform-updates-for-endpoint-protection-will-be-released-to-mu.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Anyconnect version 3.1.01065

    I want to deploy AnyConnect via GPO since it is MSI format. What I need to know is how do I have it put in the hostname and change the preferences so "Block connections to untrusted servers" is unchecked?

    Hi Dustin,
    Are you unable to connect to AC or is it crashing after the establishment of the VPN connection? Do you encounter any issues after or while connecting to AC? From the logs, it looks like that VPN connection is built fine.
    We would need more information regarding this. I would like you to collect DART logs from the affected machine.
    This is how you should go about collecting the DART:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html#wp1070440
    If you do not want to push the DART installation from the ASA, you can install it manually on the machine by running the .msi installer file by the name 'anyconnect-dart-win-3.1.xxx-k9.msi' which can be found under the below package:
    anyconnect-win-3.1.01065-pre-deploy-k9.iso
    IMP Note: Please clear all the event viewer logs (especially AC Secure Mobility client logs) before collecting the DART.
    Once you've cleared the logs, connect to AC and disconnect (if it's connecting at all) and run the DART tool.
    HTH!
    Regards,
    Nick

  • Anyconnect SCEP Auto-enrollment Issue

    Hello Everyone,
    I have been trying to configure Cisco's AnyConnect client with SCEP auto-enrollment with no success. I followed all the steps necessary to complete the configuration but still no success. What happens to me is: enrollment happens fine, the certificate is downloaded as it should be, but when I try to use it to authenticate and connect to my VPN it seems the certificate is not valid and not forwarded to the ASA; every time I reconnect, AnyConnect enrolls me for a new certificate, which means that if I repeat the process 1000 times I'll most likely have 1000 new certificates. I've been trying for a while now and nothing seems to work with it. Can anyone tell me anything that could help me?
    I am using windows 2k12 with NDES module installed, the certificate template being used is a custom IPSEC Offline request template, the asa sends the enrollment request according to what it should be and the enrollment happens fine, the problem is that I cannot match the certificate for some reason.
    Anyone that can help me?

    SCEP proxy was not integrated into the ASA until 8.4
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578
    If you want to do legacy SCEP, this should work. Your AnyConnect version is OK, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.

  • Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

    I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
    I am able to create the VPN connection but the connection will not allow data to be transferred.
    Stats from a manual connection:
    Cisco AnyConnect Secure Mobility Client Version 3.1.04072
    VPN Stats
        Bytes Received:  14375
        Bytes Sent:  0
        Compressed Bytes Received:  0
        Compressed Bytes Sent:  0
        Compressed Packets Received:  0
        Compressed Packets Sent:  0
        Control Bytes Received:  0
        Control Bytes Sent:  0
        Control Packets Received:  0
        Control Packets Sent:  0
        Encrypted Bytes Received:  7820
        Encrypted Bytes Sent:  1207
        Encrypted Packets Received:  9
        Encrypted Packets Sent:  3
        Inbound Bypassed Packets:  0
        Inbound Discarded Packets:  0
        Outbound Bypassed Packets:  0
        Outbound Discarded Packets:  0
        Packets Received:  4
        Packets Sent:  0
        Time Connected:  00:03:01
    Protocol Info
        Inactive Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  None
            Protocol State:  Disconnected
            Protocol:  DTLS
        Active Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  Deflate
            Protocol State:  Connected
            Protocol:  TLS
    OS Version
        Windows 8 : WinNT 6.2.9200
    Log from the data transmission software:
    24/12/2013 12:51:13 - Application version = 1.11.28.0
    24/12/2013 12:51:13 - Lodgement Library Version =  1.11.28.0
    24/12/2013 12:51:13 - Connection Method =  INTERNET
    24/12/2013 12:51:13 - DIS Connection Type = Automatic
    24/12/2013 12:51:13 - VPN Client =  ACTIVE
    24/12/2013 12:51:13 - Check Available Connections =  NOT ACTIVE
    24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
    24/12/2013 12:51:13 - Language: English (Australia)
    24/12/2013 12:51:13 -
    24/12/2013 12:51:13 - Connected to ISP via LAN
    24/12/2013 12:51:13 - Checking for presence of VPN client.
    24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
    24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
    24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
    24/12/2013 12:51:18 -
    24/12/2013 12:51:18 - Checking Cisco AnyConnect  version.
    24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
    24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.
    24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Initializing the VPN connection.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
    24/12/2013 12:51:23 - Authenticating user.
    24/12/2013 12:51:23 - Connected to VPN concentrator.
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Checking for profile updates...
    24/12/2013 12:51:23 - Checking for product updates...
    24/12/2013 12:51:23 - Checking for customization updates...
    24/12/2013 12:51:23 - Performing any required updates...
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
    24/12/2013 12:51:24 - Establishing VPN - Examining system...
    24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
    24/12/2013 12:51:24 - Establishing VPN - Configuring system...
    24/12/2013 12:51:24 - Establishing VPN...
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connection to VPN client return code = 0.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
    24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
    Connection timed out.
    24/12/2013 12:51:46 -
    24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
    24/12/2013 12:51:46 - Disconnect in progress, please wait...
    24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
    24/12/2013 12:51:47 - Detached.
    24/12/2013 12:51:47 - Disconnected from VPN concentrator.
    24/12/2013 12:51:47 - *****************************************************
    24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
    24/12/2013 12:51:47 - *****************************************************
    Issue history:
    - Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
    - Upgrade to Windows 8.1 stopped the VPN client working
    - Refreshed system back to Windows 8 and reinstalled all software
    - Cisco VPN client would not install on system
    - Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
    - Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
    - Data transmission software returns error code #10060
    Any assistance would be greatly appreciated.

    anyone found the fix for this?

  • Cisco 1841 SSL VPN and Anyconnect Help

    I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using AnyConnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via AnyConnect I get an error saying "Untrusted VPN Server Blocked." If I change the AnyConnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
    Current configuration : 7741 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname buchanan1841
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXXXX
    enable password XXXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    crypto pki trustpoint buchanan_Certificate
    enrollment selfsigned
    revocation-check crl
    rsakeypair buchanan_rsakey_pairname
    crypto pki certificate chain buchanan_Certificate
    certificate self-signed 01
      30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
      170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
      311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
      0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
      AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
      79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
      0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
      68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
      97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
      DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
      4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
      3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
            quit
    dot11 syslog
    ip source-route
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username buchanan privilege 15 password 0 XXXXX
    username cybera password 0 cybera
    username skapple privilege 15 secret 5 XXXXXXXXXX
    username buckys secret 5 XXXXXXXXXXX
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key p2uprEswaspus address XXXXXX
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set cybera esp-3des esp-md5-hmac
    crypto ipsec profile cybera
    set transform-set cybera
    archive
    log config
      hidekeys
    ip ssh version 1
    interface Tunnel0
    description Cybera WAN - IPSEC Tunnel
    ip address x.x.x.x 255.255.255.252
    ip virtual-reassembly
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile cybera
    interface FastEthernet0/0
    description LAN Connection
    ip address 192.168.1.254 255.255.255.0
    ip helper-address 192.168.1.2
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description WAN Connection
    ip address x.x.x.x 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    shutdown
    atm restart timer 300
    no atm ilmi-keepalive
    interface Virtual-Template2
    ip unnumbered FastEthernet0/0
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
    ip local pool LAN_POOL 192.168.1.50 192.168.1.99
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip route 4.71.21.0 255.255.255.224 x.x.x.x
    ip route 10.4.0.0 255.255.0.0 x.x.x.x
    ip route 10.5.0.0 255.255.0.0 x.x.x.x
    ip route x.x.x.x 255.255.240.0 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
    ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password xxxxx
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address x.x.x.x port 443
    http-redirect port 80
    ssl trustpoint buchanan_Certificate
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
    webvpn context employees
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "LAN_POOL"
       svc default-domain "buchanan.local"
       svc keep-client-installed
       svc dns-server primary 192.168.1.2
       svc wins-server primary 192.168.1.2
    virtual-template 2
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_2
    gateway gateway_1
    max-users 10
    inservice
    end
    buchanan1841#

    Perhaps you have changed the host-/domainname after the certificate was created?
    I'd generate a new one ...
    Michael
    Please rate all helpful posts

  • Not able to access Internet or Internal network via SSL AnyConnect

    After connecting successfully with Cisco AnyConnect version 3.0.05152 I am unable to access internal resources. Below is the configuration of the ASA.
    Any input on the below would be appreciated
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.04 16:15:58 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    : Saved
    ASA Version 9.1(4)
    hostname ASA
    domain-name hb.local
    enable password pEuUQweb2zEldXkE encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd pEuUQweb2zEldXkE encrypted
    names
    ip local pool Remote_VPN_DHCP_Pool 172.16.253.100-172.16.253.150 mask 255.255.255.0
    interface Ethernet0/0
    description *** Internet ***
    nameif publicWAN
    security-level 0
    ip address X.X.X.X X.X.X.X.
    interface Ethernet0/1
    description *** Guest Wireless Network ***
    nameif guest
    security-level 50
    ip address 10.0.254.1 255.255.255.0
    interface Ethernet0/2
    description *** Uplink to Branches ***
    nameif Branches
    security-level 100
    ip address 192.168.254.1 255.255.255.0
    interface Ethernet0/3
    description *** Uplink to JHA ***
    nameif JHA
    security-level 0
    ip address 10.0.8.1 255.255.255.0
    interface Management0/0
    description *** Managemnet Interface - NOT USED ***
    management-only
    shutdown
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup publicWAN
    dns domain-lookup guest
    dns domain-lookup Branches
    dns domain-lookup JHA
    dns server-group DefaultDNS
    name-server 172.16.1.2
    domain-name hb.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-10.0.0.0
    subnet 10.0.0.0 255.255.255.0
    object network obj_guest
    subnet 10.0.254.0 255.255.255.0
    object network obj-172.16.1.0
    subnet 172.16.1.0 255.255.255.0
    object network obj-172.16.1.5
    host 172.16.1.5
    object network obj-172.16.1.5-01
    host 172.16.1.5
    access-list Branches extended permit icmp any4 any4
    access-list Branches extended permit ip any4 any4
    access-list JHA extended permit ip any4 any4
    access-list JHA extended permit icmp any4 any4
    access-list guest extended deny ip any4 10.0.1.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.2.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.3.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.4.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.5.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.6.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.7.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.8.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.9.0 255.255.255.0
    access-list guest extended deny ip any4 10.0.10.0 255.255.255.0
    access-list guest extended deny ip any4 172.16.0.0 255.255.0.0
    access-list guest extended permit ip any4 any4
    access-list guest extended permit icmp any4 any4
    access-list traffic_send_ips_module extended permit ip any4 any4
    access-list outside extended permit tcp any4 host 172.16.1.5 eq https
    access-list outside extended permit tcp X.X.X.X 255.255.255.0 host 172.16.1.5 eq smtp
    access-list outside extended permit tcp X.X.X.X. 255.255.255.0 host 172.16.1.5 eq smtp
    access-list outside extended deny ip any4 any4 log interval 30
    pager lines 50
    logging enable
    logging timestamp
    logging monitor warnings
    logging buffered informational
    logging trap warnings
    logging asdm informational
    logging queue 2048
    logging device-id hostname
    logging host Branches 172.16.1.80
    flow-export destination Branches 172.16.1.80 2055
    flow-export template timeout-rate 15
    mtu publicWAN 1500
    mtu guest 1500
    mtu Branches 1500
    mtu JHA 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any publicWAN
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (any,publicWAN) dynamic interface
    object network obj-10.0.0.0
    nat (Branches,JHA) static 10.0.0.0
    object network obj_guest
    nat (guest,publicWAN) dynamic interface
    object network obj-172.16.1.0
    nat (Branches,JHA) static 172.16.1.0
    object network obj-172.16.1.5
    nat (Branches,publicWAN) static interface service tcp smtp smtp
    object network obj-172.16.1.5-01
    nat (Branches,publicWAN) static interface service tcp https https
    access-group outside in interface publicWAN
    access-group guest in interface guest
    access-group Branches in interface Branches
    access-group JHA in interface JHA
    route publicWAN 0.0.0.0 0.0.0.0 X.X.X.X. 1
    route Branches 10.0.0.0 255.255.0.0 192.168.254.2 1
    route Branches 10.0.5.0 255.255.255.0 192.168.254.2 1
    route Branches 10.28.11.0 255.255.255.0 192.168.254.2 1
    route Branches 10.55.4.0 255.255.255.0 192.168.254.2 1
    route Branches 10.55.6.0 255.255.255.0 192.168.254.2 1
    route Branches 10.57.4.0 255.255.255.0 192.168.254.2 1
    route Branches 10.57.6.0 255.255.255.0 192.168.254.2 1
    route Branches 10.71.4.0 255.255.255.0 192.168.254.2 1
    route Branches 10.71.6.0 255.255.255.0 192.168.254.2 1
    route JHA 10.150.0.0 255.255.0.0 10.0.8.254 1
    route JHA 10.251.4.0 255.255.255.0 10.0.8.254 1
    route Branches 172.16.0.0 255.255.0.0 192.168.254.2 1
    route Branches 172.28.0.0 255.255.0.0 192.168.254.2 1
    route Branches 172.28.250.0 255.255.255.0 192.168.254.2 1
    route Branches 192.9.200.0 255.255.255.0 192.168.254.2 1
    route Branches 192.9.201.0 255.255.255.0 192.168.254.2 1
    route Branches 192.9.220.0 255.255.255.0 192.168.254.2 1
    route Branches 200.0.0.0 255.255.0.0 192.168.254.2 1
    route Branches 200.0.11.0 255.255.255.0 192.168.254.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
      always-on-vpn profile-setting
    aaa-server HB_LDAP_Group protocol ldap
    aaa-server HB_LDAP_Group (Branches) host 172.16.1.2
    server-port 636
    ldap-base-dn CN=VPN LDAP,OU=HB Users,DC=hb,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn VPN LDAP
    ldap-over-ssl enable
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.255.0.0 Branches
    http 172.16.0.0 255.255.0.0 Branches
    snmp-server host Branches 172.16.1.80 community *****
    snmp-server location Seagoville
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change fru-insert fru-remove
    snmp-server enable traps remote-access session-threshold-exceeded
    sysopt connection timewait
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh scopy enable
    ssh 0.0.0.0 0.0.0.0 publicWAN
    ssh 10.0.0.0 255.255.0.0 Branches
    ssh 172.16.0.0 255.255.0.0 Branches
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd domain hb.local
    dhcpd address 10.0.254.100-10.0.254.200 guest
    dhcpd dns 12.127.17.72 12.127.17.73 interface guest
    dhcpd enable guest
    threat-detection rate acl-drop rate-interval 600 average-rate 5 burst-rate 10
    threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 129.6.15.28 source publicWAN
    webvpn
    port 4443
    enable publicWAN
    enable Branches
    anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value 172.16.1.2
    vpn-tunnel-protocol ikev2 ssl-client
    default-domain value hb.local
    split-tunnel-all-dns enable
    username HBAdmin password azFWMwV/tQh/YjoW encrypted
    tunnel-group Remote_VPN_Users type remote-access
    tunnel-group Remote_VPN_Users general-attributes
    address-pool Remote_VPN_DHCP_Pool
    authentication-server-group HB_LDAP_Group LOCAL
    default-group-policy GroupPolicy1
    dhcp-server 172.16.1.2
    tunnel-group Remote_VPN_Users webvpn-attributes
    group-alias RemoteVPNUsers enable
    class-map inspection_default
    match default-inspection-traffic
    class-map ips_module_class_map
    match access-list traffic_send_ips_module
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect http
      inspect icmp
      inspect ip-options
    class ips_module_class_map
      ips inline fail-open
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1c38a95ce10dab97ac6ad2e99823f5a2
    : end
    ASA#            exit
    Logoff

    Looks like you are missing the nonat statement.  Try adding the following and test (adjust the source subnet to match your needs)
    object network VPN_range
    range 172.16.253.100 172.16.253
    nat (Branches,publicWAN) source static obj-10.0.0.0 obj-10.0.0.0 destination static VPN_range VPN_range
    Please remember to rate and select a correct answer

  • AnyConnect VPN on Mac - Can't SSH to Virtualbox Virtual Machines

    Hi,
    I'm running AnyConnect version 3.1.05170 on my Mac.  I'm also doing SW Development on multiple Virtual Machines on my Mac via VirtualBox.  When I connect via VPN, I can no longer SSH to my Virtual Machines.  I'm sure there is a rules setting or something that is killing my "Host Only Network" in VirtualBox so I can no longer access them.  The worst part is that even if I Quit the AnyConnect Client, I still can't SSH to my Virtual Machines, so whatever rule is put in place doesn't go away when I disconnect the tunnel.
    Has anyone witnessed this or have a suggestion on how to go about solving it?
    Thanks,
    - Curt

    Hello,
    I just encountered the same problem. To solve it, I checked the box "Allow Local (LAN) access when using VPN (if configured)" in the preferences of AnyConnect.
    It's working fine for me but I am using Parallels and not VirtualBox.
    Regards
    David

  • Anyconnect Client profile files deleted after client upgrade

    L.S.
    I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
    The ASA I am connecting to is a 5510 running ASA OS 8.4.5
    The problem I have is the following:
    We are using machine certificate authentication combined with RADIUS user authentication.
    The machine certificates are stored in the Machine/Personal container in the local machine.
    By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
    We do not want to have the user run the client as administrator (in elevated mode) all the time.
    Therefore we have made an AnyConnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
    With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
    the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
    The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
    The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
    The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML AnyConnect Client Profile is present)
    The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
    The VPN is established.
    However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
    This means the user cannot connect without using elevated rights the next time he wants to connect.
    If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
    Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

    Hi poiu720408,
    1. You need to set up a web-url or group-alias under the group policy, as we have enabled "tunnel-group-list enable" under the webvpn configuration. So once the user connects to the proper URL/alias, the profile will be applied.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    2. Yes, AnyConnect stores "cache" information on the PC; if you want to clean it up you have to go to the AnyConnect folder on C: on the PC and delete the global_preferences.xml profile.
    3. This behavior is totally expected and they should disappear after some minutes; however, if you want to force this, you can use the command "vpn-sessiondb logoff webvpn noconfirm"
    Please rate helpful posts!
    Hope this helps
    - Randy -

  • Windows 8.1 64-Bit AnyConnect Crash

    Running Windows 8.1 (64-bit) with AnyConnect version 3.1.05170
    I can connect without issue, but after an indeterminate amount of time and seemingly unrelated to whatever task I'm working on, the system crashes.  BSOD with the little sad face.
    I've seen at least one other post regarding this issue but, for some reason, when I tried to reply there, the UI didn't let me enter any text.  Just prompted for a file upload.
    Is there a fix for this issue available?
    Thanks.
    J

    I have the same configuration and problem even with 3.1.06073 (latest).  My VPN will connect and start and then hang.  If I look at the statistics I'll see Bytes being sent but the Received count will stop at 19880 bytes.  I have been able to work around this sometimes by re-installing but that doesn't always work.  Usually I just have to keep trying, uninstalling, re-installing and eventually it'll start working.  This is very frustrating.

  • ISE 1.2 Posture Assessment with AnyConnect Client

    Hi Experts,
    I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
    Since the new AnyConnect version 4 has come out, which is used for ISE 1.3 posture assessment, I am not sure if I can use AnyConnect 4 with ISE 1.2. Can you please shed light on this?
    If not, do I need to upgrade to ISE 1.3? What is the process to upgrade to ISE 1.3?
    Thanks in advance

    ISE can provision clients with an agent and configure agent profiles. You have Client-provisioning policies that enable users to download and install resources on client devices (Windows and Mac OS X NAC Agents, Cisco NAC Web Agent).

  • Cisco AnyConnect WEB/SSL VPN - does not launch after Apple's security update on Mac OS 10.7 and 10.6

    AnyConnect version: 2.5.2001
    Mac OS versions: 10.7.2 and 10.6.8
    We used to invoke Cisco AnyConnect VPN via the Safari browser for the SSL URL and it used to work fine on Mac OS 10.6 and 10.7. Apple released a security update on 8/Nov/2011 (see: http://support.apple.com/kb/HT5045) and after applying the update, invoking AnyConnect from the browser no longer invokes the AnyConnect application on the machine. The browser stops at this page repeatedly:
    I have installed AnyConnect on my machine and am able to invoke it explicitly, but browser login just fails to do that. I have tried re-installing AnyConnect, but the problem still persists.
    Any help would be highly appreciated as we are in a show-stopper situation because of this issue.
    Thanks
    Vivek.

    This is an old issue, but I ran into it continually this month while trying to use AnyConnect on my Mac 10.8+ version.
    For me, the solution was:
    I realized that I should have seen a pop-up warning me about the dangers of using Java etc. etc but it seemed as if my computer was blocking it automatically without giving me the option.
    I went to the Java page (Java.com) and clicked on "Do I have Java?" The plug-in was inactive, so clicking it allowed me to check that my Java was up to date. Going back to my AnyConnect, this time, it seemed to go through and give me all the pop-ups allowing me to allow Java.

  • Cisco AnyConnect Secured Mobility Client not saving the VPN url after disconnecting from session/restarting client

    Hello there.
    I am having a problem with Cisco AnyConnect version 3.1.04072. When one of my colleagues disconnects from the VPN session, closes the program, and then later reopens the client, the address that he manually entered has not been saved and it defaults to the two now-defunct VPN servers listed.
    Here's an example to see if it makes more sense:
    -User opens Cisco AnyConnect. By default, there are two selections available on the pulldown:
    SSLVPN.abcdefg.com
    access.abcdefg.ca
    These two VPN servers are now defunct and we use a new VPN server:
    access.abcdefg.com
    The user has to manually type it in. He is then able to connect. However, once disconnected, regardless of whether the program is closed or not, it does not save the new VPN server address and instead goes back to the default two VPN servers listed.
    I've checked XML, HTML, registry keys, sys files, dll files to see if I can change the default servers manually. No sign of it.
    I'm hoping that someone out there knows a solution to fix it.
    Thanks in advance!

    Hi Vergel,
    You can create an AnyConnect client profile on the ASA. In this profile, you can define the hostname/IP that you wish to connect to, along with the hostname/IP that should be displayed on the client.
    In the client profile, you can define these parameters, "HostName" and "HostAddress", as "access.abcdefg.com" so that any user who tries to connect will see "access.abcdefg.com" as the name displayed in the AnyConnect connect field.
    On the client, the XML profile (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) [Win 7] can be seen using those parameters as follows:-
            <HostEntry>
                <HostName>access.abcdefg.com</HostName>
                <HostAddress>access.abcdefg.com</HostAddress>
            </HostEntry>
    Ref:- http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#89103
    Additionally, you can try to delete the preferences.xml file to remove the redundant hostnames from the AnyConnect connect field.
    The path for preferences.xml is C:\Users\Cisco\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client (Win 7).
    Hope this helps.
    Regards,
    Dinesh Moudgil
    P.S. Please rate helpful posts.
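    Two threads above depend on the contents of the deployed client profile XML: the HostEntry/HostName/HostAddress server list described in this answer, and the Certificate Store Override setting that the SCCM-deployed profile in the "profile files deleted after client upgrade" thread relies on. The following added Python script (not code from the thread or from Cisco) parses a profile and reports stale gateways or a missing override, so a deployment check can catch a wiped or outdated profile; the sample profile is constructed, and its namespace and the CertificateStoreOverride element name are assumptions based on typical AnyConnect profiles.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). HostEntry/HostName/HostAddress
# follow the answer above; the namespace and the CertificateStoreOverride element
# are assumptions based on typical AnyConnect client profiles.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>access.abcdefg.com</HostName>
      <HostAddress>access.abcdefg.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>SSLVPN.abcdefg.com</HostName>
      <HostAddress>SSLVPN.abcdefg.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip a '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def parse_profile(xml_text):
    """Return (certificate_store_override, [(HostName, HostAddress), ...])."""
    root = ET.fromstring(xml_text)
    override, hosts = False, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "CertificateStoreOverride":
            override = (el.text or "").strip().lower() == "true"
        elif name == "HostEntry":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            hosts.append((fields.get("HostName", ""), fields.get("HostAddress", "")))
    return override, hosts

def audit_profile(xml_text, approved_gateways):
    """Report gateways not on the approved list and a missing store override."""
    override, hosts = parse_profile(xml_text)
    approved = {g.lower() for g in approved_gateways}
    problems = [] if override else ["CertificateStoreOverride is not true"]
    for name, address in hosts:
        if address.lower() not in approved:
            problems.append(f"stale gateway: {name} -> {address}")
    return problems
```

Run it against the XML read from the Profile folder path quoted above to confirm the file survived a client upgrade and still lists only the current gateway.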
