Cisco Firewall :: 5520 AnyConnect Mobile Not Handling Certificates Correctly
Oct 31, 2012
I have an SSL VPN set up on my ASA 5520 with a self signed cert. When I run the AnyConnect install on my desktop machine I have click through a few windows to accept the certificate. When I connect through the mobile client on Android, the connection goes right through without a prompt to import/choose/download a certificate. I'm able to connect but I'm wondering if the phone has actually recieved a certificate. I'm in the 'Advanced Connection Editor' screen and the certificate setting says "Automatic".
I have 50 SSL Premium licenses on my ASA 5520 running 8.4. I want to run Anyconnect on IPAD- and IPHONE-devices but it seems that this requires a Mobile-license on top of the premium-license. Is it possible to receive an evaluation-license for this? It will take a few days to receive permanent licenses and I want to user this now.
I recently implemented an ASA 5520 HA pair with CSC-SSM-20s in each non stateful per cisco. The CSC management sits in a management subnet 192.168.4.0/24 with the management interface of the ASA as its default gateway in the same subnet. Ever since the implementation frequently webpages will not load correctly, the formating will not look right and pictures will be red x. If you hit f5 to refresh the pages loads fine. If I add a deny any any eq 80 rule before the permit any any eq 80 the issue appears to go away. TAC can't seem to find anything worng. All we want to do is use a simple web content filter with the check boxes in the global filtering policy. ASA is running 8.2(5) and CSC is running 6.3.1172.0. Everything else works fine SVC and rules and such. [code]
I have a problem with my ASDM Logging(ASA5520, System image file is "disk0:/asa804-k8.bin").If i generate any traffic, the ASDM do not show the packets correctly. For example, if i generate a icmp traffic from interface inside to outsite, the ASDM does not show the packets, when it shows it apperars just in one direction.
I need to setup an ASA 5520 to correctly NAT over two wan links. The idea sounds pretty straingforward but it does not, I have only 2 IPs that are involved with the NAT
I have 2 interfaces that sould be applied to it let's say outside1, outside2. The server is reacheable through each outside interface, the outside interfaces is selected uppon dynamic routing and that is working OK.
So if link outside1 is up the Nat follows this schema 192.168.1.10(inside) -- 172.16.1.10(outside1)
that works fine, but I want that automagically changes over when the link outside1 is down to 192.168.1.10(inside) -- 172.16.1.10(outside2).I know I can't have a NAT with 2 IPs and 2 different interfaces (ASDM doesn't allow me to), is there a way to implement this??
We're looking to deploy a certificate-based VPN solution for users with mobile devices (iPhone, iPad, and Android devices at minimum).We currently have CheckPoint firewalls (with VPN capabilities, currently unused), SonicWall, and Aventail devices at our disposal, but would not be against adding new equipment if the solution is secure, easy to deploy, and easy to manage.We want to use client certificates for authentication, though we currently have no infrastructure in place for such a thing.I'm looking for starting points/reference documents to learn to deploy:
* Certificate infrastructure, including a secure and manageable way to deploy certificates to devices, and revoke them if devices are lost or stolen.
* VPN concentrator configuration guides (whether it be Cisco or one of our existing VPN-capable devices).
I'm having an issue with intermediate certificates from GoDaddy when connecting from some browsers of mobile devices:Browser in Android 2.3.3;Safari in iOS 4.2.1;Chrome 18 in Android 4.0.In a PC there's no problem, only from the above mobile devices. The intermediate certificate isn't downloaded from the ACE 4710 resulting in a "SSL Certificate Not Trusted" error.Since GoDaddy has no instructions to resolve the issue from a Cisco ACE.
Recently we updated to the Anyconnect 3.0 client. I see the new 3.1 client is out and we are currently testing it for production. My question though is since updating to 3.0 our end users receive a message at the bottom of their client stating "No valid certificates available for authentication" They can still VPN in since we dont do certificate based authentication but we have been getting tons of questions on this. I would like to stop these messages from appearing and I am not sure if its just how the new client behaves or if its something configured on our ASA's.
Does changing the device certificate for AnyConnect Connection Profiles break any established AnyConnect connections, or is it transparent to the users?
I have an ASA 5520 soft 8.2(3) when i try to configure the any connect I don't get the SSL and the telnet options for the connection. bare in mind that i don't have the any connect software on my asa nor do i have any certificate. is it essential to get a certificate. do i have to buy it knowing that it will only be used by our company's partners. if not how do i get it
So i setup a failover active / passive with 2 ASA5520's
Primary asa has 750 Anyconnect vpn licensing and the secondary asa has 2 Anyconnect licenses
I haven't setup the second asa with the new 750 licenses i purchased but when i do a show version it shows that the failover licensed features shows 750...
Does this mean i do not have to install the secondary anyconnect licenses on the standby ASA unit?
output of secondary asa : Licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 150 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active
I have ASA 5520 running ver 8.3.(2)8 and configured for AnyConnect VPN. While testing for iPads and iPhones we noticed that on connecting it disconnects few times before finally connecting. These are the messages logged in the ASA.I don't see authenticatio as an issue. Results are better with wifi compared to 3G. [Code]
We have an ASA 5520 using for VPN & would like make use ASA's local CA to manage certificate.Do you know if there's any limitation on number of certificates that the local CA supports ?
I have ASA 5505 (8.4)I set up SSL AnyConnect VPN. I am able to connect from PC and MAC desktop computers using AnyConnect client but when I try use mobile device I am receiving error.Do I need buy the L-ASA-AC-M-5505=license?I see in description Platform: WindowsMy question is would it work with Apple mobile devices (iPhone, iPad)?
I have consulted a Cisco partner, as well as two different sources at Cisco and it seems remarkably difficult to find solid answers on anyconnect mobile licensing. I've got a pair of 5550s running 8.3.2 in active/standby. Based on the following license configuration, what do I need to support mobile clients? Anyconnect for mobile is obvious. Essentials? Since changes in 8.3 can I get away with one anyconnect for mobile license or do I need one per firewall? How many mobile clients would I be licensed for, 2500 per firewall? [code]
how to configure AnyConnect on an ASA5505, but I wanted to check before to make sure I was going the right direction.
Setup: I have a very simple setup and basic goal. I currently just have one laptop on E0/1 of my ASA5505 and then the ASA configured with a static IP plugged to the Internet. I have the ASA correctly configured and can browse the web through the laptop. I also have the AnyConnect and AnyConnect Mobile licenses as well.
Goal: I want to set up AnyConnect on the ASA5505 and just establish a successful connection from an android mobile device running the necessary AnyConnect software from the market.
There are lots of guides for specifc set ups, but as described, I want to keep this as simple as possible.
[URL]
Also, I'm more comfortable with the CLI. Is it simpler to use the ASDM wizard for this?
I am setting up an ASA5505 to allow a VPN with certificate from AnyConnect Secure Mobility Client (iPad)However I get a "No License" message back from the ASA, on the iPad - Anyconnect.I remember reading the ASA5505 came with two licenses.
I currently have a HA pair of ASA5510's, as I understand it the 2 free premium licenses can be used by the mobile client as long as the ASA has the license for the mobile clients?
Can any one confirm that my understanding is correct, or would i need to buy a seperate Premium license a long with the mobile client license to enable this functionality?
I'm working on task to update the SSL certificate for an application. steps to upgrade the SSL, stuffs need to be checked before and after the installation and how to verify the new certificates.
is there a easy to install SSL certificate on ASA, rather than enroll with a public CA? ASDM has a place to import certificates. Can I just upload a SSL certificate I got from my CA to ASA, withou setup CA enrollment? And if yes, how can I generate a SSL certificate request from my ASA 8.2?
2 x ASA5520 with SSM20 . using AnyConnect 3 , users are not getting disconnected from ASA even after the vpn client is closed . Users would not be able to login from the same ip until the session is active. Manual clearing of the session enable the user to log back in .
I am running Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.4(1). This will be used as a VPN gateway. I am having troubles installing our cert. I can install the cert, but it never connects witht he correct key. It references trustpoint0 when it is trustpoint1. I deleted all trustpoints and it still happens. That.vpngw4# sh run | begin rustcrypto ca trustpoint ASDM_TrustPoint0crl configurecrypto ca trustpoint ASDM_TrustPoint1keypair ASDM_TrustPoint0crl configurecrypto ca certificate chain ASDM_TrustPoint1certificate 0f8e62 308203d5.8c quitI deleted both trust points and when I do a sh run both are gone, but when I then import the cert (via ASDM) it creates trustpoint0 again.
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSK's and XAUTH. In order to tighten security, we'd like to move away from PSK's with Aggressive Mode and use certificates with Main Mode.I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt).FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue.Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now so the 2811's config may have a lot of unneccessary lines in it at this point.
I have a query regarding MAC authentication for end systems on ASA 5520. Inspite of proving MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
Is there any requirement like LDAP or AD is required for MAC authentication?
We are currently using Cisco VPN Client. I'm looking to migrate to Cisco Any Connect. Our ASA 5520 has 750 IPSec and 2 SSL license. I also have approximately 40 IPSec site to site VPN's on this. ,Will anyconnect interfere with the site to site tunnels?,If I setup anyconnect with the IPSec instead of SSL do I still need to purchase the premium or essentials license?,Lets say if I do have to get the license and I get essentials will it cause any issues with the site to site VPNs?
We have an ASA 5520 with two VPN profiles working fine.Since some users are now working with Windows 8, VPN clients for Cisco ASA is not able to connect.I have read there are problems for such VPN Clients in that OS, and I should use now Anyconnect for them to connect. I thought we had anyconnect working also, because some users can connect to a web page they can do some kind of connections to internal servers, (web, telnet, rdp, etc) so I installed cisco anyconnect VPN client in a laptop and try to connect (same IP and port I used for that web page) but after signing I get the message AnyConnect is not enabled on the VPN Server.So I tried to follow a configuration guide for Anyconnect, but there's a step in which I am trapped, these are the steps: Click Configuration, and then click Remote Access VPN.
My client is upgrading from anyconnect 2.5.2014 to 3.1.00495. The ASA is running ASA 5520 version 8.2(5)33 and is in an active/standby failover pair.when trying to push out the new 3.1 from the pair to windows 7 and XP machines, he gets the error "Failed to get configuration from secure gateway. Contact your system administrator". When he tries to push 2.5.2014 and 2.5.6005 out from the pair this works fine.When pushing the 3.1 out from a stand-alone test ASA 5520 it works fine.
We have bought L-ASA-AC-PH-5520=Anyconnect Vpn Phone License for our Cisco Phones but when we entered this license into our ASA it shows th following i.e enabled for linksys phones. Is there a diff part no to enable vpn for cisco phones. [code]
When I try to add CAS to CAM a cannot choose a OOB Virtual Gateway or OOB Real-IP Gateway, because these operation modes are absent in Type list.What can be reason it?
We currently are using the anyconnect client using certificates for authentication (ASA 5520 v8.4). It works pretty good but I can only get it to work on a profile basis on the clients laptops. We are running windows 7 and if multiple users need VPN i have to install the certificate for each user. I have changed the xml profile to read the certificate store to "all" and true for certificate store override. I am installing the certificate in the trusted root certificate store. Is there a way for the anyconnect to authenticate for all profiles (users) for the laptop?
