Cisco VPN :: ASA 5520 - AnyConnect Check Endpoint Attributes Not Working
Mar 12, 2013
While user's connecting through AnyConnect, AnyConnect doesn`t check endpoint attributes. I've configured checking process of "notepad.exe", but it doesn`t work. There is no checking process of "notepad.exe" in output debug dab trace (see attach).
ASA 5520 ver 8.4(1)
We have ASA 5520 acting as the VPN Server and Cisco 1941 router as EZVPN client. Since last few days client is not able to establish vpn connection. 1941 router is continuously generating the below log messages
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50) 001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=VPNGROUP Client_public_addr=<client public ip> Server_public_addr=<server public ip> 004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
We have about 160 users setup using the Anyconnect client connecting to a ASA 5510. We are using split tunneling and also using the Websense endpoint client. Every now and again after installing the endpoint client we are unable to connect the AnyConnect. It asks for credentials waits for a while and then fails with the error "AnyConnect was not able to establish a connection to the specified secure gateway.Please try again later."
If we uninstall the endpoint client it works again and normally after reinstall it fails again ( I know). Eventually it just works and then its fine.
We have logged a call with websense and sent packet traces of working and none working . Then only thing they came back with is if we filtered the non working trace with port 80 you could see a few RST,ACK coming from the ASA to the client so they blamed the Cisco components.
In my organization we have 2 sites. These 2 sites have ASA 5520s, and the l2l between each ASA. The interface that is forming the VPN tunnel is on the ASA, NATed on the router. These ASAs sit behind the router, which are then connected to the ISPs. Recently, we had to change the ISP that we were creating the tunnel on, from Comcast to Sprint on our remote site. I re NATed the interface, and the l2l tunnel came back up after editing the tunnel-group, crypto maps, and reapplying the crypto map to the interface. However, our remote access VPN no longer works on the ASA that we changed the IP on. The other side was never changed, and still works fine. When I tried using debug cry isa and debug cry ip sec on the firewall, nothing shows when we attempt to connect. We are using IPsec over TCP. On the ASDM log, it says: Deny TCP (no connection) from xx.xx.xx.xx/49907 to xx.xx.xx.xx/10000 flags RST on interface WAN.
The VPN worked fine before, could it be an ACL thing? All we changed was the IP so that's what I'm inclined to believe, but on the router none of the interfaces have an ACL that's applied to them. It can't be on the ASA, because I believe we have the option to ignore the ACL enabled, but I might be incorrect about this. I'm new at ASA/VPNs in general.
I would upload the configs, but is there a pertinent output that would work, or just a general sh run?
i allowed one of internal ip using static nat and public ip is 22.214.171.124 and i want to check which IP are hit this public ip ?Is there is any command to check which ip is hitting 126.96.36.199? I have the cisco 5520 asa firewall.
2 x ASA5520 with SSM20 . using AnyConnect 3 , users are not getting disconnected from ASA even after the vpn client is closed . Users would not be able to login from the same ip until the session is active. Manual clearing of the session enable the user to log back in .
I have a query regarding MAC authentication for end systems on ASA 5520. Inspite of proving MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
Is there any requirement like LDAP or AD is required for MAC authentication?
I have an ASA 5520 soft 8.2(3) when i try to configure the any connect I don't get the SSL and the telnet options for the connection. bare in mind that i don't have the any connect software on my asa nor do i have any certificate. is it essential to get a certificate. do i have to buy it knowing that it will only be used by our company's partners. if not how do i get it
We are currently using Cisco VPN Client. I'm looking to migrate to Cisco Any Connect. Our ASA 5520 has 750 IPSec and 2 SSL license. I also have approximately 40 IPSec site to site VPN's on this. ,Will anyconnect interfere with the site to site tunnels?,If I setup anyconnect with the IPSec instead of SSL do I still need to purchase the premium or essentials license?,Lets say if I do have to get the license and I get essentials will it cause any issues with the site to site VPNs?
We have an ASA 5520 with two VPN profiles working fine.Since some users are now working with Windows 8, VPN clients for Cisco ASA is not able to connect.I have read there are problems for such VPN Clients in that OS, and I should use now Anyconnect for them to connect. I thought we had anyconnect working also, because some users can connect to a web page they can do some kind of connections to internal servers, (web, telnet, rdp, etc) so I installed cisco anyconnect VPN client in a laptop and try to connect (same IP and port I used for that web page) but after signing I get the message AnyConnect is not enabled on the VPN Server.So I tried to follow a configuration guide for Anyconnect, but there's a step in which I am trapped, these are the steps: Click Configuration, and then click Remote Access VPN.
My client is upgrading from anyconnect 2.5.2014 to 3.1.00495. The ASA is running ASA 5520 version 8.2(5)33 and is in an active/standby failover pair.when trying to push out the new 3.1 from the pair to windows 7 and XP machines, he gets the error "Failed to get configuration from secure gateway. Contact your system administrator". When he tries to push 2.5.2014 and 2.5.6005 out from the pair this works fine.When pushing the 3.1 out from a stand-alone test ASA 5520 it works fine.
We have bought L-ASA-AC-PH-5520=Anyconnect Vpn Phone License for our Cisco Phones but when we entered this license into our ASA it shows th following i.e enabled for linksys phones. Is there a diff part no to enable vpn for cisco phones. [code]
We currently are using the anyconnect client using certificates for authentication (ASA 5520 v8.4). It works pretty good but I can only get it to work on a profile basis on the clients laptops. We are running windows 7 and if multiple users need VPN i have to install the certificate for each user. I have changed the xml profile to read the certificate store to "all" and true for certificate store override. I am installing the certificate in the trusted root certificate store. Is there a way for the anyconnect to authenticate for all profiles (users) for the laptop?
I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently runnign version 6.4 on the ASA and AnyConnect 2.5.3055.
We currently have a setup where users connect to the inside of a firewall using the ipsec client. We are moving them to the anyconnect client but are unable to get it to work, we cannot even get a webvpn page on the inside.
When trying to connect with anyconnect the ASA reports an IKE initiator fail on the inside. and no tcp connection flag. We cannot get any response with Webvpn either I have tried using a different tcp port on webvpn but then the asa denies the traffic even though there are no rules denying.
I am setting up Clientless Anyconnect on ASA 5520. I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error. FYI I have the Primary Cert Authority Installed already?
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)
We upgraded and re-configured two existing ASA5520 platforms in order to provide an SSL VPN solution for one of our customers.
The customer opted to deploy AnyConnect Essentials the functionality / features they required for day one were catered for in the Essentials license and budget constraints meant Premium licensing could not be included in the original deployment.
The licenses added to the system were: L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users) ASA-AC-M-5520 AnyConnect Mobile - ASA 5520 (req. Essentials or Premium)
The customer is now seeing a growing number of mobile devices and wishes to support the BYOD culture growing within the business; as a result we now need to use features available in AnyConnect Premium. I am aware from reading the following document [URL] that AnyConnect Essentials and Premium licenses cannot co-exist on an ASA; I need to ensure we purchase the appropriate upgrade for the customer.
Is there an SKU to upgrade / migrate an existing Essentials deployment to Premium? I've reviewed the licensing guide and price list but cannot find a method which enables this transition.
I currently have a Cisco 5520 ASA which is up and running and the users are able to connect to Anyconnect to VPN into the network. However, users plugged into the internal network inside the ASA are unable to connect to the vpn address and download the Anyconnect Client. I think this may be to do with reverse NAT missing?
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personnally been running the Anyconnect client and launching through IE9 for months.
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?
I have a VPN setup thru a Cisco 5520, Windows clients connect just find and the end users configure there browser to use our internal proxy servers. Users with the MAC OS X Anyconnect client can connect, they configure their Mac to use our proxy server, but the broswers will not work, clients can reach networks and resources behind the VPN gateway and have access to the Proxy(Tried a telnet to that hostname/port). I am running ASA 8.3(2), Anyconnect(OS X) 3.1.01065.
I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server). I have noticed one thing, on the server under "Constraints and Authentication Method". I picked MS-CHAP-v2, but it is considered Less secure authentication methods. I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP but then the VPN does not work.
So first of all does it really matter if I just leave it to MS-CHAP-v2? Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?
I have 50 SSL Premium licenses on my ASA 5520 running 8.4. I want to run Anyconnect on IPAD- and IPHONE-devices but it seems that this requires a Mobile-license on top of the premium-license. Is it possible to receive an evaluation-license for this? It will take a few days to receive permanent licenses and I want to user this now.