topic AnyConnect session can't be established on AWS instance in Network Security

AnyConnect session can't be established on AWS instance

zexinfinite — Sat, 07 Mar 2020 03:29:21 GMT

Hi all,

I've established AnyConnect service on Cisco ASAv in my lab, and I can establish SSLVPN connection from my mobile phone and the VM with CentOS7.

But I would like to establish SSLVPN connection from AWS instance with CentOS7, but it can not establish connection with below message.

I also try to check log on ASAv, and it display session has been terminated from client.

I also try to change parameter from "LocalUsersOnly" into "AllowRemoteUsers", but it still not working.

May I know does anyone has been experienced this issue and solved it?

===================================

[centos@AWS Instance ~]$ /opt/cisco/anyconnect/bin/vpn connect vpn.test.com
Cisco AnyConnect Secure Mobility Client (version 4.8.02045) .

>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (vpn.test.com) for login information...
>> notice: Contacting vpn.test.com.
AnyConnect cannot verify server: vpn.test.com
- Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

Always trust this server and import the certificate? [y/n]: n

>> Please enter your username and password.

Username: [vpntest]
Password:
>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
The AnyConnect Downloader updates have been completed.
Please wait while the VPN connection is established...
>> state: Connecting
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Initiating connection...
>> state: Disconnecting
>> state: Disconnected
>> notice: Disconnect in progress, please wait...
>> error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
>> notice: Ready to connect.
VPN>

[centos@AWS Instance ~]$

Re: AnyConnect session can't be established on AWS instance

Sheraz.Salim — Sat, 07 Mar 2020 08:07:35 GMT

error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.

By default, only local users may connect via any connect client. You need to edit the anyconnect client profile. Please change the LinuxVPNEstablishment parameter to "AllowRemoteUsers" instead of "LocalUsersOnly.

Re: AnyConnect session can't be established on AWS instance

zexinfinite — Sun, 08 Mar 2020 09:36:01 GMT

Thank you!

I try to create client profile and apply to group policy, but it will occur error message then terminate the session.

May I know where can I check why this client terminate connection?

>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator.
>> notice: Connection attempt has failed.
>> error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
>> state: Disconnected

Re: AnyConnect session can't be established on AWS instance

Cristian Matei — Tue, 10 Mar 2020 06:27:20 GMT

Hi,

Based on this message "Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway", try the following:

- ensure the ASA's certificate is trusted by your AWS instance

- as AWS may have some restrictions (like use only more secure algorithms), try to configure the following, and if it connects, look in the " show vpn-sessiondb" on the ASA for which ciphers have been used, and afterwards change the commands to use only specific ciphers:

ssl server-version any

ssl client-version any

ssl encryption (and here put most secure algorithms to being with, least secure at the end)

Regards,

Cristian Matei.

Re: AnyConnect session can't be established on AWS instance

zexinfinite — Thu, 19 Mar 2020 09:56:43 GMT

Hi Cristian,

Thank you for your support! I've fixed this issue after I import certificate from ASA to AWS, and I also adjust client profile to allow remote user, thank you!

Re: AnyConnect session can't be established on AWS instance

Cristian Matei — Thu, 19 Mar 2020 11:58:24 GMT

Glad it helped.

Re: AnyConnect session can't be established on AWS instance

00uqlppniqR1iMPpY5d6 — Fri, 14 May 2021 08:16:41 GMT

I have the same issue except the vpn server I want to connect to only provides only a username and password.

Can the ASA certificate only be provided by the vpn server side ? (Because I do not have access to the vpn server side)

And how is this certificate added to the aws instance ?