topic Re: ASA5525: Anyconnect was not able to establish a connection to the in Network Security

ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj — Fri, 16 Jul 2021 17:09:03 GMT

Specifications-

Hardware: ASA5525

Software: ASA9.14(1)30

Anyconnect Client: 4.10.00093

Desktop: Windows 10

I have an ASA5525 firewall that I am trying to configure to allow remote VPN using IPSec (ikev2) for a friend of mine. I have not done any configuration of firewalls for many years so I am a bit rusty.

I have an issue where I cannot VPN into the ASA firewall remotely from the Internet. I can go to the web interface, login with local credentials, and download the latest Anyconnect client for windows. However, when I try to VPN using the Anyconnect client with those same local credentials, I get past the initial login password prompt but receive the following error: “Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.”

I’ve searched the web and checked the posted fixes I’ve found but the problem persists (see list of potential fixes below) so I presume that I am missing something in the configuration for VPN and/or IPSec. If anyone out there can help, I would appreciate it. My config file is shown below.

Check LAN Settings on the desktop to make sure the option "Use automatic configure script" is unchecked.
Disable Antivirus and test the VPN
Disable firewall and test the VPN
Stop Internet Connection Service (not running on my system)
Disable Internet Connection Sharping (never enabled on my system)
Update the appropriate VPN registry item to remove “@oem20.inf,%vpnva_Desc%” in the text.
Tried alternate connections (wifi vs hardwired)
configure the ASA profile (.xml file) to be configured for "AllowRemoteUsers"

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

Rob Ingram — Fri, 16 Jul 2021 19:25:09 GMT

@dreyerpj

Does the client computer trust the certificate? You can export from the ASA and import to the client. Make sure you've specified the correct FQDN.

You say you are connecting using ikev2, I assume you've configured the anyconnect profile on the client computer to select IPSec, correct?

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

Marius Gunnerud — Fri, 16 Jul 2021 21:07:35 GMT

Your tunnel-group configuration is incorrect. You are referencing IKEv1 and not IKEv2

tunnel-group VPNPROFILE ipsec-attributes
 ikev1 trust-point SELF_TRUSTPOINT

Your SSL configuration does not reference the outside interface. ssl trust-point SELF-TRUSTPOINT outside

And a side note, your twice NAT / no NAT configuration is not correct. all your NAT statements reference INSIDE1 interface, the other two should reference INSIDE2 and INSIDE3 respectively

** I accidentally clicked on I have this problem too...which I do not

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj — Fri, 16 Jul 2021 21:35:12 GMT

Thanks for those.. I was changing from ikev1 to ikev2 and missed those. I'll give those try and report back.

As for the twice nat, that's what I get when I cut and paste statements. 🙂 I've fixed those as well. Thanks,

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj — Fri, 16 Jul 2021 21:30:20 GMT

Thanks for the info. The client does not block connections to untrusted servers and the client is configured for IPSec.

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj — Tue, 20 Jul 2021 17:20:53 GMT

I changed everything you suggested and still receive the same error message of "Anyconnect was unable to establish a connection to the specified secure gateway." (Connection attempt has failed.)

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

Marius Gunnerud — Tue, 20 Jul 2021 17:40:16 GMT

Did you also add the ssl trust-point configuration?

could you post an up to date full configuration of the ASA (remove any public IPs, usernames and passwords) snd also the output of show disk0 or dir whichever you prefere.

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj — Wed, 21 Jul 2021 12:17:39 GMT

Yes, I did add the ssl trust-point as you suggested. Thank you for asking. I've attached my running config as well as the show disk0 output. Thanks for your help.

Re: ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

Marius Gunnerud — Thu, 22 Jul 2021 20:12:07 GMT

Is this a lab setup or a production environment?

Looks as though your tunnel-group configuration is not correct

tunnel-group VPNPROFILE webvpn-attributes
 group-alias VPNPROFILE enable
tunnel-group VPNPROFILE ipsec-attributes
 ikev2 local-authentication certificate SELF_TRUSTPOINT

remove the ipsec-attributes and under webvpnb-attributes add authentication certificate

Re: ASA5525: Anyconnect was not able to establish a connection to the

dreyerpj — Fri, 13 Aug 2021 12:28:10 GMT

This is a lab setup. I will finish the config and then put it into production.

I tried everything you suggested and then started getting the same error I had at the beginning of this thread. "AnyConnect was not able to establish a connection to the specified secure gateway." However, I found the source of that problem which was in the client profile. if you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config. You can see this if you go to ASDM (see attached image).

Since this was the original question in this thread I'll mark this as my answer. Thanks for everyone's assistance in troubleshooting this.

Re: ASA5525: Anyconnect was not able to establish a connection to the

xuhongfei — Wed, 13 Apr 2022 10:09:34 GMT

Hello，Where is the server list in the picture in ASDM