Always on VPN - Anyconnect cannot confirm it is connected to your secure gateway

lmqtechnology
Level 1

I am configuring Always-On VPN with TND on a Cisco ASA 5508. The client downloads the profile correctly and correctly recognises when it is on a trusted network; however, when we move to an untrusted network I get the error:

"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

We have a valid cert from GoDaddy on the ASA.

17 Replies

Francesco Molino
VIP Alumni
Hi

What do you want to achieve?
If you want anyconnect to build up the VPN automatically when on untrusted network, you can use Automatic VPN, always on isn’t necessary.

Can you share your XML profile please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sure, here you go.

We want the client to connect every time you are not on a trusted network. If they do not connect, they have no internet access.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>true</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>30</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>true
<!-- TND: the network counts as trusted when the DNS suffix matches; anything else is untrusted -->
<TrustedDNSDomains>lmqtech.local</TrustedDNSDomains>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<!-- Always-On: ConnectFailurePolicy Closed blocks all traffic while the VPN is not up; AllowVPNDisconnect false removes the user's Disconnect button -->
<AlwaysOn>true
<ConnectFailurePolicy>Closed
<AllowCaptivePortalRemediation>false
<CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
</AllowCaptivePortalRemediation>
<ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
</ConnectFailurePolicy>
<AllowVPNDisconnect>false</AllowVPNDisconnect>
</AlwaysOn>
</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<!-- CertificateMatch filters which client certificate AnyConnect offers for authentication; it does not validate the gateway's certificate -->
<CertificateMatch>
<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
<Name>CN</Name>
<Pattern>Go Daddy Secure</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>vpn.<omited>..com</HostName>
<HostAddress>vpn.<omited>.com</HostAddress>
<UserGroup>ANYCONNECT</UserGroup>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>false</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>

So if you want your users to be automatically connected when on an untrusted network, you can remove always on (set it to False) and keep the rest.
Disabling always on will remove at least these 2 lines:
<AlwaysOn>true
<ConnectFailurePolicy>Closed

After that, with this XML profile (as you have set the domain for automatic VPN), when a user steps into the office, AnyConnect will disconnect and the user will be able to work; when he goes back home, AnyConnect will come up right away as it will detect the network as untrusted.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
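The AutomaticVPNPolicy block as it should look once Always-On is dropped, as an added example (not text from Francesco or from Cisco's documentation). Removing only the two opening lines quoted above would leave the closing </ConnectFailurePolicy> and </AlwaysOn> tags unmatched and the profile would no longer parse, so the whole AlwaysOn element has to go; TND itself stays in place. The domain value is the one from the posted profile.

```xml
<!-- Automatic VPN with TND, Always-On removed as a whole element -->
<AutomaticVPNPolicy>true
<!-- trusted when the adapter's DNS suffix is lmqtech.local, untrusted otherwise -->
<TrustedDNSDomains>lmqtech.local</TrustedDNSDomains>
<!-- on a trusted network: tear the tunnel down -->
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<!-- on an untrusted network: start the tunnel, but the user can still cancel
     and keep using the network, which is why Francesco says this is not
     enough if all traffic must be denied while disconnected -->
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
</AutomaticVPNPolicy>
```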

Thank you for the response, and it does work as you suggested; however, it still allows users to browse the internet if they choose not to authenticate.

So, in this case, if you want to deny any traffic while not connected, you must use always on.

So what happens when you're on a trusted network and go to an untrusted one? And the reverse? Do you see something happening with the AnyConnect client? Have you exported a DART troubleshooting file?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

When I am on a trusted network it works fine and says "on a trusted network". When I move to an untrusted network it says a VPN connection is required and tries to connect. When it connects it says "AnyConnect cannot confirm that you are connecting to a trusted gateway, the local network may not be trustworthy." In the DART file I found the following:

But as far as I can tell everything in the certificate appears to be as it should be.


Description : Function: COpenSSLCertificate::VerifyKeyUsage
File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp
Line: 1848
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate
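The DART line above comes from AnyConnect's key usage check on the certificate chain it was handed. The script below is an added example, not something from the thread or from Cisco: it pulls the leaf certificate a gateway presents and reports whether it carries an X509v3 Key Usage extension and an Extended Key Usage that includes serverAuth, which is what a gateway certificate should have. Because the real FQDN was omitted in the thread, the host name vpn.example.com is a placeholder, and the two self-signed certificates the script generates for its own demo are constructed test material; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the thread): check a gateway certificate for the
# X509v3 Key Usage / Extended Key Usage extensions that AnyConnect's
# VerifyKeyUsage step looks for. Needs only the openssl CLI.
set -eu

# Fetch the leaf certificate a gateway presents over TLS and save it as PEM.
# The host name is a placeholder; the real FQDN was omitted in the thread.
fetch_server_cert() {   # $1 = host:port, $2 = output PEM file
    host=${1%%:*}
    openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Print the Key Usage and Extended Key Usage lines of a PEM certificate
# (each header plus the line listing the usages); prints nothing if absent.
cert_key_usage() {      # $1 = PEM file
    openssl x509 -in "$1" -noout -text \
        | grep -A1 -E 'X509v3 (Extended )?Key Usage' || true
}

# Return 0 when the certificate has a Key Usage extension and an EKU that
# includes serverAuth, 1 otherwise. A certificate failing this is one
# AnyConnect would report as CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND.
check_server_cert() {   # $1 = PEM file
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage' || return 1
    printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' || return 1
    return 0
}

# Constructed test material: two self-signed certs written into $1,
# good.pem with KU/EKU and bad.pem without any key usage extensions.
make_test_certs() {     # $1 = directory
    for name in good bad; do
        {
            printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
            printf '[dn]\nCN = vpn.example.com\n[ext]\nbasicConstraints = CA:FALSE\n'
            if [ "$name" = good ]; then
                printf 'keyUsage = digitalSignature, keyEncipherment\n'
                printf 'extendedKeyUsage = serverAuth\n'
            fi
        } > "$1/$name.cnf"
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
            -config "$1/$name.cnf" \
            -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null
    done
}

# Demo on the constructed certificates: ./check_ku.sh --demo
# For a live gateway: fetch_server_cert vpn.example.com:443 live.pem; check_server_cert live.pem
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_test_certs "$dir"
    for f in good bad; do
        if check_server_cert "$dir/$f.pem"; then
            echo "$f.pem: Key Usage and serverAuth EKU present"
        else
            echo "$f.pem: key usage missing; AnyConnect would report VERIFY_KEYUSAGE_NOT_FOUND"
        fi
        cert_key_usage "$dir/$f.pem"
    done
fi
```

Run it against the chain the ASA actually serves (the leaf plus any intermediate the ASA is configured to send), not against the file downloaded from the CA portal, since a missing intermediate or a wrongly bound trustpoint changes what the client sees. Note also that the CertificateMatch element in the posted profile only filters which client certificate AnyConnect offers for authentication; it does not validate the gateway's certificate, so the CN pattern "Go Daddy Secure" there has no bearing on the check that produced the DART error.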

Can you PM me the url of your VPN so I can check the certificate that is showing?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

sent, thanks

Ok the certificate looks good.
When you are on an untrusted network, how do you resolve your FQDN? Is it resolving to the correct public IP?
If you connect directly to your untrusted network (let's say your phone, tethered), does it get connected?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

All resolves fine. If I run a debug, it just shows connecting and then disconnecting.

I’m not sure I’m getting you.
If you connect directly on an untrusted network, like your phone, is it working or not?
If you disable always on features, is it working?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

If I connect to an untrusted network it tries to connect but fails, producing the error "AnyConnect is unable to verify that it is connected to your secure gateway". If I watch the connection from the ASA I see it connect and then disconnect. If I disable always on, it works fine.

Can you run a debug webvpn and debug webvpn anyconnect? And then share the output please. Put the output in a text file that you will attach to the post.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Nothing shows, although if I look in ASDM I do see SSL connection attempts which just disconnect. Nothing for "debug webvpn" or "debug webvpn anyconnect", though.
