08-20-2020 01:37 PM
I am configuring Always On VPN with TND on a Cisco ASA 5508. The client downloads the profile correctly and correctly recognises when it is on a trusted network; however, when we move to an untrusted network I get the error
"anyconnect cannot confirm it is connect to your secure gateway. The local network may not be trustworthy. Please try another network."
We have a valid cert from GoDaddy on the ASA.
08-20-2020 03:34 PM
08-20-2020 05:01 PM
Sure, here you go.
We want the client to connect every time you are not on a trusted network. If they do not connect, they have no internet access.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>true</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>30</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>true
<TrustedDNSDomains>lmqtech.local</TrustedDNSDomains>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<AlwaysOn>true
<ConnectFailurePolicy>Closed
<AllowCaptivePortalRemediation>false
<CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
</AllowCaptivePortalRemediation>
<ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
</ConnectFailurePolicy>
<AllowVPNDisconnect>false</AllowVPNDisconnect>
</AlwaysOn>
</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateMatch>
<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
<Name>CN</Name>
<Pattern>Go Daddy Secure</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>vpn.<omited>..com</HostName>
<HostAddress>vpn.<omited>.com</HostAddress>
<UserGroup>ANYCONNECT</UserGroup>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>false</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
08-20-2020 06:01 PM
08-21-2020 06:10 AM
Thank you for the response, and it does work as you suggested; however, it still allows users to browse the internet if they choose not to authenticate.
08-22-2020 08:30 PM
08-23-2020 06:32 AM
When I am on a trusted network it works fine and says "on a trusted network". When I move to an untrusted network it says a VPN connection is required and tries to connect; when it connects it says "Anyconnect cannot confirm that you are connecting to a trusted gateway, the local network may not be trustworthy." In the DART file I found the following:
Description : Function: COpenSSLCertificate::VerifyKeyUsage
File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp
Line: 1848
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate
But as far as I can tell everything in the certificate appears to be as it should be.
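The VerifyKeyUsage failure in that DART output points at the certificate the ASA presents rather than at the TND settings. The following is an added example, not code from this thread, Cisco or AnyConnect: an offline Go check that reports whether a certificate carries a Key Usage extension and a serverAuth Extended Key Usage. It assumes those are the extensions the client's check looks for (the log only says no Key Usages were found) and builds its own throwaway test certificates with a placeholder name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// checkGatewayCert lists why a gateway identity certificate would trip a
// key-usage check like the VerifyKeyUsage failure in the DART log above.
// Assumption: the client wants a Key Usage extension and an EKU with serverAuth.
func checkGatewayCert(cert *x509.Certificate) []string {
	var problems []string
	if cert.KeyUsage == 0 {
		problems = append(problems, "no Key Usage extension present")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			serverAuth = true
		}
	}
	if !serverAuth {
		problems = append(problems, "Extended Key Usage lacks serverAuth")
	}
	return problems
}

// makeTestCert builds a self-signed certificate with only the requested
// usages. Constructed test data; "vpn.example.invalid" is a placeholder.
func makeTestCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,  // 0 => no Key Usage extension is emitted
		ExtKeyUsage:  eku, // nil => no Extended Key Usage extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // cannot happen for this fixed template
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Run the same check against the real chain by loading the PEM the ASA serves with x509.ParseCertificate; an empty result means both extensions are present.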
08-23-2020 05:07 PM
08-23-2020 05:26 PM
sent, thanks
08-23-2020 05:57 PM
08-23-2020 06:11 PM
All resolves fine; if I run a debug it just shows connecting and then disconnecting.
08-23-2020 06:32 PM
08-23-2020 06:41 PM
If I connect to an untrusted network it tries to connect but fails, producing the error "Anyconnect is unable to verify that it is connected to your secure gateway". If I watch the connection from the ASA I see it connect and then disconnect. If I disable Always On it works fine.
08-23-2020 07:04 PM
08-23-2020 07:39 PM
Nothing shows, although if I look in ASDM I do see SSL connection attempts which just disconnect; nothing for "debug webvpn" or "debug webvpn anyconnect" though.