Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10018
Views
0
Helpful
6
Replies

AnyConnect session can't be established on AWS instance

Go to solution
zexinfinite
Level 1
Level 1

‎03-06-2020 07:29 PM

Hi all,

 

I've established AnyConnect service on Cisco ASAv in my lab, and I can establish SSLVPN connection from my mobile phone and the VM with CentOS7.

 

But I would like to establish SSLVPN connection from AWS instance with CentOS7, but it can not establish connection with below message.

 

I also try to check log on ASAv, and it display session has been terminated from client.

 

I also try to change parameter from "LocalUsersOnly" into "AllowRemoteUsers", but it still not working.

 

May I know does anyone has been experienced this issue and solved it?

 

 

===================================

[centos@AWS Instance ~]$ /opt/cisco/anyconnect/bin/vpn connect vpn.test.com
Cisco AnyConnect Secure Mobility Client (version 4.8.02045) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc. All Rights Reserved.


>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (vpn.test.com) for login information...
>> notice: Contacting vpn.test.com.
AnyConnect cannot verify server: vpn.test.com
- Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

Always trust this server and import the certificate? [y/n]: n

>> Please enter your username and password.

Username: [vpntest]
Password:
>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
The AnyConnect Downloader updates have been completed.
Please wait while the VPN connection is established...
>> state: Connecting
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Initiating connection...
>> state: Disconnecting
>> state: Disconnected
>> notice: Disconnect in progress, please wait...
>> error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
>> notice: Ready to connect.
VPN>

[centos@AWS Instance ~]$

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP

‎03-07-2020 12:07 AM

error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.

 

By default, only local users may connect via any connect client. You need to edit the anyconnect client profile. Please change the LinuxVPNEstablishment parameter to "AllowRemoteUsers" instead of "LocalUsersOnly.

anyconnect_linux.PNG

please do not forget to rate.

View solution in original post

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to zexinfinite

‎03-09-2020 11:27 PM

Hi,

 

   Based on this message "Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway", try the following:

      - ensure the ASA's certificate is trusted by your AWS instance

      - as AWS may have some restrictions (like use only more secure algorithms), try to configure the following, and if it connects, look in the " show vpn-sessiondb" on the ASA for which ciphers have been used, and afterwards change the commands to use only specific ciphers:

 

ssl server-version any

ssl client-version any

ssl encryption (and here put most secure algorithms to being with, least secure at the end)

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Sheraz.Salim
VIP
VIP

‎03-07-2020 12:07 AM

error: VPN establishment capability for a remote user is disabled. A VPN connection will not be established.

 

By default, only local users may connect via any connect client. You need to edit the anyconnect client profile. Please change the LinuxVPNEstablishment parameter to "AllowRemoteUsers" instead of "LocalUsersOnly.

anyconnect_linux.PNG

please do not forget to rate.
0 Helpful

Go to solution
zexinfinite
Level 1
Level 1
In response to Sheraz.Salim

‎03-08-2020 01:36 AM

Thank you!

 

I try to create client profile and apply to group policy, but it will occur error message then terminate the session.

May I know where can I check why this client terminate connection?

 

>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator.
>> notice: Connection attempt has failed.
>> error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
>> state: Disconnected

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to zexinfinite

‎03-09-2020 11:27 PM

Hi,

 

   Based on this message "Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway", try the following:

      - ensure the ASA's certificate is trusted by your AWS instance

      - as AWS may have some restrictions (like use only more secure algorithms), try to configure the following, and if it connects, look in the " show vpn-sessiondb" on the ASA for which ciphers have been used, and afterwards change the commands to use only specific ciphers:

 

ssl server-version any

ssl client-version any

ssl encryption (and here put most secure algorithms to being with, least secure at the end)

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
zexinfinite
Level 1
Level 1
In response to Cristian Matei

‎03-19-2020 02:56 AM

Hi  Cristian,

 

Thank you for your support!  I've fixed this issue after I import certificate from ASA to AWS, and I also adjust client profile to allow remote user, thank you!

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to zexinfinite

‎03-19-2020 04:58 AM

Glad it helped.

0 Helpful

Go to solution
00uqlppniqR1iMPpY5d6
Level 1
Level 1
In response to Cristian Matei

‎05-14-2021 01:16 AM

I have the same issue except the vpn server I want to connect to only provides only a username and password.

Can the ASA certificate only be provided by the vpn server side ? (Because I do not have access to the vpn server side)

And how is this certificate added to the aws instance ?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card