07-16-2021 10:09 AM
Specifications-
Hardware: ASA5525
Software: ASA9.14(1)30
Anyconnect Client: 4.10.00093
Desktop: Windows 10
I have an ASA5525 firewall that I am trying to configure to allow remote VPN using IPSec (ikev2) for a friend of mine. I have not done any configuration of firewalls for many years so I am a bit rusty.
I have an issue where I cannot VPN into the ASA firewall remotely from the Internet. I can go to the web interface, login with local credentials, and download the latest Anyconnect client for windows. However, when I try to VPN using the Anyconnect client with those same local credentials, I get past the initial login password prompt but receive the following error: “Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.”
I’ve searched the web and checked the posted fixes I’ve found but the problem persists (see list of potential fixes below) so I presume that I am missing something in the configuration for VPN and/or IPSec. If anyone out there can help, I would appreciate it. My config file is shown below.
07-16-2021 12:25 PM
Does the client computer trust the certificate? You can export from the ASA and import to the client. Make sure you've specified the correct FQDN.
You say you are connecting using ikev2, I assume you've configured the anyconnect profile on the client computer to select IPSec, correct?
07-16-2021 02:29 PM - edited 07-16-2021 02:30 PM
Thanks for the info. The client does not block connections to untrusted servers and the client is configured for IPSec.
07-16-2021 02:07 PM
Your tunnel-group configuration is incorrect. You are referencing IKEv1 and not IKEv2:
tunnel-group VPNPROFILE ipsec-attributes
ikev1 trust-point SELF_TRUSTPOINT
Your SSL configuration does not reference the outside interface. ssl trust-point SELF-TRUSTPOINT outside
And a side note, your twice NAT / no NAT configuration is not correct. All your NAT statements reference the INSIDE1 interface; the other two should reference INSIDE2 and INSIDE3 respectively.
** I accidentally clicked on "I have this problem too"... which I do not.
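As an added example (not code from the thread or from Cisco), here is a small Python lint that scans an ASA running-config for the three mistakes called out in the reply above: an ikev1 trust-point under the tunnel-group's ipsec-attributes, an ssl trust-point not bound to the outside interface, and every twice-NAT rule pointing at the same real interface. The config excerpt is constructed for the example and only reuses the thread's names (VPNPROFILE, SELF_TRUSTPOINT, INSIDE1); the NAT check is a heuristic, not an ASA rule.

```python
import re

# Constructed ASA config excerpt (not the poster's real config) that reproduces
# the three findings discussed in the thread.
SAMPLE_CONFIG = """\
nat (INSIDE1,OUTSIDE) source static NET1 NET1 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (INSIDE1,OUTSIDE) source static NET2 NET2 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (INSIDE1,OUTSIDE) source static NET3 NET3 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
ssl trust-point SELF_TRUSTPOINT
tunnel-group VPNPROFILE type remote-access
tunnel-group VPNPROFILE ipsec-attributes
 ikev1 trust-point SELF_TRUSTPOINT
"""


def lint_asa_ikev2_config(config: str) -> list[str]:
    """Return human-readable findings for an IKEv2 AnyConnect remote-access setup."""
    findings = []
    lines = config.splitlines()

    # 1. Indented lines belong to the last unindented section header. An
    #    'ikev1 ...' line under '... ipsec-attributes' means the tunnel-group
    #    is still configured for IKEv1 while the client is set to IKEv2.
    section = None
    for line in lines:
        if not line.startswith(" "):
            section = line.strip()
        elif section and section.endswith("ipsec-attributes") and line.strip().startswith("ikev1 "):
            findings.append(f"{section}: '{line.strip()}' references IKEv1, not IKEv2")

    # 2. 'ssl trust-point <tp>' with no interface does not bind the cert to the
    #    interface the clients actually hit; expect '... <tp> outside'.
    for line in lines:
        m = re.match(r"ssl trust-point (\S+)(\s+(\S+))?$", line)
        if m and not m.group(3):
            findings.append(f"'{line}' is not bound to an interface; use 'ssl trust-point {m.group(1)} outside'")

    # 3. Heuristic: several twice-NAT rules that all name the same real
    #    interface are usually a copy-paste error (INSIDE1 three times instead
    #    of INSIDE1/INSIDE2/INSIDE3).
    nat_ifaces = [re.match(r"nat \(([^,]+),", l).group(1) for l in lines if l.startswith("nat (")]
    if len(nat_ifaces) > 1 and len(set(nat_ifaces)) == 1:
        findings.append(f"all {len(nat_ifaces)} twice-NAT rules reference {nat_ifaces[0]}; check the real interface on each rule")

    return findings


if __name__ == "__main__":
    for finding in lint_asa_ikev2_config(SAMPLE_CONFIG):
        print("-", finding)
```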
07-16-2021 02:28 PM - edited 07-16-2021 02:35 PM
Thanks for those. I was changing from ikev1 to ikev2 and missed those. I'll give those a try and report back.
As for the twice NAT, that's what I get when I cut and paste statements.
07-20-2021 10:20 AM
I changed everything you suggested and still receive the same error message of "Anyconnect was unable to establish a connection to the specified secure gateway." (Connection attempt has failed.)
07-20-2021 10:40 AM
Did you also add the ssl trust-point configuration?
Could you post an up-to-date full configuration of the ASA (remove any public IPs, usernames and passwords) and also the output of show disk0 or dir, whichever you prefer.
07-21-2021 05:14 AM - edited 07-21-2021 05:17 AM
07-22-2021 01:11 PM - edited 07-22-2021 01:12 PM
Is this a lab setup or a production environment?
Looks as though your tunnel-group configuration is not correct:
tunnel-group VPNPROFILE webvpn-attributes
group-alias VPNPROFILE enable
tunnel-group VPNPROFILE ipsec-attributes
ikev2 local-authentication certificate SELF_TRUSTPOINT
Remove the ipsec-attributes and under webvpn-attributes add authentication certificate.
08-08-2021 05:08 AM - edited 08-13-2021 05:28 AM
This is a lab setup. I will finish the config and then put it into production.
I tried everything you suggested and then started getting the same error I had at the beginning of this thread: "AnyConnect was not able to establish a connection to the specified secure gateway." However, I found the source of that problem, which was in the client profile. If you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config. You can see this if you go to ASDM (see attached image).
Since this was the original question in this thread I'll mark this as my answer. Thanks for everyone's assistance in troubleshooting this.
04-13-2022 03:09 AM
Hello, where is the server list in the picture in ASDM?