Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21267
Views
5
Helpful
10
Replies

ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

Go to solution
dreyerpj
Level 1
Level 1

‎07-16-2021 10:09 AM

Specifications-

Hardware:                           ASA5525

Software:                            ASA9.14(1)30

Anyconnect Client:              4.10.00093

Desktop:                             Windows 10

 

I have an ASA5525 firewall that I am trying to configure to allow remote VPN using IPSec (ikev2) for a friend of mine.  I have not done any configuration of firewalls for many years so I am a bit rusty.

 

I have an issue where I cannot VPN into the ASA firewall remotely from the Internet.  I can go to the web interface, login with local credentials, and download the latest Anyconnect client for windows. However, when I try to VPN using the Anyconnect client with those same local credentials, I get past the initial login password prompt but receive the following error: “Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.”

 

I’ve searched the web and checked the posted fixes I’ve found but the problem persists (see list of potential fixes below) so I presume that I am missing something in the configuration for VPN and/or IPSec.  If anyone out there can help, I would appreciate it.  My config file is shown below.

  1. Check LAN Settings on the desktop to make sure the option "Use automatic configure script" is unchecked.
  2. Disable Antivirus and test the VPN
  3. Disable firewall and test the VPN
  4. Stop Internet Connection Service (not running on my system)
  5. Disable Internet Connection Sharping (never enabled on my system)
  6. Update the appropriate VPN registry item to remove “@oem20.inf,%vpnva_Desc%” in the text.
  7. Tried alternate connections (wifi vs hardwired)
  8. configure the ASA profile (.xml file) to be configured for "AllowRemoteUsers"
4 people had this problem
Preview file
11 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dreyerpj
Level 1
Level 1
In response to Marius Gunnerud

‎08-08-2021 05:08 AM - edited ‎08-13-2021 05:28 AM

This is a lab setup.  I will finish the config and then put it into production.

 

I tried everything you suggested and then started getting the same error I had at the beginning of this thread. "AnyConnect was not able to establish a connection to the specified secure gateway."  However, I found the source of that problem which was in the client profile.  if you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config.  You can see this if you go to ASDM (see attached image).

 

Since this was the original question in this thread I'll mark this as my answer.  Thanks for everyone's assistance in troubleshooting this.

View solution in original post

Preview file
71 KB
0 Helpful
10 Replies 10

Go to solution
Rob Ingram
VIP
VIP

‎07-16-2021 12:25 PM

@dreyerpj 

Does the client computer trust the certificate? You can export from the ASA and import to the client. Make sure you've specified the correct FQDN.

 

You say you are connecting using ikev2, I assume you've configured the anyconnect profile on the client computer to select IPSec, correct?

 

0 Helpful

Go to solution
dreyerpj
Level 1
Level 1
In response to Rob Ingram

‎07-16-2021 02:29 PM - edited ‎07-16-2021 02:30 PM

Thanks for the info. The client does not block connections to untrusted servers and the client is configured for IPSec.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎07-16-2021 02:07 PM

Your tunnel-group configuration is incorrect.  You are referencing IKEv1 and not IKEv2

tunnel-group VPNPROFILE ipsec-attributes
 ikev1 trust-point SELF_TRUSTPOINT

Your SSL configuration does not reference the outside interface.  ssl trust-point SELF-TRUSTPOINT outside

 

And a side note, your twice NAT / no NAT configuration is not correct.  all your NAT statements reference INSIDE1 interface, the other two should reference INSIDE2 and INSIDE3 respectively

 

** I accidentally clicked on I have this problem too...which I do not  

--
Please remember to select a correct answer and rate helpful posts

Go to solution
dreyerpj
Level 1
Level 1
In response to Marius Gunnerud

‎07-16-2021 02:28 PM - edited ‎07-16-2021 02:35 PM

Thanks for those..  I was changing from ikev1 to ikev2 and missed those. I'll give those try and report back.

 

As for the twice nat, that's what I get when I cut and paste statements.  I've fixed those as well.  Thanks,

0 Helpful

Go to solution
dreyerpj
Level 1
Level 1
In response to Marius Gunnerud

‎07-20-2021 10:20 AM

I changed everything you suggested and still receive the same error message of "Anyconnect was unable to establish a connection to the specified secure gateway." (Connection attempt has failed.)

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to dreyerpj

‎07-20-2021 10:40 AM

Did you also add the ssl trust-point configuration?

could you post an up to date full configuration of the ASA (remove any public IPs, usernames and passwords) snd also the output of show disk0 or dir whichever you prefere.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
dreyerpj
Level 1
Level 1
In response to Marius Gunnerud

‎07-21-2021 05:14 AM - edited ‎07-21-2021 05:17 AM

Yes, I did add the ssl trust-point as you suggested.  Thank you for asking.  I've attached my running config as well as the show disk0 output.  Thanks for your help.

Preview file
2 KB
Preview file
11 KB
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to dreyerpj

‎07-22-2021 01:11 PM - edited ‎07-22-2021 01:12 PM

Is this a lab setup or a production environment?

Looks as though your tunnel-group configuration is not correct

tunnel-group VPNPROFILE webvpn-attributes
 group-alias VPNPROFILE enable
tunnel-group VPNPROFILE ipsec-attributes
 ikev2 local-authentication certificate SELF_TRUSTPOINT

remove the ipsec-attributes and under webvpnb-attributes add authentication certificate

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
dreyerpj
Level 1
Level 1
In response to Marius Gunnerud

‎08-08-2021 05:08 AM - edited ‎08-13-2021 05:28 AM

This is a lab setup.  I will finish the config and then put it into production.

 

I tried everything you suggested and then started getting the same error I had at the beginning of this thread. "AnyConnect was not able to establish a connection to the specified secure gateway."  However, I found the source of that problem which was in the client profile.  if you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config.  You can see this if you go to ASDM (see attached image).

 

Since this was the original question in this thread I'll mark this as my answer.  Thanks for everyone's assistance in troubleshooting this.

Preview file
71 KB
0 Helpful

Go to solution
xuhongfei
Level 1
Level 1
In response to dreyerpj

‎04-13-2022 03:09 AM

Hello,Where is the server list in the picture in ASDM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card