cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9318
Views
5
Helpful
10
Replies

ASA5525: Anyconnect was not able to establish a connection to the specified secure gateway.

dreyerpj
Beginner
Beginner

Specifications-

Hardware:                           ASA5525

Software:                            ASA9.14(1)30

Anyconnect Client:              4.10.00093

Desktop:                             Windows 10

 

I have an ASA5525 firewall that I am trying to configure to allow remote VPN using IPSec (ikev2) for a friend of mine.  I have not done any configuration of firewalls for many years so I am a bit rusty.

 

I have an issue where I cannot VPN into the ASA firewall remotely from the Internet.  I can go to the web interface, login with local credentials, and download the latest Anyconnect client for windows. However, when I try to VPN using the Anyconnect client with those same local credentials, I get past the initial login password prompt but receive the following error: “Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.”

 

I’ve searched the web and checked the posted fixes I’ve found but the problem persists (see list of potential fixes below) so I presume that I am missing something in the configuration for VPN and/or IPSec.  If anyone out there can help, I would appreciate it.  My config file is shown below.

  1. Check LAN Settings on the desktop to make sure the option "Use automatic configure script" is unchecked.
  2. Disable Antivirus and test the VPN
  3. Disable firewall and test the VPN
  4. Stop Internet Connection Service (not running on my system)
  5. Disable Internet Connection Sharping (never enabled on my system)
  6. Update the appropriate VPN registry item to remove “@oem20.inf,%vpnva_Desc%” in the text.
  7. Tried alternate connections (wifi vs hardwired)
  8. configure the ASA profile (.xml file) to be configured for "AllowRemoteUsers"
1 Accepted Solution

Accepted Solutions

This is a lab setup.  I will finish the config and then put it into production.

 

I tried everything you suggested and then started getting the same error I had at the beginning of this thread. "AnyConnect was not able to establish a connection to the specified secure gateway."  However, I found the source of that problem which was in the client profile.  if you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config.  You can see this if you go to ASDM (see attached image).

 

Since this was the original question in this thread I'll mark this as my answer.  Thanks for everyone's assistance in troubleshooting this.

View solution in original post

10 Replies 10

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@dreyerpj 

Does the client computer trust the certificate? You can export from the ASA and import to the client. Make sure you've specified the correct FQDN.

 

You say you are connecting using ikev2, I assume you've configured the anyconnect profile on the client computer to select IPSec, correct?

 

Thanks for the info. The client does not block connections to untrusted servers and the client is configured for IPSec.

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

Your tunnel-group configuration is incorrect.  You are referencing IKEv1 and not IKEv2

tunnel-group VPNPROFILE ipsec-attributes
 ikev1 trust-point SELF_TRUSTPOINT

Your SSL configuration does not reference the outside interface.  ssl trust-point SELF-TRUSTPOINT outside

 

And a side note, your twice NAT / no NAT configuration is not correct.  all your NAT statements reference INSIDE1 interface, the other two should reference INSIDE2 and INSIDE3 respectively

 

** I accidentally clicked on I have this problem too...which I do not  

--
Please remember to select a correct answer and rate helpful posts

Thanks for those..  I was changing from ikev1 to ikev2 and missed those. I'll give those try and report back.

 

As for the twice nat, that's what I get when I cut and paste statements.  I've fixed those as well.  Thanks,

I changed everything you suggested and still receive the same error message of "Anyconnect was unable to establish a connection to the specified secure gateway." (Connection attempt has failed.)

Did you also add the ssl trust-point configuration?

could you post an up to date full configuration of the ASA (remove any public IPs, usernames and passwords) snd also the output of show disk0 or dir whichever you prefere.

--
Please remember to select a correct answer and rate helpful posts

Yes, I did add the ssl trust-point as you suggested.  Thank you for asking.  I've attached my running config as well as the show disk0 output.  Thanks for your help.

Is this a lab setup or a production environment?

Looks as though your tunnel-group configuration is not correct

tunnel-group VPNPROFILE webvpn-attributes
 group-alias VPNPROFILE enable
tunnel-group VPNPROFILE ipsec-attributes
 ikev2 local-authentication certificate SELF_TRUSTPOINT

remove the ipsec-attributes and under webvpnb-attributes add authentication certificate

--
Please remember to select a correct answer and rate helpful posts

This is a lab setup.  I will finish the config and then put it into production.

 

I tried everything you suggested and then started getting the same error I had at the beginning of this thread. "AnyConnect was not able to establish a connection to the specified secure gateway."  However, I found the source of that problem which was in the client profile.  if you are doing IPSec you have to uncheck the "ASA gateway" check box in the server list section of the client config.  You can see this if you go to ASDM (see attached image).

 

Since this was the original question in this thread I'll mark this as my answer.  Thanks for everyone's assistance in troubleshooting this.

Hello,Where is the server list in the picture in ASDM

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: