Cisco ASA 5520 SSL client VPN errors

Adam Hudson
Level 1

We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510; I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.

I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.

I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.

Attached is a sanitized version of my config. Any help is appreciated.

Hi Adam,

I do not see any SSL profile:

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
tunnel-group VPN5 type remote-access
tunnel-group VPN5 general-attributes
 address-pool VPN5Pool
 default-group-policy VPN5GrpPolicy
 dhcp-server 11.2.1.38

Which profile do you need to set up for AnyConnect?

The AnyConnect client seems to be properly enabled.

webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 svc enable

Thanks.

Portu.

Message was edited by: Javier Portuguez

VPN5 needs to be set up. What needs to be configured?

Adam Hudson
Level 1

Running through the debug logs of AnyConnect on the droid I see lines like "Line: 934 No profile available for host ", which further confuses me because I have both usernames for this profile and an AnyConnect Client Profile. Initial Google results are talking about working with alternative OSs like Ubuntu and Linux distros. I'm working off Android and would be working off Windows XP if I could get to the login page.

Adam,

Please do the following:

webvpn
     tunnel-group-list enable
!
tunnel-group VPN5 webvpn-attributes
     group-alias vpn5 enable
!

When you try to connect, you should see a dropdown menu with the "vpn5" name.

Let me know.

Thanks.
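
A small offline check for the pieces discussed so far in this thread, added here as an example (it is not from any poster or from Cisco): for each remote-access tunnel-group it reports an `address-pool` with no matching `ip local pool`, a missing `group-alias`, and a missing `tunnel-group-list enable`. It assumes running-config style text where sub-commands are indented; the sample config, its pool range and the "Staff" group are constructed.

```python
import re

# Constructed sample; the pool range and the "Staff" group are made up.
SAMPLE = """\
ip local pool VPN5Pool 192.0.2.10-192.0.2.50 mask 255.255.255.0
webvpn
 enable outside
tunnel-group VPN5 type remote-access
tunnel-group VPN5 general-attributes
 address-pool VPN5Pool
tunnel-group Staff type remote-access
tunnel-group Staff general-attributes
 address-pool StaffPool
tunnel-group Staff webvpn-attributes
 group-alias staff enable
"""

TG = re.compile(r"tunnel-group (\S+) (type remote-access|general-attributes|webvpn-attributes)$")

def audit(config):
    """Return sorted (tunnel_group, problem) pairs for remote-access groups."""
    defined, groups, list_enabled, section = set(), {}, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # top-level command (or "!"/blank) ends the section
            section = ("", "webvpn") if line == "webvpn" else None
            if line.startswith("ip local pool "):
                defined.add(line.split()[3])
            m = TG.match(line)
            if m:
                g = groups.setdefault(m[1], {"ra": False, "pools": [], "alias": False})
                g["ra"] = g["ra"] or m[2] == "type remote-access"
                section = (m[1], m[2])
        elif section == ("", "webvpn"):
            list_enabled = list_enabled or line == "tunnel-group-list enable"
        elif section and section[1] == "general-attributes" and line.startswith("address-pool "):
            # An optional "(interface)" token may precede the pool names.
            groups[section[0]]["pools"] += [t for t in line.split()[1:] if not t.startswith("(")]
        elif section and section[1] == "webvpn-attributes" and re.match(r"group-alias \S+ enable$", line):
            groups[section[0]]["alias"] = True
    out = []
    for name, g in groups.items():
        if g["ra"]:
            out += [(name, f"address-pool {p} has no 'ip local pool'") for p in g["pools"] if p not in defined]
            if not g["alias"]:
                out.append((name, "no enabled group-alias"))
            if not list_enabled:
                out.append((name, "tunnel-group-list not enabled under webvpn"))
    return sorted(out)
```

Calling `audit()` on the text of a saved config returns an empty list when none of the three conditions is found.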

Javier, I added these lines. I still cannot get to the outside interface web page. Also, now when I try to get in through my Android, AnyConnect comes back with "could not connect to the server" instead of a "login invalid" error.

Going over the AnyConnect logs in Android I'm still getting a "no profile host available for "

Googled around more, results still mostly show people working Linux, CentOS, etc. A few of those people talk about problems with a proxy setting which I don't believe I have. Others just needed to update the client and I'm at the latest version.

Any help is appreciated. I normally don't use the wizard as I'm a fan of the command line but for a task like setting up a VPN connection I thought this would be easier, it worked fairly smoothly last time. This time...not so much. Currently researching how to manually program the VPN in...

I would try to re-create a self-signed certificate and re-enable SSL on the outside. You should at least get the home SSL VPN web page. Can you attach the txt and not a zip so I can take a look from my iPhone?

Sent from Cisco Technical Support iPhone App

I attached the file as .txt, the forum page zips the file up. I see no way of turning off this option.

I can try to recreate a self signed certificate, I don't exactly know what you mean by re-enabling ssl.

Thanks for your response.

I see the txt again :S

Sent from Cisco Technical Support iPhone App

I meant zip. I see the zip

Sent from Cisco Technical Support iPhone App

See above comment. Reading up on how to generate a certificate.

Under webvpn

enable outside

That is how you enable it.

Here are the steps to config the vpn

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Sent from Cisco Technical Support iPhone App

After watching a few YouTube videos on the SSL AnyConnect VPN, it doesn't look like I've done anything wrong or unusual.

I've added a self-signed certificate. I still don't get anything when I go to my outside interface IP. When I try to log in through my Android I get a drop-down for VPN5, select it, try to enter either of my users set up for VPN5, and logins fail. I enter a username set up for the defaultgrppolicy and it connects me right in even though that policy doesn't contain any VPN5 references.

Somehow the default VPN group is blocking or confusing the device, stopping it from using my VPN5 group.

Confused to say the least.
