09-29-2022 02:04 AM
Hello everybody,
Our customer has an FMC 6.6.5 with two Firepower1120 running 6.6.5 in an HA cluster.
Many AnyConnect users (and me) are using a certain URL-alias in their AnyConnect client
and the customer wants to disable this URL-alias.
When I go to Devices / VPN / RemoteAccess and open the only entry I see the
DefaultWEBVPNGroup connection profile they are using. I click on the pencil
but under "Aliases" the "Alias URLs" is empty (see attached)!
When I go to the Firepower1120 CLI and enter the command:
> show running-config | include <alias_name>
I get the following back:
crypto ca trustpoint <alias_name>
keypair <alias_name>
crypto ca trustpoint <alias_name>-1
keypair <alias_name>
crypto ca certificate chain <alias_name>
crypto ca certificate chain <alias_name>-1
group-url https://<alias_name>/duo enable
I know that not much can be configured on the CLI.
How can I disable the URL-alias for the AnyConnect users?
Thanks a lot for every hint!
Greetings,
R.
09-29-2022 05:56 AM - edited 09-29-2022 05:57 AM
Interesting! Would you mind sharing the sanitized output of the command "sho run tunnel-group" for review, please? From the FTD CLI you can type "system support diagnostic-cli"; this will take you to the "ASA" CLI. In there, type enable and hit enter without typing any password, and then finally run the command "show run tunnel-group".
09-29-2022 07:03 AM
Hi Aref,
thanks for your reply!
Here comes the requested output (with deleted public IP address and deleted URL-alias):
firewall-01# show run tunnel-group
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool pool-anyconnect-user
authentication-server-group DUO
default-group-policy gp-ac-user
tunnel-group <public_IP-addr> type ipsec-l2l
tunnel-group <public_IP-addr> general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group <public_IP-addr> ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group duo type remote-access
tunnel-group duo general-attributes
address-pool pool-anyconnect-user
authentication-server-group DUO
default-group-policy gp-ac-user
tunnel-group duo webvpn-attributes
group-url https://<alias_name>/duo enable
tunnel-group AnyConnectAzureSAML type remote-access
tunnel-group AnyConnectAzureSAML general-attributes
address-pool pool-anyconnect-user
authentication-server-group Knowis-AD
default-group-policy gp-ac-user
Hope this will shed light on the situation.
Thanks a lot!
Bye
R.
09-29-2022 07:40 AM
You should see all these tunnel groups in the "Connection Profile" tab on FMC. The screenshot you shared before was only showing the "DefaultWEBVPNGroup" settings; however, the CLI output you shared definitely shows that there are other tunnel groups configured on the device. If you go to FMC Devices > VPN > Remote Access and select your VPN policy, you should see the other tunnel groups listed in the "Connection Profile" tab. From there you can click on the connection profile called "duo" and remove the alias.
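An added example, not part of the thread: a small Python parser that maps each group-url or group-alias line in "show run tunnel-group" output to the tunnel group (connection profile) that owns it, which is the lookup the answer above does by eye. The function names, the hostname vpn.example.com and the IP 203.0.113.10 are assumptions made for illustration; the sample output is constructed from the output posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's output; hostname and IP are placeholders.
SAMPLE = """\
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool pool-anyconnect-user
 authentication-server-group DUO
 default-group-policy gp-ac-user
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group duo type remote-access
tunnel-group duo general-attributes
 address-pool pool-anyconnect-user
 authentication-server-group DUO
tunnel-group duo webvpn-attributes
 group-url https://vpn.example.com/duo enable
tunnel-group AnyConnectAzureSAML type remote-access
"""

# A header line names the tunnel group; every other line belongs to the last header.
HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+(type\s+(\S+)|\S+-attributes)\s*$")
ENTRY = re.compile(r"^(group-url|group-alias)\s+(\S+)\s+(enable|disable)\s*$")

def parse_tunnel_groups(text):
    """Return {group_name: {"type": str|None, "entries": [(kind, value, state)]}}."""
    groups = defaultdict(lambda: {"type": None, "entries": []})
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost in copy/paste
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            if m.group(3):
                groups[current]["type"] = m.group(3)
            else:
                groups[current]  # register the group even without a "type" line
            continue
        m = ENTRY.match(line)
        if m and current:
            groups[current]["entries"].append(m.groups())
    return dict(groups)

def find_owner(groups, needle):
    """Names of tunnel groups whose group-url/group-alias contains `needle`."""
    return sorted(name for name, g in groups.items()
                  if any(needle in value for _, value, _ in g["entries"]))

if __name__ == "__main__":
    print(find_owner(parse_tunnel_groups(SAMPLE), "vpn.example.com"))
```
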