Trying to enable AnyConnect Alias

BoomShakaLak
Level 1

I have an existing AnyConnect connection profile that works and has worked as expected for a long time.  FTD3110 running 7.4.1.1 managed by FMC. 

I am now implementing a tunnel-all policy with the exact same settings as the working policy (except for profile name and a different client policy).  However, when connecting to the VPN when testing we are not presented with a dropdown list to choose the Connection profile we want to connect to (i.e. split-tunnel or tunnel-all).

"Allow Users to select connection profile while logging in" is selected under Access Interfaces, and each profile has an Alias configured and enabled.  Am I missing something else?

1 Accepted Solution

I would check the output of "debug webvpn saml 255" when trying the one that does not authenticate. Also, raise VPN logging level to debug in your platform syslog policy.

10 Replies

@BoomShakaLak if you have the aliases and "Allow Users to select connection profile while logging in" configured then when a user connects to the FQDN it should display the drop-down list to choose which connection profile to select.

If you have no drop-down list at all and AnyConnect/Secure Client just prompts for username/password, that would imply either the aliases are not enabled or "Allow Users to select connection profile while logging in" is not working or not enabled. Or it is a bug.

From the FTD CLI run "show running-config webvpn" and confirm "tunnel-group-list enable" command is present. Also run "show running-config tunnel-group" and confirm the aliases are enabled "group-alias <name> enable" for each connection profile/tunnel group.

@Rob Ingram Thank you for your reply. Tunnel-group-list is enabled and both connection profiles have aliases that are enabled... So not entirely sure why this is not working. I don't suppose it could have something to do with SAML to Azure MFA being used for authentication? I would think that selecting the connection profile would happen before authentication happens.

show running-config webvpn | in tunnel-group-list
tunnel-group-list enable

show run tunnel-group | in alias
group-alias vpn.company.com enable
group-alias tunnel-all_vpn.company.com enable

Are you using SAML for both profiles? If so, are you using the same or different SAML IDPs?

Yes we are using SAML for both profiles.  Currently it is the same SAML IDP.

I wonder if your xml profile is automatically directing you to the existing connection profile / tunnel-group that's being used by the original SAML IDP.

Also, how is the SAML side setup? Normally we have to specify each tunnel-group (tg) explicitly in the SAML metadata.

We have two separate Enterprise Applications configured for each tunnel group (let's call them "split_tunnel" and "tunnel_all").

I have noticed that when I go to test, by going to https://vpn.company.com:<port-number> I have the option to select which profile I want to connect to.  However, the new profile does not allow me to authenticate, in fact nothing happens when I click logon, seems like the page just refreshes.

I have also noticed that the Login, Entra ID, and Logout URLs are exactly the same for both applications in Azure.  I am not entirely sure if that is an issue.  However, the Identifier (Entity ID) and reply URL are different on both.

I remember with the ASA we could go to /<connection_profile_name> and authenticate, but this seems like it is not possible with FTD.

I would check the output of "debug webvpn saml 255" when trying the one that does not authenticate. Also, raise VPN logging level to debug in your platform syslog policy.

debug webvpn saml pointed me in the right direction.  Issue was with the certificate, though I am not sure why.  Re-issued the certificates for all instances and authentication started working.  I have a different issue now, but will post that in a separate topic.  Thanks!

How would the ServerList in the .xml client profile look for two connection profiles? Currently I only have the HostName and HostAddress values configured, as I am not able to access either profile if I add the UserGroup (connection profile).
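An added example, not part of the thread and not Cisco code: a small Python cross-check covering the two things Rob asked to verify (`tunnel-group-list enable` under webvpn, an enabled `group-alias` per tunnel group) together with the ServerList question above. It assumes the standard ASA/FTD `group-alias`/`group-url` syntax and the Secure Client (AnyConnect) profile `ServerList`/`HostEntry` schema; the head-end output, tunnel-group names, aliases, URLs and the profile are constructed sample data. The behaviour it checks: the client appends `UserGroup` to `HostAddress` as a URL path, so a HostEntry that carries a UserGroup only connects when the head-end has a matching, enabled `group-url`; an enabled alias on its own only puts the profile in the drop-down. The sample deliberately leaves the tunnel-all group-url disabled, which produces the kind of mismatch described above (a HostEntry with a UserGroup that cannot connect).

```python
"""Cross-check head-end webvpn/tunnel-group config against a Secure Client ServerList."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample output in the shape of `show running-config webvpn` and
# `show running-config tunnel-group` (hypothetical names; tunnel-all URL disabled).
WEBVPN_CONFIG = """\
webvpn
 enable outside
 tunnel-group-list enable
"""

TUNNEL_GROUP_CONFIG = """\
tunnel-group split-tunnel type remote-access
tunnel-group split-tunnel webvpn-attributes
 group-alias vpn.company.com enable
 group-url https://vpn.company.com/split enable
tunnel-group tunnel-all type remote-access
tunnel-group tunnel-all webvpn-attributes
 group-alias tunnel-all_vpn.company.com enable
 group-url https://vpn.company.com/tunnelall disable
"""

# Constructed client profile: one HostEntry per connection profile.
CLIENT_PROFILE = """\
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Company VPN - Split Tunnel</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <UserGroup>split</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Company VPN - Tunnel All</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <UserGroup>tunnelall</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def dropdown_enabled(webvpn_text):
    """True when `tunnel-group-list enable` is present (portal offers the drop-down)."""
    return re.search(r"^\s*tunnel-group-list enable\s*$", webvpn_text, re.M) is not None


def parse_tunnel_groups(text):
    """Map tunnel-group name -> {'aliases': [...], 'urls': [...]} (enabled entries only)."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^tunnel-group (\S+) webvpn-attributes$", line)
        if m:
            current = groups.setdefault(m.group(1), {"aliases": [], "urls": []})
            continue
        if not line.startswith(" "):
            current = None          # left the webvpn-attributes block
            continue
        m = re.match(r"^\s+group-(alias|url) (\S+) (enable|disable)$", line)
        if current is not None and m and m.group(3) == "enable":
            current["aliases" if m.group(1) == "alias" else "urls"].append(m.group(2))
    return groups


def parse_server_list(profile_xml):
    """Return each HostEntry as a dict of its child elements (namespace stripped)."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    local = lambda tag: tag.rsplit("}", 1)[-1]
    return [{local(c.tag): (c.text or "").strip() for c in el}
            for el in root.iter() if local(el.tag) == "HostEntry"]


def check_profile(webvpn_text, tunnel_group_text, profile_xml):
    """Return findings; an empty list means profile and head-end agree."""
    findings = []
    if not dropdown_enabled(webvpn_text):
        findings.append("webvpn: 'tunnel-group-list enable' missing, no profile drop-down")
    groups = parse_tunnel_groups(tunnel_group_text)
    for name, g in groups.items():
        if not g["aliases"]:
            findings.append(f"tunnel-group {name}: no enabled group-alias, not in drop-down")
    # The client appends UserGroup to HostAddress as a URL path, so every
    # UserGroup needs a matching *enabled* group-url on the head-end.
    url_targets = {(urlparse(u).hostname, urlparse(u).path.strip("/")): name
                   for name, g in groups.items() for u in g["urls"]}
    for entry in parse_server_list(profile_xml):
        ug = entry.get("UserGroup")
        if not ug:
            continue                # bare HostAddress: user picks an alias on the portal
        host = entry.get("HostAddress", "").lower()
        if (host, ug) not in url_targets:
            findings.append(f"HostEntry '{entry.get('HostName')}': UserGroup '{ug}' has no "
                            f"enabled group-url https://{host}/{ug} on the head-end")
    return findings


if __name__ == "__main__":
    for line in check_profile(WEBVPN_CONFIG, TUNNEL_GROUP_CONFIG, CLIENT_PROFILE) or ["OK"]:
        print(line)
```

Run against real output by pasting `show running-config webvpn`, `show running-config tunnel-group` and the deployed .xml into the three constants. A HostEntry with only HostName and HostAddress is reported as fine because the client then lands on the portal and the user picks an alias; a HostEntry with a UserGroup is flagged unless an enabled group-url with that exact path exists.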

Jitendra Kumar
Spotlight

You can create multiple profiles within the RA VPN configuration if you need to provide variable services to different user groups, or if you have various authentication sources. For example, if your organization merges with a different organization that uses different authentication servers, you can create a profile for the new group that uses those authentication servers.

An RA VPN connection profile allows your users to connect to your inside networks when they are on external networks, such as their home network. Create separate profiles to accommodate different authentication methods.

Thanks,
Jitendra