Hi Juan, Maybe you could use something like optimal gateway selection(OGS). OGS is a feature that can be used in order to determine which gateway has the lowest Round Trip Time (RTT) and connect to that gateway. One can use the OGS feature in order to minimize latency for Internet traffic without user intervention. You can have one URL with some backup URL’s for the OGS process. Links for reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116721-technote-ogs-00.html https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html   Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi Pawan, The .pfx can be installed by using ASDM. In order to install it using the CLI you first need to convert the file to be base64, you can do it with OpenSSL and using the following command: openssl base64 -in certificate.pfx -out certificate.p12 Then, you use the following commands on the CLI of the ASA: ASA(config)# crypto ca trustpoint SSL-Trustpoint-PKCS12 ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# exit ASA(config)# crypto ca import SSL-Trustpoint-PKCS12 <base64 format file> Quit   Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer. ... View more

Yes, that is correct.    Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer.     ... View more

Hi Potter Scott, The main porpuse of having DAP’s configured is to permit the connection based on some rules and if none is matched, just send the connections to the default DAP where we set the action to “Terminate”. With this being said, you can set the action to “Continue” for this LUA and set the default DAP to “Terminate”. If the user is not compliant of the LUA’s DAP, the HS will continue to check for a match until it reaches the default, with action terminate. Final result: No personal firewall installed = connection goes to the default DAP with action to terminate, VPN connection will not connect.     Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi niLuxx, There is a limitation on the ASA to do management over ASDM/SSH if the traffic is coming from a VPN and you try to reach an interface which is part of a BVI interface: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307   The workaround is: Use a L3 interface for management-access through a S2S tunnel.   Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi Janiax,   See the following link for reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-hostscan.pdf   The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The HostScan application gathers this information. Posture assessment requires HostScan to be installed on the host.   Licensing for Host Scan These are the AnyConnect licensing requirements for the posture module:   • AnyConnect Apex for basic Host Scan. • AnyConnect Plus is required for ◦Remediation ◦Mobile Device Management   As a summary: Yo need the APEX license.   DAP’s with Hostscan for the O.S check.   The HS package on the flash and subsequently applied under webvpn “hostscan image flash:/<name>.pkg, not the anyconnect but the hostscan.pkg file.  The error seen is basically because there is no proper HS image applied.  The show vpn-sessiondb anyconnect command will only detect the O.S once the VPN is connected but will not filter allow/deny such conn by itself, HS is needed.     Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi Kraven,   I agree with Ben, it may be an issue with the registry keys being kind of corrupted; however, I have never tried deleting/modifying them. It is also possible that this issue is related to bug CSCvb59209. In order to see full details, including the workaround you’ll need to log in with a Cisco account.   Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi,    It could be a NAT/PAT missing, coming from that interface and taking the outside interface as a way out.   It makes sense that the VPN continues to work since the VPN does not need a NAT to work properly, it is always bypassed with a NAT-exemption or just not configuring any NAT on that interface.    If the PAT missing is not the issue, we would need to take a look at the config of the ASA.    Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi Kpruett,   If you meant that you need to modify the tunnel to be route-based; plus, you need to be responder only, the configuration is pretty simple. Static Virtual Tunnel Interface with IPsec: Example https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html For the ISAKMP phase (phase1), you can use the same parameters already configured: crypto isakmp policy 10 encr aes 192 authentication pre-share group 2 crypto isakmp policy 20 encr aes 256 authentication pre-share group 2 crypto isakmp key password12345 address 2.2.2.1 crypto isakmp key password54321 address 3.3.3.1 For the IPSEC phase(phase2) you need to get rid of the crypto map and configure a tunnel interface and an ipsec profile which is placed under the tunnel interface: crypto ipsec profile ipsec_profile set transform-set tunnel-one-trans set pfs group2 responder-only interface Tunnel0  ip address X.X.X.X X.X.X.X  tunnel source X.X.X.X (WAN IP)  tunnel destination 2.2.2.1  tunnel mode ipsec ipv4  tunnel protection ipsec profile ipsec_profile Lastly, regarding the ACL you have on the crypto map(interesting traffic) for the routed-based VPN, it is based on routes which means that you need to either configure a routing protocol (ospf,eigrp) or configure static routes.   Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi, You can enable the debugging for that specific peer only. Commands: IKEv1: debug crypto condition peer X.X.X.X debug crypto ikev1 200 IKEv2: debug crypto condition peer X.X.X.X debug crypto ikev2 platform 100 debug crypto ikev2 protocol 100 Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi, It can be done. Here is the link that explains the steps to configure the dynamic to static IPSEC: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html If you are using ASA version 8.3+, the only thing that changes is the NAT config. For this scenario, twice NAT is needed (because of the overlapping interesting traffic) and NAT-T must be enabled. Twice NAT: https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html Rate if it helps. Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi,   The security appliance uses this value to logically sequence the access lists when aggregating the Network and Web-Type ACLs from multiple DAP records. The security appliance orders the records from highest to lowest priority number, with lowest at the bottom of the table. For instance, a DAP record with a value of 4 has a higher priority than a record with a value of 2. You cannot manually sort them.   When multiple DAP records are selected, the access-lists attributes specified in the Network (Firewall) ACL are aggregated to create a Dynamic Access-List for the DAP Firewall ACL. In the same way, the access-lists attributes specified in the Web-Type (Clientless) ACL are aggregated to create a Dynamic Access-List for the DAP Clientless ACL.   Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more

Hi Matt, This was determined to be an issue with yubikey, not a Cisco problem. In order to fix it, please, do the following: We can disable the "Smartcard Removal Feature" using the smartcard-removal-disconnect command:   group-policy name attributes smartcard-removal-disconnect disable.   Rate if it helps.   Regards, Josue Brenes TAC - VPN Engineer. ... View more