Many thanks for the complete one-stop "all you need to know" about OGS / Kudos!!
Also, very much appreciate the great, on point, extremely useful comments left by @Atri Basu
More details can be found in this rich article created by Atri:
I had this happen to me today. I fluked the fix by going to the Task Manager/Services and I found my Cisco AnyConnect had stopped running. I right clicked, selected Start and away it went. Problem fixed.
Hope it is as easy for you.
Thanks -- out of the 4 examples I found on the internet, this was the only one that actually worked. Seems the Pass is a requirement for ISAKMP, thus needing to create the zone-pair in opposite direction as well.
I am trying to connect a Windows 10 PC to our IPSEC VPN. We have an ASA 5510 on version 7.2. I attempted using the Windows built-in VPN client, and it is unable to connect. The error is "Can't connect to VPN. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
How can I get the Windows 10 PC connected to the VPN, since I am on 7.2, and not 8.2?
I achieved this by using the following OIDs:

How many concurrent sessions does the platform support (i.e. how many sessions is it licensed for)?
OID = 22.214.171.124.126.96.36.199.392.1.1 (crasMaxSessionsSupportable)
Description = The maximum number of remote access sessions that may be supported on this device. If the device imposes no arbitrary limit on the maximum number of sessions, it should return a value of 0.

How many concurrent users does the platform support (i.e. how many users is it licensed for)?
OID = 188.8.131.52.184.108.40.206.392.1.2 (crasMaxUsersSupportable)
Description = The maximum number of remote access users for whom Remote Access sessions may be supported on this device. If the device imposes no arbitrary limit on the maximum number of users, it should return a value of 0.

How many concurrent sessions are there?
OID = 220.127.116.11.18.104.22.168.392.1.1 (crasNumSessions)
Description = The number of currently active sessions. A session is a connection terminating on the managed entity which has been established to provide remote access connectivity to a user. A session is said to be 'active' if it is ready to carry application traffic between the user and the managed entity. A session which is not active is defined to be 'dormant'.

This way you can easily track if your VPN utilization (sessions & users) is trending towards your license limit or HW limit.
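As an added example (not from the post above), a small Python parser that reads the symbolic output of snmpget for the three objects named in the post and computes session utilization against the limit the platform reports, honouring the MIB rule that a limit of 0 means no limit is imposed. The sample output lines are constructed placeholders, not captured from a real ASA.

```python
import re

# Matches the symbolic form net-snmp prints when the MIB is loaded, e.g.
#   CISCO-REMOTE-ACCESS-MONITOR-MIB::crasNumSessions.0 = Gauge32: 612
_LINE = re.compile(r"::(\w+)\.0 = \w+: (\d+)\s*$")

def parse_snmp_output(text):
    """Map MIB object name -> integer value for every parsable line."""
    values = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def session_utilization(values, warn_pct=80):
    """Compare active sessions with the session limit the platform reports.

    Per the MIB descriptions, a limit of 0 means the device imposes no limit,
    so utilization is only computed when the reported limit is non-zero.
    """
    needed = ("crasNumSessions", "crasMaxSessionsSupportable", "crasMaxUsersSupportable")
    missing = [n for n in needed if n not in values]
    if missing:
        raise ValueError("SNMP output is missing: " + ", ".join(missing))
    active = values["crasNumSessions"]
    limit = values["crasMaxSessionsSupportable"]
    report = {
        "active_sessions": active,
        "session_limit": limit or None,            # None = no limit imposed
        "user_limit": values["crasMaxUsersSupportable"] or None,
        "utilization_pct": None,
        "warn": False,
    }
    if limit:
        report["utilization_pct"] = round(100.0 * active / limit, 1)
        report["warn"] = report["utilization_pct"] >= warn_pct
    return report

# Constructed sample of three snmpget results (placeholder values, not a real device).
SAMPLE = """\
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasMaxSessionsSupportable.0 = Gauge32: 750
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasMaxUsersSupportable.0 = Gauge32: 500
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasNumSessions.0 = Gauge32: 612
"""

if __name__ == "__main__":
    print(session_utilization(parse_snmp_output(SAMPLE)))
```

Feed it the output of your own snmpget calls for the three objects and alert on the warn flag; a session_limit of None tells you the platform reported no limit rather than a limit of zero.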
Thank you for your great post.
I can connect with AnyConnect IKEv2 when I follow the procedures.
There is no UserGroup in your sample profile, but is it not a problem that IKEv2 works?
I have read the note in the link below, but I am thinking the UserGroup is only used with a Group-url setting in a configuration.
Or when I use IKEv2, should I always set UserGroup in a profile regardless of which tunnel-group selection is used?
The UserGroup must match the name of the tunnel-group to which the IKEv2 connection falls. If they do not match, the connection often fails and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.
Feature Information:

The Simple Certificate Enrollment Protocol is a protocol designed to make the issuing and revocation of digital certificates as scalable as possible. The idea is that any standard network user should be able to request their digital certificate electronically and with as little intervention from network administrators as possible. For VPN deployments that require certificate authentication using the enterprise CA or any 3rd party CA which supports SCEP, this means the users can now request signed certs from their client machines without having to involve their network administrators. If the user wants to configure the ASA as the CA server itself then SCEP is not what you're looking for, please refer to the following document instead: The Local CA

As of ASA v8.3 there are two methods of SCEP that are supported:
1. The old method, also called legacy SCEP, is what will be discussed in this document.
2. SCEP proxy is the newer method where the ASA proxies the certificate enrollment request on behalf of the client. This process is neater as it doesn't require an extra tunnel group and is also more secure. However the downside is that SCEP proxy only works with AC v3.x. This means that the current AC client version for mobile devices doesn't support SCEP proxy. You'll find more information related to the feature parity between mobile clients and the latest AC client version documented in bug #CSCtj95743 (check the j-comments).

Note: If the user requires certificate enrollment for anything other than mobile devices, always use SCEP proxy over legacy SCEP. Only in cases where it isn't supported due to either ASA or client versions should you configure legacy SCEP, and even then, in case of the former, upgrading the ASA code is the better option.

This document will only cover the configuration of the first method, Legacy SCEP.

Configuration Steps:

When using Legacy SCEP, there are a few things that you have to keep in mind:
1. After the client has received the signed certificate, for the ASA to be able to authenticate the client it should recognise the CA that signed the certificate, so you need to ensure that the ASA has also enrolled with the CA server. The process of enrolling the ASA should be the first step as it establishes two things:
   a. the CA is configured correctly and able to issue certificates via SCEP (if you use URL for the enrollment method)
   b. the ASA is able to communicate with the CA, so if your client isn't able to then it's an issue between the client and the ASA.
2. When the client attempts its first connection it will not have a signed certificate, so there has to be some other way to authenticate the client.
3. During the certificate enrollment process, the ASA plays no role whatsoever. It only serves as the VPN aggregator so that the client can build a tunnel to securely obtain the signed certificate. Once the tunnel has been established, the client has to be able to reach the CA server otherwise it will not be able to enroll.

Step 1: Enroll the ASA

This step is relatively easy and doesn't require anything new. You can find more details on how to enroll the ASA to a 3rd party CA here: Enrolling the Cisco ASA to a CA Using SCEP

Step 2: Configure the tunnel to use for enrollment

As I mentioned before, for the client to be able to get a certificate it should be able to build a secure tunnel with the ASA using some other method of authentication. To do this you need to configure one tunnel-group that will only be used for the very first connection attempt when the client makes a cert request.

Here's a snapshot of the configuration I use to define this tunnel-group, the important lines are marked in bold-italics:

rtpvpnoutbound6(config)# sh run user
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0

rtpvpnoutbound6# sh run group-policy gp_certenroll
group-policy gp_certenroll internal
group-policy gp_certenroll attributes
 wins-server none
 dns-server value <dns-server-ip-address>
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value certenroll
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_certenroll
 default-domain value cisco.com
 webvpn
  anyconnect profiles value pro-sceplegacy type user

rtpvpnoutbound6# sh run access-l acl_certenroll
access-list acl_certenroll remark to allow access to the CA server
access-list acl_certenroll standard permit host <ca-server-ipaddress>

rtpvpnoutbound6# sh run all tun certenroll
tunnel-group certenroll type remote-access
tunnel-group certenroll general-attributes
 address-pool ap_fw-policy
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 default-group-policy gp_certenroll
tunnel-group certenroll webvpn-attributes
 authentication aaa
 group-alias certenroll enable

Here's the client profile that I've used, you can either paste this into a notepad file and then import it into the ASA or you can configure it using the ASDM directly:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateEnrollment>
      <AutomaticSCEPHost>rtpvpnoutbound6.cisco.com/certenroll</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="false">scep_url</CAURL>
      <CertificateImportStore>All</CertificateImportStore>
      <CertificateSCEP>
        <Name_CN>%USER%</Name_CN>
        <KeySize>2048</KeySize>
        <DisplayGetCertButton>true</DisplayGetCertButton>
      </CertificateSCEP>
    </CertificateEnrollment>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>rtpvpnoutbound6.cisco.com</HostName>
      <HostAddress>rtpvpnoutbound6.cisco.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Note: You'll notice that I've not configured a group-url for this tunnel group. This is important because legacy SCEP will not work with the URL, you have to select the tunnel group using its alias.

Step 3: Configure the tunnel that will actually be used by the client for connections using user certificates for authentication

Once the client has received the signed ID certificate it can now connect using cert authentication. But the actual tunnel-group that the client will use to connect has still not been configured. This configuration is very similar to how you configure any other connection-profile (this term is synonymous with tunnel-group and not to be confused with client profile) which uses cert authentication. Here's a snapshot of the configuration I've used for this tunnel:

rtpvpnoutbound6(config)# show run access-l acl_fw-policy
access-list acl_fw-policy standard permit 192.168.1.0 255.255.255.0

rtpvpnoutbound6(config)# show run group-p gp_legacyscep
group-policy gp_legacyscep internal
group-policy gp_legacyscep attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_fw-policy
 default-domain value cisco.com
 webvpn
  anyconnect modules value dart

rtpvpnoutbound6(config)# show run tunnel tg_legacyscep
tunnel-group tg_legacyscep type remote-access
tunnel-group tg_legacyscep general-attributes
 address-pool ap_fw-policy
 default-group-policy gp_legacyscep
tunnel-group tg_legacyscep webvpn-attributes
 authentication certificate
 group-alias legacyscep enable
 group-url https://rtpvpnoutbound6.cisco.com/legacyscep enable

Verification:

As of when going to press, the only situation in which one should use legacy SCEP is when using mobile devices, so this section only deals with mobile clients. When you attempt to connect the first time, just put in the ASA's hostname or IP address and then select "certenroll" or whatever group alias you configured in step 2. Here you'll be prompted for a username and password and you'll have the "get certificate" button. Once you hit this button, if you check your client logs, you should see the following:

[06-22-12 11:23:45:121] <Information> - Contacting https://rtpvpnoutbound6.cisco.com.
[06-22-12 11:23:45:324] <Warning> - No valid certificates available for authentication.
[06-22-12 11:23:51:767] <Information> - Establishing VPN session...
[06-22-12 11:23:51:879] <Information> - Establishing VPN session...
[06-22-12 11:23:51:884] <Information> - Establishing VPN - Initiating connection...
[06-22-12 11:23:52:066] <Information> - Establishing VPN - Examining system...
[06-22-12 11:23:52:069] <Information> - Establishing VPN - Activating VPN adapter...
[06-22-12 11:23:52:594] <Information> - Establishing VPN - Configuring system...
[06-22-12 11:23:52:627] <Information> - Establishing VPN...
[06-22-12 11:23:52:734] <Information> - VPN session established to https://rtpvpnoutbound6.cisco.com.
[06-22-12 11:23:52:764] <Information> - Certificate Enrollment - Initiating, Please Wait.
[06-22-12 11:23:52:771] <Information> - Certificate Enrollment - Request forwarded.
[06-22-12 11:23:55:642] <Information> - Certificate Enrollment - Storing Certificate.
[06-22-12 11:24:02:756] <Error> - Certificate Enrollment - Certificate successfully imported. Please manually associate the certificate with your profile and reconnect.

Even though the last message says "error", it's in fact only to inform the user that this step is necessary for that client to be used for the next connection attempt, which will be to the second connection profile configured in step 3.
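As an added consistency check (not part of the original post), a Python function that reads the CertificateEnrollment block of an AnyConnect profile together with the enrollment tunnel-group's webvpn-attributes and reports the mismatches the post warns about: the alias named in AutomaticSCEPHost must be enabled as a group-alias, the first connection must authenticate with aaa, and the enrollment group must not carry a group-url. The hostnames and CAURL in the sample inputs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # default namespace of the profile

def check_legacy_scep(profile_xml, cfg):
    """Return findings; an empty list means profile and tunnel-group agree."""
    findings = []
    root = ET.fromstring(profile_xml)
    enroll = root.find("ac:ClientInitialization/ac:CertificateEnrollment", NS)
    if enroll is None:
        return ["profile has no CertificateEnrollment block"]
    scep_host = enroll.findtext("ac:AutomaticSCEPHost", default="", namespaces=NS).strip()
    if "/" not in scep_host:
        return ["AutomaticSCEPHost must be <asa-host>/<group-alias>"]
    asa_host, alias = scep_host.split("/", 1)
    if not enroll.findtext("ac:CAURL", default="", namespaces=NS).strip():
        findings.append("CAURL is empty")
    hosts = {e.text.strip() for e in root.findall("ac:ServerList/ac:HostEntry/ac:HostName", NS) if e.text}
    if asa_host not in hosts:
        findings.append(f"{asa_host} is not in the profile ServerList")
    # Tunnel-group side: alias enabled, aaa for the first (certificate-less) connection,
    # and no group-url, since the enrollment group has to be selected by alias.
    if not re.search(rf"^\s*group-alias {re.escape(alias)} enable\s*$", cfg, re.M):
        findings.append(f"group-alias {alias} is not enabled on the tunnel-group")
    if not re.search(r"^\s*authentication aaa\s*$", cfg, re.M):
        findings.append("enrollment tunnel-group must use 'authentication aaa'")
    if re.search(r"^\s*group-url ", cfg, re.M):
        findings.append("enrollment tunnel-group has a group-url; legacy SCEP needs alias selection")
    return findings

# Constructed sample inputs (not the page's own profile/config; hosts are placeholders).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateEnrollment>
      <AutomaticSCEPHost>vpn.example.test/certenroll</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="false">http://ca.example.test/scep</CAURL>
      <CertificateSCEP><Name_CN>%USER%</Name_CN><KeySize>2048</KeySize></CertificateSCEP>
    </CertificateEnrollment>
  </ClientInitialization>
  <ServerList><HostEntry><HostName>vpn.example.test</HostName></HostEntry></ServerList>
</AnyConnectProfile>"""
GOOD_TG = """tunnel-group certenroll webvpn-attributes
 authentication aaa
 group-alias certenroll enable"""
BAD_TG = GOOD_TG + "\n group-url https://vpn.example.test/certenroll enable"

if __name__ == "__main__":
    print(check_legacy_scep(SAMPLE_PROFILE, GOOD_TG), check_legacy_scep(SAMPLE_PROFILE, BAD_TG))
```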
To configure On Demand or other additional mobile settings for Anyconnect clients from the ASA, one can use the profile editor to configure the settings by following the steps enumerated below:

However, if you are unable to find this option "Addition mobile-only settings" don't get too worried. Most likely what's happened is the version of the Anyconnect package installed on the ASA is 2.5.x. While this is understandable since the iphone or ipad AC client version is also only 2.5.x, unfortunately this is also the reason behind you not being able to see the above option. This option was only integrated into the profile editor for AC 3.x packages. So if you were to install a 3.x Anyconnect package on your ASA, everything would work just fine.

Do I need to update clients on all devices then?

Now, you might be wondering, so does that mean I have to upgrade all my existing non-mobile clients to this version?? NOPE. The ASA only requires that a 3.x package be installed on the ASA, not that it be in use by a client. So you can continue to use your existing client version, just add the 3.x client at the bottom of the list by tweaking the order number in the command:

anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg <order_no>

As long as this order number is greater than the other versions installed on the ASA, this version should never be used. You can do the same thing in ASDM by moving the packages up and down in the window shown below:

And voila... you now have the functionality of the 3.x profile editor without having to update your client versions. On a side note, it is definitely a good idea to consider moving to the 3.x code version.

Where do I download the Anyconnect client v3.x from?

You can get the 3.x client from Cisco.com, however, unlike the 2.x clients, the 3.x client isn't called Anyconnect VPN client, instead it is called Anyconnect Secure Mobility Client:
Sorry for the delay in getting back to you guys, but I just came across this post. As of IOS XE 3.10, using a GRE Tunnel as a join interface is not supported on ASR1000. The join interface must be a POS interface, GigE interface, GigE sub-interface, Port-channel interface, or Port-channel sub-interface. While you may be able to configure a GRE tunnel interface as the join interface and have it work successfully, it is not an officially supported configuration. This is due to the fact that we need to be able to detect all conditions where an OTV router loses connectivity to the other OTV routers via the join interface. We can do this for the interface types listed but not for the logical interfaces (including Loopbacks, GRE tunnels, etc). You can however configure GetVPN on the physical join interfaces to provide the encryption,