07-31-2018 05:31 AM - edited 02-21-2020 09:25 PM
Hello,
We've got an ASA5525-X, v 9.8.2-33, and AnyConnect v 4.6.01103. Authentication is with cert, SBL is working, and AnyConnect is connecting to "vpn.company.com/anyconnect", so everything's fine.
Now I want a test PC to connect to a test ASA with an external address "vpntest.company.com/anyconnect".
So on the test ASA I created an AnyConnect profile with the external address in the Server List.
I exported the xml file and copied it to the PC under ./Profile/. Then I restarted the PC, but the PC always connects to the productive ASA (vpn.company.com/anyconnect). If I try to enter the other address manually, I can't connect because of the cert in the machine store.
Question: doesn't the client read the address from the xml file? If I check the file, everything is fine.
Any idea where to search?
content of profile.xml:
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>IgnoreProxy</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="false">true</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="false">false</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">true
      <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
      <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
    </EnableScripting>
    <CertificateMatch>
      <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpntest.company.com/anyconnect</HostName>
      <HostAddress>vpntest.company.com</HostAddress>
      <UserGroup>anyconnect</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
07-31-2018 08:09 AM
07-31-2018 10:15 PM
Hello Paul,
- DNS resolves different addresses, the test and prod ASAs are completely separated
- no, only one active profile (I changed the other xml files to .old or so) and I don't want a drop-down for the users, they shouldn't have to enter anything.
- no, no always-on activated
best regards
Karl
08-03-2018 06:40 AM
You may have to delete the preferences.xml and preferences_global.xml, quit the client and try again.
preferences.xml is located under C:\Users\<PCusername>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
preferences_global.xml is located under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
The preferences file saves some settings from the last gateway it connected to. Once deleted, it should be recreated when you connect successfully to the test ASA.
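The cleanup described in the answer above can be scripted so that only preferences files remembering a gateway outside the deployed profile's ServerList are moved aside. This is an added example, not part of the original thread or Cisco's tooling. It assumes the profile sits at the `Profile\profile.xml` path shown in the parameter and that the preferences files keep the last gateway in a `<DefaultHostName>` element.

```powershell
# Added example. Run elevated, with the AnyConnect client closed.
# Use -WhatIf to see what would be renamed without touching anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: location and name of the profile copied to the PC.
    [string]$ProfilePath = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml'
)

$clientDir = 'Cisco\Cisco AnyConnect Secure Mobility Client'

# Gateways the profile allows: HostName and HostAddress of every HostEntry.
[xml]$profileXml = Get-Content -LiteralPath $ProfilePath -Raw
$expected = @(
    $profileXml.AnyConnectProfile.ServerList.HostEntry |
        ForEach-Object { $_.HostName; $_.HostAddress } |
        Where-Object { $_ }
)
Write-Verbose "Profile ServerList: $($expected -join ', ')"

# Per-user preferences.xml plus the machine-wide preferences_global.xml
# (the two locations given in the answer above).
$prefFiles = @(Get-ChildItem -Path "C:\Users\*\AppData\Local\$clientDir\preferences.xml" `
                   -Force -ErrorAction SilentlyContinue) +
             @(Get-Item -LiteralPath "C:\ProgramData\$clientDir\preferences_global.xml" `
                   -Force -ErrorAction SilentlyContinue)

foreach ($file in $prefFiles) {
    [xml]$prefs = Get-Content -LiteralPath $file.FullName -Raw

    # Assumption: the last gateway is stored in <DefaultHostName>.
    $remembered = $prefs.AnyConnectPreferences.DefaultHostName

    # -notin compares case-insensitively, which suits host names.
    if ($remembered -and $remembered -notin $expected) {
        Write-Warning "$($file.FullName) remembers '$remembered', which is not in the profile ServerList"

        # Rename instead of deleting so the old state can be inspected or restored.
        $newName = '{0}.{1}.old' -f $file.Name, (Get-Date -Format 'yyyyMMddHHmmss')
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
        }
    }
}
```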
08-05-2018 11:46 PM
That was it, thank you very much