
Cisco AnyConnect "Connection attempt has failed"

amsrus
Level 1

Hello all.

I have one problem. I was trying Cisco ASA 5525 multiple context mode with an APEX licence for Cisco AnyConnect.

More details about my AnyConnect scheme: I'm using Cisco ISE 2.3 for AnyConnect Posture, and I do authorization against ISE. It works fine with the Cisco ASA in single mode, but when I tried to connect to the ASA in multiple context mode I got the error "Connection attempt has failed".

I know that there is some trouble between ASA multiple context mode and VPN, but I'm using the 9.6.4 microcode version:

 

New Features added in ASA 9.6(2)

Feature Description
Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available.

AnyConnect client profiles supported in multi-context devices

AnyConnect client profiles are supported in multi-context devices. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode

Stateful failover is now supported for AnyConnect connections in multiple context mode.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

You can now configure DAP per context in multiple context mode.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

You can now configure CoA per context in multiple context mode.

Remote Access VPN localization is supported in multiple context mode

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

Packet capture storage per context is supported.

The purpose of this feature is to allow the user to copy a capture directly from a context to the external storage or to the context private storage on flash. This feature also enables copying the raw capture to external packet capture tools such as Wireshark from within a context.

 

The AnyConnect configuration on my ASA 5525 is below:

 

ip local pool VPN_POOL 192.168.29.10-192.168.29.254 mask 255.255.255.0

crypto ca trustpoint ASDM_TrustPoint0
 keypair ASDM_TrustPoint0 (certificate is)

ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl trust-point ASDM_TrustPoint0 outside

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.129.251 192.168.129.252
 default-domain value xxx.xx
group-policy GroupPolicy_VPN-ISE internal
group-policy GroupPolicy_VPN-ISE attributes
 wins-server none
 dns-server value 192.168.129.251 192.168.129.252
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value xxx.xx
 split-dns value 192.168.129.251 192.168.129.252
dynamic-access-policy-record DfltAccessPolicy
tunnel-group VPN-ISE type remote-access
tunnel-group VPN-ISE general-attributes
 address-pool VPN_VPN_POOL
 authentication-server-group ISE
 default-group-policy GroupPolicy_VPN-ISE
tunnel-group VPN-ISE webvpn-attributes
 group-alias VPN-ISE enable
