
Cisco Secure AnyConnect Mobility Client error "invalid host entry. please re-enter"

dharmendra2shah
Level 1

Experts,

We are in the process of replacing the Cisco IPSec (IKEv1) VPN client with the Cisco Secure AnyConnect Mobility Client using SSL technology. We are pre-deploying the VPN client with the vpnconfiguration.xml file to the end users. In this way we control the VPN settings for the users. We have also provided the FQDN (resolvable on the Internet) of our ASA firewall (VPN Concentrator) in the vpnconfiguration.xml file.

When the user tries to connect using the vpnconfiguration.xml file he receives a message “invalid host entry. please re-enter”. Even if we put the IP address of the ASA firewall in the vpnconfiguration.xml file we get the same error message.

However if we manually enter the FQDN in the Cisco Secure Anyconnect Mobility Client.

We are not sure what we are missing.

 

Ds


Marvin Rhoads
Hall of Fame

Did you create the XML file manually or use the AnyConnect Profile editor?

Are you putting it (in place of the underscore) in the "<HostAddress>_______</HostAddress>" field of the XML file?

Marvin,

We are using the profile editor provided in the Cisco ASA firewall.

See the snapshot below of the partial .xml file. Let me know your thoughts.

    <ServerList>
        <HostEntry>
            <HostName>XXX-VPN-Test-Users</HostName>
            <HostAddress>XXX.XX.34.132</HostAddress>
            <UserGroup>XXX-VPN-Test-Users</UserGroup>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

That snapshot looks OK re the host bit.

I do notice it is missing the "<PrimaryProtocol>SSL</PrimaryProtocol>" (or it could say IPsec for an IKEv2 VPN) that I would also expect within the ServerList section. I have 20 profiles on my client (yes 20 - I've worked on lots of client networks remotely) and every one of them has the PrimaryProtocol field populated. Here is a link to the Admin Guide reference on that section.

Marvin,

I am still getting the same error message. What am I missing?

    <ServerList>
        <HostEntry>
            <HostName>XXX-VPN-Test-Users</HostName>
            <HostAddress>XXX.XX.34.132</HostAddress>
            <UserGroup>XXX-VPN-Test-Users</UserGroup>
            <PrimaryProtocol>SSL</PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

 

Ds

Marvin,

I ended up opening a TAC case with Cisco. It appears that I was missing the following RED highlighted portion in the tunnel group configuration:

tunnel-group XXX-VPN-Test-Users webvpn-attributes
 group-alias XXX-VPN-Test-Users enable
 group-url https://XXX.XXX.XXX.XXX.XXX/XXX-VPN-Test-Users enable

 

I thought you would be interested in knowing.

 

Ds

 

Thanks for advising us of the resolution. It's difficult at times to give a good solution when only seeing snippets of the configuration. Your resolution helps show others the important bit here. +5

I can confirm that this solution worked for me as well. I used ASDM. This is how I did it.

  1. In ASDM, go to Configuration > Remote Access VPN.
  2. Expand "Network (Client) Access", then select "AnyConnect Connection Profiles".
  3. Select the connection profile you wish to edit, then click Edit.
  4. Expand "Advanced", then select "SSL VPN".
  5. In the "Group URLs" section, add the URL.
    • The URL needs to be in the following format: https://[VPN hostname or IP address]/[Group Name]
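
The check below is an added example, not code from any poster in this thread or from Cisco. It compares the HostAddress and UserGroup values of each HostEntry in a client profile against the enabled group-url lines in an ASA configuration, using the URL format given in the last reply. The host vpn.example.com, the group name Test-Users, the function names and the exact string comparison are assumptions, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (placeholder host and group, not values from the thread).
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Test-Users</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Test-Users</UserGroup>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""
ASA_BEFORE = "tunnel-group Test-Users webvpn-attributes\n group-alias Test-Users enable\n"
ASA_AFTER = ASA_BEFORE + " group-url https://vpn.example.com/Test-Users enable\n"

def local(tag):
    """Strip an XML namespace prefix such as '{uri}HostEntry'."""
    return tag.rsplit("}", 1)[-1]

def expected_group_urls(profile_xml):
    """Build https://<HostAddress>/<UserGroup> for each HostEntry that sets UserGroup."""
    urls = []
    for entry in ET.fromstring(profile_xml).iter():
        if local(entry.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        if fields.get("HostAddress") and fields.get("UserGroup"):
            urls.append(f"https://{fields['HostAddress']}/{fields['UserGroup']}")
    return urls

def enabled_group_urls(asa_config):
    """Collect group-url values marked 'enable' inside webvpn-attributes blocks."""
    urls, in_webvpn = set(), False
    for line in asa_config.splitlines():
        if not line.startswith(" "):  # a non-indented line starts a new config block
            in_webvpn = bool(re.match(r"tunnel-group \S+ webvpn-attributes", line))
        elif in_webvpn:
            m = re.match(r"\s+group-url (\S+) enable\s*$", line)
            if m:
                urls.add(m.group(1).rstrip("/"))
    return urls

def missing_group_urls(profile_xml, asa_config):
    """Return profile-derived URLs with no matching enabled group-url (exact match)."""
    have = enabled_group_urls(asa_config)
    return [u for u in expected_group_urls(profile_xml) if u.rstrip("/") not in have]
```

Running `missing_group_urls` against an exported profile and the saved running configuration before pre-deployment lists every HostEntry whose group URL is absent from the tunnel group.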

 
