Configuring the Anyconnect XML for Management VPN

FinnW
Level 1

Hi There,

I am wanting to configure the XML for the VPN Management Tunnel in the new version of Anyconnect.

But I am getting this error: Management Connection State: Disconnected (invalid VPN configuration).

I have created the XML VpnMgmtTunProfile.xml and put it in the MgmtTun folder, but I noticed in the whitepaper it talks about potential issues if you have a different automatic VPN policy in the XML.

We don't enforce our users to connect to VPN on launch, so I don't have any auto connect config in the standard XML.

So in the MGMT XML I have put 

<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

Will this conflict with the standard XML, or should it connect and disconnect as normal according to the trusted DNS domains and servers?

Thanks

9 Replies

Rahul Govindan
VIP Alumni

The TND settings for the user tunnel are not mandatory AFAIK, just preferred to be the same. According to the Admin guide:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7.pdf

For a consistent user experience, we recommend that you use identical TND settings in both user and management VPN tunnel profiles.

Your error message seems to be related to split tunneling config not being enabled on the GP connected to the Management tunnel group. Again referencing the same guide:

Disconnected (invalid VPN configuration)—An invalid split tunneling configuration was encountered upon management tunnel establishment.

What does the ASA side config look like for the Management tunnel?


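Added example, not code from the thread or from Cisco: a small Python checker for the two points raised above. It parses a user profile and a management profile, flags a management profile that lacks the AutomaticVpnPolicy / TrustedNetworkPolicy=Disconnect / UntrustedNetworkPolicy=Connect settings FinnW posted, and lists every TND element that differs between the two, which is what the admin guide passage Rahul quoted recommends keeping identical. The profile layout and the sample domain, DNS server and values are assumed and constructed for the example.

```python
import xml.etree.ElementTree as ET

# Profile elements that make up the TND configuration.
TND_FIELDS = ("AutomaticVpnPolicy", "TrustedDNSDomains", "TrustedDNSServers",
              "TrustedNetworkPolicy", "UntrustedNetworkPolicy")

def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]

def tnd_settings(profile_xml):
    """Return {element name: text} for the TND elements found in a profile."""
    found = {}
    for elem in ET.fromstring(profile_xml).iter():
        if _local(elem.tag) in TND_FIELDS:
            # AutomaticVpnPolicy's text is "true" followed by children; strip the tail.
            found[_local(elem.tag)] = (elem.text or "").strip()
    return found

def compare_profiles(user_xml, mgmt_xml):
    """Return findings as strings; an empty list means nothing to report."""
    user, mgmt = tnd_settings(user_xml), tnd_settings(mgmt_xml)
    findings = []
    # The management profile needs TND driving the tunnel (the pair FinnW posted).
    if mgmt.get("AutomaticVpnPolicy", "").lower() != "true":
        findings.append("management profile: AutomaticVpnPolicy is not true")
    if mgmt.get("TrustedNetworkPolicy") != "Disconnect":
        findings.append("management profile: TrustedNetworkPolicy is not Disconnect")
    if mgmt.get("UntrustedNetworkPolicy") != "Connect":
        findings.append("management profile: UntrustedNetworkPolicy is not Connect")
    # Admin-guide recommendation: identical TND settings in both profiles.
    for field in TND_FIELDS:
        if user.get(field) != mgmt.get(field):
            findings.append(f"{field} differs: user={user.get(field)!r} "
                            f"mgmt={mgmt.get(field)!r}")
    return findings

# Constructed samples (not the poster's files): the user profile has no
# automatic VPN policy, as FinnW described; the management profile does.
USER_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization><AutomaticVpnPolicy>false</AutomaticVpnPolicy>
  </ClientInitialization></AnyConnectProfile>"""
MGMT_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization><AutomaticVpnPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedDNSServers>192.0.2.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVpnPolicy></ClientInitialization></AnyConnectProfile>"""
```

Running compare_profiles(USER_PROFILE, MGMT_PROFILE) reports no problem with the management profile itself but lists every TND element that differs from the user profile, which is the situation FinnW described.
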
Hey Rahul,

I got our network engineer to add the custom attribute ManagementTunnelAllAllowed and I'm still getting the invalid error.

What information specifically do you want from the ASA, as I don't have access and would need to ask our network guy to provide it.

Thanks

Tunnel-group and group-policy config on the ASA for management tunnel. 

Hi Rahul,

Did you find any solution for this issue? I have exactly the same issue. I think I did all the config correctly but I get the same error.


Regards,

Laurent

stsargen
Cisco Employee
Cisco Employee

Please post a screenshot of your AnyConnect Custom Attribute Names from ASDM.

Thank you very much for your reply.

Please find attached the screenshot.

stsargen
Cisco Employee
Cisco Employee

The Name should be "true" and the value should be "true".  In your screenshot the Name=Value and the Values = "true/true"

The documentation for this is confusing.

See screenshot.

I have tried with name true and value true but it didn't make a difference. My issue was related to IPv6 not enabled on the client as I described below. But the question is why does management VPN need IPv6 enabled on the client machine to work?


Regards,

Laurent

Ok. It looks like the issue is related to IPv6. IPv6 was disabled on the local Windows 10 machine I was testing on and I could see in the Anyconnect logs (generated from diagnostics) that Anyconnect was complaining about IPv6 not being configured/activated on the client:

[Screenshots attached: two excerpts of the AnyConnect.txt diagnostic log, 2019-05-29]

Sure enough IPv6 was disabled on the Windows 10 machine with a GPO. After we did enable it everything was working and the client was connected. I just want to understand why IPv6 is a requirement for management VPN to work, Cisco any info on that?

I have attached a full config of the setup if someone runs into the same issue :-)

Regards,

Laurent