09-12-2016 03:25 AM
Hello,
I'm trying to set up "Start before logon" with the latest anyconnect mobile security client.
If I'm trying to connect to the vpn (ASA 5512) before logging in on the client I get the following error message:
"Anyconnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."
The connection works fine when I connect after logging into the client.
What I tried to do:
- Issued several self-signed certificates with my server domain, my asa hostname.domain, my external ip on the asa. No luck.
- Tried to change the client profile setting to "connect" for both trusted and untrusted networks (Automatic VPN Policy). No luck.
I ran out of ideas. I'm probably missing something very basic and simple, but what? Thanks in advance!
09-12-2016 07:42 PM
Can you share the webvpn config from the ASA and the XML profile on the client machine?
09-13-2016 12:27 AM
Sure:
webvpn
port 444
enable htp
enable inside
dtls port 444
anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 2
anyconnect profiles vamos_anyconnect_client_profile disk0:/vamos_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
cache
disable
error-recovery disable
And the client profile (vamos_anyconnect_client_profile.xml):
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>ciscoasa (IPsec) IPv4</HostName>
<HostAddress>81.xx.xxx.xxx</HostAddress>
<MobileHostEntryInfo>
<NetworkRoaming>true</NetworkRoaming>
<CertificatePolicy>Auto</CertificatePolicy>
<ConnectOnDemand>false</ConnectOnDemand>
<ActivateOnImport>false</ActivateOnImport>
</MobileHostEntryInfo>
</HostEntry>
</ServerList>
</AnyConnectProfile>
09-13-2016 12:49 AM
Can you also share your tunnel-group and group-policy config?
09-13-2016 01:05 AM
Here is the tunnel-group:
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn_ips
tunnel-group vamos_anyconnect type remote-access
tunnel-group vamos_anyconnect general-attributes
address-pool vpn_ips
default-group-policy GroupPolicy_vamos_anyconnect
tunnel-group vamos_anyconnect webvpn-attributes
group-alias vamos_anyconnect enable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 general-attributes
default-group-policy GroupPolicy_192.168.0.1
tunnel-group 192.168.0.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 192.168.0.100 type ipsec-l2l
tunnel-group 192.168.0.100 general-attributes
default-group-policy GroupPolicy_192.168.0.100
tunnel-group 192.168.0.100 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Unfortunately I don't know how to export the group policy, I configured it with ASDM.
09-13-2016 08:40 AM
sh run group-policy
09-13-2016 08:47 AM
Result of the command: "sh run group-policy"
group-policy DfltGrpPolicy attributes
dns-server value 81.xx.xxx.x 81.xx.xxx.x
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy excludespecified
address-pools value vpn_ips
webvpn
anyconnect firewall-rule client-interface public value global_access
anyconnect firewall-rule client-interface private value global_access
group-policy GroupPolicy_vamos_anyconnect internal
group-policy GroupPolicy_vamos_anyconnect attributes
wins-server value 192.168.2.1
dns-server value 81.xx.xxx.x 81.xx.xxx.x
vpn-simultaneous-logins 10
vpn-session-timeout none
vpn-filter value vpnfilt-ra
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-lock value vamos_anyconnect
split-tunnel-policy tunnelall
default-domain value vamos-xxxxx.de
split-dns value 192.168.2.1
split-tunnel-all-dns enable
vlan none
webvpn
anyconnect modules value vpngina
anyconnect profiles value vamos_anyconnect_client_profile type user
hidden-shares none
file-entry enable
file-browsing enable
group-policy GroupPolicy_192.168.0.1 internal
group-policy GroupPolicy_192.168.0.1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_192.168.0.100 internal
group-policy GroupPolicy_192.168.0.100 attributes
vpn-tunnel-protocol ikev1 ikev2
09-13-2016 07:56 PM
Please upload the DART bundle from the non-working connection attempt.
09-14-2016 12:46 AM
I tried to do that, but the upload to the forum doesn't seem to work (no response for almost 2 hours, file size is less than 6 MB). Is it possible to email the file? Thanks in advance!
09-14-2016 12:57 AM
You can email it to pjain2@cisco.com.
09-14-2016 01:19 AM
The connection fails due to the below error:
Certificate name verification has failed.
Server Name:
81.14.210.186
Common Name(s):
ciscoasa, 192.168.2.45
09-14-2016 03:24 AM
What kind of certificate do I need to create? Identity or CA?
And the subject would be ciscoasa? I just tried to export a certificate which installs fine on my Win 10 machine but gives a "wrong password" error on the Win 7 test client. I'm 100% sure I entered the password correctly.
09-14-2016 05:49 PM
Can you edit the hosts file and put an entry for ciscoasa resolving to 81.14.210.186?
Or you can generate a new self-signed cert on the ASA with CN=81.14.210.186 and import that cert into the client machine's Local Computer trusted root certificate store.
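The failure quoted from the DART bundle is a plain certificate name check: the client dials the HostAddress from the profile (81.14.210.186) and the ASA presents a certificate whose names are "ciscoasa" and "192.168.2.45", so neither the hosts-file remedy nor the CN=IP remedy is optional detail. The following is an added example, not code from Cisco or from this thread. It re-implements the DNS/IP name matching a TLS client performs, reads the HostAddress values out of a trimmed copy of the posted profile, and runs both the certificate as reported and a constructed "fixed" certificate through the check. The certificate dictionaries are constructed by hand in the shape Python's ssl getpeercert() returns; the assumption that an IP literal in the CN counts as a server name mirrors how the DART text lists it, and is noted in the code.

```python
"""Offline name-verification check: AnyConnect profile HostAddress vs. ASA certificate.

Added example, not Cisco code. Certificate data below is constructed from the
names quoted in the DART output; the profile is a trimmed copy of the posted one.
"""
import ipaddress
import xml.etree.ElementTree as ET

PROFILE_NS = "{http://schemas.xmlsoap.org/encoding/}"

# Trimmed copy of the posted profile: only the ServerList matters for this check.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>ciscoasa (IPsec) IPv4</HostName>
      <HostAddress>81.14.210.186</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed: the certificate as the DART bundle describes it (two common names,
# no SAN), in the tuple layout ssl.SSLSocket.getpeercert() uses.
ASA_CERT_AS_REPORTED = {
    "subject": ((("commonName", "ciscoasa"),), (("commonName", "192.168.2.45"),)),
}

# Constructed: the certificate the reply proposes (CN set to the dialled IP), plus
# a matching IP Address SAN, which strict clients require for IP-literal hosts.
ASA_CERT_FIXED = {
    "subject": ((("commonName", "81.14.210.186"),),),
    "subjectAltName": (("IP Address", "81.14.210.186"),),
}


def profile_host_addresses(profile_xml):
    """Every HostAddress the client may dial, taken from the profile's ServerList."""
    root = ET.fromstring(profile_xml)
    return [e.text.strip() for e in root.iter(PROFILE_NS + "HostAddress")]


def cert_names(cert):
    """Split the certificate's names into (dns_names, ip_addresses).

    CNs and DNS SANs are treated as DNS names; IP Address SANs become addresses.
    """
    dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ips = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_name_matches(pattern, host):
    """RFC 6125 style match: case-insensitive; '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    # Wildcard must be an entire label and must not cover a bare suffix like "*.de".
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def cert_matches_host(cert, host):
    """Return (ok, reason) for the server-name check on 'host'.

    Assumption (mirrors the DART text, which lists 192.168.2.45 as a common name):
    an IP literal in the CN counts as a name, as does an IP Address SAN. Strict
    RFC 6125 checking would accept only the IP SAN for an IP-literal host.
    """
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ips:
            return True, "IP SAN %s" % ip
        if host in dns:
            return True, "CN %s literally equals the host" % host
    else:
        for name in dns:
            if dns_name_matches(name, host):
                return True, "name %s covers %s" % (name, host)
    all_names = dns + [str(i) for i in ips]
    return False, "Server Name %s not in certificate names: %s" % (host, ", ".join(all_names))


def check_profile(profile_xml, cert):
    """Map every HostAddress in the profile to its (ok, reason) verdict."""
    return {h: cert_matches_host(cert, h) for h in profile_host_addresses(profile_xml)}


if __name__ == "__main__":
    for label, cert in (("as reported", ASA_CERT_AS_REPORTED), ("fixed", ASA_CERT_FIXED)):
        for host, (ok, why) in check_profile(PROFILE_XML, cert).items():
            print("%-12s %s -> %s (%s)" % (label, host, "OK" if ok else "FAIL", why))
```

Run as-is, the reported certificate fails for 81.14.210.186 and the fixed one passes; dialling "ciscoasa" (the hosts-file remedy) also passes against the reported certificate, because that CN is present. Passing this check is necessary but not sufficient for Start Before Logon: before a user logs on there is no current-user certificate store, so the trust anchor for the self-signed certificate has to sit in the Local Computer store, exactly as the reply says.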
09-15-2016 02:08 AM
Still no luck. I did the following:
1) Created 3 self-signed certificates and imported them successfully.
(cn=81.14.210.186, ciscoas, ciscoasa.vamos-buero.de)
2) Edited the hosts file accordingly.
The web frontend of the SSL VPN service shows up fine after entering the complete URL, so the subdomain should work too.
The strange thing is: the problem only occurs when I'm trying to connect before logging in. It works fine after logging in.
09-15-2016 05:11 AM
How are you importing the self-signed cert on the machine?