Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
45552
Views
5
Helpful
18
Replies

Local network not trustworthy

vamos_fernholz
Level 1
Level 1

‎09-12-2016 03:25 AM

Hello,

I'm trying to set up "Start before logon" with the latest anyconnect mobile security client.

If I'm trying to connect to the vpn (ASA 5512) before logging in on the client I get the following error message:

"Anyconnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

The connection works fine when I connect after logging into the client. 

What I tried to do:

- Issued several self-signed certificates with my server domain, my asa hostname.domain, my external ip on the asa. No luck.

- Tried to change the client profile setting to "connect" for both trusted and untrusted networks (Automatic VPN Policy). No luck.

I ran out of ideas. I'm probably missing something very basic and simple, but what? Thanks in advance!

8 people had this problem
Labels:
0 Helpful
18 Replies 18

pjain2
Cisco Employee
Cisco Employee

‎09-12-2016 07:42 PM

can you share the webvpn config from the ASA and the xml profile on the client machine.

0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-13-2016 12:27 AM

Sure:

webvpn
port 444
enable htp
enable inside
dtls port 444
anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 2
anyconnect profiles vamos_anyconnect_client_profile disk0:/vamos_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
cache
disable
error-recovery disable

And the client profile (vamos_anyconnect_client_profile.xml):

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>ciscoasa (IPsec) IPv4</HostName>
<HostAddress>81.xx.xxx.xxx</HostAddress>
<MobileHostEntryInfo>
<NetworkRoaming>true</NetworkRoaming>
<CertificatePolicy>Auto</CertificatePolicy>
<ConnectOnDemand>false</ConnectOnDemand>
<ActivateOnImport>false</ActivateOnImport>
</MobileHostEntryInfo>
</HostEntry>
</ServerList>
</AnyConnectProfile>

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-13-2016 12:49 AM

can you also share your tunnel-group and group-policy config

0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-13-2016 01:05 AM

Here is the tunnel-group:

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn_ips
tunnel-group vamos_anyconnect type remote-access
tunnel-group vamos_anyconnect general-attributes
address-pool vpn_ips
default-group-policy GroupPolicy_vamos_anyconnect
tunnel-group vamos_anyconnect webvpn-attributes
group-alias vamos_anyconnect enable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 general-attributes
default-group-policy GroupPolicy_192.168.0.1
tunnel-group 192.168.0.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 192.168.0.100 type ipsec-l2l
tunnel-group 192.168.0.100 general-attributes
default-group-policy GroupPolicy_192.168.0.100
tunnel-group 192.168.0.100 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Unfortunately I don't know how to export the group policy, I configured it with ASDM.

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-13-2016 08:40 AM

sh run group-policy

0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-13-2016 08:47 AM

Result of the command: "sh run group-policy"

group-policy DfltGrpPolicy attributes
dns-server value 81.xx.xxx.x 81.xx.xxx.x
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy excludespecified
address-pools value vpn_ips
webvpn
anyconnect firewall-rule client-interface public value global_access
anyconnect firewall-rule client-interface private value global_access
group-policy GroupPolicy_vamos_anyconnect internal
group-policy GroupPolicy_vamos_anyconnect attributes
wins-server value 192.168.2.1
dns-server value 81.xx.xxx.x 81.xx.xxx.x
vpn-simultaneous-logins 10
vpn-session-timeout none
vpn-filter value vpnfilt-ra
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-lock value vamos_anyconnect
split-tunnel-policy tunnelall
default-domain value vamos-xxxxx.de
split-dns value 192.168.2.1
split-tunnel-all-dns enable
vlan none
webvpn
anyconnect modules value vpngina
anyconnect profiles value vamos_anyconnect_client_profile type user
hidden-shares none
file-entry enable
file-browsing enable
group-policy GroupPolicy_192.168.0.1 internal
group-policy GroupPolicy_192.168.0.1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_192.168.0.100 internal
group-policy GroupPolicy_192.168.0.100 attributes
vpn-tunnel-protocol ikev1 ikev2

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-13-2016 07:56 PM

please upload the dart bundle from the non-working connection attempt

0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-14-2016 12:46 AM

I tried to do that, but the upload to the forum doesnt seem to work (no response for almost 2 hours, filesize is less than 6 mb). Is it possible to email the file? Thanks in advance!

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-14-2016 12:57 AM

you can email on pjain2@cisco.com

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-14-2016 01:19 AM

the connection fails due to the below error:

Certificate name verification has failed.

Server Name:
81.14.210.186
Common Name(s):
ciscoasa, 192.168.2.45

  • ASA certificate must be added to Local Computer certificate store (Trusted Root Certification Authorities).
  • Certificate's subject CN must match the DNS resolved name. Editing hosts file is also OK.
0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-14-2016 03:24 AM

What kind of certificate do I need to create? Identity or CA?

And subject would be ciscoasa? I just tried to export a certificate which installs fine on my win 10 machine but gives an "wrong password" error on the win7 test client. I'm 100% sure I entered the passwort correctly.

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-14-2016 05:49 PM

can you edit the hostfile and put an entry for ciscoasa resolving to 81.14.210.186

or you can generate a new self-signed cert on the asa with the cn=81.14.210.186 and import that cert on the client machine's trusted Local Computer certificate root store.

0 Helpful

vamos_fernholz
Level 1
Level 1
In response to pjain2

‎09-15-2016 02:08 AM

Still no luck. I did the following:

1) Created 3 self-signed certificates and imported them succesfully. 

(cn=81.14.210.186, ciscoas, ciscoasa.vamos-buero.de)

2) Edited hostfile accordingly

The web frontend of the ssl vpn service shows up fine after entering the complete url, so the subdomain should work too.

The strange thing is: the problem only occurs when I'm trying to connect before logging in. It works fine after logging in.

0 Helpful

pjain2
Cisco Employee
Cisco Employee
In response to vamos_fernholz

‎09-15-2016 05:11 AM

how are you importing the self-signed cert on the machine?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents