Login problems using anyconnect

traknerud · ‎12-14-2013

I set up a vpn connection using my ASA 5515-x. It's configured to use anyconnect only, and web access just redirects the user to anyconnect client download.

Tested this on my lab computer (using mobile broadband for true external access) and it worked fine.

But now I'm testing with another computer, which is pretty much an identical Win7 laptop. Initial connection worked fine. I could use my browser to access the client download, and once installed it connected automatically. But afer reboot the anyconnect client refused to accept my login credentials. However if I log in using my browser first anyconnect is suddenly happy....?

Any ideas that could explain this behaviour? Is there a config change I need?

Any help is appreciated.

Marcin Latosiewicz · ‎12-15-2013

I'm _guessing_ when you download and install Anyconnect you also download a profile, that profile might be pointing to an incorrect tunnel-group. That's at least a common "bootstrapping" problem.

traknerud · ‎12-15-2013

Thanks for your reply. Checked the tunnel group, and it seems to be correct.

I think it's Certificate related. I'm using self signed certs during the test period, and when accessing with my browser I'm forced to accept that the certificate cannot be verified. No such option pops up using anyconnect. But when I set the option to autoselect certificates the approve/decline box pops up and login works. So I guess the problem is solved.... I'm just not sure exactly why.

But I had to set this option on the client computer. Looking at the profile options for anyconnect on the ASA no such option is available. I can disable auto select cert and let the user choose, but not enable it. In my scenario it should be on by default as I doubt most of my users will figure this out on their own.