Anyconnect 3.0 Always on error

Bel Marsad · ‎05-18-2011

Hi,

I have problem to implementing Always on with Anyconnect V3.0, in fact without enabling always on every things works well (authentication to ASA with machine certificate) but as soon I enable Always on, there is a error message with the client seeing (connection attempt failed. Please try again) (The secure gateway is responding, but Anyconnect could not establish a VPN session, Please retry.) and in client advanced setting under Message History I have error message (No valid certificates available for authentication) . but if I try with browser its work fine

The certificate is valid because if I disable always on I can connect either by client or by browser to VPN.

Could you help me please, I’m trying to resolve this issue from two week and a lot of research time without success.

Thanks in advance

luiz.polli · ‎01-09-2012

Hello Bel Marsad,

I have the same problem, Did you resolve this issue?

tsekela · ‎02-28-2012

We have the same problem. As soon as 'always on' was turned on, all the clients could not connect at one time or another (hit and miss). Quick fix is to delete the XML profile in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile*.xml, then reconnect.

ASA 8.4(2)8

AnyConnect 3.0.4235

Windows 7

We are testing adding a Group Policy to add our ASA public URL to Trusted Sites in IE.

I think we determined, the restrictive nature of Always On was not letting the client get to the internet to validate the SSL cert on the ASA. The client cert is valid, that is not the problem. Make sure it is in Trusted Sites, so it does not have to validate the cert (I think). Though we still may have problems trying to, or needing to, download the CRL from the root server (out on the internet).

Here is the notes on the ASA about Always On:

If "Always ON VPN" is editable, then Untrusted Network Policy must be set to "connect".

"Always on VPN" requires Trusted DNS Domain or Server.

"Always on VPN" requires a valid server certificate configured on the ASA; otherwise, it fails and logs an event indicating the certificate is invalid. Ensure your server certificates can pass strict mode if you configure always-on VPN.

"Always on VPN" requires a host to be defined.

I still have some investigation to do between how 'strict mode' and Trusted Sites interact. I hope this helps somebody.

DEAN WETHERALD · ‎09-19-2012

Any success with this issue?

Thanks

Dean

tsekela · ‎09-19-2012

After a TAC case we ended up upgrading the client to 3.0.07059 and that corrected this issue. I cant validate the technicalities of why it wouldnt work at v .4235, only that .07059 allowed the XML profile to be updated and an entry in the log file now upon connecting about retrieving CRL list.

Good luck.

jintao99 · ‎09-27-2012

Please read this FAQ, it explained what strict certificate checking means when enable Always on.

https://supportforums.cisco.com/docs/DOC-15425

Make sure your CRL is accessible by AnyConnect client from Internet. That's one of the first steps when AC is verifying the ASA's cert. If you are using an internal CA issued cert for your ASA, I'd suggest that you switch to public CAs certs. I'm testing with Entrust trial cert, and it's working fine.