Dear Ethan,

Since this involves ASA 9.0, ASDM 7.0 and latest AnyConnect 3.1, I suggest to open a TAC case to gather further information.

Thanks.

Portu.

Found a workaround, it is a bug which will be sent off to developer

With ASA 9.0 and AnyConnect, you have to enabled SSL on the IKEv2 Profile, it seems that disabling this disables the ability to deliver the Profile, with is enabled on the IKEv2 Profile, the actual profiles get delivered without error.

Previously I only allowed IKEv2 connections and had SSL disable on the profile itself, now in order for the profile to get delivered to the end user, it must also be enabled.

Hi Javier,

Has there been any update on this as I'm seeing a similar issue with failure to perform required client update checks? I'm running Cisco Adaptive Security Appliance Software Version 9.5(1)52 with Anyconnect Version 4.1.02011

I'm also seeing the following in the ASA log file.

%ASA-6-113012: AAA user authentication Successful : local database : user = danj
%ASA-6-113003: AAA group policy for user danj is being set to LAB_AnyConnect_Policy
%ASA-6-113011: AAA retrieved user specific group policy (LAB_AnyConnect_Policy) for user = danj
%ASA-6-113009: AAA retrieved default group policy (LAB_AnyConnect_Policy) for user = danj
%ASA-6-113008: AAA transaction status ACCEPT : user = danj
%ASA-4-113029: Group <LAB_AnyConnect_Policy> User <danj> IP <77.64.211.105> Session could not be established: session limit of 2 reached.
%ASA-4-113038: Group <LAB_AnyConnect_Policy> User <danj> IP <77.64.211.105> Unable to create AnyConnect parent session.

Thanks

Dan

This is a license limit issue, you're limited with 2 SSL Sessions, I've noticed that if you're logged into the portal itself it still thinks thats one in some scenarios.  I could disconnect all SSL Sessions, then re-attempt.

Hi Ethan,

I rebooted the firewall, now I get the following messages.

On the Client

Failed to perform required client update checks. Contact your system administrator.

12:49:19 PM Establishing VPN session...
12:49:19 PM The AnyConnect Downloader is performing update checks...
12:49:19 PM Checking for profile updates...
12:49:42 PM Connection attempt has failed.

ASA Logs

Nov 19 2015 12:49:19: %ASA-6-113012: AAA user authentication Successful : local database : user = danj
Nov 19 2015 12:49:19: %ASA-6-113003: AAA group policy for user danj is being set to LAB_AnyConnect_Policy
Nov 19 2015 12:49:19: %ASA-6-113011: AAA retrieved user specific group policy (LAB_AnyConnect_Policy) for user = danj
Nov 19 2015 12:49:19: %ASA-6-113009: AAA retrieved default group policy (LAB_AnyConnect_Policy) for user = danj
Nov 19 2015 12:49:19: %ASA-6-113008: AAA transaction status ACCEPT : user = danj
Nov 19 2015 12:49:19: %ASA-6-734001: DAP: User danj, Addr 77.64.211.105, Connection AnyConnect: The following DAP records were selected for this connection: Test
Nov 19 2015 12:49:19: %ASA-6-113039: Group <LAB_AnyConnect_Policy> User <danj> IP <77.64.211.105> AnyConnect parent session started.
Nov 19 2015 12:49:43: %ASA-6-716002: Group <LAB_AnyConnect_Policy> User <danj> IP <77.64.211.105> WebVPN session terminated: User Requested.
Nov 19 2015 12:49:43: %ASA-4-113019: Group = LAB_AnyConnect, Username = danj, IP = 77.64.211.105, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:24s, Bytes xmt: 482, Bytes rcv: 529, Reason: User Requested

Thanks

Dan

Solution:

On ASA removed the following and client can now connect.

webvpn
no anyconnect profiles value <word> type user