Anyconnect client and IKEv2

Hi there ... I've set up remote VPN access with IKEv2 using the AnyConnect client 3.0.8. The issue I have is the following:

I establish a connection to myvpn.mydomain.com ... choose the IKEv2 group and connect, no problem. The profile is downloaded to my laptop. Everything is fine.

My client profile has a server list, configured as follows:

Host name: myvpn-ike

Host Address: myvpn.mydomain.com

When I disconnect after the first time and try to connect again, AnyConnect opens with "myvpn-ike" in the box where I should enter the endpoint to connect to, and here's the problem:

I click connect, it tries, I'm prompted for username and password, and I get the error "login denied, authorized connection mechanism" ... If I try again, but instead of using "myvpn-ike" I re-type "myvpn.mydomain.com", I connect with no problem.

What is wrong in the setting? It tells me login denied, but when I debug on the ASA side I don't see any error related to that. All I see is AAA authentication being successful.

I have also tried setting Host Name to "myvpn.mydomain.com", the same as Host Address .... same thing, it doesn't connect. But if I re-type it, it goes through.

Thanks for any advice

5 Replies

Marvin Rhoads
Hall of Fame

It sounds like there may be something in the profile that's not formed consistently with the ASA settings. Would it be possible to post your profile (.xml file) and the contents of your AnyConnect client's message history (for an unsuccessful and a successful connection)?

See below: a successful connection, a failing one, and the XML profile.

Thanks for the help.

[Wed Jul 04 00:04:01 2012] Contacting portal.domain.com.
[Wed Jul 04 00:04:01 2012] Please enter your username and password.
[Wed Jul 04 00:04:05 2012] Establishing VPN session...
[Wed Jul 04 00:04:06 2012] Checking for profile updates...
[Wed Jul 04 00:04:06 2012] Checking for product updates...
[Wed Jul 04 00:04:06 2012] Checking for customization updates...
[Wed Jul 04 00:04:06 2012] Performing any required updates...
[Wed Jul 04 00:04:06 2012] Establishing VPN session...
[Wed Jul 04 00:04:06 2012] Establishing VPN - Initiating connection...
[Wed Jul 04 00:04:06 2012] Establishing VPN - Examining system...
[Wed Jul 04 00:04:06 2012] Establishing VPN - Activating VPN adapter...
[Wed Jul 04 00:04:06 2012] Establishing VPN - Configuring system...
[Wed Jul 04 00:04:06 2012] Establishing VPN...
[Wed Jul 04 00:04:07 2012] Connected to portal.domain.com.

[Wed Jul 04 00:04:42 2012] Contacting portal-ike.
[Wed Jul 04 00:04:42 2012] Please enter your username and password.
[Wed Jul 04 00:04:48 2012] Login denied, unauthorized connection mechanism, contact your administrator.

_________________________________________-

http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
false
false
false
All
false
Native
true
12
false
true
false
true
true
DisconnectOnSuspend
true
Automatic
SingleLocalLogon
LocalUsersOnly
false
Disable
false
false
20
4
false
portal-ike
portal.domain.com
IPsec
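To compare the two attempts side by side, here is an added helper (not from this thread and not Cisco's code) that splits an AnyConnect message history into attempts and records, per attempt, which host the client contacted, how it ended and how long it took; the sample log is constructed from the lines posted above.

```python
import re
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: the two attempts from the message history above
# (timestamps and hosts copied from the post, not a live capture).
SAMPLE_LOG = """\
[Wed Jul 04 00:04:01 2012] Contacting portal.domain.com.
[Wed Jul 04 00:04:01 2012] Please enter your username and password.
[Wed Jul 04 00:04:05 2012] Establishing VPN session...
[Wed Jul 04 00:04:07 2012] Connected to portal.domain.com.
[Wed Jul 04 00:04:42 2012] Contacting portal-ike.
[Wed Jul 04 00:04:42 2012] Please enter your username and password.
[Wed Jul 04 00:04:48 2012] Login denied, unauthorized connection mechanism, contact your administrator.
"""

# "[Wed Jul 04 00:04:01 2012] message" -> timestamp text and message text
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_lines(text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")


def summarize_attempts(text: str) -> List[Dict]:
    """Group lines into attempts. Each attempt starts at 'Contacting <host>.'
    and ends at 'Connected to ...' or 'Login denied, <reason>, ...';
    anything else stays 'incomplete'."""
    attempts: List[Dict] = []
    cur: Optional[Dict] = None
    for ts, msg in parse_lines(text):
        if msg.startswith("Contacting "):
            cur = {"host": msg[len("Contacting "):].rstrip("."), "start": ts,
                   "outcome": "incomplete", "reason": None, "seconds": 0}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first 'Contacting' belong to no attempt
        elif msg.startswith("Connected to "):
            cur.update(outcome="connected",
                       seconds=int((ts - cur["start"]).total_seconds()))
        elif msg.startswith("Login denied"):
            # the middle comma-separated field is the denial reason
            parts = [p.strip() for p in msg.split(",", 2)]
            cur.update(outcome="denied", reason=parts[1] if len(parts) > 1 else msg,
                       seconds=int((ts - cur["start"]).total_seconds()))
    return attempts
```

Running `summarize_attempts(SAMPLE_LOG)` shows the only variable between the two attempts is the contacted host: the profile name "portal-ike" is denied with "unauthorized connection mechanism", while the typed FQDN connects.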

Strange.

Choosing the HostName portal-ike in the AnyConnect client connection drop-down box should refer your client to portal.domain.com per the profile you posted. That all looks OK to me. The fact that it works when overriding the drop-down box by manually typing in the HostAddress leads me to believe your ASA is set up OK.

You don't have any hosts file entry for portal-ike that points your client somewhere other than portal.domain.com, do you?

I would try seeing what packets are leaving your PC, and to where, using Wireshark during the unsuccessful attempt. (You could similarly do it with a packet capture on the ASA end.)

That's the strangest part. I don't have any hosts file entry. Actually, when I use the drop-down option, I see the request going to the ASA and the ASA processing the login. The ASA actually authenticates the account properly, and right after, it kills the connection with no error in the ASA debug. Only on the client side does it say "wrong mechanism".

When I overwrite the drop-down menu, the first part of the debug shows the same as when it fails, with the difference that instead of dropping, it keeps going and establishes the VPN.

I even tried to set up the host entry as "portal.mydomain.com" ... it also fails ...

It's clear the ASA VPN setting is fine. My certificate is a *.mydomain.com (so I've ruled out cert issues as well).

I'm lost at this point, to the point of grabbing a new ASA and starting from scratch.

Your troubleshooting steps thus far appear sound to me.

It seems you should be able to turn on a debug at the ASA to gather additional information as to why it believes it necessary to terminate your connection when using the portal-ike selection. Have you thought about or tried some of the "debug crypto" commands?

If you have multiple users or peers, first use "debug crypto condition" to keep the output of subsequent debug crypto commands limited to the ones relevant to your username.