10-11-2016 11:50 PM - edited 02-21-2020 09:00 PM
I've been fighting AnyConnect IKEv2 RA-VPN for a few days. I can't get it to work. The client always connect using SSL. If I disable SSL in the Connection Profile the client can't connect at all (it says "login mechanism not allowed" or something like that).
The changed the connection profile to "IPSec", but I get the feeling the client profile is not pushed to the client after the change.
Info about setup:
- I use ASA 9.4(2), on a 5515-x in failover config. AnyConnect client is version 4.3, on Windows.
- VPN is the only module used
- The local database is used atm, while experimenting (will use DAP later on when it's in production)
Is there a way to force an updated client profile to the client? I thought it was downloaded to the client when you try to login. Or is there a way to see the client profile on the client?
Solved! Go to Solution.
10-12-2016 09:16 AM
Hi Erik Ekman,
You can check the profile on the client going to this path:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
The profile should be downloaded or updated when you establish a connection with AnyConnect.
This config guide can help you a lot in case you are missing any step:
https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example
Hope this info helps!!
Rate if helps you!!
-JP-
10-12-2016 09:16 AM
Hi Erik Ekman,
You can check the profile on the client going to this path:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
The profile should be downloaded or updated when you establish a connection with AnyConnect.
This config guide can help you a lot in case you are missing any step:
https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example
Hope this info helps!!
Rate if helps you!!
-JP-
10-18-2016 02:16 PM
Hi Erik,
If this is a pure IKEv2 environment and no SSL is allowed, the VPN profile will not be downloaded upon connection. The VPNdownloader requires SSL access to the ASA to download the profile. I would reccomend that you pre-deploy the client profile to the PC and test.
Steve S.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide