12-02-2016 07:07 AM - edited 02-21-2020 09:04 PM
We've recently migrated our AnyConnect hosting from an ASA to our Cisco 3900e Router. Everything is working beautifully, but I have received a couple of complaints from users based on the AnyConnect client's new behavior.
Namely that when you open up the client it doesn't save the URL of the server that you've connected to before, whereas it would previously.
I certainly did not manually configure the client to do this, but perhaps there's a line of configuration that I missed?
Here is the configuration:
aaa authentication login webvpn-auth group OTP-split local
aaa authorization network webvpn-auth group OTP-split local
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.2.00096-k9.pkg sequence 2
crypto vpn anyconnect flash0:/webvpn/anyconnect-macosx-i386-4.2.00096-k9.pkg sequence 3
crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-64-3.1.14018-k9.pkg sequence 4
ip local pool webvpn-pool 10.194.100.10 10.194.103.254
webvpn gateway Cisco-WebVPN-Gateway
 ip address x.x.x.x port 443
 ssl encryption aes256-sha1
 ssl trustpoint lqdt.com
 inservice
 !
webvpn context Cisco-WebVPN
 title "Liquidity Services WebVPN Gateway"
 login-message "Cisco Secure WebVPN"
 virtual-template 1
 aaa authentication list webvpn-auth
 gateway Cisco-WebVPN-Gateway
 max-users 1000
 !
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   svc address-pool "webvpn-pool" netmask 255.255.252.0
   svc default-domain "lsi.local"
   svc rekey method new-tunnel
   svc split include 10.0.0.0 255.0.0.0
   svc dns-server primary 10.194.50.20
   svc dns-server secondary 10.194.50.21
 default-group-policy webvpnpolicy
!
crypto pki trustpoint VPN_Anyconnect
 enrollment selfsigned
 subject-name cn=x.x.x.x
 revocation-check crl
 rsakeypair sslkeys
If any other configs are needed to analyze the issue, let me know and I'll gladly post them.
Thanks!
Accepted Solutions
12-02-2016 02:47 PM
The partial config that you provide does not indicate that you are using the AnyConnect profile in the implementation on your IOS router. And it is not clear whether you had the AnyConnect profile configured when the AnyConnect was using your ASA. I am going to guess that your ASA did utilize the AnyConnect client profile and that your IOS router does not yet use the AnyConnect profile. That would cause the symptom that you are describing. There is a field in the AnyConnect profile that identifies the VPN head end to which the client will connect. The PCs that had used AnyConnect from the ASA would have this profile and would automatically attempt to connect to the old head end. The user would have to type in the new URL, and the client would connect. But at the next connection attempt the client would attempt to use the previous URL. If you configure the AnyConnect profile on the IOS router with the new URL then the clients should work as you expect.
HTH
Rick
Rick
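An added example, not part of the thread or of either poster's configuration: a short Python check that reads an AnyConnect client profile and lists the head ends in its ServerList, flagging any entry that does not point at the expected gateway. The profile text and the host names `vpn-old.example.com` and `vpn-new.example.com` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# XML namespace declared by AnyConnect client profile files.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile: one entry left over from the old head end and
# one for the new gateway. Host names are placeholders, not from the thread.
SAMPLE_PROFILE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (ASA)</HostName>
      <HostAddress>vpn-old.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN (router)</HostName>
      <HostAddress>vpn-new.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
""".strip()


def head_ends(profile_xml):
    """Return (display name, address) for every ServerList HostEntry."""
    root = ET.fromstring(profile_xml)
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = host.findtext("ac:HostName", default="", namespaces=NS).strip()
        addr = host.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        # HostAddress may be omitted; HostName then doubles as the address.
        entries.append((name, addr or name))
    return entries


def stale_entries(profile_xml, expected):
    """Entries whose address differs from the expected head end."""
    want = expected.strip().lower()
    return [(n, a) for n, a in head_ends(profile_xml) if a.lower() != want]


if __name__ == "__main__":
    for name, addr in stale_entries(SAMPLE_PROFILE, "vpn-new.example.com"):
        print(f"stale head end in profile: {name!r} -> {addr}")
```

Run against the profile XML collected from a client or staged for the router, it shows whether an entry for the old head end is still present.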
