Anyconnect error

Hi, I get the following error when I use AnyConnect:

The cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect.

This happens when I use IPsec with the name, but if I use the IP address it works fine, though it uses SSL.


Marvin Rhoads
Hall of Fame

What version of AnyConnect client are you using?

It sounds like there might be an IPsec (IKEv2) VPN setup on the ASA in addition to the SSL one (or an IPsec IKEv1 VPN for the legacy Cisco VPN client). Older AnyConnect versions (prior to 3.0.0629) do not support IPsec (IKEv2) remote access VPNs (and AnyConnect does not support IPsec (IKEv1) at all).

I use 3.1.04072

OK, so it's probably an older IPsec VPN that's also set up on the ASA. For some reason when you use the FQDN your client hits that and is unable to negotiate an IPsec VPN (as one would expect).

It's hard to say exactly why without seeing the ASA configuration.

What information do you need? Only the AnyConnect configuration?

Thanks...

 

That should do it. The configured setup for remote access VPNs should be adequately discernible from the output of:

show run group-policy

show run tunnel-group

This is the configuration

group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 wins-server value 192.168.162.2
 dns-server value 192.168.162.2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client 
 group-lock value VPN_TEST_ANY
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aumx-commuter-vpn_splitTunnelAcl
 default-domain none
 webvpn
  anyconnect profiles value VPN_TEST_ANY_client_profile type user

 

tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 address-pool vpnpool
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY webvpn-attributes
 group-alias VPN_TEST_ANY enable
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1

You have all possible protocols enabled in your group-policy:

 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client 

But you only need ssl-client if your intention is to use the AnyConnect client for an SSL VPN. So there you need to remove the unnecessary ones.

You also have:

tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1

...which is not necessary for SSL VPN and should be removed (*unless you have a site-site VPN using certificates)
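
An added example, not part of the thread and not Cisco tooling: a small Python audit of pasted `show run group-policy` / `show run tunnel-group` output that reports, per tunnel-group, the tunnel protocols enabled beyond the intended set and any leftover `ikev1 trust-point` line, the two points raised in the reply above. The function names and the `wanted` parameter are assumptions of this example; the sample is constructed from the configuration posted in the thread.

```python
# Constructed sample: a subset of the group-policy / tunnel-group lines posted in this thread.
SAMPLE = """\
group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
"""

def parse_sections(config):
    """Map each top-level line to the list of indented sub-commands under it."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit(config, wanted=frozenset({"ssl-client"})):
    """Return (tunnel_group, group_policy, extra_protocols, has_ikev1_trustpoint) tuples."""
    protocols, policy_of, ikev1_tp = {}, {}, set()
    for header, body in parse_sections(config).items():
        parts = header.split()
        if len(parts) < 3:
            continue
        key, name = (parts[0], parts[-1]), parts[1]
        for cmd in body:
            words = cmd.split()
            if key == ("group-policy", "attributes") and words[0] == "vpn-tunnel-protocol":
                protocols[name] = set(words[1:])
            elif key == ("tunnel-group", "general-attributes") and words[0] == "default-group-policy":
                policy_of[name] = words[1]
            elif key == ("tunnel-group", "ipsec-attributes") and words[:2] == ["ikev1", "trust-point"]:
                ikev1_tp.add(name)
    findings = []
    for tg, gp in sorted(policy_of.items()):
        # A policy with no vpn-tunnel-protocol line inherits the setting; not evaluated here.
        extra = sorted(protocols.get(gp, set()) - set(wanted))
        if extra or tg in ikev1_tp:
            findings.append((tg, gp, extra, tg in ikev1_tp))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Pass `wanted={"ikev2", "ssl-client"}` when AnyConnect over IPsec (IKEv2) is intended alongside SSL; the legacy `ikev1` and `l2tp-ipsec` entries are then still reported.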

But I want to use IPsec; this is the reason I have all the protocols.

AnyConnect only works if I use the IP address.

Hmm.

Does the FQDN you fail to connect with resolve to the IP address? I'm going back to the initial comment you made about "when I use ipsec with the name"

ameallyou2674
Level 1

I have the same issue, any updates on this? Did someone already resolve this issue?

 

 

azimuthcap
Level 1

I was having this same issue. Could not connect with the pre-populated profile but could if I manually typed in the IP address.

Updated AnyConnect on the client PC from 3.1 to 4.8 and it allowed the connection profile to be used. Did not have to change anything on the ASA.