06-04-2014 09:58 AM - edited 02-21-2020 07:40 PM
Hi, I have the following error when I use AnyConnect:
The cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect.
This is when I use IPsec with the name, but if I use the IP address it works fine but uses SSL.
06-04-2014 10:10 AM
What version of AnyConnect client are you using?
It sounds like there might be an IPsec (IKEv2) VPN setup on the ASA in addition to the SSL one (or an IPsec IKEv1 VPN for the legacy Cisco VPN client). Older AnyConnect versions (prior to 3.0.0629) do not support IPsec (IKEv2) remote access VPNs (and AnyConnect does not support IPsec (IKEv1) at all).
06-04-2014 10:10 AM
I use 3.1.04072
06-04-2014 10:13 AM
OK, so it's probably an older IPsec VPN that's also set up on the ASA. For some reason when you use the FQDN your client hits that and is unable to negotiate an IPsec VPN (as one would expect).
It's hard to say exactly why without seeing the ASA configuration.
06-04-2014 10:32 AM
What information do you need? Only the AnyConnect configuration?
Thanks...
06-04-2014 10:36 AM
That should do it. The configured setup for remote access VPNs should be adequately discernible from the output of:
show run group-policy
show run tunnel-group
06-04-2014 11:18 AM
This is the configuration
group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 wins-server value 192.168.162.2
 dns-server value 192.168.162.2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value VPN_TEST_ANY
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aumx-commuter-vpn_splitTunnelAcl
 default-domain none
 webvpn
  anyconnect profiles value VPN_TEST_ANY_client_profile type user
tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 address-pool vpnpool
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY webvpn-attributes
 group-alias VPN_TEST_ANY enable
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
06-04-2014 01:27 PM
You have all possible protocols enabled in your group-policy:
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
But you only need ssl-client if your intention is to use the AnyConnect client for an SSL VPN. So there you need to remove the unnecessary ones.
You also have:
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
...which is not necessary for SSL VPN and should be removed (*unless you have a site-site VPN using certificates)
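An added example, not part of the original posts and not Cisco tooling: a Python check over pasted `show run group-policy` / `show run tunnel-group` output that reports every tunnel protocol enabled beyond the set you intend to offer, which is the condition pointed out in the reply above. The function name, the `intended` parameter and the sample text (constructed from the lines quoted in this thread) are assumptions of the example.

```python
import re

# Constructed sample: running-config lines as quoted in this thread.
SAMPLE_CONFIG = """\
group-policy GroupPolicy_VPN_TEST_ANY internal
group-policy GroupPolicy_VPN_TEST_ANY attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 group-lock value VPN_TEST_ANY
tunnel-group VPN_TEST_ANY type remote-access
tunnel-group VPN_TEST_ANY general-attributes
 default-group-policy GroupPolicy_VPN_TEST_ANY
tunnel-group VPN_TEST_ANY ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
"""

# Section headers: "<group-policy|tunnel-group> <name> <mode>"
HEADER = re.compile(r"^(group-policy|tunnel-group)\s+(\S+)\s+(\S+)")


def audit_tunnel_protocols(config_text, intended):
    """Return (name, location, detail) for protocols outside `intended`."""
    intended = set(intended)
    findings = []
    context = None  # (kind, name, mode) of the section being read
    for raw in config_text.splitlines():
        line = raw.strip()  # accept indented output and flat pasted text
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            context = header.groups()
            continue
        if context is None:
            continue
        kind, name, mode = context
        words = line.split()
        if (kind, mode) == ("group-policy", "attributes") and words[0] == "vpn-tunnel-protocol":
            # Protocols this group-policy offers that were not intended.
            extra = [p for p in words[1:] if p not in intended]
            if extra:
                findings.append((name, "vpn-tunnel-protocol", extra))
        elif (kind, mode) == ("tunnel-group", "ipsec-attributes") and words[0] in ("ikev1", "ikev2"):
            # Leftover IKE settings for a protocol that is not meant to be served.
            if words[0] not in intended:
                findings.append((name, "ipsec-attributes", [line]))
    return findings


if __name__ == "__main__":
    for name, where, detail in audit_tunnel_protocols(SAMPLE_CONFIG, {"ssl-client"}):
        print(f"{name}: {where}: {', '.join(detail)}")
```

Pass the protocols you actually want to serve as `intended`, for example `{"ikev2", "ssl-client"}` when AnyConnect should be able to use both IPsec (IKEv2) and SSL.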
06-04-2014 01:59 PM
But I want to use IPsec; this is the reason I have all the protocols.
AnyConnect only works if I use the IP address.
06-04-2014 02:17 PM
Hmm.
Does the FQDN you fail to connect with resolve to the IP address? I'm going back to the initial comment you made about "when I use ipsec with the name".
09-14-2020 09:12 AM - edited 09-14-2020 09:12 AM
I have the same issue, any updates on this? Did someone already resolve this issue?
05-26-2021 10:42 AM
I was having this same issue. Could not connect with the pre-populated profile but could if I manually type in the IP address.
Updated AnyConnect on the client PC from 3.1 to 4.8 and it allowed the connection profile to be used. Did not have to change anything on the ASA.