Anyconnect Essentials vs Premium - PLEASE HELP!!!!

We have a Cisco ASA 5525-X that has a 750 user AnyConnect Premium license on it.  Currently using it for VPN connectivity.  It works great.  We have a couple of profiles set up.  They connect to the FQDN, log in, it downloads the XML profile, and connects.  Subsequent VPN connects will use the entry saved in AnyConnect.

We are now trying to migrate the VPN services from the ASA 5525-X at one location to another.  The new site has a 750 AnyConnect Essentials license on it.  The new ASA uses the same SSL certs as the current production.  It's on the same versions of code.  It's only the SSL license that is different.

We have imported the configs, changed IP, and have it up and running.  If I disable "anyconnect-essentials" under webvpn, so it uses the default 2 premium licenses, everything simply works.  We set up the local hosts file on my laptop to point vpn.domain.com to my new IP address, hit connect, and it goes.  The trouble is, we have to flip to VPN essentials, because we only have 2 lines of premium.

When we flip to anyconnect-essentials and I try to hit connect, I don't even get a username/password prompt; it just errors out with a message that says "IPsec VPN connection was terminated due to an authentication failure or timeout."  It never actually prompts for username/password.  It just errors.  Yet, if I flip back over to the AnyConnect Premium license (no anyconnect-essentials), it then works without issue.

I am able to connect to the system if I type vpn.domain.com in my connection bar, but once it connects and downloads the saved profile, the profile entry won't allow connection.

Looking at the XML, there is nothing that looks wrong.

I am getting the feeling there is some feature that requires premium still enabled somewhere, which is why it's failing with the XML saved entry.

Thoughts???  We have been trying all sorts of settings and have found no working combo.

4 Replies

And to be clear, we are using the Windows/Mac Secure Mobility Clients on the PCs.


https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#toc-hId--1280920323

It looks like the issue might be related to licensing requirements, specifically needing Cisco Secure Client Plus or Apex licenses for certain features that were previously covered under the AnyConnect Premium license.
Understanding Licensing Differences

AnyConnect Essentials:
Supports basic VPN connectivity.
Limited feature set, mainly focused on providing secure remote access.

AnyConnect Plus:
Includes more advanced features like endpoint posture assessments, network visibility, and VPN load balancing.
Suitable for deployments requiring more than just basic connectivity.

AnyConnect Apex:
Provides the most comprehensive feature set.
Includes features like advanced malware protection, network access manager, and secure mobility.

Migration Steps

To resolve the issue, you will need to ensure that the new ASA is appropriately licensed with either Cisco Secure Client Plus or Apex if your deployment relies on features beyond what Essentials provides.



please do not forget to rate.

Sheraz,

Thank you for the response ...  I guess that is the key here.  What I'm missing is what about my config doesn't work for Essentials.  I am simply trying to do a standard IKEv2 or SSL standard VPN tunnel from the Secure Client on my desktop to the VPN endpoint.  What's happening now is if I connect directly to vpn.domain.com, it works.  But then it populates a profile, and that profile then fails to connect.

I guess I need to understand specifically what about the profile is causing the issue.  Or, more importantly, is it the use of "profiles" that causes it?  Like I said, if I connect directly, it works exactly how I expect it to.

Since the connection works directly but fails when using the profile, it does seem likely that there is something in the profile configuration that is incompatible with AnyConnect.

Create a very basic profile that includes only the essential settings:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoft.org/encoding/AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    </ClientInitialization>
    <!-- ServerList sits beside ClientInitialization, not inside it -->
    <ServerList>
        <HostEntry>
            <HostName>My VPN</HostName>
            <HostAddress>vpn.domain.com</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

Can you also set up the debugs:

debug webvpn anyconnect 255
debug crypto ikev1 255
debug crypto ikev2 255
debug ssl 255

please do not forget to rate.
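One way to see exactly what the downloaded profile carries beyond the minimal one suggested above is to flatten both XML files and diff them, then strip the extra settings one at a time until the profile-based connection behaves like the direct one. This is an added example, not Cisco's tooling or the poster's configuration: both profiles below are constructed samples, and vpn.domain.com is the thread's placeholder hostname.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a saved profile as the client downloads it (not the poster's real one).
FULL_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoft.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList><HostEntry>
    <HostName>Corp VPN</HostName><HostAddress>vpn.domain.com</HostAddress>
    <PrimaryProtocol>IPsec</PrimaryProtocol><UserGroup>CorpUsers</UserGroup>
  </HostEntry></ServerList>
</AnyConnectProfile>"""

# The stripped-down baseline suggested in the thread (constructed; namespace left off on purpose).
MINIMAL_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList><HostEntry><HostName>My VPN</HostName><HostAddress>vpn.domain.com</HostAddress></HostEntry></ServerList>
</AnyConnectProfile>"""

def flatten(xml_text):
    """Map each leaf element to (text, attributes) keyed by a namespace-free path;
    HostEntry nodes are keyed by HostAddress so the same server lines up in both profiles."""
    leaves = {}
    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = ((elem.text or "").strip(), dict(elem.attrib))
            return
        for child in children:
            name = child.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix if present
            if name == "HostEntry":
                name = "HostEntry[%s]" % (child.findtext("{*}HostAddress") or "?")
            walk(child, "%s/%s" % (path, name))
    root = ET.fromstring(xml_text)
    walk(root, root.tag.rsplit("}", 1)[-1])
    return leaves

def profile_diff(full_xml, minimal_xml):
    """Return (extra, changed): settings only in the saved profile, and settings whose
    value or attributes differ from the minimal one; these are what to strip one at a time."""
    full, minimal = flatten(full_xml), flatten(minimal_xml)
    extra = {p: v for p, v in full.items() if p not in minimal}
    changed = {p: (minimal[p], v) for p, v in full.items() if p in minimal and minimal[p] != v}
    return extra, changed
```

Call profile_diff() with the contents of your own downloaded profile as the first argument; each key it returns names one setting to remove and retest.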