anyconnect no assigned address

I posted this a year or two ago but got no hits. Hoping there's finally a solution.

Client logs in with AnyConnect, gets an IP address, successfully connects with no problem. Everything works...

...until the user clicks "Disconnect". If he immediately tries to log in again he gets this error:

"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires reauthentication. The following message was received from the secure gateway: No assigned address."

The amount of time he has to wait until the error goes away and he can log in again is exactly equal to the idle timeout setting in the Group Profile.

Looking on the ASA under Monitoring -> VPN Statistics -> Sessions -> All Remote Access, the session remains there until the idle timeout expires, at which point it goes away and the client is able to log in again.

On the same screen above, if I manually disconnect the client, he's able to log in again immediately.

If I go to the RADIUS server and assign him a different IP address, he's able to log in again and will show up in the above session table with two entries, one for each IP address. This behaviour only seems to happen when a user is handed the same IP address from the RADIUS server, e.g. if he's assigned a static IP, or if he's given the same dynamic IP address.

Tried AnyConnect client versions 3.0.11042, 3.1.13015, and 4.2.01022.

Tried on an ASA5505 with ASA version 8.2.5, also on an ASA5506X with ASA version 9.5.2.

Why doesn't the entry simply go away when he clicks "disconnect"? Is there a way to force it to disconnect in the session table? Very frustrating!

Thanks in advance,

Mike

2 REPLIES

I was running into the same issue and didn't see a solution, so I hope this helps someone else.

With the assumption that you have a single address assigned to the user, edit the group profile and set simultaneous logins to 1. When the user logs back in, it will force the disconnected session out and the new session will be allowed to have the assigned address again.

David
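
The CLI counterpart of the setting suggested above, together with the manual session disconnect described in the question, as an added example that is not part of the thread. The group-policy name GP_EXAMPLE and the username user1 are placeholders, and the `show vpn-sessiondb anyconnect` form assumes ASA 9.x.

```cisco
! Added example. GP_EXAMPLE and user1 are placeholders, not values from the thread.

! Check whether a stale session for the user is still in the session table
! (ASA 9.x syntax, assumed).
show vpn-sessiondb anyconnect filter name user1

! One-off fix: log the stale session off by hand, the CLI equivalent of
! disconnecting it from the ASDM session table.
vpn-sessiondb logoff name user1

! Persistent fix from the answer above: allow one session per user in the
! group policy that the user lands in.
configure terminal
 group-policy GP_EXAMPLE attributes
  vpn-simultaneous-logins 1
 end

! Confirm the setting is in place.
show running-config group-policy GP_EXAMPLE
```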

Hello,

While dealing with this error myself, I find this command useful:

vpn01# show ip local pool POOL_VPN_224
Begin           End             Mask              Free   Held   In use
10.22.11.224    10.22.11.239    255.255.255.240   12     0      4

So what this command tells me is that of the 16 IPs in the pool, 4 are taken and 12 are free.

Use it and check accordingly.
