AnyConnect not working for Mac OS X users

drumrb0y
Level 1

I have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling.

Help - I have no Apple OS experience on this.

Thanks,

Marc

3 Replies

Richard Burts
Hall of Fame

Marc

My first suggestion would be to ask you to confirm that you do have the Mac versions of the client loaded and configured on the ASA.

My second suggestion would be that we might be able to find more about the problem if you post the relevant parts of the ASA config.

HTH

Rick

Thanks for your reply;

Here are the relevant parts of the ASA config:

crypto ipsec transform-set fdoe3desset esp-3des esp-md5-hmac
crypto ipsec transform-set doe-sha esp-3des esp-sha-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set remoteset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map fdoedynmap 65530 set transform-set remoteset
crypto dynamic-map fdoedynmap 65530 set security-association lifetime seconds 7200
crypto map remotemap 65535 ipsec-isakmp dynamic fdoedynmap
crypto map remotemap interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name ------------------
 keypair doesslkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name --------------------
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 3600
** snip **
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
webvpn
 enable outside
 csd image disk0:/csd_3.6.6203-k9.pkg
 csd enable
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 svc image disk0:/anyconnect-linux-3.0.10055-k9.pkg 3
 svc enable
group-policy fdoe_vpn internal
group-policy fdoe_vpn attributes
 wins-server value xx.xx.xx.xx
 dns-server value yy.yy.yy.yy
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value fldoe.int

The user has an AnyConnect client installed on his Apple laptop; I wasn't aware that there was a component that needed to be installed in the ASA for AnyConnect clients to work. Am I confusing AnyConnect with another web SSL VPN application for the ASA 5550?

Marc

Thank you for the additional information. The component that I was looking for was this one

svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2

That part of the config looks fine.

I see that csd is enabled. It would be logical that posture errors would come from this. But I am not familiar enough with csd to give much advice about this. I hope someone else will have advice about this.

HTH

Rick
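
The two checks made by eye in this thread (is a Mac client image loaded on the ASA, and is csd enabled), written as an added Python example that is not part of the original posts. The function name `audit_webvpn` and its `required` platform list are assumptions for illustration, and the sample input is constructed from the webvpn lines posted above.

```python
import re

# Constructed input: the webvpn lines posted in the thread. Forum pastes lose
# indentation, so lines are matched after stripping rather than by stanza depth.
SAMPLE_CONFIG = """\
webvpn
enable outside
csd image disk0:/csd_3.6.6203-k9.pkg
csd enable
svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
svc image disk0:/anyconnect-linux-3.0.10055-k9.pkg 3
svc enable
"""

# Package names look like anyconnect-<platform>[-<arch>]-<version>-k9.pkg
SVC_IMAGE = re.compile(
    r"^svc image \S*anyconnect-(?P<plat>[a-z]+)(?:-\w+)*?-(?P<ver>\d+(?:\.\d+)+)-k9\.pkg")
CSD_IMAGE = re.compile(r"^csd image \S*csd_(?P<ver>\d+(?:\.\d+)+)-k9\.pkg")

def audit_webvpn(config, required=("win", "macosx", "linux")):
    """Summarise client images and posture settings from ASA 8.2-style config text."""
    report = {"images": {}, "csd_version": None, "csd_enabled": False,
              "svc_enabled": False, "findings": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := SVC_IMAGE.match(line):
            report["images"][m["plat"]] = m["ver"]
        elif m := CSD_IMAGE.match(line):
            report["csd_version"] = m["ver"]
        elif line == "csd enable":
            report["csd_enabled"] = True
        elif line == "svc enable":
            report["svc_enabled"] = True
    for plat in required:
        if plat not in report["images"]:
            report["findings"].append(f"no AnyConnect image loaded for {plat}")
    if report["images"] and not report["svc_enabled"]:
        report["findings"].append("client images loaded but 'svc enable' is missing")
    versions = sorted(set(report["images"].values()))
    if len(versions) > 1:
        report["findings"].append("client images are from different releases: " + ", ".join(versions))
    if report["csd_enabled"]:
        report["findings"].append(f"csd enable is set (image {report['csd_version']}): "
                                  "Cisco Secure Desktop posture checks are active")
    return report

if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

The findings are observations about the configuration, not a diagnosis; the thread does not establish which setting causes the posture error.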
