11-02-2012 09:38 AM - edited 02-21-2020 06:27 PM
I have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling.
Help - I have no Apple OS experience on this.
Thanks,
Marc
11-05-2012 10:44 AM
Marc
My first suggestion would be to ask you to confirm that you do have the Mac versions of the client loaded and configured on the ASA.
My second suggestion would be that we might be able to find more about the problem if you post the relevant parts of the ASA config.
HTH
Rick
11-05-2012 11:32 AM
Thanks for your reply;
Here are the relevant parts of the ASA config:
crypto ipsec transform-set fdoe3desset esp-3des esp-md5-hmac
crypto ipsec transform-set doe-sha esp-3des esp-sha-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set remoteset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map fdoedynmap 65530 set transform-set remoteset
crypto dynamic-map fdoedynmap 65530 set security-association lifetime seconds 7200
crypto map remotemap 65535 ipsec-isakmp dynamic fdoedynmap
crypto map remotemap interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name ------------------
 keypair doesslkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name --------------------
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 3600
** snip **
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
webvpn
 enable outside
 csd image disk0:/csd_3.6.6203-k9.pkg
 csd enable
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 svc image disk0:/anyconnect-linux-3.0.10055-k9.pkg 3
 svc enable
group-policy fdoe_vpn internal
group-policy fdoe_vpn attributes
 wins-server value xx.xx.xx.xx
 dns-server value yy.yy.yy.yy
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value fldoe.int
The user has an AnyConnect client installed on his Apple laptop; I wasn't aware that there was a component that needed to be installed in the ASA for AnyConnect clients to work. Am I confusing AnyConnect with another web SSL VPN application for the ASA 5550?
11-05-2012 12:37 PM
Marc
Thank you for the additional information. The component that I was looking for was this one:
svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
That part of the config looks fine.
I see that csd is enabled. It would be logical that posture errors would come from this. But I am not familiar enough with csd to give much advice about this. I hope someone else will have advice about this.
HTH
Rick
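The two checks made in this thread (is a Mac AnyConnect package loaded, and is csd enabled), as an added Python example that is not part of the original posts. The function names and report layout are assumptions, and the sample input is constructed from the webvpn lines posted above.

```python
import re

# Constructed sample: the webvpn lines posted in the thread, re-indented.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 csd image disk0:/csd_3.6.6203-k9.pkg
 csd enable
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 svc image disk0:/anyconnect-linux-3.0.10055-k9.pkg 3
 svc enable
"""

VERSION = r"(\d+(?:\.\d+)+)"
SVC_IMAGE = re.compile(r"svc image \S*?anyconnect-(\S+?)-" + VERSION + r"-k9\.pkg(?:\s+(\d+))?")
CSD_IMAGE = re.compile(r"csd image \S*?csd_" + VERSION + r"-k9\.pkg")

def audit_webvpn(config_text):
    """Collect AnyConnect (svc) and CSD settings from ASA 8.2-style config text."""
    report = {"svc_enabled": False, "csd_enabled": False, "csd_version": None, "clients": {}}
    # Lines are stripped first, so a paste that lost its indentation still parses.
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "svc enable":
            report["svc_enabled"] = True
        elif line == "csd enable":
            report["csd_enabled"] = True
        elif m := CSD_IMAGE.match(line):
            report["csd_version"] = m.group(1)
        elif m := SVC_IMAGE.match(line):
            platform, version, order = m.groups()
            report["clients"][platform] = (version, int(order) if order else None)
    return report

def findings(report, required=("win", "macosx", "linux")):
    """Turn the report into the checks raised in the thread."""
    notes = []
    for family in required:
        if not any(p.startswith(family) for p in report["clients"]):
            notes.append(f"no AnyConnect package loaded for {family}")
    if report["clients"] and not report["svc_enabled"]:
        notes.append("svc images are loaded but 'svc enable' is missing")
    if report["csd_enabled"]:
        notes.append(f"csd is enabled (image {report['csd_version']}): "
                     "review its posture checks for the failing platform")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(audit_webvpn(SAMPLE_CONFIG))))
```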