Anyconnect On ASA using IPSec(IKEv2) With Certificates

dradhika
Cisco Employee

Hi,

I am trying to connect to an ASA device that has a self-signed certificate with IPsec/IKEv2. However, I could not succeed either from IE or from the AnyConnect standalone client.

With debug logs I could only find "AAA/SHIM Invalid Access Protocol".

Below are the configurations on the device. Can someone check if there is some problem in the configuration?

thanks,

Radhika

5 Replies

Shilpa Gupta
Cisco Employee

Hi Radhika,

Please try to remove all the existing AnyConnect profiles on the machine and try to connect again. If we are still not able to connect, then remove "authentication certificate" under the tunnel-group and try to make the connection again.

If we still see the issue, then collect the following logs and paste them here:

debug crypto ikev2 protocol 4
debug crypto ikev2 platform 4
debug aaa shim 4


Thanks,
Shilpa

Hi Radhika,

Also make sure that you are using port 600 for making VPN connection.

Thanks,

Shilpa

Hi Shilpa,

With the above debug commands enabled I could just see "AAA/SHIM: Invalid Access Protocol."

I tried all the combinations you mentioned already. However, it does not work.

A connection can be established, by entering the user credentials, if "AAA Authentication" is removed and "vpn-tunnel-protocol ikev2 ssl-client" is configured under the group-policy. However, "show vpn-sessiondb anyconnect" shows that it is an SSL connection and not an IKEv2 tunnel.

I could not understand why IKEv2 is not getting established.

Thanks,

Radhika.

Hi Radhika,

I tested the ikev2 connection in my lab and I am able to connect successfully.

Could you only enable ikev2 under the group-policy, use local authentication itself, and test if you are able to make an ikev2 connection?

Thanks,

Shilpa

Hi Shilpa,

I found the problem. It's because the "Protocol" in the profile is mentioned as "IPSec" instead of "IPsec".

After changing it I could establish the connection.

However, I can connect after installing AnyConnect from the browser.

With the standalone client it does not seem to connect using IPsec.

Do you have any idea what could be the problem?

Thanks,

Radhika
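As an added example (not code from the thread or from Cisco), the check below lints an AnyConnect client profile XML for the exact, case-sensitive PrimaryProtocol spelling that the last post identifies as the cause of the silent fallback to SSL. The profile contents, host names and addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect client profile (not from the thread). The
# first HostEntry carries "IPSec", the capitalisation that made the client
# fall back to SSL instead of building an IKEv2 tunnel.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>asa-vpn</HostName>
      <HostAddress>vpn.example.test</HostAddress>
      <PrimaryProtocol>IPSec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>asa-ssl</HostName>
      <HostAddress>ssl.example.test</HostAddress>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
VALID_PROTOCOLS = ("SSL", "IPsec")  # exact spellings the client accepts


def check_profile(xml_text):
    """Return (hostname, value, problem) for each HostEntry whose
    PrimaryProtocol is not exactly one of VALID_PROTOCOLS."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall(".//ac:ServerList/ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", default="?", namespaces=NS)
        proto = entry.findtext("ac:PrimaryProtocol", namespaces=NS)
        if proto is None:
            # No element at all: IPsec was never requested for this host.
            findings.append((name, None, "PrimaryProtocol missing"))
            continue
        proto = proto.strip()
        if proto in VALID_PROTOCOLS:
            continue
        # Same letters, wrong case: the situation from the thread.
        match = [p for p in VALID_PROTOCOLS if p.lower() == proto.lower()]
        if match:
            findings.append((name, proto, f"case mismatch: use {match[0]!r}"))
        else:
            findings.append((name, proto, "unknown protocol value"))
    return findings


if __name__ == "__main__":
    for host, value, problem in check_profile(SAMPLE_PROFILE):
        print(f"{host}: PrimaryProtocol={value!r} -> {problem}")
```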