Solved: Re: AnyConnect VPN; Cannot obtain IP address

jsf · ‎08-27-2018

Product: ASA-5508-X / v9.7(1)4

Hello,

After configuring a VPN on the defined product I am receiving the following error message from the AnyConnect client, and I'm stuck as to where to go from here:

AnyConnect was not able to establish a connection to the specified secure gateway.  
Please try connecting again.

The secure gateway has rejected the connection attempt.  A new connection attempt 
to the same or another secure gateway is needed, which required re-authentication.  
The following message was received from the secure gateway: No assigned address.

Below is my configuration:

: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.7(1)4 
!
hostname hostname
domain-name hostname.com
enable password password
names

!
interface GigabitEthernet1/1
 description Main outside interface
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name domainname.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.2.64_26 NETWORK_OBJ_172.16.2.64_26 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint_SelfSigned
 enrollment self
 fqdn domain.com
 subject-name CN=domain.com
 keypair SSL-DOMAIN-KEYPAIR
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint_SelfSigned
 certificate start-finish
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain domain.com
!
dhcpd address 172.16.2.100-172.16.2.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint_SelfSigned outside
ssl trust-point ASDM_TrustPoint_SelfSigned inside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 vpn-tunnel-protocol ssl-client 
 default-domain value domain.com
dynamic-access-policy-record DfltAccessPolicy
username username password password
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 default-group-policy GroupPolicy_VPN
 dhcp-server 172.16.2.1
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:ffff
: end

Thanks for your help.

Francesco Molino · ‎08-27-2018

Hi

Sorry if i miss something, I'm reading your config through my smartphone.

I see you're trying to assign your vpn users an ip within the same subnet as your lan and using asa as dhcp server. Usually we use dhcp to redirect requests to internal corporate dhcp server or ip local pool when we want asa to deliver ip addresses.

Using dhcp method when asa is the dhcp server, I'm not sure it works and to be totally transparent I've never tested also.

IP POOL method example:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-anyconnect.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎08-27-2018

Hi

Sorry if i miss something, I'm reading your config through my smartphone.

I see you're trying to assign your vpn users an ip within the same subnet as your lan and using asa as dhcp server. Usually we use dhcp to redirect requests to internal corporate dhcp server or ip local pool when we want asa to deliver ip addresses.

Using dhcp method when asa is the dhcp server, I'm not sure it works and to be totally transparent I've never tested also.

IP POOL method example:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-anyconnect.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jsf · ‎09-06-2018

Thanks Francesco,

I was sure I had followed the guide you referenced and it didn't work ... finger problems I guess.

Thanks again.