cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12337
Views
30
Helpful
16
Replies

ASA 9.6(2) anyconnect in multiple context mode

sipos
Level 1
Level 1

Hello,

I have ASA 5525X in mutliple context mode. I need to assign anyconnect image to firewall. In next url http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html#anc10 is written following:

Note: 1. The flash storage is not virtualised and it is only accessible from the system context.
2. Copy files to the flash in system context i.e. AnyConnect image.
3. The AnyConnect image is a shared configuration.
4. Configured in the admin context only. Not available in other contexts.
5. All contexts automatically refer to this global AnyConnect image configuration.

When I tried to configure it in admin context ASA doesn't know file system

FW01/pri/act/admin(config-webvpn)# anyconnect image ?

webvpn mode commands/options:
Unknown file system

ASDM image is configured in system context, but why anyconnect image has to be configured in admin context?

I tried to configure it in system context I don't have any possibilities about anyconnect:

FW01/pri/act(config-webvpn)# ?

WebVPN commands:
exit Exit from WebVPN configuration mode
memory-size Configure WebVPN memory size. CHECK MEMORY USAGE BEFORE APPLYING
THIS COMMAND. USE ONLY IF ADVISED BY CISCO
no Remove a WebVPN command or set to its default

or

FW01/pri/act(config)# anyconnect ?
ERROR: % Unrecognized command

What is wrong? Where I made mistake? 

Thanks for any advice.

16 Replies 16

Marvin Rhoads
Hall of Fame
Hall of Fame

Did you first copy the image into system context and allocate the VPN resources from there? That is a mandatory prerequisite.

(I found the formatting of that section in the guide you linked to be quite confusing when I setup one of these for a customer.)

Yes, of course.

I have the solution now - shared storage.

On system context is needed to configure on disk0: some folder (root disk0:/ is not accepted or I made some mistake). In my case is folder VPN.

FW01/pri/act(config)# dir

Directory of disk0:/

74 -rwx 19459638 23:23:10 Oct 04 2016 anyconnect-win-4.2.05015-k9.pkg
85 drwx 4096 02:42:41 Oct 05 2016 VPN

Than move or copy anyconnect image into this one.

FW01/pri/act(config)# dir disk0:VPN

Directory of disk0:/VPN/

86 -rwx 19459638 02:42:43 Oct 05 2016 anyconnect-win-4.2.05015-k9.pkg

next to configure shared storage under admin context subsection

context admin
allocate-interface Management0/0
storage-url shared disk0:/VPN shared
config-url disk0:/admin.cfg

and finally in the admin context is possible to assign anyconnect image

FW01/pri/act/admin(config-webvpn)# sh run webvpn
webvpn
anyconnect image shared:/anyconnect-win-4.2.05015-k9.pkg 1
anyconnect enable

It would be very good rewrite official documentation about this case because at url

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html#anc10

example configuration steps were copied from single context solution. There isn’t any mention about shared part of storage – what is very important !!!

Hello Sipos

Im also trying  to enable anyconnect on a multiple context firewall, but I am unable to get as far as you.

I have made the shared folder and can see the anyconnect image in the admin context.

JASA1/admin/act/pri# sh webvpn anyconnect
1. shared:/anyconnect-win-4.2.06014-k9.pkg 1 dyn-regex=/Windows NT/
  CISCO STC win2k+
  4,2,06014
  Hostscan Version 4.2.06014
  Thu 10/06/2016 14:40:31.34

1 AnyConnect Client(s) installed
JASA1/admin/act/pri#

But the customer context itself will not see the anyconnect image for some reason:

JASA1/DK20001775-004/act/pri# sh run webvpn
webvpn
 enable WAN
 anyconnect enable

JASA1/DK20001775-004/act/pri# sh webvpn anyconnect
AnyConnect Client is enabled. No images configured

hope you can help since you seem to be the only person in the world to have this working :)

ALSO:

JASA1/DK20001775-004/act/pri(config-webvpn)# anyconnect enable
WARNING: No 'anyconnect image' commands have been issued in the admin context. At least one AnyConnect image must be configured in the admin context to enable this feature in a context

Hi Jens

admin context was as reference; it is possible to configure in one or more user contexts - you need to configure in SYSTEM context under client context, for example:

class VPN
limit-resource VPN AnyConnect 50.0%
limit-resource VPN Other 50.0%
!

admin-context admin

member VPN
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg

storage-url shared disk0:/VPN shared

!
context USER_01
member VPN
allocate-interface GigabitEthernetx/y
storage-url shared disk0:/VPN shared

then you can see anyconnect image under admin and user context

FW01/pri/act/USER_01# sh run webvpn
webvpn
enable outside
anyconnect image shared:/anyconnect-win-4.3.03086-k9.pkg 1

!

FW01/pri/act/USER_01# sh webvpn anyconnect
1. shared:/anyconnect-win-4.3.03086-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
4,3,03086
Hostscan Version 4.3.03086
Thu 10/06/2016 13:50:02.18

and in admin context too

FW01/pri/act/admin(config-webvpn)# sh run webvpn
webvpn
anyconnect image shared:/anyconnect-win-4.3.03086-k9.pkg 1
anyconnect enable

!
FW01/pri/act/admin(config-webvpn)# sh web an
FW01/pri/act/admin(config-webvpn)# sh web anyconnect
1. shared:/anyconnect-win-4.3.03086-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
4,3,03086
Hostscan Version 4.3.03086
Thu 10/06/2016 13:50:02.18

The next warning

JASA1/DK20001775-004/act/pri(config-webvpn)# anyconnect enable
WARNING: No 'anyconnect image' commands have been issued in the admin context. At least one AnyConnect image must be configured in the admin context to enable this feature in a context

is not true, you don't have configured anyconnect image in admin context, even if it is possible. To configure it under user context is enough!

This is probably copied from older versions :-( like in documentation.

I hope that it will more clearly now.

Have a nice day!

Pavol

Hi Sepos

Having the shared URL under the customer context configured in system was enough :)

Thank you for your help Sepos.

Hi guys 
   i have the same issue but the command storage-url is not there 

Context configuration commands:
allocate-interface 
allocate-ips 
config-url 
description 
exit 
help
join-failover-group 
member 
no
scansafe 
these are the available commands only under the context 
any ideas 
thanks 

hazem 

egsuptac911  ,

Have you first created a directory to use for storage? I believe that is a prerequisite.

he Marvin ,

thanks for your reply , and yes i have created it 

dir disk0:

62 -rwx 25232296 05:53:12 Dec 15 2016 anyconnect-win-4.3.04027-k9.pkg
76 drwx 4096 06:57:14 Dec 15 2016 test

sh disk0:

62 25232296 Dec 15 2016 05:53:12 anyconnect-win-4.3.04027-k9.pkg
76 4096 Dec 15 2016 06:57:14 test
77 25232296 Dec 15 2016 06:58:46 test/anyconnect-win-4.3.04027-k9.pkg

Hi sipos,

Thank you very much for sharing your solution. I did the config with shared storage (apart from the solution with the private storage that sugested Kumal) and it work great but also to the moment when I reboot one of the firewalls. The configuration of the anyconnect image under the webvpn in both contexts admin and the user simply disappears after the reboot.

Didn't you have the same issue? Could you please comment on that?

Thanks in advance.

Regards,

Remi

If you have an HA pair of ASAs, all images must be copied onto each unit separately. They do not replicate when uploaded onto the Active unit.

Thanks Marvin. That indeed was the problem.

Best regards!

kunkaush
Level 1
Level 1

Here is an easy solution to this problem:

 

  • You need to move the file from system context to the particular context which you created using the command:

 

copy disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg disk0:/vpn1/vpn1

 

 

Detailed steps to perform Anyconnect in Multi-Context mode starting ASA 9.6.2

-  In order to move a specific file from Sytem context to a prarticular context, ASA now support storage virtualization from 9.6(2).

-  Once the virtual storage "vflash" has been created we need to move the file to that location and command to that is.

 

 NOTE: You should be in System Context to perform this task.

  

System Context:

 

class anyconnect

limit-resource vpn anyConnect

!

context vpn1

member anyconnect

  allocate-interface GigabitEthernet0/0

  config-url disk0:/vpn1.cfg

  storage-url private disk0:/vpn1 vflash

!

Now, a virtual storage would be created in flash called: vpn1/vpn1

!

Next, we have to move the required files to the particular context from the system context:

 

copy disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg disk0:/vpn1/vpn1

  

 changeto context vpn1

show vflash

show flash

 

- You'd be able to see the anyconnect image in flash now.

- Configure Anyconnect like you used to do and have fun.

 

webvpn

anyconnect image vflash:/anyconnect...

 

Regards,

Kunal Kaushik

Cisco TAC

Hi all,

   we're also testing anyconnect in multi-context environment and we see problems in ASDM: we only reach properly configuration of shared storage from cli (cant' assign url to context in ASDM, the drop-down list is just empty out of "admin" context) and so then enable the webvpn service and so, BUT group-policy configuration and other stuff becomes unavailable under ASDM (the buttons are there, clickable, but uneffective).

We're running ASA 9.6(3)3 and ASDM 7.8(1).

Bye, Flavio

Got myself an answer, just few grey hair after: in system, you need to configure the shared storage naming it vateveruwanna, say it to save space on contexts and place just one copy of the anyconnect image BUT, the real importante point here is to allocate a private storage space and name it "admin". This would allow ASDM to interact with context as per specific stuff like AnyConnect Client Profile, daps aaaaand group-policy editing.
Couldn't find docs stating this, also opened TAC about. Maybe mybad.