Why do I need to have client services enabled?  I don't want or need any of them.

I am using a client profile created using ASDM and the ASA and exported.  I'm not sure how to tell if its proper.  But, I have reviewed the profile setting and they look correct.  Does a client profile specify IPSec IKEv2 in it?  I don't see it.

If I enable client services on the 'outside' interface, I get certificate errors.  First the certificate from the ASA is not trusted.  If I say "install and continue" then I get a certificate validation error.  From that point on, I get only the certificate validation error.  "This connection requires a client certifiate, but no matching certifcate could be found."

Perhaps I need to revisit certifcates.

Regards.

Mark,

Strictly speaking you do not need client services.

Client services are not part of IKEv2 framework. In ASA + Anyconnect combo we use client services to update AC client from headend and push profile updates.

Looks like you're requesting user certificates too, but that's besides the point.

I would first of all check if you're initiating IKEv2 at all, I assume you're using whatever you configured in "" tag to initiate connection.

From profile's perspective there should be mention

- "" what you going to put in the AC window to connect

- "HostAddress" to specify where the headend is - IP or hostname

- "Protocol" - IPsec. IKEv2 is used - no support for IKEv1 on AC.

You can find an example profile here:

https://supportforums.cisco.com/docs/DOC-18960

I would also take care that profile on ASA and client are exactly the same (copy/paste/import).

M.

I've tried following that example.  The end result is a client profile that cannot be saved or editted from ASDM.  There are some XML errors.  I don't have the exact error text, unfortunately.  However, If I manually create a client profile, its does not have a IPsec in the host entry of the server list.  Maybe that is why AnyConnect isn't even trying IPsec and perhaps defaulting to SSL.

I'm going to try to edit the client profile and import it into the ASA and import it into the Android AnyConnect.

I'm also going to upgrade to 9.01 on the ASA and ASDM 7.02.  But, I'll do that later.

Regards.

Edited and imported the client profile XML and I got the same error as when I followed the example.

I left the client profile in the ASA (it can't be editted, but I was able to apply).  Not sure if its being used or not. I took the updated client profile to the Android and imported it into AnyConnect.  I get this error on the Android: "VPN Server could not parse request."  The ASA says: "Local:192.62.167.137:500 Remote:192.61.133.26:43648 Username:Unknown Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group."

First, its port 500, so YAY its IPsec.

But what is failing?

Regards.

Hehe.

Well KE and DH stands for diffie hellman group.

I would still enabled debugging on ASA and export logs from Android to see what is being used.

I think I'm going to update to 9.01 on the ASA and ASDM 7.02 at this time.

I also noticed that I must have at least one AnyConnect Client software image installed.  None of them are appropriate (I'm using Andorid client) but I must have at least one or I can't create client profiles properly.

Maybe the new levels will be more functional for me.

Mark,

That could be agood idea (upgrade) although I'm not sure if 9.0 is yet ready for prime time.

ALthough the IKEv2 Remote access wizard in ASDM should sort out the ASA config for you.

Indeed you need Anyconnect image AND Anyconnect mobile license to succeed.

M.

9.01 VPN wizard still creates a faulty client profile with the same XML error regarding "PrimaryProtocol".

Do I need updated anyconnect client images?  I'll try that.