Hello Federico,

Thanks for being so active in the community.

>>I know that it's recommended to configure the SSL via ASDM via the  wizard or even manually, but can you use the ASDM when something does  not work?

ASDM unlike VPN 3000 Concentrator GUI is not itegrated into the code of the ASA. ASDM is just an application which runs the command (availble for CLI users) and pipes the output to the GUI parser. Troubleshooting through ASDM is still only limited to watching the live logs in the log viewer.

>>I mean.. for troubleshooting a non-working AnyConnect connection... how would you use ASDM to troubleshoot (or better CLI)?

As I mentioned before, the syslogs can be viewed regarding an AnyConnct connection problem, Apart from that debugs have to be run through the CLI only.

To troubleshoot the first thing is to ascertain where the problem is for example. the problem could be with the initial SSL connection or after the initial connection. Because the AnyConnect protocol travels inside the SSL connection. If the SSL Connection is established and the client is not connecting than 'deb webvpn svc' can show us where the problem is. Again, the problem could be DAP or tunnel/group policy assignment or plain client install problem (debug dap ? for all the options for DAP). For pure client side issues DART is the best tool, simply because it collects whatever there is related to AnyC client and presents the information in one place.

>> What's coming new for SSL in Cisco ASAs in a future release?

The AnyConnect client 3.0 is still in Beta, therefore the features present in Beta may or may not be present in the released client. However, as per the initial reports IKEv2 (that means IPSEC Client) could be one of the main features. Stay tuned for the release, I would say.

Regards

Vikas

Thank you for addressing my questions Vikas!

Appreciate your time :-)

Federico.

Hello Dianne,

This will actually depend upon the features which will be there in the new client.

Nothing can be said with certainty regarding the features as the client is still due to be released.

Regards

Hi Hitesh,

In case of user authentication via LDAP the memberOf attribute associated with the user is  sent acorss by the LDAP server.  On Cisco ASA we can go ahead and map the memberof attribute with other RADIUS  attribute / Cisco Attribute etc.   Once the mapping is done we can map the value accordingly.

For example:   A user by name Deepak can be part of Group"Employee" in a domain sectac.com.   As soon as user Deepak logs in the LDAP server will return the authentication success and memberOf Employee.  We can configure ASA to map the LDAP attribute value Employee to group policy like Employee etc.

A LDAP the representation of syntax above will be like:-

CN=Employees,CN=Users,DC=sectac,DC=com

CN=Users is like folder under which this group exist. 

We had an example in the presentation by Vikas and I have attached the screeen shot of Mapping with example.   Additionaly, you will find the following link helpful.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Hope this helps.

Regards,

-Deepak

Hi Deepak,

Thanks for the prompt response and its perfect match for the solution that i was looking for. Appreciate your time and help.

Regards

Hitesh Vinzoda

Hi Ahmed,

Please note, this thread is specifically meant for "ANYCONNECT SSL VPN CLIENT ON ASA THROUGH ASDM" . However; in your case you seems to be looking for an assistance with regard to IPSEC Lan to Lan VPN. 

I would request you to please go ahead and post the query under the correct thread :-

https://supportforums.cisco.com/community/netpro/security/vpn

Also, please get the output of show cry ipsec sa and sh cry isakmp sa to check on which phase concerned tunnel is failing. On ASA please get show run crypto and on IOS router get the ouput of show run | sec cry and show access-list used as crypto acl.

Thanks, for understanding.

Regards,

-Deepak

Hi Deepak,

Thanks for your reply and I will post there in the link,

best regards,

Ahmed

Vikas,

on an ASA5510, what is the most stable software version to enable the anyconnect feature? and how do we publish a portal, based on the user who is logging in, so this portal can show the user the files he is allowed to access?

for example, if userA logs in via ciscoanyconnect, we want him to land into a portal where he will have access to folders he is allowed. the same thing for userB... when userB gets in, we want to land him on a portal that will make visible only the items he is allowed to see.

ciscobigcat,

Generally it is recommened to be on the latest version of the anyconnect client.  It will provided the widest support for operating systems and the most recent bug fixes.  With that being said many customers have found that the latest version in the 2.4.x throttle works well.

In regards to your second question that seems more related to the clientless portal rather than anyconnect.  Under the user/group accounts you can configure different bookmarks or customizations.  This way user a and user b will have different links presented to them.  You will naturally need to provide some method to distinguish user a from user b.  Perhaps ldap mapping as was mentioned earlier in the thread.

-Jay