
Cisco AnyConnect - Cannot connect to this gateway. Please choose another gateway and try again.

Hi!

We are using Cisco AnyConnect 4.4.01054 to connect to our network. This is working fine with certificate.

But we have the following problem:

- We connect to our network by typing in the URL e.g. "anyconnect.network.com"

- After disconnecting the session you'll see the connection name in the AnyConnect URL field, e.g. "NETWORK-SUPPORT"

- When trying to connect again with this connection-name "NETWORK-SUPPORT" we are getting the following error:

 "Cannot connect to this gateway. Please choose another gateway and try again."

Why isn't this working? In the XML file I can see the entry:

            <HostName>NETWORK-SUPPORT</HostName>
            <HostAddress>anyconnect.network.com</HostAddress>
            <UserGroup>NETWORK-SUPPORT</UserGroup>

When connecting again by using the URL "anyconnect.network.com" it is working fine. But it is confusing for the users, because they try to connect by choosing the connection name "NETWORK-SUPPORT" in the drop-down menu.

Ideas???

4 Replies

JP Miranda Z
Cisco Employee

Hi Mike Farnschlaeder,

In order to have a User Group configured on the XML profile you need to have a group url configuration under the tunnel group or connection profile if using ASDM.

In this case if you connect only to the FQDN and then you are getting a drop-down, that means you have group alias configured, so my recommendation will be to remove the User Group from the .xml and have your clients connecting one time to update the .xml.

Keep in mind you can also configure a group url and have your clients connecting with the current .xml.

This link explains very well the group url and group alias configuration:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

Hope this info helps!!

Rate if helps you!

-JP-
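
The check described in this reply, as an added example (not part of the original thread and not Cisco code): it derives the group URL the client builds from each HostEntry (HostAddress plus UserGroup) and reports whether an enabled `group-url` for it exists in an ASA config excerpt. The profile, the ASA excerpt and the helper names are constructed for illustration, and the comparison is exact apart from scheme and trailing slash, which is a simplification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile, modelled on the entry quoted in the question.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>NETWORK-SUPPORT</HostName>
      <HostAddress>anyconnect.network.com</HostAddress>
      <UserGroup>NETWORK-SUPPORT</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed ASA excerpt: a group-alias (drop-down) only, no group-url.
ASA_CONFIG = """tunnel-group NETWORK-SUPPORT webvpn-attributes
 group-alias NETWORK-SUPPORT enable
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _norm(url):
    return re.sub(r"^https?://", "", url.strip(), flags=re.I).rstrip("/")

def asa_group_urls(config_text):
    """Collect enabled group-url values from an ASA running-config excerpt."""
    return {_norm(m.group(1)) for m in
            re.finditer(r"^\s*group-url\s+(\S+)\s+enable\s*$", config_text, re.M)}

def check_profile(profile_xml, config_text):
    """Return (HostName, derived URL, has_group_url) per HostEntry with a UserGroup."""
    known = asa_group_urls(config_text)
    results = []
    for elem in ET.fromstring(profile_xml).iter():
        if _local(elem.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("UserGroup"):
            url = _norm(fields.get("HostAddress", "")) + "/" + fields["UserGroup"]
            results.append((fields.get("HostName"), "https://" + url, url in known))
    return results

if __name__ == "__main__":
    for name, url, ok in check_profile(PROFILE_XML, ASA_CONFIG):
        print(f"{name}: {url} -> {'group-url present' if ok else 'NO matching group-url'}")
```
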

Hi!

I still have the problem.

I deleted "Server List" in the "Client-Profile". But then it only works when starting the AnyConnect-Client as Administrator.

After the log in, the XML-File is stored in "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile".

After disconnecting I still have the URL in the AnyConnect-Client, which is fine for me.

When I start the AnyConnect-Client as a normal user I always get "no valid certificates available for authentication".

So, deleting the "Server List" does not help.

I then built the XML-File again by using the AnyConnect Profile Editor and uploaded the file to the ASA and added it again to the Group Policy.

When connecting again by using the URL it was working fine. After disconnecting I have the Profile Name again in the AnyConnect-Client.

Now, it isn't possible to connect by using the Profile Name.

I have to put in the URL manually in the field and can connect again.

Hi,

I never recommended to remove the server list, I recommended to remove the User Group or make sure you are using an actual group url and that from where you are getting this User Group.

You can always try sharing your .xml profile and a sanitized config so we can help you over here, and keep in mind you can always open a TAC case since this is something that we should be able to resolve pretty quick on a webex.

Hope this info helps!!

Rate if helps you!! 

-JP- 

Hi!

I could resolve the issue by deleting every AnyConnect entry and re-configuring everything.

Now it is working. I do not know exactly what went wrong before but now it's working.