2035 Views, 0 Helpful, 4 Replies

Cisco AnyConnect Client - Group Policy Tunnel Protocol question

fraley.b12
Level 1

Hello all,

I might have a quick question.

But first, context - I was helping one of our contractors with troubleshooting why they could not connect to our ASA via Cisco AnyConnect. We were able to get the client downloaded and installed on their machine and when they went to connect they were able to select which profile/group to use. However, after authentication and Duo MFA we kept receiving this error:

Logon denied, unauthorized connection mechanism, contact your administrator.

Which was odd. A quick couple of searches yielded the following response:

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration.
Check the configuration and make sure it is as required to resolve the issue.

Which is also not very helpful. Further googling led me to this solution, which appears to have done the trick. Essentially I needed to select a VPN tunneling protocol in the group policy attached to the profile they were using. Initially the only tunneling option I had selected was "IKEv2" for both our FTE profile and our Contractors profile. I added `ssl-client` to the contractor profile's group policy and they were then able to log in.

Here is where my question comes in:

Why, if only IKEv2 was enabled on the policy, were both contractors and FTEs able to log in using Cisco AnyConnect and the web client? I have had contractors using the profile before and AnyConnect without issue. Same goes for the FTEs as well. The issue appears to be fixed and I have added the `ssl-client` option to both profiles just to be sure.

Any ideas or thoughts on why it worked for some and not others without it being explicitly selected?

4 Replies

@fraley.b12 perhaps the users connected to a different tunnel-group (connection profile) which used a different group-policy with the vpn protocols enabled?

@Rob Ingram that thought had crossed my mind initially but both of the group policies' tunnel protocols were identical. Both set to IKEv2 only.

@fraley.b12 hard to tell, but there must be a valid reason. Can you replicate the issue and then run "show vpn-sessiondb detail anyconnect" and determine what group policy and tunnel group was used? Else provide the configuration for review.
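The check Rob suggests above, combined with the `vpn-tunnel-protocol` change from the original post, as an added example that is not part of this thread and not from any poster's ASA. It parses a constructed `show running-config group-policy` excerpt and a constructed `show vpn-sessiondb detail anyconnect` excerpt (the column layout follows ASA's, but the group-policy names GP-Contractors/GP-FTE, tunnel-group names, usernames and addresses are made up), reports which tunnel-group and group-policy each session used and whether the protocol it used (SSL-Tunnel/DTLS-Tunnel versus IKEv2) is one that group-policy's `vpn-tunnel-protocol` line allows, and shows the fix as a transformation of the config text. A session whose protocol is not in its group-policy's list is the situation the thread describes: the config you are reading is not the policy that was actually in effect for that user.

```python
# Added example (not from the thread): does the protocol an AnyConnect session
# used match the vpn-tunnel-protocol line of the group-policy it landed in?
import re

# Constructed 'show running-config group-policy' excerpt; policy names are
# assumptions. GP-Contractors is the IKEv2-only state from the post.
RUNNING_CONFIG = """\
group-policy GP-Contractors internal
group-policy GP-Contractors attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
group-policy GP-FTE internal
group-policy GP-FTE attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

# Constructed 'show vpn-sessiondb detail anyconnect' excerpt (ASA column
# layout; made-up users, IPs and tunnel-group names).
SESSIONDB = """\
Session Type: AnyConnect Detailed

Username     : jdoe                   Index        : 101
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-FTE                 Tunnel Group : TG-FTE

Username     : contractor1            Index        : 102
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent IKEv2 IPsecOverNatT
Group Policy : GP-Contractors         Tunnel Group : TG-Contractors

Username     : contractor2            Index        : 103
Assigned IP  : 10.10.10.7             Public IP    : 198.51.100.8
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-Contractors         Tunnel Group : TG-Contractors
"""

# Protocol-line tokens mapped to vpn-tunnel-protocol keywords; AnyConnect-Parent
# and IPsecOverNatT describe transport, they are not keywords.
PROTOCOL_KEYWORDS = {"SSL-Tunnel": "ssl-client", "DTLS-Tunnel": "ssl-client",
                     "IKEv2": "ikev2", "Clientless": "ssl-clientless"}

# One 'Key : Value' pair per match; the lookahead stops the value before the
# second column (e.g. "Index        : 101") or at end of line.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s+(\S.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:\s|\s*$)")


def parse_group_policy_protocols(config):
    """group-policy name -> set of keywords. A policy with no line of its own
    inherits from DfltGrpPolicy and is returned with an empty set, not guessed."""
    protocols, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+)", line)
        if m:
            current = m.group(1)
            protocols.setdefault(current, set())
        elif current and line.strip().startswith("vpn-tunnel-protocol "):
            protocols[current] = set(line.split()[1:])
    return protocols


def parse_sessions(output):
    """Split sessiondb output into one {field: value} dict per session."""
    sessions = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in block.splitlines():
            for key, value in FIELD_RE.findall(line):
                fields[key.strip()] = value.strip()
        if "Username" in fields:
            sessions.append(fields)
    return sessions


def check_sessions(config, output):
    """Per user: tunnel-group, group-policy, keywords used and allowed, and
    ok=False when the session contradicts the config excerpt."""
    allowed = parse_group_policy_protocols(config)
    report = {}
    for s in parse_sessions(output):
        gp = s.get("Group Policy", "")
        used = {PROTOCOL_KEYWORDS[t] for t in s.get("Protocol", "").split()
                if t in PROTOCOL_KEYWORDS}
        report[s["Username"]] = {"tunnel_group": s.get("Tunnel Group"),
                                 "group_policy": gp, "used": used,
                                 "allowed": allowed.get(gp, set()),
                                 "ok": used <= allowed.get(gp, set())}
    return report


def add_tunnel_protocol(config, group_policy, keyword):
    """The fix from the post: append `keyword` (e.g. ssl-client) to the named
    group-policy's vpn-tunnel-protocol line if it is not already there."""
    out, current = [], None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+)", line)
        if m:
            current = m.group(1)
        elif current == group_policy and line.strip().startswith("vpn-tunnel-protocol"):
            if keyword not in line.split()[1:]:
                line += " " + keyword
        out.append(line)
    return "\n".join(out) + "\n"
```

Call `check_sessions(RUNNING_CONFIG, SESSIONDB)` and look at the entries with `ok` False; in the constructed data that is contractor2, an SSL session under a policy whose line says `ikev2` only. On a real box, paste the actual output of both show commands in place of the constructed strings; a policy whose `vpn-tunnel-protocol` line is absent from `show running-config group-policy` inherits it from DfltGrpPolicy, which is one more place to look before concluding the two policies really were identical.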

I don't think I can replicate the issue. I don't have a test environment. I would be happy to provide the output of `show vpn-sessiondb detail anyconnect` but without the ability to recreate the issue, I am not sure what help it may or may not be.