Cisco Anyconnect profiles and switching between profiles

tony_pickett
Level 1

I have the following configuration (as shown in the diagram below)

My Anyconnect user connects to data center 1, but in the event that data center is not available, he should connect to data center 2.

[cvpn diagram]

The problem I have is two fold:

1. My Anyconnect user already has a profile for data center 1 and can connect with no problems.

If I give the user the URL for data center 2, he can connect with no problems, and when disconnected, he can see the two profiles listed in the drop down. As soon as he connects back to data center 1, the profile for data center 2 disappears.

How do I keep both profiles listed for my user?


2. Assuming I keep both profiles on my user machine, is there a way that I can specify Anyconnect should connect to data center 1 as its primary connection, but if that connection fails, automatically connect to data center 2?

Can I specify (for instance) after 3 connection attempts to data center 1, it moves to connecting to data center 2?


... and as a follow up question; is there a better way of doing this?


14 Replies

Marvin Rhoads
Hall of Fame

When you build the AnyConnect Client profile in the ASA configuration (or use the offline AnyConnect Profile Editor tool), you have the option to specify backup servers. That would be the preferred / supported way of setting up what you're asking for.


Hi Marvin,

Just read couple posts here on Anyconnect profile and seems you are the expert here.

I have configured a tunnel-group aka SSL connection profile for an external customer. Default option on our 5515 (running 9.1(6)8) is not to use tunnel-group-list option and just use a specific URL.

I sent the customer the URL: https://vpn.mydomain.com/cig along with credentials.

Now he says they are already using Anyconnect internally and they already have a profile deployed. Basically he asked me to send him a profile of my VPN connection so he can choose between his company profile and my company profile.

First of all: is this possible? How would this look, like a dropdown list?

Second: I have configured a custom Anyconnect profile for this connection profile and assigned it specifically to the group-policy, but I am not sure about the next step. Should I export it from flash and send the xml file to the customer? Or is it that after customer connects once more, it will automatically receive that file anyway?

Thanks in advance,

Florin.

Florin

First, it should be possible and if it is done correctly then when the customer starts AnyConnect it should come up with a drop down list of connections which should include your connection.

Second, if you have configured a custom profile for this connection and specified it for the connection then it should be automatically downloaded the next time the customer connects to your VPN.

HTH

Rick


Hi guys,

First of all thanks for your inputs! Next, I have configured on ASDM two profiles:

- one for the customer and one for network team.

- I installed anyconnect on a VM for the first time and then successfully connected on each profile using the specific URL.

- after each connection the profile was downloaded on the expected location

Still, when I attempt to connect to either of the two past profiles I can't choose between them.

I just uploaded a print screen of the overall situation.

Florin,

The files seem to be there in your screenshot. Have you tried restarting the AnyConnect client user interface (UI)? You can kill and restart the process or just reboot the host.

I have rebooted the VM and still the same as in the previous screenshot: just the default VPN concentrator shows up.

For the reference I am using Cisco Anyconnect 4.1.06013 and asa916-8-smp-k8.bin.

Any thoughts before opening a TAC case, gentlemen?

Not knowing if you actually used the profile editor, can you verify that each XML file you have saved is a well-formed one with an embedded profile name as shown in this thread:

https://supportforums.cisco.com/discussion/11489861/anyconnect-30-profile-drop-down-list

Read that topic, but failed to understand the expected format. I went on ASDM, Profile Editor, created the file and assigned it to a specific Group-Profile and did just one change on it: added one server on the Server list entry.

For the reference I just uploaded the xml output as it sits now on my test PC.

Hmm that looks about right. I'm strictly mobile this week so the file opens with a few extraneous characters on my tablet but it should work given that you built it with profile editor.

I'd inspect the version on the ASA itself to make sure it's downloading properly to the client but if it is then I'd try a TAC case.

TAC case successfully closed within 2h.

Both profiles were using identical Host Name or Host Display Name as it's called on the profile editor.

Thanks everyone for the support!

Florin
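The two points this thread turned on, Marvin's backup-server option and the identical Host Display Name that made one entry vanish, can be checked before a profile is ever pushed to a client. The script below is an added example, not code from the thread or from Cisco: it parses constructed sample profiles (the element names follow the AnyConnect VPN profile XML as I know it; verify the namespace against a file your own Profile Editor produced), lists each server entry with its backup servers, and flags display names that are shared across profiles.

```python
"""Check AnyConnect client profiles for the drop-down collision this thread
ended on, and list the backup servers each server entry carries."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace of AnyConnect VPN profile XML (assumed from the profile schema;
# check it against a file your own Profile Editor produced).
NS = {"ac": "http://schemas.xml.cisco.com/2006/05/vpn/profile"}

# Constructed sample profiles: both reuse the same Host Display Name, which is
# exactly the mistake that made one entry vanish from the client's list.
PROFILES = {
    "customer.xml": """<AnyConnectProfile xmlns="http://schemas.xml.cisco.com/2006/05/vpn/profile">
  <ServerList><HostEntry>
    <HostName>Company VPN</HostName>
    <HostAddress>vpn.mydomain.com/cig</HostAddress>
  </HostEntry></ServerList>
</AnyConnectProfile>""",
    "netteam.xml": """<AnyConnectProfile xmlns="http://schemas.xml.cisco.com/2006/05/vpn/profile">
  <ServerList><HostEntry>
    <HostName>Company VPN</HostName>
    <HostAddress>dc1-vpn.example.invalid</HostAddress>
    <BackupServerList><HostAddress>dc2-vpn.example.invalid</HostAddress></BackupServerList>
  </HostEntry></ServerList>
</AnyConnectProfile>""",
}


def parse_entries(profile_xml):
    """Return (display name, primary address, [backup addresses]) per HostEntry."""
    root = ET.fromstring(profile_xml)
    entries = []
    for host in root.iterfind(".//ac:ServerList/ac:HostEntry", NS):
        name = host.findtext("ac:HostName", default="", namespaces=NS).strip()
        addr = host.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        backups = [b.text.strip() for b in
                   host.iterfind("ac:BackupServerList/ac:HostAddress", NS)]
        entries.append((name, addr, backups))
    return entries


def duplicate_display_names(profiles):
    """Map each HostName used by more than one profile to those profile files.
    The client keeps only one drop-down entry per display name."""
    seen = defaultdict(set)
    for fname, xml in profiles.items():
        for name, _addr, _backups in parse_entries(xml):
            seen[name].add(fname)
    return {n: sorted(f) for n, f in seen.items() if len(f) > 1}
```

Run `duplicate_display_names` over every profile you deploy to a host; a non-empty result means two profiles will compete for one entry in the client's list.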

Thanks for posting back to the forum to let us know that you have solved the issue and what the problem was. This is very helpful. Having the same Host Display Name would be an easy thing to miss.

HTH

Rick


I am half way on my CCNP Security exam; just learnt about Cisco Anyconnect profile editor.

I wonder what's the difference between VPN Profile editor from ASDM vs the locally installed software on my machine?

I see it has similar settings but I am not sure about the use scenarios for each. Thoughts?

The profile editor on the ASA saves the profile (xml file) to the ASA itself and is normally used in basic deployments where that's all you need to do.

The standalone profile editor can be used totally distinct from the ASA and the distribution also includes profile editors for the other AnyConnect components (NAM, ISE Posture module, etc.). It is often used in an enterprise deployment where there might be separation of duties between ASA admins and those staff responsible for deploying client software. Also, we might use the standalone editor when we want to pre-deploy the client side apart from having the production ASA ready and active.

Bottom line is that both the ASA-based and standalone VPN profile editor allow you to create the same xml files.

Florin,

As Rick mentioned, the profile (which, among other functions, populates the drop down list in the client) can co-exist with the specific URL access option. Both your profile and your customer's profile will create entries in their client drop down list.

You may want to create a separate profile for them and restrict their usernames to that profile if their access privileges need to be more restrictive than your staff's. Even if they are the same, that option may be attractive as it allows you to separate the two login types administratively and, should future requirements indicate, differentiate between them at that point.