Cisco AnyConnect VPN connect to a non-443 port entry

James_Suzhou
Level 1

Hi,

 

For some reason, I have changed the default port 443 to 7799 on the ASA firewall, for both the HTTPS port and the DTLS port.

By using Cisco AnyConnect Secure Mobility Client, I am able to connect successfully if I manually input the address xx.domainname.com:7799, and everything works just fine.

However, if I add xx.domainname.com:7799 as one of the HostEntry items under the Profile subfolder, the connection is never successful.

Can anyone help with this? Thanks.

 

Cisco ASA: ASA 5506

ASA Version: 9.12(4)18

ASDM Version: 7.5(2)

Cisco AnyConnect Secure Mobility Client: 4.8.03052

Profile: 

***

<ServerList>

<HostEntry>
<HostName>vpn</HostName>
<HostAddress>https://xx.domainname.com:7799</HostAddress>
<UserGroup>vpn</UserGroup>
</HostEntry>

</ServerList>

 

Regards

James

 

7 Replies

The remote user has to tag the port at the end of the IP address/URL if using a port other than 443.

Otherwise, if you use the default port 443, then the ASA ASDM will keep the default port in the host entry.

Please do not forget to rate.


@Sheraz.Salim wrote:

The remote user has to tag the port at the end of the IP address/URL if using a port other than 443.

Otherwise, if you use the default port 443, then the ASA ASDM will keep the default port in the host entry.


Hi Sheraz.

Thank you.

So far, manual input seems to be the only way, but it's quite annoying.

 

 

Use the HostAddress without the "https://" in your XML file and try again.


@Karsten Iwen wrote:

Use the HostAddress without the "https://" in your XML file and try again.


Hi Karsten, yes. I have tried to remove the "https://" and to change the domain name to the IP address; both seem not to be working.

 

Using the IP cannot work as the IP is not in the certificate. But using a host entry in the XML with a non-standard port definitely works.

This is one of my entries:

		<HostEntry>
			<HostName>Example Company</HostName>
			<HostAddress>vpn2.example.de:444</HostAddress>
			<UserGroup>LOC</UserGroup>
			<BackupServerList>
				<HostAddress>vpn1.example.de:444</HostAddress>
			</BackupServerList>
		</HostEntry>

Hi Karsten,

I tried to remove the https:// and now my XML looks like below. Still not working.

 

<ServerList>
        <HostEntry>
            <HostName>vpn</HostName>
            <HostAddress>xx.domainname.com:7799</HostAddress>
            <UserGroup>vpn</UserGroup>
        </HostEntry>
</ServerList>


@Karsten Iwen wrote:

Using the IP cannot work as the IP is not in the certificate. But using a host entry in the XML with a non-standard port definitely works.

This is one of my entries:

		<HostEntry>
			<HostName>Example Company</HostName>
			<HostAddress>vpn2.example.de:444</HostAddress>
			<UserGroup>LOC</UserGroup>
			<BackupServerList>
				<HostAddress>vpn1.example.de:444</HostAddress>
			</BackupServerList>
		</HostEntry>

 

I am not aware of any bug here, but if anything doesn't work, I would always try the actual software-version. And your AnyConnect is already slightly outdated.

 

And have you tried to remove all profiles on the PC and load the relevant profile again from the ASA?

Next question: Can you reproduce this with other PCs?
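
Added example, not part of the thread and not Cisco tooling: a small Python check that applies the two points raised in the replies (HostAddress written as host:port without "https://", and an IP literal not matching the name in the certificate) to every HostAddress in a profile's ServerList, backup servers included. The sample profile is constructed from the entries quoted above; the 192.0.2.10 backup address and the function names are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, assembled from the HostEntry snippets quoted in the thread.
SAMPLE_PROFILE = """<ServerList>
  <HostEntry><HostName>vpn</HostName>
    <HostAddress>https://xx.domainname.com:7799</HostAddress></HostEntry>
  <HostEntry><HostName>Example Company</HostName>
    <HostAddress>vpn2.example.de:444</HostAddress>
    <BackupServerList><HostAddress>192.0.2.10:444</HostAddress></BackupServerList>
  </HostEntry>
</ServerList>"""

def local(tag):
    """Drop any XML namespace prefix so namespaced profiles are handled too."""
    return tag.rsplit("}", 1)[-1]

def check_address(value):
    """Split one HostAddress value into (host, port, findings)."""
    findings = []
    addr = value.strip()
    if "://" in addr:
        findings.append("scheme prefix present; replies advise plain host[:port]")
        addr = addr.split("://", 1)[1]
    addr = addr.split("/", 1)[0]
    if addr.startswith("["):                  # bracketed IPv6: [addr]:port
        host, _, rest = addr[1:].partition("]")
        port = rest.lstrip(":") or "443"
    elif addr.count(":") == 1:                # name:port or IPv4:port
        host, port = addr.split(":")
    else:                                     # no port given: default 443
        host, port = addr, "443"
    if not port.isdigit():
        findings.append("port is not numeric")
        port = "0"
    try:
        ipaddress.ip_address(host)
        findings.append("IP literal; fails unless the certificate contains the IP")
    except ValueError:
        pass                                  # a DNS name, nothing to flag
    return host, int(port), findings

def audit_profile(xml_text):
    """Return (HostName, raw value, host, port, findings) per HostAddress."""
    results = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "HostEntry":
            continue
        name = next((c.text for c in entry if local(c.tag) == "HostName"), "")
        for node in entry.iter():             # primary and backup addresses
            if local(node.tag) == "HostAddress":
                results.append((name, node.text, *check_address(node.text or "")))
    return results
```

An empty findings list only means the entry has the form suggested in the replies; it does not confirm that the client will connect.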