Cisco Anyconnect with Always on and SBL

dedwards
Level 1

For some reason I cannot get AnyConnect 3.0 to work with Always-on selected and SBL. When I log into the machine the VPN starts right up and asks for my password, but before logon I get: "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."


<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>medassurant.local</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>false
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.medxxxxx.com</HostName>
      <UserGroup>perspective_advantage</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>med.local</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>false
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.medassurant.com</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Please let me know if you have seen this before. From the guide it says that the cert on the ASA must be incorrect, but I am able to connect when logged into the machine. These are also Windows 7 64-bit machines.

3 Replies

dedwards
Level 1

Okay, someone let me know: does Always-on for AnyConnect not actually work? I spoke with TAC and they said there is a bug with the CRL and a load-balanced CRL name.

We are currently struggling with Always-on and CRL problems. We suspected a bug, so thanks for posting it!

I got the error message in your first post when the name on the ASA identity cert didn't match the entries in the client profile. The message is misleading, as it actually means the remote device isn't trusted. I had to put the FQDN of the ASA in both the HostName and HostAddress sections of the profile.
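The last reply's fix is a configuration-consistency check an admin can automate before pushing a profile: the name the client connects to must be a name on the ASA identity certificate, and the ASA FQDN belongs in both HostName and HostAddress. The script below is an added example, not code from this thread or from Cisco. It parses the ServerList of an AnyConnect profile with the standard library and reports HostEntry elements that lack a HostAddress, dial something that is not an FQDN, or dial a name absent from the certificate. The sample profiles, the example.test domain and the CERT_NAMES set are constructed for the example; in practice CERT_NAMES comes from the ASA's identity certificate.

```python
"""Check an AnyConnect client profile's ServerList against the names on the ASA
identity certificate. Constructed example; not code from the thread or from Cisco."""
import re
import xml.etree.ElementTree as ET

# AnyConnect profiles use this default namespace (visible in the profiles posted above)
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed: names the ASA identity certificate presents (CN plus SANs).
# In practice read them from the certificate, e.g. with: openssl x509 -noout -text
CERT_NAMES = {"vpn.example.test"}


def profile_with(host_entry_body):
    """Wrap a HostEntry body in a minimal profile (constructed; hypothetical domain)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">\n'
        "  <ServerList>\n    <HostEntry>\n" + host_entry_body +
        "    </HostEntry>\n  </ServerList>\n</AnyConnectProfile>\n"
    )


# Display name only: with no HostAddress the client dials "Corporate VPN" itself
PROFILE_DISPLAY_NAME_ONLY = profile_with("      <HostName>Corporate VPN</HostName>\n")
# The shape the last reply describes: the ASA FQDN in both HostName and HostAddress
PROFILE_FQDN_BOTH = profile_with(
    "      <HostName>vpn.example.test</HostName>\n"
    "      <HostAddress>vpn.example.test</HostAddress>\n")
# An address that resolves but is not a name on the certificate (e.g. a load-balancer alias)
PROFILE_ALIAS_ADDRESS = profile_with(
    "      <HostName>Corporate VPN</HostName>\n"
    "      <HostAddress>vpn-lb.example.test</HostAddress>\n")


def is_fqdn(host):
    """True for a dotted hostname of valid labels; rejects bare words and dotted-quad IPs."""
    labels = host.lower().split(".")
    if len(labels) < 2 or any(not re.fullmatch(r"[a-z0-9-]{1,63}", l) for l in labels):
        return False
    return not all(l.isdigit() for l in labels)


def name_matches(host, cert_name):
    """Case-insensitive match; a wildcard covers exactly one leftmost label."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name


def host_entries(profile_xml):
    """Yield (HostName, HostAddress) pairs from the profile's ServerList."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", default="", namespaces=NS).strip()
        addr = entry.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        yield name, addr


def check_profile(profile_xml, cert_names):
    """Return a list of findings; an empty list means the ServerList is consistent."""
    findings = []
    for name, addr in host_entries(profile_xml):
        if not addr:
            findings.append(f"HostEntry '{name}': no HostAddress, so the client dials the "
                            f"HostName value; add a HostAddress holding the ASA FQDN")
        target = addr or name  # what the client actually connects to
        if not is_fqdn(target):
            findings.append(f"HostEntry '{name}': connect target '{target}' is not an FQDN")
        elif not any(name_matches(target, c) for c in cert_names):
            findings.append(f"HostEntry '{name}': '{target}' is not a name on the ASA "
                            f"identity certificate ({', '.join(sorted(cert_names))})")
    return findings


if __name__ == "__main__":
    for label, xml in (("display name only", PROFILE_DISPLAY_NAME_ONLY),
                       ("FQDN in both", PROFILE_FQDN_BOTH),
                       ("alias address", PROFILE_ALIAS_ADDRESS)):
        print(f"== {label} ==")
        for f in check_profile(xml, CERT_NAMES) or ["OK"]:
            print("  " + f)
```

Run it against the real profile by reading the file into a string and passing the certificate's CN and SAN entries as cert_names; the wildcard rule follows the usual one-label convention, so a `*.example.test` certificate covers vpn.example.test but not a.vpn.example.test.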