
Cisco ASA 5525X Multi CTX Mode with AnyConnect Support

sven.schneider
Level 1

Hello @All,

I have an issue with my ASA 5525X and AnyConnect.

We have the following situation:

ASA 5525X with IOS 9.8.3

The ASA runs in CTX mode, one for Site2Site VPNs and one for AnyConnect users.

I have the Apex licenses installed on both ASA cluster members.

Now the problem: if I try to create a VPN to my ASA from a W10 notebook, the client gets the answer "Connection attempt has failed", and if I take a look in the log of the AnyConnect client I see the entry "no valid certificates available for authentication".

See the configuration for the admin CTX:

 

frw01/admin/pri/act# sh run webvpn
webvpn
anyconnect image shared:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 1
anyconnect image shared:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
anyconnect enable

 

The WebVPN is configured as standard, the same way I configure a standalone ASA.

I think I have an issue with the IOS version, but I can't find any information about this.

Does anyone have the same setup working, but with another IOS version?

Thanks for your help,

Sven


Marvin Rhoads
Hall of Fame

That error is most often due to the client not being able to access a local certificate that's required by the headend (ASA or FTD device).

Does your authentication method require a client certificate?

Are you a local admin on the Windows 10 client?

Hi Marvin,

The authentication for the VPN users is currently without a client cert. I don't know how to configure it? :)

I have two users on the W10 system:

1. Azure user with local admin rights

2. Local W10 admin user

I have tested both users, with the same result.

If I try to create a VPN to my ASA 5506X with RADIUS authentication for the user, the VPN works!

Extremely strange, this...

How can I check in the config whether I have client certificate authentication enabled?

- Sven

Hi Marvin,

I have added a screenshot from the ASDM.

You see client authentication Local is configured.

- Sven

Can you capture and share an AnyConnect DART file showing a failed login attempt?

If you cannot share it publicly you may want to open a TAC case instead.

Hello Marvin,

I think I really have a W10 problem. I have tested with my normal Apple device, a "MacBook Pro", and with it everything works fine and great.

I'll spend more time now to fix the issue with W10.

In the end it is not a problem with the ASA configuration; I have a problem with the W10 test client.

Thanks for your support.

Bye,

Sven

Hi,

I notice you do not have the Windows AnyConnect package uploaded to the ASA, only Mac and Linux. Upload the Windows pkg file... although the error does imply it's a certificate issue rather than a missing pkg file.

 

frw01/admin/pri/act# sh run webvpn
webvpn
anyconnect image shared:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 1
anyconnect image shared:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
anyconnect enable

 

HTH

Hi Rji,

Thanks for your hint :) This is the solution. I had already uploaded the image to the ASA but not configured it, because the customer deployed the VPN clients via SCCM and also updated the clients via SCCM.

From my point of view, I have not configured the pkg file in the webvpn config.

But now it works.

Thanks for your hint :)

Br,
Sven
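
Added example, not part of any post in this thread and not Cisco code: a small Python check that parses `sh run webvpn` output and reports client platforms with no `anyconnect image` line, which is the gap that was fixed above. The function name `audit_webvpn`, the required platform set, the token-to-platform mapping and the Windows package line are assumptions constructed for illustration.

```python
import re

# Matches e.g. "anyconnect image shared:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2"
IMAGE_RE = re.compile(
    r"^\s*anyconnect image \S*?anyconnect-([a-z0-9]+)-[\d.]+-webdeploy-k9\.pkg",
    re.IGNORECASE,
)
# Package-name token -> platform family (assumed mapping for this example).
FAMILY = {"win": "windows", "macos": "macos", "linux64": "linux", "linux": "linux"}
REQUIRED = {"windows", "macos", "linux"}  # assumption: platforms the site must serve


def audit_webvpn(config_text, required=REQUIRED):
    """Report which client platforms have an image configured under webvpn."""
    platforms, unparsed, enabled = set(), [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower() == "anyconnect enable":
            enabled = True
        elif line.lower().startswith("anyconnect image"):
            m = IMAGE_RE.match(line)
            if m:
                token = m.group(1).lower()
                platforms.add(FAMILY.get(token, token))
            else:
                unparsed.append(line)  # unknown naming scheme: review by hand
    return {
        "enabled": enabled,
        "platforms": sorted(platforms),
        "missing": sorted(set(required) - platforms),
        "unparsed": unparsed,
    }


# Output quoted from the thread's original post.
THREAD_CONFIG = """\
frw01/admin/pri/act# sh run webvpn
webvpn
anyconnect image shared:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 1
anyconnect image shared:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
anyconnect enable
"""
# Constructed line (not from the thread) showing the config after the fix.
FIXED_CONFIG = THREAD_CONFIG + (
    "anyconnect image shared:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 3\n"
)

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_webvpn(cfg))
```

In multiple-context mode, run the check against the output of each context that terminates AnyConnect sessions, since `webvpn` is configured per context.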