04-29-2014 11:48 AM - edited 02-21-2020 07:37 PM
Experts,
We are in the process of replacing the Cisco IPSec (IKEv1) VPN client with the Cisco Secure AnyConnect Mobility Client using SSL. We are pre-deploying the VPN client with the vpnconfiguration.xml file to the end users; in this way we control the VPN settings for the users. We have also provided the FQDN (resolvable on the Internet) of our ASA firewall (VPN concentrator) in the vpnconfiguration.xml file.
When the user tries to connect using the vpnconfiguration.xml file, he receives the message "Invalid host entry. Please re-enter." Even if we put the IP address of the ASA firewall in the vpnconfiguration.xml file, we get the same error message.
However, if we manually enter the FQDN in the Cisco Secure AnyConnect Mobility Client.
We are not sure what we are missing.
Ds
04-29-2014 12:21 PM
Did you create the XML file manually or use the AnyConnect Profile editor?
Are you putting it (in place of the underscore) in the "<HostAddress>_______</HostAddress>" field of the XML file?
04-29-2014 12:57 PM
Marvin,
We are using the profile editor provided in the Cisco ASA firewall.
See the snapshot of the partial .xml file below. Let me know your thoughts.
<ServerList>
<HostEntry>
<HostName>XXX-VPN-Test-Users</HostName>
<HostAddress>XXX.XX.34.132</HostAddress>
<UserGroup>XXX-VPN-Test-Users</UserGroup>
</HostEntry>
</ServerList>
</AnyConnectProfile>
04-29-2014 01:25 PM
That snapshot looks OK re the host bit.
I do notice it is missing the "<PrimaryProtocol>SSL</PrimaryProtocol>" element (or it could say IPsec for an IKEv2 VPN) that I would also expect within the ServerList section. I have 20 profiles on my client (yes, 20 - I've worked on lots of client networks remotely) and every one of them has the PrimaryProtocol field populated. Here is a link to the Admin Guide reference on that section.
04-29-2014 02:47 PM
Marvin,
I am still getting the same error message. What am I missing?
<ServerList>
<HostEntry>
<HostName>XXX-VPN-Test-Users</HostName>
<HostAddress>XXX.XX.34.132</HostAddress>
<UserGroup>XXX-VPN-Test-Users</UserGroup>
<PrimaryProtocol>SSL</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Ds
04-30-2014 03:41 PM
Marvin,
I ended up opening a TAC case with Cisco. It appears that I was missing the following portion (highlighted in RED) in the tunnel-group configuration:
tunnel-group XXX-VPN-Test-Users webvpn-attributes
group-alias XXX-VPN-Test-Users enable
group-url https://XXX.XXX.XXX.XXX.XXX/XXX-VPN-Test-Users enable
I thought you would be interested in knowing.
Ds
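The fix above boils down to a consistency rule between two artefacts: every <HostEntry> in the client profile that carries a <UserGroup> needs a matching "group-url https://<HostAddress>/<UserGroup> enable" under a tunnel-group's webvpn-attributes on the ASA. The following Python script is an added example, not code from the thread, from Cisco or from the ASA profile editor; it applies that rule as a pre-deployment check. It parses a constructed AnyConnect profile and a constructed ASA configuration (hostnames, group names and the second HostEntry are made up for the example) and reports any entry the ASA would reject, which is the situation that produced the "Invalid host entry" error above.

```python
"""Cross-check an AnyConnect client profile's <ServerList> against the ASA
tunnel-group configuration it is deployed with.

Added example (not from the thread, not Cisco's tooling). The rule checked
is the one from the resolution: a HostEntry with a <UserGroup> only works
when the ASA has
    group-url https://<HostAddress>/<UserGroup> enable
under that tunnel-group's webvpn-attributes block.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (made up for this example) ---------------

PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>XXX-VPN-Test-Users</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>XXX-VPN-Test-Users</UserGroup>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Contractors</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Contractors</UserGroup>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# The second tunnel-group has a group-alias but no group-url, which is the
# gap the thread's TAC case turned up.
ASA_CONFIG = """tunnel-group XXX-VPN-Test-Users type remote-access
tunnel-group XXX-VPN-Test-Users webvpn-attributes
 group-alias XXX-VPN-Test-Users enable
 group-url https://vpn.example.com/XXX-VPN-Test-Users enable
tunnel-group Contractors type remote-access
tunnel-group Contractors webvpn-attributes
 group-alias Contractors enable
"""

ASA_CONFIG_FIXED = ASA_CONFIG + " group-url https://vpn.example.com/Contractors enable\n"

TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes\s*$")
URL_RE = re.compile(r"^\s+group-url\s+(\S+)\s+enable\s*$")


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_profile(xml_text: str) -> list[dict]:
    """Return one dict of child-element text per <HostEntry> in the profile."""
    entries = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) == "HostEntry":
            entries.append({_local(c.tag): (c.text or "").strip() for c in node})
    return entries


def parse_group_urls(asa_config: str) -> dict[str, set[str]]:
    """Map each tunnel-group to the group-urls enabled under its webvpn-attributes."""
    urls: dict[str, set[str]] = {}
    current = None
    for line in asa_config.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            urls.setdefault(current, set())
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the block
        elif current is not None and (m := URL_RE.match(line)):
            urls[current].add(m.group(1).lower().rstrip("/"))
    return urls


def check_profile_against_asa(xml_text: str, asa_config: str) -> list[str]:
    """Return one message per HostEntry the ASA configuration cannot serve."""
    problems = []
    all_urls = set().union(*parse_group_urls(asa_config).values())
    for entry in parse_profile(xml_text):
        name = entry.get("HostName", "<unnamed>")
        host = entry.get("HostAddress", "")
        group = entry.get("UserGroup", "")
        if not host:
            problems.append(f"{name}: missing <HostAddress>")
            continue
        if "PrimaryProtocol" not in entry:
            problems.append(f"{name}: no <PrimaryProtocol> (SSL or IPsec) set")
        if group:
            expected = f"https://{host}/{group}".lower()
            if expected not in all_urls:
                problems.append(
                    f"{name}: UserGroup '{group}' needs 'group-url {expected} enable' "
                    f"under a tunnel-group webvpn-attributes block on the ASA"
                )
    return problems


if __name__ == "__main__":
    for label, cfg in (("before fix", ASA_CONFIG), ("after fix", ASA_CONFIG_FIXED)):
        print(f"[{label}] {check_profile_against_asa(PROFILE_XML, cfg) or 'OK'}")
```

Run it against the real profile and a "show running-config tunnel-group" capture before pushing a profile to users; matching is done on the lower-cased URL, so a hostname typed in a different case than the group-url will still pass, while a missing or differently spelled UserGroup will be reported.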
04-30-2014 08:21 PM
Thanks for advising us of the resolution. It's difficult at times to give a good solution when only seeing snippets of the configuration. Your resolution helps show others the important bit here. +5
08-20-2014 08:06 AM
I can confirm that this solution worked for me as well. I used ASDM. This is how I did it.