03-25-2019 09:30 AM - edited 02-21-2020 09:36 PM
Hi There,
I am wanting to configure the XML for the VPN Management Tunnel in the new version of Anyconnect.
But I am getting this error: Management Connection State: Disconnected (invalid VPN configuration)
I have created the XML VpnMgmtTunProfile.xml and put it in the MgmtTun folder, but I noticed in the whitepaper it talks about potential issues if you have a different automatic VPN policy in the XML.
We don't enforce our users to connect to VPN on launch, so I don't have any auto connect config in the standard XML.
So in the MGMT XML I have put
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
Will this conflict with the standard XML, or should it connect and disconnect as normal according to the trusted DNS domains and servers?
Thanks
03-25-2019 12:13 PM
The TND settings for the user tunnel are not mandatory AFAIK, just preferred to be the same. According to the Admin guide:
For a consistent user experience, we recommend that you use identical TND settings in both user and management VPN tunnel profiles.
Your error message seems to be related to split tunneling config not being enabled on the GP connected to the management tunnel group. Again referencing the same guide:
Disconnected (invalid VPN configuration)—An invalid split tunneling configuration was encountered upon management tunnel establishment.
What does the ASA side config look like for the Management tunnel?
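As an added example (not code from the thread or from Cisco), a small Python check that parses two AnyConnect profile files and reports the TND elements that differ, which is the "identical TND settings" recommendation quoted above. The element names are the ones used in the thread; the profile layout and namespace follow a profile editor export and are assumptions, and the two sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# TND elements the admin guide recommends keeping identical between the
# user profile and the management tunnel profile (set assumed here).
TND_ELEMENTS = (
    "AutomaticVPNPolicy",
    "TrustedNetworkPolicy",
    "UntrustedNetworkPolicy",
    "TrustedDNSDomains",
    "TrustedDNSServers",
)

def _local(tag):
    """Strip the namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def tnd_settings(profile_xml):
    """Return {element_name: text} for every TND element in the profile."""
    found = {}
    for elem in ET.fromstring(profile_xml).iter():
        name = _local(elem.tag)
        if name in TND_ELEMENTS:
            # AutomaticVPNPolicy holds "true" plus child elements, so strip whitespace
            found[name] = (elem.text or "").strip()
    return found

def compare_tnd(user_xml, mgmt_xml):
    """List (element, user_value, mgmt_value) for settings that differ or are missing on one side."""
    user, mgmt = tnd_settings(user_xml), tnd_settings(mgmt_xml)
    return [(n, user.get(n), mgmt.get(n)) for n in TND_ELEMENTS if user.get(n) != mgmt.get(n)]

# Constructed samples mirroring the thread: user profile without an automatic
# VPN policy, management profile with TND enabled.
USER_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""

MGMT_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""

if __name__ == "__main__":
    for name, user_val, mgmt_val in compare_tnd(USER_PROFILE, MGMT_PROFILE):
        print(f"{name}: user={user_val!r} mgmt={mgmt_val!r}")
```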
03-26-2019 08:53 AM
Hey Rahul,
I got our network engineer to add the custom attribute ManagementTunnelAllAllowed and I'm still getting the invalid error.
What information specifically do you want from the ASA, as I don't have access and would need to ask our network guy to provide it.
Thanks
03-26-2019 10:12 AM
Tunnel-group and group-policy config on the ASA for management tunnel.
05-29-2019 01:35 AM
Hi Rahul,
Did you find any solution for this issue? I have exactly the same issue. I think I did all the config correctly but I get the same error.
Regards,
Laurent
05-29-2019 05:54 AM
Please post a screenshot of your AnyConnect Custom Attribute Names from ASDM.
05-29-2019 06:43 AM
05-29-2019 07:28 AM - edited 05-29-2019 07:29 AM
The Name should be "true" and the value should be "true". In your screenshot the Name=Value and the Values = "true/true"
The documentation for this is confusing.
See screenshot.
05-29-2019 07:48 AM - edited 05-29-2019 07:49 AM
I have tried with name true and value true but it didn't make a difference. My issue was related to IPv6 not enabled on the client as I described below. But the question is why does management VPN need IPv6 enabled on the client machine to work?
Regards,
Laurent
05-29-2019 07:44 AM - edited 05-29-2019 07:51 AM
Ok. It looks like the issue is related to IPv6. IPv6 was disabled on the local Windows 10 machine I was testing on and I could see in the Anyconnect logs (generated from diagnostics) that Anyconnect was complaining about IPv6 not being configured/activated on the client:
Sure enough IPv6 was disabled on the Windows 10 machine with a GPO. After we did enable it everything was working and the client was connected. I just want to understand why IPv6 is a requirement for management VPN to work, Cisco any info on that?
I have attached a full config of the setup if someone runs into the same issue :-)
Regards,
Laurent