I have an ASA 5515 running 9.1(1).
One of my customers is attempting to connect with AnyConnect 3.1.02040 and, after authenticating, he gets the message:
Failed to get configuration from secure gateway. Contact your system administrator.
I have about 100 other customers who have not had this issue and can connect fine.
Since it appears to be localized to his PC, he's uninstalled and reinstalled the client, but to no avail. He's using Windows 7 Pro.
On the ASA, while he is attempting to connect, I see this:
15:48:04|302014|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Teardown TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 to identity:<<<ASA IP>>>/443 duration 0:00:00 bytes 8241 TCP Reset-I
14:48:04|725007|<<<REMOTE IP>>>|51032|||SSL session with client outside:<<<REMOTE IP>>>/51032 terminated.
14:48:04|113039|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> AnyConnect parent session started.
14:48:04|734001|||||DAP: User etpdeir, Addr <<<REMOTE IP>>>, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
14:48:04|113008|||||AAA transaction status ACCEPT : user = etpdeir
14:48:04|113019|||||Group = ibmdtsc, Username = etpdeir, IP = 188.8.131.52, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:41s, Bytes xmt: 885580, Bytes rcv: 1343, Reason: Connection Preempted
14:48:04|716002|||||Group <GroupPolicy_AnyConnect> User <etpdeir> IP <<<<REMOTE IP>>>> WebVPN session terminated: Connection Preempted.
14:48:04|113009|||||AAA retrieved default group policy (GroupPolicy_AnyConnect) for user = etpdeir
14:48:04|113004|||||AAA user authentication Successful : server = 172.29.128.126 : user = etpdeir
14:48:04|725002|<<<REMOTE IP>>>|51032|||Device completed SSL handshake with client outside:<<<REMOTE IP>>>/51032
14:48:03|725001|<<<REMOTE IP>>>|51032|||Starting SSL handshake with client outside:<<<REMOTE IP>>>/51032 for TLSv1 session.
15:48:03|302013|<<<REMOTE IP>>>|51032|<<<ASA IP>>>|443|Built inbound TCP connection 495403 for outside:<<<REMOTE IP>>>/51032 (<<<REMOTE IP>>>/51032) to identity:<<<ASA IP>>>/443 (<<<ASA IP>>>/443)
Has there been any fix with this? We are now running into the same issue. Could it be a bad image that the devices are reaching for?
My fix is at the end of this.
-Problem Description: Users stating that a profile which has been working is now giving some users the message "Failed to get configuration from secure gateway. Contact your system administrator." when they attempt to connect to the VPN server/"secure gateway". This happens in both the clientless and AnyConnect clients.
-Fix: the profile.xml was not properly configured to match the Group Policy.
-ASDM setting: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
-CLI missing configuration: anyconnect profiles VPN_Group_Policy_Name disk0:/profile_filename.xml
If you are pulling from tftp then the disk0:/ command would be replaced accordingly.
Along with these, ensure that you have the latest Java update and it is a trusted site in the Java Control Panel. Ensure the Java and/or ActiveX settings will allow the profile to load off the VPN server by URL and ensure it is enabled like below.
For Example: group-url https://yourvpn.yourdomain.org/VPN_Group_Policy_Name enable
To add: anyconnect profiles VPN_Group_Policy_Name disk0:/profile_filename.xml you must enter the tunnel-group webvpn-attributes command first as shown below:
tunnel-group Group_Policy_Tunnel_Group_Name webvpn-attributes
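The three pieces that have to line up for a client profile to be delivered, as an added example that is not part of any post in this thread, laid out as the commands are normally entered on ASA 9.x. Every name, file name and URL is a placeholder (the group policy name is borrowed from the log in the first post), and the group policy is assumed to exist already.

```cisco
! Added example; all names are placeholders, not taken from a real device.
! 1. Register the profile XML under a profile name (global webvpn mode).
webvpn
 anyconnect profiles VPN_Group_Policy_Name disk0:/profile_filename.xml
!
! 2. Bind that profile name to the group policy the users land in.
!    The group policy is assumed to exist already.
group-policy GroupPolicy_AnyConnect attributes
 webvpn
  anyconnect profiles value VPN_Group_Policy_Name type user
!
! 3. Publish the group URL on the tunnel group.
tunnel-group Group_Policy_Tunnel_Group_Name webvpn-attributes
 group-url https://yourvpn.yourdomain.org/VPN_Group_Policy_Name enable
!
! Checks: the name after "profiles value" must match the name registered
! in step 1, and the XML file must actually be present on flash.
show running-config webvpn
show running-config group-policy GroupPolicy_AnyConnect
dir disk0:/profile_filename.xml
```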
I had this problem. For me the cause had to do with Internet Explorer TLS settings.
In IE8, go to Tools, Internet Options, Advanced, and under Security I had to make sure Use TLS 1.0 was checked (only Use SSL 3.0 and Use TLS 1.1 were checked. I left them checked.).
We had the same issue here too. The reason was that on the client there was an older version of AnyConnect installed, but an update of the client was not successful (maybe because of some security configuration on Windows, for example SRP or something of that kind ...). So the client disconnected to update (and reconnect with the updated version), but that never happened because the update failed ...
To enable (temporarily) the connectivity with the older version of the AnyConnect client, I configured the firewall to provide only the old version of the client to connecting PCs:
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 regex "Windows NT"
We will revert this configuration back to the new one when all old clients with that issue have been updated to the new version ...
The newer version of the client was still able to connect even after this configuration change, so this may be a temporary fix for you too ...
Failed to get configuration from AnyConnect client process. Contact your system administrator.
I got this problem on Ubuntu. There were 2 reasons behind this:
1. The first time I connected, I used a Wi-Fi network that required a VPN connection even to visit google.com. So it was not able to download the profile. There was no profile XML in the profiles folder. I connected to a network that had access to the public network. It then downloaded the profile XML.
2. Again I got the same error. This was due to starting AnyConnect without using sudo. I have to do "sudo ./vpnui" to start this every time. Otherwise it gives the same error.
Also, after it connects I had to set the network proxy before browsing anything. This is a manual step in the network preferences.
This might help Oracle internal users trying to configure VPN.