Failed to get configuration from secure gateway. Contact your system administrator

maweigel
Level 1

Hi,

I try to set up FlexVPN for AnyConnect to an ISR4331 headend.

I can successfully connect and build an IKEv2-based tunnel.

Then AnyConnect pops up the following error: Failed to get configuration from secure gateway. Contact your system administrator.

As I understand it, this error can have many causes. How can I debug this problem? AnyConnect seems to provide NO DEBUGGING SUPPORT?

How is the configuration transferred from the headend to the client? HTTPS? Inside or outside the tunnel?

Did the client receive the XML file and reject its contents?

Any help?

Matthias

 

9 Replies

Hi @maweigel

The physical routers do not support XML profile downloads, only the CSR1000v does. By default the AnyConnect client will try to download the latest XML profile from the FlexVPN Hub router and the connection will fail. This can be disabled:

  • Locate the AnyConnectLocalPolicy.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
  • Change the BypassDownloader value to True

HTH

Hi Rob,

Thanks for the tip, will try that.

Do you know if this is a bug or a feature?

Per this guide, profile download should be possible:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html#anc9

I have IOS-XE 16.9.6 on the ISR4331 headend.

Thanks!

Matthias

Hi Rob,

After I changed the BypassDownloader setting, the error message is now different:

"Automatic profile updates are disabled and the local VPN profile does not match the secure gateway VPN profile. Contact your system administrator."

In the profile XML file I have:

     <IKEIdentity>icn</IKEIdentity>

In the headend router config I have:

crypto ikev2 profile icn
  match identity remote key-id icn
  anyconnect profile icn

crypto vpn anyconnect profile icn bootflash:/blabla-vpn.xml

How can I debug AnyConnect profiles?

Hi There,

You need to remove the following line from the config for the crypto ikev2 profile:

anyconnect profile ***

and disable config download on the client.

This will then allow the VPN to build correctly.

Actually that document was using a virtual image "Cisco Cloud Services Router running IOS XE 16.9.2" when written and there is a Cisco Live presentation that also only said this worked with CSR1000v, not physical hardware.

When I previously tested, bypassing the downloader made it work for me.

maweigel
Level 1

Hi,

OK, I had to open a TAC case about this.

Turns out, the AnyConnect requirements are much more restrictive than I read from the docs.

1. The name of the profile file on the client must be acvpn.xml. NO OTHER NAME ALLOWED!

2. The name of the profile file on the router must be acvpn.xml. NO OTHER NAME ALLOWED!

3. The acvpn.xml on the router and on the client must be identical. Same content is not sufficient. Same md5 checksum (or similar) is required.

4. You cannot disable the checksum comparison. If the checksum is different, the connection fails. The BypassDownloader setting is irrelevant. If the XML files are different, the connection fails. The ISR4331 cannot be used for download anyway.

In summary, these "features" make AnyConnect pretty unusable for any nontrivial deployment. If you deploy it, you can NEVER EVER change anything, because acvpn.xml will have to be updated on all clients and the headend simultaneously.

Best Regards

Matthias
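A small troubleshooting helper for points 3 and 4 above, added here as an example; it is not from this thread or from Cisco. It assumes, following the post, that the client compares a checksum over the raw acvpn.xml bytes (MD5 here), and it uses constructed, simplified profile samples: two copies that mean the same thing but differ in comments and indentation, so they fail the byte-level check while still carrying the IKEIdentity the router's `match identity remote key-id` expects.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed, simplified acvpn.xml samples (not a complete AnyConnect profile); the router copy differs only by a comment and indentation.
CLIENT_ACVPN = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>icn</HostName>
      <IKEIdentity>icn</IKEIdentity>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
ROUTER_ACVPN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!-- re-indented on the headend -->
<AnyConnectProfile>
    <ServerList>
        <HostEntry>
            <HostName>icn</HostName>
            <IKEIdentity>icn</IKEIdentity>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
"""

def md5_hex(data: bytes) -> str:
    # Checksum over the raw bytes: the comparison the post says AnyConnect makes (assumed MD5).
    return hashlib.md5(data).hexdigest()

def canonical(data: bytes) -> bytes:
    # Re-serialise with comments and insignificant whitespace removed.
    root = ET.fromstring(data)
    for el in root.iter():
        el.text = (el.text or "").strip() or None
        el.tail = None
    return ET.tostring(root)

def ike_identity(data: bytes):
    # Must equal the router's 'match identity remote key-id' value.
    el = ET.fromstring(data).find(".//IKEIdentity")
    return el.text.strip() if el is not None and el.text else None

def check_profiles(client: bytes, router: bytes, router_key_id: str) -> dict:
    # Three checks to run when the client rejects the profile.
    return {
        "same_md5": md5_hex(client) == md5_hex(router),
        "same_meaning": canonical(client) == canonical(router),
        "key_id_matches": ike_identity(client) == router_key_id,
    }
```

A result of same_meaning True with same_md5 False is exactly the "same content is not sufficient" case: copy the file byte for byte instead of re-typing or re-formatting it.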

Hi Matthias,

Can you please share your working config for AnyConnect. I am trying on a Cisco 4321 IOS-XE but getting a connection failure even before it prompts me for username and password.

Thanks

maweigel
Level 1

Hi masterprince,

This is the second attempt at sending the config. My first reply, it seems, has gotten lost somewhere.

There will probably be more help for you if you create a new topic with your config and debug logs, so that many others will have a look at the problem.

Nevertheless, attached is a redacted and commented version of my working config.

Best Regards

Matthias

masterprince
Level 1

Thanks Matthias,

I will try and update.

Regards,

MP