cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3582
Views
0
Helpful
32
Replies

IKEv2 vs DTSL1.2

KGrev
Level 4
Level 4

Hi,

We are testing upgrading from a very old version of Cisco Anyconnect (4.6)

To a Newer 4.10 version due to DH group limitations.

When testing the newer version, the client no longer connects as Ikev2 IPSec connection and looks to be "Anyconnect-Parent SSL-Tunnel DTLS-Tunnel.

Is there a knowledgeable person that can explain to me if this is a good expected result and if this is the path forward for the anyconnect client? Sorry I'm still learning.

32 Replies 32

@KGrev so are you using the exact some XML profile on both laptops? if not copy the profile from the laptop that is working to the other laptop. You can also upload the profile to the ASA, when the user connects to the VPN they will automatically download the profile.

Or its because my old file is an XML profile and the default profile it provides is an XSD profile. Maybe I should transfer config changes to the XSD file. Maybe it doesnt accept xml files anymore?

@KGrev use the XML format for the profile

Or if you create a new profile using the profile editor, it saves the file in XML profile as default. Place that in the correct folder, restart the client and the profile will appear and you connect.

@Rob IngramAll current testing was done with both laptops having the previous profile saved in the same locations. However, it is a profile from 4.6. When I look at the default profile for 4.10 it is a very different thing.

Where is the profile editor? I dont think I see that in the install file.

@Rob IngramI'm a little bewildered at this point. I used the Profile editor to create the profile that mirrors the profile already on the ASA. I compared them in Notepad++ and they are almost identical minus the newer version having a few lines for Linux devices. Both say to use an IPSec connection.

When I put this profile in the profile folders it yields the same result. It connects with a DTLS connection.

If I remove everything from the Profiles folder then allow it to connect to the ASA and automatically download the profile given from the ASA, then disconnect and reconnect, it is still at a DTLS connection.

do you check the link I share below, this default behave in new Anyconnect Ver. 

@MHM Cisco Worldyes thank you for the link. I looked through it and the symptoms seem to reflect similar issues but wouldnt the correct profile on the client side fix these issues? There have been no changes on the ASA side.

<?xml version="1.0" encoding="UTF-8"?>

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">

  <ServerList>

    <HostEntry>

      <HostName>vpn.example.com (IPsec)</HostName>

      <HostAddress>203.0.113.10</HostAddress>

      <PrimaryProtocol>IPsec</PrimaryProtocol>

    </HostEntry>

  </ServerList>

</AnyConnectProfile>

even the PrimaryProtocol is IPsec the Anyconnect try both. 

@MHM Cisco WorldHere is whats in my profile

<ServerList>
<HostEntry>
<HostName>XXXX-EXT-FW1</HostName>
<HostAddress>X.X.X.X</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>false</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>

@Rob IngramSo I figured I'd do a fresh install as I think this version was installed while the previous version was still installed.

I uninstalled the client , restarted the laptop, then installed 4.10 again. When the software started it still had the server name filled in when it booted. Its like it is using old settings from somewhere. I also deleted the cisco folder from ProgramData.

Delete the preferences file(s) in your profile, which has the cached the settings and restart.

Is the display name the FQDN of the ASA, you may have previously just connected to the ASA using TLS and this is cached. Just create a new XML profile, with a different display name using IPSec, so you know you are connecting to a new profile.

@Rob IngramOk that answered that. Deleting the Pref emptied the address bar. However I am having the same results. But I can see in the logs that IKEv2 negotiation aborted due to Error: failed to find a matching policy.

The policy I have is DH Group: (All for testing)

Encryption: AES 256

Integrity Hash: Sha 256

Prf Hash: Sha 256

 

@Rob IngramHere is some debug of the ike neg failing.

 

remote access have two type 
one is remote access IPsec IKEv2
other is SSL/TLS remote access 
so it depend on config of tunnel/group the user hit