11-28-2014 10:20 AM - edited 02-21-2020 07:57 PM
I am trying to set up my ASA firewall to accept AnyConnect VPN connections from an XP client running in VMware ESXi 5.1.
Does anyone know if this is even possible?
If this helps any - from an internal XP Virtual Machine, I can run ASDM to manage the firewall.
ASA IOS 9.2(2)
ASDM 7.2(2)
In my physical environment:
I have proven my VPN setup is functional between the ASA and physical XP laptop.
The physical laptop running XP can make a successful AnyConnect VPN connection to the ASA. This VPN session works as expected as I can access the LAN and all servers on the inside LAN of the ASA once the VPN session is established.
Thank you
Frank
11-28-2014 06:39 PM
There's no reason I can think of offhand. I run AnyConnect clients from XP VMs on ESXi frequently with no trouble. Is there anything special about the vSwitch configuration on the ESXi host or the network configuration of the VM? At what point does the AnyConnect login fail? Are you getting past the AnyConnect login in the web browser?
12-01-2014 05:39 AM
Hi,
Thanks, here is the sequence of events:
I open the Cisco AnyConnect Secure Mobility Client (anyconnect-win-3.1.05170)
I click on the "Connect" button
I am prompted for a username and password, I enter both
In the AnyConnect Secure Mobility Client VPN Message History dialog window
I am then presented with:
AnyConnect Secure Mobility Client Downloader error message:
Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.
Thanks again for any help
Frank
12-01-2014 05:51 AM
This sounds more like a permissions problem with the profile folder than a problem with the VM itself. Try renaming the following folder and creating a new one in its place to see if that clears things up.
%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
12-01-2014 10:04 AM
Hi Jody,
I de-installed and reinstalled, no change.
I noticed the client profile (CP112414_client_profile.xml) was not being copied to the Cisco PROFILES folder on my VM XP client PC so I manually copied it there.
Now when I try to connect, I get this error message that I think might be a VMware error message but wanted your take before moving there.
"The VPN connection was started by a remote desktop user whose remote console has been disconnected. It is presumed the VPN routing configuration is responsible for the remote console disconnect. The VPN connection has been disconnected to allow the remote console to connect again. A remote desktop user must wait 90 seconds after VPN establishment before disconnecting the remote console to avoid this condition"
Thanks once again!
Frank
12-01-2014 10:11 AM
Sounds like you still have a problem with the profiles folder. Uninstalling and reinstalling doesn't touch the profiles folder, so that wouldn't have done anything.
The profile is copied when AnyConnect establishes a successful connection, so if you manually copied the profile, it's going to assume it's working with an old copy and you're likely to get errors like this one.
Have you compared the permissions between this VM's profiles folder and the one on your working machine?
12-01-2014 11:16 AM
Both XP clients (logical and physical) use the same profile. The ASA AnyConnect setup only has a single profile.
Topology:
XP(vm)-----vlan2(10.0.0.0)----ASA----vlan6(192.168.1.0)----vmware_ESXi
As far as permissions, the Cisco folder is read-only on both and cannot be changed; next is the Profile folder, which is clear of attributes, as is the actual profile file.
I think there is a communication problem between the VPN tunnel establishment and the VMware communications; when AnyConnect tries to establish a VPN tunnel, communication with the XP VM host is cut, which produces the previous error. I just don't know how to go about fixing it. I guess more research.
Thanks again for your help
Frank
12-01-2014 11:27 AM
So if you check the permissions as follows on the working one and the non-working one, they're identical?
C:\>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\ProgramData\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
12-01-2014 12:09 PM
Hi Jody,
My vm XP and physical XP attributes are identical BUT do not match yours.
Not sure what this means? :-|
Any ideas?
BTW, my XP clients are operating as standalone, i.e. no Windows domain.
! VM XP
C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
C:\Documents and Settings\me>
! Physical PC
C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
C:\Documents and Settings\me>
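The comparison asked for above (same ACEs on the working and the non-working box?) is easier to do mechanically than by eye, especially once (ID) inherited flags and multi-line "special access" entries are involved. The following is an added example, not code from this thread or from Cisco: it parses `cacls` output as pasted here, drops the (ID) marker by default, and reports which ACEs differ. The VM capture is the one posted above (the physical-PC capture on the page is identical, so it is reused); the third capture is constructed only to show what a difference looks like.

```python
"""Parse two `cacls` captures and diff their ACEs (added example, not from the thread)."""
import re
from typing import FrozenSet, List, NamedTuple, Tuple

# One ACE as cacls prints it: "BUILTIN\Users:(OI)(CI)R", "BUILTIN\Administrators:F"
# or "BUILTIN\Users:(CI)(special access:)" (its rights follow on later lines).
# The trustee is one account name with at most one backslash, so the folder path
# that cacls prints in front of the first ACE is not swallowed into the trustee.
ACE_RE = re.compile(
    r"(?P<trustee>[A-Z][A-Z ]*(?:\\[A-Za-z ]+)?):"
    r"(?P<flags>(?:\([A-Z]+\))*)"
    r"(?P<perm>[A-Z]+|\(special access:\))\s*$"
)
RIGHT_RE = re.compile(r"^\s*([A-Z_]+)\s*$")  # e.g. FILE_WRITE_DATA under "special access"


class Ace(NamedTuple):
    trustee: str
    flags: FrozenSet[str]    # OI = object inherit, CI = container inherit, IO = inherit only
    rights: FrozenSet[str]   # {"F"}, {"C"}, {"R"} or a set of FILE_* special rights


def parse_cacls(text: str, ignore_inherited: bool = True) -> List[Ace]:
    """Turn cacls output into a list of ACEs; lines that are not ACEs are skipped."""
    aces: List[Ace] = []
    special = None            # (trustee, flags) of an ACE whose rights are still being read
    pending: List[str] = []

    def flush() -> None:
        nonlocal special, pending
        if special is not None:
            aces.append(Ace(special[0], special[1], frozenset(pending)))
        special, pending = None, []

    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            flush()
            flags = set(re.findall(r"\(([A-Z]+)\)", m.group("flags")))
            if ignore_inherited:
                flags.discard("ID")  # (ID) only records that the ACE was inherited
            if m.group("perm").startswith("("):
                special = (m.group("trustee").strip(), frozenset(flags))
            else:
                aces.append(Ace(m.group("trustee").strip(), frozenset(flags),
                                frozenset([m.group("perm")])))
        else:
            r = RIGHT_RE.match(line)
            if r and special is not None:
                pending.append(r.group(1))
    flush()
    return aces


def diff_acls(a: List[Ace], b: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """ACEs present only in a, and only in b (order within the DACL is ignored)."""
    key = lambda e: (e.trustee, sorted(e.flags), sorted(e.rights))
    return sorted(set(a) - set(b), key=key), sorted(set(b) - set(a), key=key)


def rights_of(aces: List[Ace], trustee: str) -> FrozenSet[str]:
    """Union of everything the DACL grants a trustee directly."""
    return frozenset().union(*(e.rights for e in aces if e.trustee == trustee))


# Copied from the XP VM capture posted above; the physical-PC capture is identical.
VM_CAPTURE = r"""
C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
"""
PHYSICAL_CAPTURE = VM_CAPTURE

# Constructed variant (not from the thread): the create-file grant for Users is missing.
BROKEN_CAPTURE = r"""
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
"""

if __name__ == "__main__":
    vm, phys, broken = (parse_cacls(t) for t in (VM_CAPTURE, PHYSICAL_CAPTURE, BROKEN_CAPTURE))
    print("vm vs physical:", diff_acls(vm, phys))
    print("vm vs broken:  ", diff_acls(vm, broken))
```

Read the Users entries the way the parser does: (OI)(CI)R gives every user read on the folder and everything under it, while the (CI)-only "special access" entry grants create-file/append/attribute rights on the folder itself and on sub-folders, not on existing files. Pass `ignore_inherited=False` if you want inherited ACEs (the (ID) ones in the reply above) to count as a difference.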
12-01-2014 12:12 PM
The important thing was that they matched each other rather than mine, so I wouldn't worry about that. Do you get the same behaviour with 3.1.05187?
Also, just to be sure, your XP VMs are using bridged connections to the LAN, correct?
12-01-2014 12:28 PM
Yes, bridged.
The internal and external vm hosts are using the same physical VMware ESXi host interface. This interface is trunked to a Cisco switch (SW1). The Internal hosts use 192.168.1.0/24 vlan 2 while the external hosts use 10.0.0.0/24 vlan 6. The ASA inside interface plugs into this same switch (SW1).
Internal vm hosts (192.168.1.0/24):
External vm hosts (10.0.0.0/24):
I have not upgraded yet but I guess since nothing else is working, I could try.
:)
Thanks again for your help. Despite the learning curve, I am learning!!! And hopefully I (We) will get this thing going!
Thanks
Frank
12-02-2014 06:26 AM
GOOD NEWS!!!!!!!!!!!!! IT WORKS!!!!!!!! :)
Using the ESXi vSphere 5.1 Hypervisor client, via a console login, my XP vm can establish an AnyConnect VPN session. I can access the internal LAN and internal servers! All are HAPPY!
I am still using Cisco AnyConnect Secure Mobility Client (anyconnect-win-3.1.05170).
THANKS
Frank
12-02-2014 06:53 AM
Good to hear! What changed?
12-02-2014 09:27 AM
Hey Jody,
Nothing changed except the access method.
In all previous attempts I RDPed into the XP VM and then attempted to establish an AnyConnect VPN, which failed.
In this attempt I connected to the physical VM box via the VMware vSphere Hypervisor client and then opened a console window to the XP VM.
I just noticed if the ASA user Connection Profile date is out of sync with the XP vm profile, you receive the:
AnyConnect Secure Mobility Client Downloader error message:
Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.
And of course a manual copy of the Connection Profile from the ASA to XP vm fixes this issue. Not optimal but it does resolve most of my issues.
Would be nice to know how to run AnyConnect VPN on XP vm via RDP.
Thanks again for your assistance
Frank
12-02-2014 10:24 AM
Ah... this was the first I heard about using RDP. Are you RDPing to the machine that was working or using it directly?
Normally, to establish an AnyConnect session from an RDP session, you need to relax the security policy in the profile. Has this been done?
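The "security policy in the profile" referred to above is the `WindowsVPNEstablishment` element in the client profile's `ClientInitialization` section: `LocalUsersOnly` (the default) refuses to bring up the tunnel from a remote desktop session, `AllowRemoteUsers` permits it. The following is an added example, not code from this thread or from Cisco: it reads that setting from a profile (handling the profile's default XML namespace, which is what usually makes a naive `find("WindowsVPNEstablishment")` return nothing), rewrites it, and lists the head-ends the profile pins the client to. The profile below is a constructed minimal one with placeholder host names; a real profile exported from the ASA carries many more settings.

```python
"""Inspect and adjust WindowsVPNEstablishment in an AnyConnect client profile (added example)."""
import xml.etree.ElementTree as ET
from typing import List

NS = "http://schemas.xmlsoap.org/encoding/"   # default namespace of AnyConnect profiles
ET.register_namespace("", NS)                 # serialize without ns0: prefixes
ALLOWED = ("LocalUsersOnly", "AllowRemoteUsers")

# Constructed sample profile; host names are placeholders, not the thread's.
PROFILE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="{NS} AnyConnectProfile.xsd">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>example-asa</HostName>
      <HostAddress>asa.example.net</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _tag(name: str) -> str:
    """Qualify an element name with the profile's default namespace."""
    return f"{{{NS}}}{name}"


def vpn_establishment(profile_xml: str) -> str:
    """Current WindowsVPNEstablishment; an absent element is treated as LocalUsersOnly (the default)."""
    root = ET.fromstring(profile_xml)
    el = root.find(f"./{_tag('ClientInitialization')}/{_tag('WindowsVPNEstablishment')}")
    return (el.text or "").strip() if el is not None else "LocalUsersOnly"


def allows_rdp_origin(profile_xml: str) -> bool:
    """True if the client will bring up the tunnel from a remote desktop session."""
    return vpn_establishment(profile_xml) == "AllowRemoteUsers"


def set_vpn_establishment(profile_xml: str, value: str) -> str:
    """Return the profile with WindowsVPNEstablishment set to `value`, creating it if absent.

    The XML declaration is not re-emitted; add it back when writing the file out.
    """
    if value not in ALLOWED:
        raise ValueError(f"WindowsVPNEstablishment must be one of {ALLOWED}, got {value!r}")
    root = ET.fromstring(profile_xml)
    init = root.find(_tag("ClientInitialization"))
    if init is None:
        init = ET.SubElement(root, _tag("ClientInitialization"))
    el = init.find(_tag("WindowsVPNEstablishment"))
    if el is None:
        el = ET.SubElement(init, _tag("WindowsVPNEstablishment"))
    el.text = value
    return ET.tostring(root, encoding="unicode")


def server_hosts(profile_xml: str) -> List[str]:
    """HostAddress of every HostEntry, i.e. the head-ends the profile pins the client to."""
    root = ET.fromstring(profile_xml)
    return [h.text.strip() for h in root.iter(_tag("HostAddress")) if h.text]


if __name__ == "__main__":
    print("RDP-originated VPN allowed:", allows_rdp_origin(PROFILE_XML))
    print("head-ends:", server_hosts(PROFILE_XML))
    relaxed = set_vpn_establishment(PROFILE_XML, "AllowRemoteUsers")
    print("after relaxing:", vpn_establishment(relaxed))
```

Make the change in the profile on the ASA rather than in the client's Profile folder: as noted earlier in the thread, the client receives the ASA's copy at connect time, so a locally edited profile is overwritten or treated as stale. Keep in mind what relaxing the policy buys you: the 90-second message quoted above is the client tearing down a tunnel whose routing changes severed the very RDP session that started it, so without split tunneling (or a tunnel that excludes the RDP path) an RDP-originated session will still be cut off.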