Issues migrating from IPsec client to AnyConnect client, IKE v1/2 conflict on the ASA5500?

nmfoxton
Level 1

Simple story....

Hardware: Cisco ASA5500, Version 8.4(3)

We're obviously planning migration from the old ipsec vpn client to the AnyConnect V3 client, enabling preconnect posturing at the same time.

We have over 3000 laptops with the old client installed working fine, so we need to migrate running both clients at the same time.

By policy we prefer IPsec as the encryption so will continue with this.

As preparatory work I enabled the AnyConnect user profiles on the ASA5500.

I have tested this in our testlab without issue.

However, on the live hardware we immediately ran into problems and our support engineers needed to raise a case (ref 622041287) to help resolve the issues. The wording of the fault clearance is:

"we saw that IKEv2 was configured on the group policy, and IKEv1 was configured on the tunnel group, and believe that is the conflict that is preventing connections.

We removed IKEv2 from the group policy on cnell-asa-01 and we saw several users connect to group-secid, so all seems to be back as it was before the recent change."

From the appearance of the logs it appears that indeed the IKE v2 configuration was conflicting with the current clients.

Of course this could simply be a configuration error, but as I have tested the same configuration without error in the testlab on the same hardware and software, I'm struggling to figure out where we went wrong. I am using the same group policies for AnyConnect and IPsec.

Actually I've just noticed in the Group Policies that I didn't have IKE v2 enabled in the defaultra group. So there was a mismatch when enabling AnyConnect profiles, as they use IKE v2, and the group policies didn't have IKE v2 enabled ... doh!

Is my assumption / logic correct there?

1 Reply

Jennifer Halim
Cisco Employee

Yes, you are correct.

The old IPSec VPN Client only uses IKEv1, while the AnyConnect client only supports IKEv2, which is why it clashes when you have both enabled.
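The mismatch described in the question and the reply comes down to where each setting lives on the ASA: the permitted tunnel protocols are a group-policy attribute, while the IKEv1 pre-shared key and the IKEv2 authentication method are tunnel-group attributes. The fragment below is an added illustration, not configuration from this thread or from Cisco; the group name group-secid is taken from the thread, while the group-policy name, trustpoint name and interface name are assumptions.

```cisco
! Before: group policy permits IKEv1 only, so the legacy IPsec client connects
! but AnyConnect (IKEv2/IPsec) is rejected at group-policy protocol check time.
group-policy GP-SECID attributes
 vpn-tunnel-protocol ikev1
!
! After: both protocols allowed on the same group policy that both clients share.
group-policy GP-SECID attributes
 vpn-tunnel-protocol ikev1 ikev2
!
! The tunnel group keeps the IKEv1 pre-shared key for the 3000 legacy clients
! and adds IKEv2 certificate authentication for AnyConnect; one does not replace
! the other, so both clients can run side by side during the migration.
tunnel-group group-secid type remote-access
tunnel-group group-secid general-attributes
 default-group-policy GP-SECID
tunnel-group group-secid ipsec-attributes
 ikev1 pre-shared-key <legacy-client-psk>
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASA-TRUSTPOINT
!
! Both IKE versions must also be enabled on the outside interface
! (client-services is what AnyConnect uses to download its profile).
crypto ikev1 enable outside
crypto ikev2 enable outside client-services port 443
```

To confirm the live box matches the lab, compare `show running-config group-policy GP-SECID` and `show running-config tunnel-group group-secid` on both units before enabling the AnyConnect profiles.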