Issues selecting connection profile (connection attempt has failed)

BoomShakaLak
Level 1

My client has been using split tunnel and I now want to introduce a second connection profile for tunneling all traffic.  I have configured the tunnel all profile exactly the same as the split tunnel, with the exception that the assigned group policy specifies tunnel all traffic instead of tunnel networks specified below.  I created a new client profile, set the server list with user group tunnelall and assigned it to the group policy associated with the tunnel all connection profile.

This setup is failing.  If I remove the user group entry from the client profile, the connection is successful; however, the connection profile chosen is the split-tunnel profile.  So the issue is with identifying the connection profile upon connection.  Am I missing a step?  One thing that is different is that the split tunnel profile does not have a user group defined.  I have been a bit wary in setting this so that users have a working solution until this is sorted.

Any ideas on how I might get this working?

9 Replies

Could you please share a screenshot of the user group entry you are referring to?

BoomShakaLak
Level 1

Hi @Aref Alsouqi 

Here is the screenshot

Screenshot 2024-10-15 103232.png

Thanks for this. Did you configure the right group URL under the tunnel group WebVPN attributes that matches the user group you configured under the profile?

BoomShakaLak
Level 1

Hmm...I do not see the group URL under webvpn in the running config, isn't this supposed to be created when the Alias is added?  Had a look through the connection profile and the only field that looks like it might be for the group URL is the URL Alias.  Tried entering vpn.myvpn.com:111/Tunnel_all but it throws an invalid URL error.

The configuration on the screenshot you shared belongs to the AnyConnect/Secure Client profile. That profile doesn't push any config to the firewall. Rather, it is an XML file that you will push to the clients via GPO or manually. From the firewall perspective, it should have configs matching this profile. For instance, you would have profiles 1 & 2 to be pushed to the clients, and on the firewall you would have the tunnel groups and group policies matching those profiles, so when a client connects it will land on the right tunnel group that you defined through the AnyConnect/Secure Client profile. Please take a look at this post of mine to show an example of this, but please note that the post is not related to the issue you are experiencing, it's just to show you an example of what I'm referring to:

AnyConnect Management Tunnel Disconnected (connect failed) (bluenetsec.com)

I understand what you said initially… the issue is that there is no configuration option for group URL. There is one for URL Alias, is that what is meant for this purpose?

What I meant by the right group URL under the tunnel group WebVPN attributes is similar to what you see in the link I shared, it is basically the part of the tunnel group config:

tunnel-group Mgmt_TG webvpn-attributes
 authentication certificate
 group-alias Mgmt_TG enable
 group-url https://acmgmttunn.mylab.local/Management enable

If you are configuring the group URL in FMC, then edit the connection profile and navigate to Alias, and there the URL Alias is equivalent to group URL.

--
Please remember to select a correct answer and rate helpful posts

BoomShakaLak
Level 1

Thanks guys, adding https://vpn.myvpn.com:111/Tunnel_All to the URL Alias in the connection profile solved the issue.
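
The mismatch resolved in this thread can be checked mechanically. The following is an added example, not code from the original posts or from Cisco: it reads the ServerList of a client profile and a running-config excerpt, and reports which tunnel group each UserGroup entry would land on and which have no enabled group-url. It assumes the client requests `https://<HostAddress>/<UserGroup>`; the profile, the config excerpts and the tunnel-group name `TunnelAll_TG` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # AnyConnect profile namespace
# Constructed sample client profile: only the second entry pins a UserGroup.
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ServerList>
<HostEntry><HostName>Split tunnel</HostName><HostAddress>vpn.myvpn.com:111</HostAddress></HostEntry>
<HostEntry><HostName>Tunnel all</HostName><HostAddress>vpn.myvpn.com:111</HostAddress>
<UserGroup>Tunnel_All</UserGroup></HostEntry>
</ServerList></AnyConnectProfile>"""

# Constructed running-config excerpts; the tunnel-group name is hypothetical.
CONFIG_BEFORE = "tunnel-group TunnelAll_TG webvpn-attributes\n group-alias TunnelAll_TG enable\n"
CONFIG_AFTER = CONFIG_BEFORE + " group-url https://vpn.myvpn.com:111/Tunnel_All enable\n"

def normalize(url):
    """Lower-case scheme and host; keep port and path exactly as written."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"

def profile_urls(profile_xml):
    """URLs the client is assumed to request: https://<HostAddress>/<UserGroup>."""
    urls = []
    for e in ET.fromstring(profile_xml).iterfind(".//ac:HostEntry", NS):
        host = e.findtext("ac:HostAddress", "", NS).strip()
        group = e.findtext("ac:UserGroup", "", NS).strip()
        if host and group:  # entries without a UserGroup request no group URL
            urls.append(f"https://{host}/{group}")
    return urls

def enabled_group_urls(running_config):
    """Map each enabled group-url to the tunnel group it is configured under."""
    urls, group = {}, None
    for line in map(str.strip, running_config.splitlines()):
        if m := re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", line):
            group = m.group(1)
        elif group and (m := re.fullmatch(r"group-url (\S+) enable", line)):
            urls[normalize(m.group(1))] = group
    return urls

def check(profile_xml, running_config):
    """Return (landing, missing) for every UserGroup URL in the profile."""
    fw = enabled_group_urls(running_config)
    wanted = profile_urls(profile_xml)
    landing = {u: fw[normalize(u)] for u in wanted if normalize(u) in fw}
    return landing, [u for u in wanted if u not in landing]

print(check(PROFILE, CONFIG_BEFORE), check(PROFILE, CONFIG_AFTER))
```

The path is compared exactly, so `Tunnel_all` and `Tunnel_All` are reported as different URLs and show up in the missing list for review.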