cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1188
Views
0
Helpful
2
Replies

no luck with anyconnect 3.0 ike2 and asa 8.4.1, any suggestion

Hi to all , i'm trying to get a working config with anyconnect 3.0 and ike2 on asa 8.4.1.

It seems all ok, i configured the relevant part (the documentation is not so much clear and no examples at all at the moment), installed and imported the xml file into the pc, try to connect, the pc receives the digital certificates from asa, i accept it , and a pop-up for authentication cames up. I authenticate mysefl and the vpn starts to came up, but ends with this message :

Not calling vpn_remove_uauth: never added!
Called vpn_remove_uauth: failed!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL

this is the config from the firewall (very simple), any comment or suggestion will be cery appreciated

many thanks

hostname infologic
domain-name infologic.it
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.4.1.99 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!            
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.50.9 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 151.99.125.2
domain-name infologic.it
object network NETWORK_OBJ_10.4.1.0_24
subnet 10.4.1.0 255.255.255.0
object network NETWORK_OBJ_10.4.1.108_31
subnet 10.4.1.108 255.255.255.254
access-list split_tunnel standard permit 10.4.1.0 255.255.255.0
pager lines 24
mtu mgmt 1500
mtu inside 1500
mtu outside 1500
ip local pool infogroup 10.4.1.108-10.4.1.109 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.4.1.0_24 NETWORK_OBJ_10.4.1.0_24 destination static NETWORK_OBJ_10.4.1.108_31 NETWORK_OBJ_10.4.1.108_31
route outside 0.0.0.0 0.0.0.0 192.168.2.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.4.1.9 255.255.255.255 mgmt
http 10.4.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint TrustPoint0
enrollment self
subject-name CN=infologic
crl configure
crypto ca certificate chain TrustPoint0
certificate 047abf4d
    308201ed 30820156 a0030201 02020404 7abf4d30 0d06092a 864886f7 0d010105
    0500303b 31123010 06035504 03130969 6e666f6c 6f676963 31253023 06092a86
    4886f70d 01090216 16696e66 6f6c6f67 69632e69 6e666f6c 6f676963 2e697430
    1e170d31 31303530 33303335 3031395a 170d3231 30343330 30333530 31395a30
    3b311230 10060355 04031309 696e666f 6c6f6769 63312530 2306092a 864886f7
    0d010902 1616696e 666f6c6f 6769632e 696e666f 6c6f6769 632e6974 30819f30
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008bef57 c450574a
    0abfc343 7f59d620 18dcbe2f 93bd728b 04188098 88e983de e09e34c4 4c54bda4
    e64cf6c8 86b09c1c a5782768 65d50f73 c3aa3f38 7fd89a41 6813bab3 92abd1fd
    39401ff1 2534cc36 9427a38a d15988f8 c9521fa6 8888ed50 92faa2c3 c8fd8b9b
    6f6f7817 e8fee8cb 2af449e5 bf6bee80 67db92bc c5d9ad94 05020301 0001300d
    06092a86 4886f70d 01010505 00038181 008945de 795d81a8 4f7d50eb c6e20059
    3f8f0f99 682589a4 f2d05955 2b9168ca 34ac1dcf 98e2edf6 98f56d2e 80a6c3b6
    7491fca6 213d9b72 88c6e32e 8b9669d3 9ee1ab29 8dfc726f 6333eb40 8b07a83b
    fdb86aaf 27612692 d8767e8a d17e3920 bf7ca0fd 15dde98e 6dc8da72 a0d6ce72
    c7117712 c6d70c92 94c486cd d715e17a c9
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
anyconnect profiles infogroup_client_profile disk0:/infogroup_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 213.140.2.12
group-policy GroupPolicy_infogroup internal
group-policy GroupPolicy_infogroup attributes
wins-server none
dns-server value 208.67.222.222
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value infologic.it
webvpn
  anyconnect profiles value infogroup_client_profile type user
username tecnonet password eDACJqEScH5eIXJA encrypted
username tecnonet attributes
vpn-group-policy GroupPolicy_infogroup
tunnel-group infogroup type remote-access
tunnel-group infogroup general-attributes
address-pool infogroup
default-group-policy GroupPolicy_infogroup
tunnel-group infogroup webvpn-attributes
group-alias infogroup enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3a6df756aba271d14a297cfa75191404
: end

2 REPLIES 2
Herbert Baerten
Cisco Employee

Hi Massimilano,

if you still need help with this: does your client have the profile in its Profiles directory?

If not, either put it there manually, or allow the client to connect via SSL to download it:

group-policy GroupPolicy_infogroup attributes
   vpn-tunnel-protocol ikev2 ssl-client

If you configure the above, when the client has no profile it will use SSL to connect (instead of IKEv2), if it connects successfully it will download the profile, then when you disconnect you should be able to connect using ikev2.

hth

Herbert

i already installed the correct profile file in the correct path.

When i try to connect to asa, anyconnect is able to find the profile and contact tha asa. The strange thing is that seems all ok: contact the asa, negotiate ike2 , authethicate the user start ipsec, get an ip address, and after this the debug tells me that the client disconnects itself, and the client tells me no more communication with asa. Take care we are in lan environment so connection is an ethernet direct connection.

I will try in any case to add also ssl-client to the webvpn context.

thanks for the idea

Create
Recognize Your Peers
Content for Community-Ad