04-29-2014 01:01 PM
Hi,
I've recently come across a problem with our 5505 that will not allow VPN access, neither clientless or Anyconnect. I have our 5510 with the same VPN config, and it works fine. I've been trying all weekend to figure this out.
When I try to access the 5505 with clientless, I don't even get the login page, just a "File not found", being redirected to URL https://123.123.123.12/admin/public/index.html.
When I try to access with the Anyconnect client, I get a "user not authorized for Anyconnect Client access", regardless of the device used: Windows, Android, iOS.
I have removed all remote access config from the 5505 and recreated it line for line from the 5510, same results. Both are using Security+ and have licenses for Anyconnect Premium.
Maybe it's me, but I cannot see anything wrong in my VPN config:
webvpn
 port 445
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect profiles Information-Tech_client_profile disk0:/Information-Tech_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.7 192.168.1.8
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value SKYscc.net
 vlan 1
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_12.12.12.12 internal
group-policy GroupPolicy_12.12.12.12 attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-all-dns disable
group-policy GrPol-InfoTech internal
group-policy GrPol-InfoTech attributes
 banner value You are accessing a secure system. If you are not authorized to access this system, please disconnect from it immediately.
 banner value If you are authorized, please note that any and all activity performed while connected to this network will be logged.
 banner value This connection profile is restricted to SKY IT staff only.
 wins-server none
 dns-server value 192.168.1.7 192.168.1.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-All-Admin
 default-domain value SKYscc.net
 split-tunnel-all-dns disable
 address-pools value HO-remote-pool
group-policy InfoTech-Clientless internal
group-policy InfoTech-Clientless attributes
 banner value This VPN profile is for access by SKY Information Technology only in case of a gateway outage.
 vpn-filter value Inside-All-Admin
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value RDS-Emergency
  filter value RDS-repair-only
  url-entry enable
username sonny password 3333333 encrypted
username sonny attributes
 service-type remote-access
username mister password 1111111 encrypted
username mister attributes
 service-type remote-access
username infotechSOS password 2222222 encrypted
username infotechSOS attributes
 vpn-group-policy DfltGrpPolicy
 group-lock value Infotech-SOS-profile
 webvpn
  url-list value RDS-Emergency
username skyadm password 44444444 encrypted privilege 15
username skyadm attributes
 vpn-group-policy GrPol-InfoTech
username contract1 password /555555555 encrypted
username contract1 attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 authorization-required
tunnel-group Infotech-SOS-profile type remote-access
tunnel-group Infotech-SOS-profile general-attributes
 default-group-policy InfoTech-Clientless
tunnel-group Infotech-SOS-profile webvpn-attributes
 group-alias InfoTech-SOS-only enable
 group-url https://123.123.123.12/InfoTechSOS enable
 without-csd
tunnel-group 14.14.14.14 type ipsec-l2l
tunnel-group 14.14.14.14 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 general-attributes
 default-group-policy GroupPolicy_12.12.12.12
tunnel-group 12.12.12.12 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group InfoTech-Conn-Profile type remote-access
tunnel-group InfoTech-Conn-Profile general-attributes
 default-group-policy GrPol-InfoTech
tunnel-group InfoTech-Conn-Profile webvpn-attributes
 group-alias InfoTech-only enable
!
B
04-29-2014 01:31 PM
Does the 5505 have the AnyConnect image (anyconnect-win-3.1.05152-k9.pkg) and the profile file (Information-Tech_client_profile disk0:/Information-Tech_client_profile.xml) on disk0?
An Android or iOS-based client would also require the AnyConnect for Mobile license be installed on the ASA.
04-29-2014 01:32 PM
Thanks Marvin for the quick reply,
Again, after posting it I'm able to figure it out.
Line #2 was the problem, maybe left over from the previous admin. WebVPN port 445 changed to 443, then both are now working. I didn't see it until I compared the configs side by side in Excel.
Hopefully this helps someone else, as googling these errors didn't help much.
Brad
04-29-2014 01:41 PM
You're welcome.
That'll do it - I skimmed over that myself.
Whenever I compare a pair of configurations, I rely on a tool (ExamDiff is my tool of choice) as it will nicely highlight changed or missing lines.
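The root cause in this thread (a webvpn listener on port 445 instead of the default 443) and the fix method (a side-by-side config comparison) both lend themselves to a small, automated check. The following Python script is an added example, not code from Cisco or from either poster: it parses ASA-style configuration text into top-level commands with their indented sub-commands, reports the sub-command lines that exist in only one of two configs, and flags a webvpn port other than 443. The two sample configs are constructed from the snippet above; the 5510 one is assumed to be identical apart from the missing `port` line. Only the `webvpn` listener block is inspected; a `port` line under a `group-policy` or other block is not treated as the listener.

```python
"""Compare two Cisco ASA remote-access configs and flag a non-default webvpn port.

Added example for this thread. Not Cisco tooling and not the posters' own configs;
the two samples below are constructed from the snippet in the thread.
"""
import re

# Constructed sample: the 5505 webvpn block with the stray "port 445" line.
ASA_5505 = """\
webvpn
 port 445
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GrPol-InfoTech attributes
 vpn-tunnel-protocol ssl-client
"""

# Constructed sample: the working 5510, assumed identical except for the port line.
ASA_5510 = """\
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GrPol-InfoTech attributes
 vpn-tunnel-protocol ssl-client
"""


def parse_blocks(config: str) -> dict:
    """Group config text into {top-level command: [indented sub-command lines]}.

    ASA indents sub-commands with leading spaces; comment lines start with '!'.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            # Sub-command (any nesting depth) belongs to the last top-level command.
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def webvpn_port(config: str) -> int:
    """Return the webvpn listener port; the ASA default is 443 when no 'port' line is set."""
    for line in parse_blocks(config).get("webvpn", []):
        m = re.fullmatch(r"port (\d+)", line)
        if m:
            return int(m.group(1))
    return 443


def check_webvpn_port(config: str) -> list:
    """Flag a listener that is not on 443: browsers and AnyConnect reach https://<asa>/
    on 443 unless the URL or client profile names another port, so a portal on 445
    is simply never hit."""
    port = webvpn_port(config)
    if port != 443:
        return [f"webvpn listens on {port}, not 443: https://<asa>/ will not reach the portal"]
    return []


def diff_configs(a: str, b: str) -> list:
    """List sub-command lines present in exactly one of the two configs, per block."""
    ba, bb = parse_blocks(a), parse_blocks(b)
    findings = []
    for block in sorted(set(ba) | set(bb)):
        la, lb = set(ba.get(block, [])), set(bb.get(block, []))
        findings.extend(f"only in A [{block}]: {line}" for line in sorted(la - lb))
        findings.extend(f"only in B [{block}]: {line}" for line in sorted(lb - la))
    return findings


if __name__ == "__main__":
    for finding in diff_configs(ASA_5505, ASA_5510):
        print(finding)
    for finding in check_webvpn_port(ASA_5505):
        print(finding)
```

Run against the two samples it prints the single differing line, `only in A [webvpn]: port 445`, followed by the port warning; the set-based comparison ignores line order, which is what you want when the two boxes list the same commands in a different sequence.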