No VPN access from one of 2 ASA devices - same VPN config

Brad Hodgins
Level 1

Hi,

I've recently come across a problem with our 5505 that will not allow VPN access, neither clientless nor AnyConnect. I have our 5510 with the same VPN config, and it works fine. I've been trying all weekend to figure this out.

When I try to access the 5505 with clientless, I don't even get the login page, just a "File not found", being redirected to URL https://123.123.123.12/admin/public/index.html.

When I try to access with the Anyconnect client, I get a "user not authorized for Anyconnect Client access", regardless of the device used; Windows, Android, IOS.

I have removed all remote access config from the 5505 and recreated it line for line from the 5510, same results. Both are using Security+ and have licenses for Anyconnect Premium.

Maybe it's me, but I cannot see anything wrong in my VPN config:

webvpn
 port 445
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect profiles Information-Tech_client_profile disk0:/Information-Tech_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.7 192.168.1.8
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value SKYscc.net
 vlan 1
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_12.12.12.12 internal
group-policy GroupPolicy_12.12.12.12 attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-all-dns disable
group-policy GrPol-InfoTech internal
group-policy GrPol-InfoTech attributes
 banner value You are accessing a secure system. If you are not authorized to access this system, please disconnect from it immediately.
 banner value If you are authorized, please note that any and all activity performed while connected to this network will be logged.
 banner value This connection profile is restricted to SKY IT staff only.
 wins-server none
 dns-server value 192.168.1.7 192.168.1.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside-All-Admin
 default-domain value SKYscc.net
 split-tunnel-all-dns disable
 address-pools value HO-remote-pool
group-policy InfoTech-Clientless internal
group-policy InfoTech-Clientless attributes
 banner value This VPN profile is for access by SKY Information Technology only in case of a gateway outage.
 vpn-filter value Inside-All-Admin
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value RDS-Emergency
  filter value RDS-repair-only
  url-entry enable
username sonny password 3333333 encrypted
username sonny attributes
 service-type remote-access
username mister password 1111111 encrypted
username mister attributes
 service-type remote-access
username infotechSOS password 2222222 encrypted
username infotechSOS attributes
 vpn-group-policy DfltGrpPolicy
 group-lock value Infotech-SOS-profile
 webvpn
  url-list value RDS-Emergency
username skyadm password 44444444 encrypted privilege 15
username skyadm attributes
 vpn-group-policy GrPol-InfoTech
username contract1 password /555555555 encrypted
username contract1 attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 authorization-required
tunnel-group Infotech-SOS-profile type remote-access
tunnel-group Infotech-SOS-profile general-attributes
 default-group-policy InfoTech-Clientless
tunnel-group Infotech-SOS-profile webvpn-attributes
 group-alias InfoTech-SOS-only enable
 group-url https://123.123.123.12/InfoTechSOS enable
 without-csd
tunnel-group 14.14.14.14 type ipsec-l2l
tunnel-group 14.14.14.14 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 general-attributes
 default-group-policy GroupPolicy_12.12.12.12
tunnel-group 12.12.12.12 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group InfoTech-Conn-Profile type remote-access
tunnel-group InfoTech-Conn-Profile general-attributes
 default-group-policy GrPol-InfoTech
tunnel-group InfoTech-Conn-Profile webvpn-attributes
 group-alias InfoTech-only enable
!

B

3 Replies

Marvin Rhoads
Hall of Fame

Does the 5505 have the AnyConnect image (anyconnect-win-3.1.05152-k9.pkg) and the profile file (Information-Tech_client_profile disk0:/Information-Tech_client_profile.xml) on disk0?

An Android or IOS-based client would also require the AnyConnect for Mobile license be installed on the ASA.

Brad Hodgins
Level 1

Thanks, Marvin, for the quick reply.

Again, after posting it I was able to figure it out.

Line #2 was the problem, maybe left over from the previous admin. WebVPN port 445 changed to 443, then both are now working. I didn't see it until I compared the configs side by side in Excel.

Hopefully this helps someone else, as googling these errors didn't help much.

Brad

You're welcome.

That'll do it - I skimmed over that myself.

Whenever I compare a pair of configurations, I rely on a tool (ExamDiff is my tool of choice) as it will nicely highlight changed or missing lines.
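The side-by-side comparison Brad did in Excel, and the diff-tool approach Marvin recommends, can also be scripted so the check is repeatable across a pair of ASAs. The following is an added example and not code from this thread or from Cisco: it groups each ASA configuration into its top-level blocks (a line with no leading space starts a block; indented lines belong to it), reports lines that appear in only one of the two configs, and separately flags the webvpn listener port when it is anything other than 443, which is what the clientless portal and the AnyConnect client connect to unless told otherwise. The two sample configurations are constructed from lines shown in the original post, trimmed to a few blocks; the function names and the lint rules are this example's own choices.

```python
"""Block-level diff of two Cisco ASA configs plus a webvpn port lint.

Added example, not code from the thread or from Cisco. The sample configs
below are constructed from the lines posted in the thread, reduced to the
blocks that matter for remote access.
"""

# Constructed sample: the working 5510 (default webvpn port, no 'port' line).
REFERENCE_5510 = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GrPol-InfoTech attributes
 vpn-tunnel-protocol ssl-client
 address-pools value HO-remote-pool
"""

# Constructed sample: the failing 5505 with the leftover 'port 445' line.
CANDIDATE_5505 = """\
webvpn
 port 445
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GrPol-InfoTech attributes
 vpn-tunnel-protocol ssl-client
"""


def parse_asa_blocks(text):
    """Return {top-level command: set of its indented sub-command lines}.

    ASA nests sub-commands with leading spaces; a line with no indentation
    starts a new block. Blank lines and '!' separators are ignored. Deeper
    nesting (e.g. 'webvpn' under a group-policy) is flattened into the block.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].add(line)
        else:
            current = line
            blocks.setdefault(current, set())
    return blocks


def diff_asa_configs(reference, candidate):
    """List (block, side, line) tuples for lines present on only one side."""
    ref, cand = parse_asa_blocks(reference), parse_asa_blocks(candidate)
    findings = []
    for block in sorted(set(ref) | set(cand)):
        if block not in cand:
            findings.append((block, "only in reference", "<entire block>"))
            continue
        if block not in ref:
            findings.append((block, "only in candidate", "<entire block>"))
            continue
        for line in sorted(ref[block] - cand[block]):
            findings.append((block, "only in reference", line))
        for line in sorted(cand[block] - ref[block]):
            findings.append((block, "only in candidate", line))
    return findings


def webvpn_port(blocks):
    """Port the webvpn listener uses; 443 when no 'port' line is configured."""
    for line in blocks.get("webvpn", ()):
        parts = line.split()
        if len(parts) == 2 and parts[0] == "port" and parts[1].isdigit():
            return int(parts[1])
    return 443


def lint_remote_access(config):
    """Return human-readable warnings for settings that block remote access."""
    blocks = parse_asa_blocks(config)
    warnings = []
    port = webvpn_port(blocks)
    if port != 443:
        warnings.append(
            f"webvpn listens on port {port}, not 443; clientless and AnyConnect "
            f"clients connect to 443 unless the URL or profile says otherwise"
        )
    webvpn = blocks.get("webvpn", set())
    if not any(line.startswith("enable ") for line in webvpn):
        warnings.append("webvpn is not enabled on any interface")
    if "anyconnect enable" not in webvpn:
        warnings.append("'anyconnect enable' is missing under webvpn")
    return warnings


if __name__ == "__main__":
    for block, side, line in diff_asa_configs(REFERENCE_5510, CANDIDATE_5505):
        print(f"[{side}] {block}: {line}")
    for warning in lint_remote_access(CANDIDATE_5505):
        print("WARN:", warning)
```

Run against the two constructed samples, the diff reports the extra `port 445` line under `webvpn` on the 5505 and the missing `address-pools` line under its group-policy, and the lint flags the non-443 port; running it against the real `show running-config` output of both firewalls works the same way, since the parser only relies on the one-space indentation convention.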