Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1472
Views
0
Helpful
0
Replies

Problem with AnyConnect Secure Mobility Client Downloader.

Ciscotinkadm
Level 1
Level 1

‎03-28-2012 11:29 AM - edited ‎02-21-2020 05:58 PM

Hi,

I've configured our ASA 5510 8.4(3) for remote client VPN using AnyConnect SSL.

I enter the URL for the WebVPN portal, I click on the "Start AnyConnect" link and I get the following error:

"Cannot update AnyConnect Secure Mobility Client 3.0.5080 because the file server is not enabled on the secure gateway. A VPN connection cannot be established."

I'm including my runnig config as well as show version.  Just in case it may be a license issue.  Any help would be greatly appreciated.

------ Running Config -------

: Saved

:

ASA Version 8.4(3)

!

hostname XXXXXXXXXX

domain-name XXXXXXXXXX

enable password XXXXXXXXXX encrypted

passwd XXXXXXXXXX encrypted

names

!

interface Ethernet0/0

nameif phys_0

security-level 0

no ip address

!

interface Ethernet0/0.511

vlan 511

nameif mtl-web2

security-level 0

ip address 64.254.250.30 255.255.255.224

!

interface Ethernet0/1

no nameif

no security-level

no ip address

!

interface Ethernet0/1.513

vlan 513

nameif mtl-srv

security-level 100

ip address 192.168.13.253 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

dns domain-lookup mtl-srv

dns server-group DefaultDNS

name-server 192.168.13.195

name-server 192.168.13.210

domain-name tink.local

same-security-traffic permit inter-interface

object network NETWORK_OBJ_192.168.13.195

host 192.168.13.195

object network obj-192.168.18.0

subnet 192.168.18.0 255.255.255.224

object-group network mtl-srv-net

network-object 192.168.13.0 255.255.255.0

object-group network mtl-voix2-net

network-object 192.168.22.0 255.255.255.0

object-group network ad-hosts

network-object host 192.168.13.195

network-object host 192.168.13.210

object-group network vergo_servers

network-object host 192.168.97.51

object-group network 75-queen

network-object host 69.70.17.36

network-object host 64.254.250.2

network-object host 64.254.250.3

access-list acl_mtl-srv extended permit icmp any any

access-list acl_mtl-srv extended permit ip any any

access-list acl_mtl-srv extended permit udp any any

access-list acl_mtl-web2 extended permit icmp any any

access-list acl_mtl-xcon extended permit icmp any any

access-list acl_mtl-bur extended permit ip object-group mtl-bur-net any

access-list mtl-web2_cryptomap extended permit ip host 192.168.13.195 host 192.168.97.51

access-list mtl-web2 extended permit ip object-group 75-queen host 64.254.250.30

pager lines 24

logging enable

logging buffer-size 100000

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging class vpn asdm debugging

mtu phys_0 1500

mtu qmgt-inside 1500

mtu mtl-web2 1500

mtu pmgt-inside 1500

mtu mtl-srv 1500

mtu mtl-bur 1500

mtu mtl-xcon 1500

mtu mtl-voix2 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (mtl-srv,mtl-web2) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.18.0 obj-192.168.18.0 no-proxy-arp

nat (mtl-srv,mtl-web2) source static NETWORK_OBJ_192.168.13.195 NETWORK_OBJ_192.168.13.195 destination static NETWORK_OBJ_192.168.97.51 NETWORK_OBJ_192.168.97.51

nat (mtl-srv,mtl-voix2) source static mtl-srv-net mtl-srv-net destination static mtl-voix2-net mtl-voix2-net no-proxy-arp route-lookup

nat (mtl-bur,mtl-web2) source dynamic mtl-bur-net interface

nat (mtl-srv,mtl-web2) source dynamic mtl-srv-net interface

nat (mtl-voix2,mtl-web2) source dynamic mtl-voix2-net interface

!

object network nat-webtest

nat (mtl-srv,mtl-web2) static 64.254.250.25

access-group acl_mtl-web2 in interface mtl-web2

access-group acl_mtl-srv in interface mtl-srv

access-group acl_mtl-xcon in interface mtl-xcon

route mtl-web2 0.0.0.0 0.0.0.0 64.254.250.1 1

route mtl-xcon 192.168.16.0 255.255.254.0 192.168.20.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP_SRV_GRP protocol ldap

aaa-server LDAP_SRV_GRP (mtl-srv) host 192.168.13.195

ldap-base-dn dc=tink, dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=svc_asa_vpn,OU=Comptes-Service,OU=Tink,DC=tink,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.13.0 255.255.255.0 mtl-srv

http 69.70.17.36 255.255.255.255 mtl-web2

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal 3DES-SHA

protocol esp encryption 3des

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map mtl-web2_map 1 match address mtl-web2_cryptomap

crypto map mtl-web2_map 1 set peer 216.226.58.234

crypto map mtl-web2_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map mtl-web2_map interface mtl-web2

crypto ikev2 policy 1

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 43200

crypto ikev1 enable mtl-web2

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 69.70.17.32 255.255.255.248 mtl-web2

ssh 64.250.254.0 255.255.255.224 mtl-web2

ssh 0.0.0.0 0.0.0.0 mtl-srv

ssh 0.0.0.0 0.0.0.0 mtl-xcon

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 15

console timeout 0

no vpn-addr-assign aaa

dhcprelay server 192.168.13.195 mtl-srv

dhcprelay enable mtl-voix2

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

port 8080

enable mtl-web2

anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1

anyconnect profiles INFRA_CONNECTION_PROFILE disk0:/infraConnection.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_216.226.58.234 internal

group-policy GroupPolicy_216.226.58.234 attributes

vpn-tunnel-protocol ikev1

group-policy GROUP_POLICY_1 internal

group-policy GROUP_POLICY_1 attributes

dns-server value 192.168.13.195

dhcp-network-scope 192.168.18.0

vpn-tunnel-protocol ssl-client ssl-clientless

default-domain value tink.local

webvpn

  anyconnect profiles value INFRA_CONNECTION_PROFILE type user

  anyconnect ask enable default anyconnect

username root password WGfb6prWAtYhS8eE encrypted

tunnel-group 216.226.58.234 type ipsec-l2l

tunnel-group 216.226.58.234 general-attributes

default-group-policy GroupPolicy_216.226.58.234

tunnel-group 216.226.58.234 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group TUNNEL_GROUP_1 type remote-access

tunnel-group TUNNEL_GROUP_1 general-attributes

authentication-server-group LDAP_SRV_GRP

default-group-policy GROUP_POLICY_1

dhcp-server 192.168.13.195

tunnel-group TUNNEL_GROUP_1 webvpn-attributes

group-alias Group1 enable

!

class-map Voice

match access-list acl_mtl-voix2-voipqos

class-map inspection_default

match default-inspection-traffic

class-map Data

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

policy-map VoicePolicy

class Voice

  priority

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:271513aac834617dc8432069bbf42e33

: end

-------- Show version  ---------

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 25             perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Regards.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents