03-28-2012 11:29 AM - edited 02-21-2020 05:58 PM
Hi,
I've configured our ASA 5510 8.4(3) for remote client VPN using AnyConnect SSL.
I enter the URL for the WebVPN portal, I click on the "Start AnyConnect" link and I get the following error:
"Cannot update AnyConnect Secure Mobility Client 3.0.5080 because the file server is not enabled on the secure gateway. A VPN connection cannot be established."
I'm including my running config as well as the show version output, just in case it may be a license issue. Any help would be greatly appreciated.
------ Running Config -------
! Running configuration as pasted into the post. Sub-commands sit at column 0
! because the paste lost the one-space indentation that "show running-config" prints.
: Saved
:
ASA Version 8.4(3)
!
! The poster masked the hostname, the domain name and both password hashes.
hostname XXXXXXXXXX
domain-name XXXXXXXXXX
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
! Physical parent of the .511 sub-interface: named, security-level 0, no address.
interface Ethernet0/0
nameif phys_0
security-level 0
no ip address
!
! Internet-facing sub-interface: security-level 0 and a public address.
! webvpn, the crypto map and IKEv1 are all enabled on this nameif further down.
interface Ethernet0/0.511
vlan 511
nameif mtl-web2
security-level 0
ip address 64.254.250.30 255.255.255.224
!
! Unnamed physical parent of the .513 sub-interface.
interface Ethernet0/1
no nameif
no security-level
no ip address
!
! Internal server network: security-level 100, RFC 1918 addressing.
interface Ethernet0/1.513
vlan 513
nameif mtl-srv
security-level 100
ip address 192.168.13.253 255.255.255.0
!
! Ethernet0/2, Ethernet0/3 and Management0/0 are shut down and carry no nameif.
! NOTE(review): later lines use nameifs (qmgt-inside, pmgt-inside, mtl-bur, mtl-xcon,
! mtl-voix2, management) that no interface shown here defines, so the paste looks
! trimmed - review the complete configuration on the device, not this excerpt.
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
! Boot image, DNS and the network objects/groups that the ACLs and NAT rules use.
boot system disk0:/asa843-k8.bin
ftp mode passive
! DNS lookups by the ASA leave through mtl-srv to the two internal name servers.
dns domain-lookup mtl-srv
dns server-group DefaultDNS
name-server 192.168.13.195
name-server 192.168.13.210
domain-name tink.local
! Allows traffic between interfaces that share a security level
! (phys_0 and mtl-web2 are both level 0 in this paste).
same-security-traffic permit inter-interface
object network NETWORK_OBJ_192.168.13.195
host 192.168.13.195
! 192.168.18.0/27 is also the dhcp-network-scope of GROUP_POLICY_1, i.e. the
! address range intended for AnyConnect clients.
object network obj-192.168.18.0
subnet 192.168.18.0 255.255.255.224
object-group network mtl-srv-net
network-object 192.168.13.0 255.255.255.0
object-group network mtl-voix2-net
network-object 192.168.22.0 255.255.255.0
object-group network ad-hosts
network-object host 192.168.13.195
network-object host 192.168.13.210
object-group network vergo_servers
network-object host 192.168.97.51
object-group network 75-queen
network-object host 69.70.17.36
network-object host 64.254.250.2
network-object host 64.254.250.3
! acl_mtl-srv is bound inbound on mtl-srv. Its "permit ip any any" entry already
! matches everything, so the icmp and udp entries add nothing and the ACL places
! no restriction on what the server network may reach.
access-list acl_mtl-srv extended permit icmp any any
access-list acl_mtl-srv extended permit ip any any
access-list acl_mtl-srv extended permit udp any any
! acl_mtl-web2 is bound inbound on the Internet-facing interface and permits every
! ICMP type from any source. NOTE(review): consider limiting this to the ICMP types
! actually needed (e.g. echo-reply, unreachable, time-exceeded).
access-list acl_mtl-web2 extended permit icmp any any
access-list acl_mtl-xcon extended permit icmp any any
! NOTE(review): object-group mtl-bur-net is not defined anywhere in this paste, and
! no access-group line binds acl_mtl-bur.
access-list acl_mtl-bur extended permit ip object-group mtl-bur-net any
! Interesting-traffic selector for the site-to-site tunnel (one host to one host).
access-list mtl-web2_cryptomap extended permit ip host 192.168.13.195 host 192.168.97.51
! NOTE(review): no access-group or other command in this paste references the ACL
! named "mtl-web2", so this entry appears to have no effect - confirm.
access-list mtl-web2 extended permit ip object-group 75-queen host 64.254.250.30
! Logging, per-interface MTU and miscellaneous global settings.
pager lines 24
logging enable
logging buffer-size 100000
! Every destination below is set to severity "debugging" (the most verbose level).
! Debug-level logging to the serial console is slow and can degrade the device under
! load; it is normally a temporary troubleshooting setting.
! NOTE(review): no "logging host"/"logging trap" line is shown, so events appear to
! stay in the local buffer and ASDM only - confirm whether a remote syslog
! collector is configured, since the buffer does not survive a reload.
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging class vpn asdm debugging
! MTU is set for nine nameifs; only phys_0, mtl-web2 and mtl-srv are defined by an
! interface stanza in this paste.
mtu phys_0 1500
mtu qmgt-inside 1500
mtu mtl-web2 1500
mtu pmgt-inside 1500
mtu mtl-srv 1500
mtu mtl-bur 1500
mtu mtl-xcon 1500
mtu mtl-voix2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
! NAT rules, ACL bindings, routes and connection timeouts.
! The first three rules are identity (no-translation) rules: the source and the
! destination are each mapped to themselves.
! NOTE(review): obj-192.168.13.0 and NETWORK_OBJ_192.168.97.51 are referenced here
! but not defined anywhere in this paste.
nat (mtl-srv,mtl-web2) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.18.0 obj-192.168.18.0 no-proxy-arp
nat (mtl-srv,mtl-web2) source static NETWORK_OBJ_192.168.13.195 NETWORK_OBJ_192.168.13.195 destination static NETWORK_OBJ_192.168.97.51 NETWORK_OBJ_192.168.97.51
nat (mtl-srv,mtl-voix2) source static mtl-srv-net mtl-srv-net destination static mtl-voix2-net mtl-voix2-net no-proxy-arp route-lookup
! Dynamic PAT to the mtl-web2 interface address for three internal networks.
nat (mtl-bur,mtl-web2) source dynamic mtl-bur-net interface
nat (mtl-srv,mtl-web2) source dynamic mtl-srv-net interface
nat (mtl-voix2,mtl-web2) source dynamic mtl-voix2-net interface
!
! Static translation that publishes an internal host as 64.254.250.25.
! NOTE(review): the object has no host/subnet line in this paste, so the internal
! address it maps to cannot be seen here.
object network nat-webtest
nat (mtl-srv,mtl-web2) static 64.254.250.25
! Inbound ACL bindings. acl_mtl-srv contains "permit ip any any" and acl_mtl-web2
! contains "permit icmp any any" (both defined earlier in the configuration).
access-group acl_mtl-web2 in interface mtl-web2
access-group acl_mtl-srv in interface mtl-srv
access-group acl_mtl-xcon in interface mtl-xcon
! Default route leaves through mtl-web2.
route mtl-web2 0.0.0.0 0.0.0.0 64.254.250.1 1
route mtl-xcon 192.168.16.0 255.255.254.0 192.168.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! AAA (LDAP against Active Directory) and the HTTPS management server.
dynamic-access-policy-record DfltAccessPolicy
! LDAP server group used by TUNNEL_GROUP_1 to authenticate remote-access users.
! The search starts at the domain root with subtree scope and matches on
! sAMAccountName. NOTE(review): nothing shown here (attribute map, group check or
! non-default DAP record) narrows which directory accounts may connect - confirm
! that VPN access is limited to an intended group.
! NOTE(review): no "ldap-over-ssl enable" line is shown under the host, so the
! svc_asa_vpn bind and the users' credentials presumably cross mtl-srv as plain
! LDAP - confirm, and enable LDAP over SSL if so.
! The bind password is masked in this output; the service-account DN and the
! internal OU layout are not.
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (mtl-srv) host 192.168.13.195
ldap-base-dn dc=tink, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=svc_asa_vpn,OU=Comptes-Service,OU=Tink,DC=tink,DC=local
server-type microsoft
user-identity default-domain LOCAL
! SSH logins are checked against the local user database.
aaa authentication ssh console LOCAL
! HTTPS management (ASDM) server, reachable from the internal /24 on mtl-srv and
! from one public host on mtl-web2.
! NOTE(review): no "aaa authentication http console" line is shown - confirm how
! ASDM logins are authenticated.
http server enable
http 192.168.13.0 255.255.255.0 mtl-srv
http 69.70.17.36 255.255.255.255 mtl-web2
no snmp-server location
no snmp-server contact
! IPsec/IKE settings for the site-to-site tunnel to 216.226.58.234.
! Ten IKEv1 transform sets are defined, including single-DES and MD5 variants.
! Only ESP-3DES-SHA is referenced by the crypto map below.
! NOTE(review): the DES/MD5 sets look like unused defaults; removing the ones that
! no crypto map references prevents them from being selected later by mistake.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! IKEv2 IPsec proposals. No crypto map in this paste references any of them, and
! several of them accept MD5 integrity or DES encryption.
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
! Site-to-site tunnel: one selector ACL, one peer, 3DES with SHA-1 HMAC, bound to
! the Internet-facing interface.
crypto map mtl-web2_map 1 match address mtl-web2_cryptomap
crypto map mtl-web2_map 1 set peer 216.226.58.234
crypto map mtl-web2_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map mtl-web2_map interface mtl-web2
! An IKEv2 policy is defined, but no "crypto ikev2 enable" line appears in this paste.
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 43200
! IKEv1 phase 1: pre-shared key, 3DES, SHA-1, Diffie-Hellman group 2.
! NOTE(review): 3DES and group 2 are legacy choices; move to AES and a larger DH
! group where this release and the remote peer both support them (both ends of the
! tunnel have to change together).
crypto ikev1 enable mtl-web2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! Management-plane access (SSH sources, console), DHCP relay and threat detection.
telnet timeout 5
! SSH from the Internet-facing interface is limited to two source prefixes.
! NOTE(review): the second prefix is 64.250.254.0/27, while every other public
! address in this configuration is in 64.254.250.x. The two middle octets look
! transposed - if so, this line admits SSH from an unrelated network. Verify.
ssh 69.70.17.32 255.255.255.248 mtl-web2
ssh 64.250.254.0 255.255.255.224 mtl-web2
! SSH is accepted from any source address on these three interfaces.
! NOTE(review): restrict these to the administrators' subnets or a jump host.
! NOTE(review): no "ssh version 2" line is shown - confirm SSHv1 is not accepted.
ssh 0.0.0.0 0.0.0.0 mtl-srv
ssh 0.0.0.0 0.0.0.0 mtl-xcon
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 15
! A value of 0 disables the idle timeout on the console port, so an abandoned
! console session stays logged in.
console timeout 0
no vpn-addr-assign aaa
! DHCP requests arriving on mtl-voix2 are relayed to 192.168.13.195 via mtl-srv.
dhcprelay server 192.168.13.195 mtl-srv
dhcprelay enable mtl-voix2
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! SSL VPN (webvpn/AnyConnect), group policies, the local user and tunnel groups.
! The SSL VPN portal listens on TCP 8080 on the Internet-facing interface and
! offers a single AnyConnect package (Windows, 3.0.5080).
webvpn
port 8080
enable mtl-web2
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles INFRA_CONNECTION_PROFILE disk0:/infraConnection.xml
anyconnect enable
tunnel-group-list enable
! Policy for the site-to-site peer: IKEv1 only.
group-policy GroupPolicy_216.226.58.234 internal
group-policy GroupPolicy_216.226.58.234 attributes
vpn-tunnel-protocol ikev1
! Policy for remote-access users: AnyConnect (ssl-client) and clientless portal.
! NOTE(review): no vpn-filter, split-tunnel or session-timeout settings are shown,
! so those fall back to inherited defaults - confirm that is intended.
group-policy GROUP_POLICY_1 internal
group-policy GROUP_POLICY_1 attributes
dns-server value 192.168.13.195
dhcp-network-scope 192.168.18.0
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value tink.local
webvpn
anyconnect profiles value INFRA_CONNECTION_PROFILE type user
anyconnect ask enable default anyconnect
! Unlike the enable and passwd hashes, this local account's password hash was
! posted unmasked. A published hash should be treated as an exposed credential:
! change the password, and mask "username ... password" lines before sharing a
! configuration. SSH logins use this LOCAL database (aaa authentication ssh console).
username root password WGfb6prWAtYhS8eE encrypted
! Site-to-site tunnel group; the pre-shared key is masked in this output.
tunnel-group 216.226.58.234 type ipsec-l2l
tunnel-group 216.226.58.234 general-attributes
default-group-policy GroupPolicy_216.226.58.234
tunnel-group 216.226.58.234 ipsec-attributes
ikev1 pre-shared-key *****
! Remote-access tunnel group: users authenticate against LDAP_SRV_GRP and client
! addresses are requested from the DHCP server at 192.168.13.195.
tunnel-group TUNNEL_GROUP_1 type remote-access
tunnel-group TUNNEL_GROUP_1 general-attributes
authentication-server-group LDAP_SRV_GRP
default-group-policy GROUP_POLICY_1
dhcp-server 192.168.13.195
tunnel-group TUNNEL_GROUP_1 webvpn-attributes
group-alias Group1 enable
!
! Modular policy framework (class maps, inspection policy), call-home and trailer.
! NOTE(review): acl_mtl-voix2-voipqos is not defined in this paste, class-map Data
! has no match statement, and no service-policy line applies VoicePolicy.
class-map Voice
match access-list acl_mtl-voix2-voipqos
class-map inspection_default
match default-inspection-traffic
class-map Data
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
! Global inspection policy. Each "inspect" line enables an application-layer
! inspection engine for the default-inspection-traffic class.
! NOTE(review): engines for protocols that are not in use on this network (for
! example rsh, sqlnet, xdmcp, sunrpc) can be removed to reduce the amount of
! protocol parsing the firewall performs - confirm which are needed.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map VoicePolicy
class Voice
priority
!
service-policy global_policy global
prompt hostname context
! Anonymous call-home reporting is off and the CiscoTAC-1 profile is "no active".
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Checksum trailer written by the ASA at the end of the saved configuration.
Cryptochecksum:271513aac834617dc8432069bbf42e33
: end
-------- Show version ---------
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
Regards.