189245 Views, 6 Helpful, 15 Replies

Secure Gateway has rejected the connection

james.king14 (Level 1)

Having an issue with VPN sending this back to end users.  Have changed the Cert-Map and other things but still get this message.  Here is a copy of the CLI errors and the configuration.

The exact error is:

The secure gateway has rejected the connection attempt.  A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.  The following message was received from the secure gateway:  No assigned address

tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
tunnel-group SRHVPN webvpn-attributes
 authentication certificate
 group-alias SRHVPN enable
tunnel-group-map enable rules
tunnel-group-map default-group SRHVPN
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 3
 anyconnect profiles SRHVPN_client_profile disk0:/SRHVPN_client_profile.xml
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
 certificate-group-map CERT-MAP 10 SRHVPN
 application-type citrix-receiver default tunnel-group SRHVPN
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value sr.vpn.donot.ts
group-policy GroupPolicy_SRHVPN internal
group-policy GroupPolicy_SRHVPN attributes
 wins-server value 10.10.10.253
 dns-server value 10.10.10.252
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value sr.vpn.donot.ts
 address-pools value SRHVPN


15 Replies

Diego Lopez (Level 1)

Hi, 

If you get this message "No assigned address", the AnyConnect client is not getting an IP to establish the connection; it is very clear.

This bug is describing the 2 errors in the screenshot of the client that you attached:

https://tools.cisco.com/bugsearch/bug/CSCtx92190/?referring_site=bugquickviewredir

Condition:

This issue is seen if the tunnel group's address pool has been exhausted, and the connection attempt fails as a result. This is seen on all OS's.

The pool has no available IPs to assign. Create a pool with more IPs, make sure the mask is valid for the new range, and apply it on the tunnel group, for example:

ip local pool anyconnect-pool 172.16.0.1-172.16.3.254 mask 255.255.252.0

remove the old pool 

tunnel-group SRHVPN general-attributes

no address-pool (outside) SRHVPN
no address-pool SRHVPN

also from the group-policy 

group-policy GroupPolicy_SRHVPN attributes

no address-pools value SRHVPN

apply the new one 

tunnel-group SRHVPN general-attributes

address-pool anyconnect-pool

Hi llopezgu,

I wish that was the issue; the AnyConnect software is not grabbing one.  The AnyConnect software never grabs an IP from the pool.  I have looked at the logs from the ASA and the software terminates saying "User Requested", but it is unknown how the user requested termination.


 : %ASA-6-725001: Starting SSL handshake with client outside:70.196.18.37/54157 for TLS session.
Dec 22 2015 16:53:19 Wrong-WAY : %ASA-6-725003: SSL client outside:70.196.18.37/54157 request to resume previous session.
Dec 22 2015 16:53:19 Wrong-WAY : %ASA-6-725002: Device completed SSL handshake with client outside:70.196.18.37/54157
Dec 22 2015 16:53:19 Wrong-WAY : %ASA-6-716002: Group <GroupPolicy_SRHVPN> User <thatguy.12345678> IP <70.196.18.37> WebVPN session terminated: User Requested.
Dec 22 2015 16:53:19 Wrong-WAY : %ASA-4-113019: Group = SRHVPN, Username = thatguy.12345678, IP = 70.196.18.37, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:53s, Bytes xmt: 89, Bytes rcv: 771, Reason: User Requested
Dec 22 2015 16:53:20 Wrong-WAY : %ASA-6-725007: SSL session with client outside:70.196.18.37/54157 terminated.

If you attempt the connection from a different computer, are you able to establish it? Can you gather a DART from that particular machine?

Merry Christmas everyone, thank you all for the assistance!

I am also looking at the logs from the ASA and I do not see my connection attempt.

I was wondering if the usage of the dhcp-server command would help give the end users an IP address on the outside interface.

Here are some logs from the ASA. 

%ASA-3-722020: TunnelGroup tunnel_group GroupPolicy group_policy User
user-name IP IP_address No address available for SVC connection
Address assignment failed for the AnyConnect session. No IP addresses are available.

• tunnel_group—The name of the tunnel group that the user was assigned to or used to log in

• group_policy—The name of the group policy that the user was assigned to

• user-name—The name of the user with which this message is associated

• IP_address—The public IP (Internet) address of the client machine



%ASA-6-725001 Starting SSL handshake with remote_device
interface_name: IP_address/port for SSL_version session.
The SSL handshake has started with the remote device.

• remote_device—Either the server or the client, depending on the device that initiated the connection

• interface_name—The interface that the SSL session is using

• IP_address—The remote device IPv4 or IPv6 address

• port—The remote device IP port number

• SSL_version—The SSL version for the SSL handshake (SSLv3 or TLSv1)


%ASA-6-725002 Device completed SSL handshake with remote_device
interface_name: IP_address/port
The SSL handshake has completed successfully with the remote device.

• remote_device—Either the server or the client, depending on the device that initiated the connection

• interface_name—The interface that the SSL session is using

• IP_address—The remote device IPv4 or IPv6 address

• port—The remote device IP port number


%ASA-6-725007 SSL session with remote_device interface_name:
IP_address/port terminated.
The SSL session has terminated.

• remote_device—Either the server or the client, depending on the device that initiates the connection

• interface_name—The interface that the SSL session is using

• IP_address—The remote device IP address

• port—The remote device IP port number

6|Dec 29 2015|14:06:53|302015|15.15.15.28|67|10.10.10.129|67|Built outbound UDP connection 293687 for inside:10.10.10.129/67 (10.10.10.129/67) to identity:15.15.15.28/67 (15.15.15.28/67)
4|Dec 29 2015|14:06:53|722041|||||TunnelGroup <SRHVPN> GroupPolicy <GroupPolicy_SRHVPN> User <US> IP <12.12.12.221> No IPv6 address available for SVC connection
6|Dec 29 2015|14:06:53|737005|||||IPAA: DHCP configured, request succeeded for tunnel-group 'SRHVPN'
6|Dec 29 2015|14:06:53|725002|12.12.12.221|21744|||Device completed SSL handshake with client outside:12.12.12.221/21744
6|Dec 29 2015|14:06:52|725001|12.12.12.221|21744|||Starting SSL handshake with client outside:12.12.12.221/21744 for TLS session.
6|Dec 29 2015|14:06:52|302013|12.12.12.221|21744|12.12.12.3|443|Built inbound TCP connection 293686 for outside:12.12.12.221/21744 (12.12.12.221/21744) to identity:12.12.12.3/443 (12.12.12.3/443)
6|Dec 29 2015|14:06:49|302014|12.12.12.221|26810|12.12.12.3|443|Teardown TCP connection 293684 for outside:12.12.12.221/26810 to identity:12.12.12.3/443 duration 0:00:06 bytes 8056 TCP FINs
6|Dec 29 2015|14:06:49|725007|12.12.12.221|26810|||SSL session with client outside:12.12.12.221/26810 terminated.
6|Dec 29 2015|14:06:47|302021|12.12.12.1|0|12.12.12.3|0|Teardown ICMP connection for faddr 12.12.12.1/0 gaddr 12.12.12.3/0 laddr 12.12.12.3/0
6|Dec 29 2015|14:06:47|302020|12.12.12.1|0|12.12.12.3|0|Built inbound ICMP connection for faddr 12.12.12.1/0 gaddr 12.12.12.3/0 laddr 12.12.12.3/0
6|Dec 29 2015|14:06:46|113039|||||Group <GroupPolicy_SRHVPN> User <US> IP <12.12.12.221> AnyConnect parent session started.
6|Dec 29 2015|14:06:46|734001|||||DAP: User US, Addr 12.12.12.221, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
6|Dec 29 2015|14:06:46|113009|||||AAA retrieved default group policy (GroupPolicy_SRHVPN) for user = US
6|Dec 29 2015|14:06:46|725002|12.12.12.221|26810|||Device completed SSL handshake with client outside:12.12.12.221/26810
6|Dec 29 2015|14:06:46|717028|||||Certificate chain was successfully validated with warning, revocation status was not checked.
6|Dec 29 2015|14:06:46|717022|||||Certificate was successfully validated. serial number: 3CC672, subject name:  cn=thatguy.12345678,ou=OTHER,ou=PKI,ou=DoD,o=U.S. Government,c=US.
6|Dec 29 2015|14:06:46|717022|||||Certificate was successfully validated. serial number: 039F, subject name:  cn=DOD EMAIL CA-31,ou=PKI,ou=DoD,o=U.S. Government,c=US.
6|Dec 29 2015|14:06:44|725001|12.12.12.221|26810|||Starting SSL handshake with client outside:12.12.12.221/26810 for TLS session.
6|Dec 29 2015|14:06:42|302014|12.12.12.221|5026|12.12.12.3|443|Teardown TCP connection 293683 for outside:12.12.12.221/5026 to identity:12.12.12.3/443 duration 0:00:00 bytes 1554 TCP Reset-I
6|Dec 29 2015|14:06:42|302013|12.12.12.221|26810|12.12.12.3|443|Built inbound TCP connection 293684 for outside:12.12.12.221/26810 (12.12.12.221/26810) to identity:12.12.12.3/443 (12.12.12.3/443)
6|Dec 29 2015|14:06:42|725001|12.12.12.221|5026|||Starting SSL handshake with client outside:12.12.12.221/5026 for TLS session.
6|Dec 29 2015|14:06:42|302013|12.12.12.221|5026|12.12.12.3|443|Built inbound TCP connection 293683 for outside:12.12.12.221/5026 (12.12.12.221/5026) to identity:12.12.12.3/443 (12.12.12.3/443)
6|Dec 29 2015|14:06:38|302021|12.12.12.1|0|12.12.12.3|0|Teardown ICMP connection for faddr 12.12.12.1/0 gaddr 12.12.12.3/0 laddr 10.10.80.3/0
6|Dec 29 2015|14:06:38|302020|12.12.12.1|0|12.12.12.3|0|Built inbound ICMP connection for faddr 12.12.12.1/0 gaddr 12.12.12.3/0 laddr 12.12.12.3/0
6|Dec 29 2015|14:06:38|302014|12.12.12.221|50969|12.12.12.3|443|Teardown TCP connection 293681 for outside:12.12.12.221/50969 to identity:12.12.12.3/443 duration 0:00:00 bytes 1978 TCP FINs
6|Dec 29 2015|14:06:37|725007|12.12.12.221|50969|||SSL session with client outside:12.12.12.221/50969 terminated.
6|Dec 29 2015|14:06:37|725002|12.12.12.221|50969|||Device completed SSL handshake with client outside:12.12.12.221/50969
6|Dec 29 2015|14:06:37|725001|12.12.12.221|50969|||Starting SSL handshake with client outside:12.12.12.221/50969 for TLS session.
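As an added example (not part of this thread and not Cisco tooling), here is a small Python triage script for ASDM-style pipe-delimited log exports like the one above. It parses each line into its nine fields, groups the address-assignment messages by user, and gives a per-user verdict so you can see at a glance whether the ASA logged an IPv4 assignment failure (722020), only an IPv6 one (722041), or no failure at all. The message IDs 722020, 722041, 737005, 113039 and 113019 are the ones that appear on this page; the embedded log lines and user names are constructed.

```python
"""Triage AnyConnect address-assignment outcomes from an ASDM-style log export.

Input lines have the shape severity|date|time|msgid|src|sport|dst|dport|text.
The SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import defaultdict

# Syslog IDs relevant to address assignment (all appear in the thread)
NO_IPV4_ADDRESS = "722020"       # No address available for SVC connection
NO_IPV6_ADDRESS = "722041"       # No IPv6 address available for SVC connection
DHCP_REQUEST_OK = "737005"       # IPAA: DHCP configured, request succeeded
PARENT_STARTED = "113039"        # AnyConnect parent session started
SESSION_DISCONNECTED = "113019"  # Session disconnected (Username = ... form)

FIELD_COUNT = 9
# 722020/722041/113039 use "User <x>", 113019 uses "Username = x,"
USER_RE = re.compile(r"User <([^>]+)>|Username = ([^,]+),")

SAMPLE_LOG = """\
6|Dec 29 2015|14:06:46|113039|||||Group <GroupPolicy_SRHVPN> User <alice> IP <203.0.113.10> AnyConnect parent session started.
6|Dec 29 2015|14:06:53|737005|||||IPAA: DHCP configured, request succeeded for tunnel-group 'SRHVPN'
4|Dec 29 2015|14:06:53|722041|||||TunnelGroup <SRHVPN> GroupPolicy <GroupPolicy_SRHVPN> User <alice> IP <203.0.113.10> No IPv6 address available for SVC connection
6|Dec 29 2015|14:07:02|113039|||||Group <GroupPolicy_SRHVPN> User <bob> IP <203.0.113.11> AnyConnect parent session started.
3|Dec 29 2015|14:07:10|722020|||||TunnelGroup <SRHVPN> GroupPolicy <GroupPolicy_SRHVPN> User <bob> IP <203.0.113.11> No address available for SVC connection
4|Dec 29 2015|14:07:10|113019|||||Group = SRHVPN, Username = bob, IP = 203.0.113.11, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:08s, Bytes xmt: 89, Bytes rcv: 771, Reason: User Requested
"""


def parse_line(line):
    """Split one export line into a dict, or return None if it is not 9 fields."""
    parts = line.rstrip("\n").split("|", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        return None
    keys = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
    rec = dict(zip(keys, parts))
    rec["severity"] = int(rec["severity"])
    return rec


def triage(lines):
    """Return {"users": {user: verdict}, "dhcp_requests_ok": n}."""
    per_user = defaultdict(list)
    dhcp_ok = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip headers, blank lines, truncated rows
        if rec["msgid"] == DHCP_REQUEST_OK:
            dhcp_ok += 1  # 737005 names the tunnel-group, not the user
        m = USER_RE.search(rec["text"])
        if m:
            per_user[m.group(1) or m.group(2)].append(rec["msgid"])

    verdicts = {}
    for user, ids in per_user.items():
        if NO_IPV4_ADDRESS in ids:
            verdicts[user] = "NO_IPV4_ADDRESS"          # pool/DHCP/AAA gave nothing
        elif NO_IPV6_ADDRESS in ids:
            verdicts[user] = "IPV6_UNAVAILABLE_ONLY"    # only the v6 message was logged
        elif PARENT_STARTED in ids:
            verdicts[user] = "NO_ASSIGNMENT_FAILURE_LOGGED"
        else:
            verdicts[user] = "NO_SESSION_SEEN"
    return {"users": verdicts, "dhcp_requests_ok": dhcp_ok}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for user, verdict in report["users"].items():
        print(f"{user}: {verdict}")
    print(f"successful DHCP requests: {report['dhcp_requests_ok']}")
```

Pipe a real export into `triage(sys.stdin)` to run it against your own ASA; a user whose verdict is NO_IPV4_ADDRESS while the DHCP success counter stays at zero points at the address source (pool, DHCP or AAA) rather than at the TLS or certificate stage.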





Diego,

According to the logs from the ASA, once I get the connection I receive no IP address.  Checking the ASDM log buffer, I do not see the client getting past the NAT statement, nor the DHCP server on the inside.

object-group network VPN-DHCP

network-object host 10.10.10.129

nat (outside,outside) source dynamic any interface destination static VPN-DHCP VPN-DHCP description SRHVPN connection

You have a DHCP server configured on the tunnel-group. That would take preference for address assignment. The order of address assignment is AAA, DHCP and then local.

tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253

I would recommend removing that configuration if you are not using a dhcp server. 

Also, sometimes when DHCP is assigned, the ASA might disable the local vpn address assignment. The default is a hidden command so you have to see "show run all" to see it. Like this:

ASA# sh run all | in vpn-addr
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0

If you are only using the local pool to assign IP addresses, the above would be the config you need. If you need DHCP or AAA IP address assignment, enable the setting by adding the command.
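To turn the precedence rule (AAA, then DHCP, then local) and the hidden vpn-addr-assign state into a repeatable check, here is an added Python linter; it is my example, not Rahul's procedure or any Cisco tool. It reads the text of `show run all`, collects the `vpn-addr-assign` lines, each tunnel-group's `address-pool`, `dhcp-server` and `default-group-policy`, and each group-policy's `address-pools`, then reports conflicts such as a `dhcp-server` that can never be used because `no vpn-addr-assign dhcp` is set. The two embedded configs are constructed: one reproduces the conflicting state discussed in this thread, the other a DHCP-only arrangement.

```python
"""Lint an ASA remote-access config for conflicting VPN address sources.

Feed it the output of "show run all" so the vpn-addr-assign lines, which are
hidden from a plain "show run", are present.  Both configs below are constructed.
"""
import re

ASSIGN_RE = re.compile(r"^(no )?vpn-addr-assign (aaa|dhcp|local)\b")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")

CONFLICTING_CONFIG = """\
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
tunnel-group SRHVPN type remote-access
tunnel-group SRHVPN general-attributes
 address-pool (outside) SRHVPN
 address-pool SRHVPN
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
group-policy GroupPolicy_SRHVPN attributes
 address-pools value SRHVPN
"""

DHCP_ONLY_CONFIG = """\
vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local
tunnel-group SRHVPN general-attributes
 default-group-policy GroupPolicy_SRHVPN
 dhcp-server 10.10.10.253
group-policy GroupPolicy_SRHVPN attributes
 dhcp-network-scope 192.168.5.0
"""


def parse_config(text):
    """Extract address-assignment state; only what the config actually shows."""
    assign = {}          # method -> True (enabled) / False ("no ...")
    tunnel_groups = {}   # name -> {"pools", "dhcp_servers", "policy"}
    group_policies = {}  # name -> {"pools"}
    section = None       # ("tg", name) or ("gp", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and section:
            kind, name = section
            words = line.split()
            if kind == "tg":
                if words[0] == "address-pool":          # "address-pool (outside) NAME" or "address-pool NAME"
                    tunnel_groups[name]["pools"].append(words[-1])
                elif words[0] == "dhcp-server":         # plain, subnet-selection or link-selection form
                    tunnel_groups[name]["dhcp_servers"].append(words[-1])
                elif words[0] == "default-group-policy":
                    tunnel_groups[name]["policy"] = words[1]
            elif kind == "gp" and words[:2] == ["address-pools", "value"]:
                group_policies[name]["pools"].extend(words[2:])
            continue
        section = None  # any unindented line ends the current block
        m = ASSIGN_RE.match(line)
        if m:
            assign[m.group(2)] = m.group(1) is None
            continue
        m = TG_RE.match(line)
        if m:
            section = ("tg", m.group(1))
            tunnel_groups.setdefault(m.group(1), {"pools": [], "dhcp_servers": [], "policy": None})
            continue
        m = GP_RE.match(line)
        if m:
            section = ("gp", m.group(1))
            group_policies.setdefault(m.group(1), {"pools": []})
    return assign, tunnel_groups, group_policies


def lint(text):
    """Return a list of findings; an empty list means no conflict was detected."""
    assign, tunnel_groups, group_policies = parse_config(text)
    findings = []
    if not assign:
        findings.append("no vpn-addr-assign lines seen: run the linter on 'show run all' output")
    for name, tg in tunnel_groups.items():
        policy_pools = group_policies.get(tg["policy"], {}).get("pools", [])
        has_pool = bool(tg["pools"] or policy_pools)
        has_dhcp = bool(tg["dhcp_servers"])
        if has_dhcp and assign.get("dhcp") is False:
            findings.append(f"{name}: dhcp-server is set but 'no vpn-addr-assign dhcp' disables DHCP assignment")
        if has_pool and assign.get("local") is False:
            findings.append(f"{name}: a local pool is set but 'no vpn-addr-assign local' disables it")
        if has_dhcp and has_pool:
            findings.append(f"{name}: both dhcp-server and a local pool are set; DHCP is tried before "
                            "the local pool (order AAA, DHCP, local), remove the one not in use")
        if not has_dhcp and not has_pool and assign.get("aaa") is not True:
            findings.append(f"{name}: no local pool or dhcp-server and AAA assignment not confirmed enabled; "
                            "clients will see 'No assigned address'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("conflicting", CONFLICTING_CONFIG), ("dhcp-only", DHCP_ONLY_CONFIG)):
        print(f"{label}: {lint(cfg) or ['clean']}")
```

Running it on the conflicting config yields two findings (DHCP disabled by `no vpn-addr-assign dhcp`, and both a pool and a DHCP server present); the DHCP-only config comes back clean. The linter deliberately treats a missing `vpn-addr-assign` line as unknown rather than assuming a default, because the page only shows that these lines are hidden, not what the default is on every release.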

Rahul,

Yes, I am using a DHCP server, when the client gets through the FW.  So I need to get rid of one of these.  When I look at my configuration the DHCP server is doing the assigning and not the local pool.

vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

Yet I am not getting an IP address.  On the DHCP server I have an IP network ready for connectivity.

Makes more sense now. If you want the DHCP server to assign an ip address, leave the "dhcp-server" sub-command as it is in the tunnel-group config.

If you have a DHCP scope defined in the DHCP server, configure that scope subnet under the group-policy. Like this:

group-policy GroupPolicy_SRHVPN internal
group-policy GroupPolicy_SRHVPN attributes


!--- define the DHCP network scope in the group policy. This configuration is optional.

dhcp-network-scope 192.168.5.0

This will get you an ip address in the scope you have specified.

Reference this document to verify your configurations again:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html

If DHCP is still failing,  run the "debug dhcpc detail 255" to see what happens during DHCP transaction.

I removed all references to the local pool within the ASA, pointed all IP address ranges to the DHCP server, and am still getting NO ADDRESS ASSIGNED on the client.  From the CLI of the ASA I get this when running the debug dhcpc detail command.

DHCP: DHCP Proxy added rule -524110416 for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 1.
DHCP: DHCP Proxy added route for interface: inside, address: 10.10.10.0, to us: TRUE, in use count: 1.
DHCP: Adding 10.10.10.129 as DHCP server
DHCP: DHCP Proxy decremented rule -524110416 count for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.10.10.0, in use count: 0.
DHCP: DHCP Proxy removed route on interface: inside, address: 10.10.10.0.
DHCP: DHCP proxy removed rule -524110416 on interface: inside address: 10.10.10.0.
DHCP: DHCP Proxy added rule -514334816 for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 1.
DHCP: DHCP Proxy added route for interface: inside, address: 10.10.10.0, to us: TRUE, in use count: 1.
DHCP: DHCP Proxy decremented rule -514334816 count for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.10.10.0, in use count: 0.
DHCP: DHCP Proxy removed route on interface: inside, address: 10.10.10.0.
DHCP: DHCP proxy removed rule -514334816 on interface: inside address: 10.10.10.0.
DHCP: DHCP Proxy added rule -524110416 for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 1.
DHCP: DHCP Proxy added route for interface: inside, address: 10.10.10.0, to us: TRUE, in use count: 1.
DHCP: DHCP Proxy decremented rule -524110416 count for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.10.10.0, in use count: 0.
DHCP: DHCP Proxy removed route on interface: inside, address: 10.10.10.0.
DHCP: DHCP proxy removed rule -524110416 on interface: inside address: 10.10.10.0.
DHCP: DHCP Proxy added rule -481410944 for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 1.
DHCP: DHCP Proxy added route for interface: inside, address: 10.10.10.0, to us: TRUE, in use count: 1.
DHCP: QScan: Purging entry
DHCP: deleting entry 0x00007ffee3447440 0.0.0.0 from list
DHCP: DHCP Proxy decremented rule -481410944 count for interface: inside, scope: 10.10.10.0, server: 10.10.10.129, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.10.10.0, in use count: 0.
DHCP: DHCP Proxy removed route on interface: inside, address: 10.10.10.0.
DHCP: DHCP proxy removed rule -481410944 on interface: inside address: 10.10.10.0.
DHCP: QScan: Purging entry
DHCP: deleting entry 0x00007ffee34478d0 0.0.0.0 from list
DHCP: QScan: Purging entry
DHCP: deleting entry 0x00007ffee32e7c60 0.0.0.0 from list
DHCP: QScan: Purging entry
DHCP: deleting entry 0x00007ffee32e8220 0.0.0.0 from list
DHCP: removing 10.10.10.129 as DHCP server

Why, if you are trying to get the IP from a DHCP server, do you have a local pool assigned to the group policy and tunnel group? Remove it from the configuration; it is confusing....

You need to focus on troubleshooting the DHCP part. Is the server located inside your network?

Take captures from the inside interface to the server and from the server to the network scope that you assign; you need to make sure traffic is going to the server and is replied back to the network scope. Also enable the debugs suggested below to get more information about the issue.

If the server supports RFC 3011 or 3527, you can implement the following configuration:

tunnel-group <name> general-attributes
 dhcp-server subnet-selection <server ip>      (RFC 3011)
tunnel-group <name> general-attributes
 dhcp-server link-selection <server ip>        (RFC 3527)

With this, the server will reply to the inside interface of the ASA instead of the network scope.
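When you take the captures Diego suggests, it helps to know what the two RFC mechanisms look like on the wire. A DHCP server normally picks the scope from giaddr (the relay address it also replies to); RFC 3011 defines option 118 (Subnet Selection) and RFC 3527 defines sub-option 5 (Link Selection) inside the Relay Agent Information option 82, and either one tells the server which subnet to allocate from while giaddr stays the address the reply goes to. The following added Python example (mine, not Cisco's and not from this thread) builds a relayed DHCPDISCOVER carrying either selector and decodes such a packet back into giaddr plus the selector values, which is exactly what you would check in a capture taken on the inside interface. All addresses and the client MAC are constructed.

```python
"""Build and decode DHCPDISCOVER packets carrying the RFC 3011 / RFC 3527
scope selectors, to confirm in a capture which selector a relay sends.
Added example; addresses and MAC are constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82     # RFC 3046 container for relay sub-options
OPT_SUBNET_SELECTION = 118    # RFC 3011 Subnet Selection option
OPT_END = 255
SUBOPT_LINK_SELECTION = 5     # RFC 3527 Link Selection, inside option 82
DHCPDISCOVER = 1
HEADER_LEN = 236              # fixed BOOTP header before the magic cookie


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_discover(xid, chaddr, giaddr="0.0.0.0", subnet_selection=None, link_selection=None):
    """Return a DHCPDISCOVER as a relay would forward it to the server."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1 if giaddr != "0.0.0.0" else 0,    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                                # secs, broadcast flag
        _ip("0.0.0.0"), _ip("0.0.0.0"), _ip("0.0.0.0"), _ip(giaddr),  # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"", b"")             # chaddr, sname, file (null padded by struct)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if subnet_selection:
        opts += bytes([OPT_SUBNET_SELECTION, 4]) + _ip(subnet_selection)
    if link_selection:
        sub = bytes([SUBOPT_LINK_SELECTION, 4]) + _ip(link_selection)
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_tlvs(data, stop_at_end=True):
    """Decode code/length/value triples. Option 82 sub-options share the layout but have no END or PAD."""
    out = {}
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def scope_selectors(packet):
    """Report giaddr and any RFC 3011 / RFC 3527 selector present in a DHCP packet."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    result = {"giaddr": str(ipaddress.IPv4Address(packet[24:28])),
              "subnet_selection": None, "link_selection": None}
    opts = parse_tlvs(packet[HEADER_LEN + 4:])
    if len(opts.get(OPT_SUBNET_SELECTION, b"")) == 4:
        result["subnet_selection"] = str(ipaddress.IPv4Address(opts[OPT_SUBNET_SELECTION]))
    subs = parse_tlvs(opts.get(OPT_RELAY_AGENT_INFO, b""), stop_at_end=False)
    if len(subs.get(SUBOPT_LINK_SELECTION, b"")) == 4:
        result["link_selection"] = str(ipaddress.IPv4Address(subs[SUBOPT_LINK_SELECTION]))
    return result


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    for kind, kw in (("plain", {}), ("rfc3011", {"subnet_selection": "192.168.5.0"}),
                     ("rfc3527", {"link_selection": "192.168.5.0"})):
        pkt = build_discover(0x1234, mac, giaddr="10.10.10.1", **kw)
        print(kind, scope_selectors(pkt))
```

In a capture, a DISCOVER whose giaddr is the ASA inside interface and which carries option 118 or option 82/5 for the scope network is the RFC 3011/3527 form; if instead giaddr itself is the scope network, the server will address its OFFER to that network and you should see it on the path back, which is the situation Diego's suggestion is meant to avoid.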

kiranoddiraju (Level 1)

This might help someone... I had the exact same problem: AnyConnect VPN unable to connect with the exact same message (as below).

"The secure gateway has rejected the connection attempt.  A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.  The following message was received from the secure gateway:  No assigned address"

Upon troubleshooting I found that even though I configured the correct Connection Profile for SSL VPN, the incoming connection was taking the DefaultWEBVPNGroup connection profile, which didn't have client address assignment. I configured the Client Address Pool with a client address pool and I am now able to obtain an IP address and manage to remote in.

HTH

Regards,

KO

Hi there,

I had the same issues but it wasn't related to IP pool or DHCP configuration. I just turned off the antivirus system and everything went OK.

Then I checked my ESET Antivirus Settings and found that the WEB filtering module prevents AnyConnect from establishing connection.

Please rate if this is helpful.