
SSL AnyConnect doesn't work

ngo duyen
Level 1

I have configured a Cisco ASA 5520 as a remote access IPsec VPN and it worked.

Now I want to configure one more function: SSL VPN.

Here is my config; if I change "vpn-tunnel-protocol svc" -> "vpn-tunnel-protocol webvpn", I can see clientless SSL work.

But AnyConnect SSL doesn't work (I can access https://ip_outside_vpn_server, manually download the AnyConnect software and install it; after clicking CONNECT I get an error (see the attached picture)).

Please help me identify the problem.

access-list inside_nat0_outbound extended permit ip any 192.168.80.0 255.255.255.0
!
ip local pool sslpool 192.168.80.1-192.168.80.254 mask 255.255.255.0
!
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 tunnel-group-list enable
 svc enable
!
!
group-policy sslpolicy internal
group-policy sslpolicy attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc ask none default svc
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
!
!
aaa local authentication attempts max-fail 10
!
!
username ssluser1 password sslusr1
!
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool sslpool
 default-group-policy sslpolicy
 exit
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
!
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.80.0 255.255.255.0 outside

1 Accepted Solution


Is this the only Windows 7 PC that has the issue? Or can you not connect from any other computer as well?

Is this Windows 7 PC a fresh install, or is it an upgrade from a previous version of Windows?


8 Replies

Jennifer Halim
Cisco Employee

The following should be removed as you already have NAT exemption:

nat (outside) 2 192.168.80.0 255.255.255.0 outside

global (inside) 2 interface

Which Windows OS are you running, and also which SSL VPN license do you have?

Can you also share the output of "show vpn-sessiondb summary" after trying to connect again with AnyConnect?

I use Windows 7 SP1.

About the VPN license:

SSL VPN Peers                  : 500      

Total VPN Peers                : 750 

and the output of "show vpn-sessiondb summary":

show vpn-sessiondb summary

Active Session Summary

Sessions:

                           Active : Cumulative : Peak Concurrent : Inactive

  SSL VPN               :       0 :         40 :               5

    Clientless only     :       0 :         40 :               5

    With client         :       0 :          0 :               0 :        0

  IPsec Remote Access   :       0 :         11 :               3

  Totals                :       0 :         51

License Information:

  IPsec   :    750    Configured :    750    Active :      0    Load :   0%

  SSL VPN :    500    Configured :    500    Active :      0    Load :   0%

                            Active : Cumulative : Peak Concurrent

  IPsec               :          0 :         11 :               3

  SSL VPN             :          0 :         59 :               5

  Totals              :          0 :         70

Active NAC Sessions:

  No NAC sessions to display

Active VLAN Mapping Sessions:

  No VLAN Mapping sessions to display

Is this the only Windows 7 PC that has the issue? Or can you not connect from any other computer as well?

Is this Windows 7 PC a fresh install, or is it an upgrade from a previous version of Windows?

Oh, I tried with another computer with Windows 7 Enterprise, and it works,

and on the other computer (Windows 7 Ultimate SP1), which I RDP into, I get the error:

"VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established" -> How can I enable this function?

I think the OS was the problem.

You can configure an AnyConnect profile and change the Windows VPN Establishment setting to AllowRemoteUsers to allow a VPN connection from an RDP session. Do you actually need to VPN out from an RDP session?

I want to test this function; could you guide me in detail?

I use ASDM 6.3 and ASA 8.22, and I don't see where I can change this setting.

Thank you

The AnyConnect profile can be configured via:

Configuration --> Remote Access VPN --> Network (Client) Access --> AnyConnect Client Profile --> then create a new VPN profile.

Once you create the profile, you can modify the profile settings, and to allow RDP access, go to Preferences (Part 1) --> Windows VPN Establishment --> choose "AllowRemoteUsers".

For the AnyConnect profile, the most basic setting is to configure the "Server Lists", i.e. the ASA that the AnyConnect VPN needs to connect to.

Then you just have to assign the AnyConnect profile to your group policy.

Thank you for the fast support
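What the profile described in the reply above looks like as XML, with its attachment to the group policy noted in a comment. This is an added example, not part of the original thread and not Cisco's own file; the host name, host address and profile file name are constructed placeholders, and the `svc profiles` lines assume the 8.x-era CLI used in the posted config.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: minimal AnyConnect client profile (constructed). -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Default is LocalUsersOnly, which produces the
         "VPN establishment capability from a remote desktop is disabled"
         error when CONNECT is clicked inside an RDP session. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client (placeholder). -->
      <HostName>ASA-5520-SSL</HostName>
      <!-- Outside address or FQDN of the ASA (placeholder). -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
<!-- Attaching the profile on the ASA (assumed CLI; rdp_profile and the
     file name are hypothetical):
       webvpn
        svc profiles rdp_profile disk0:/rdp_profile.xml
       group-policy sslpolicy attributes
        webvpn
         svc profiles value rdp_profile
     The client picks up the profile on its next successful connection,
     so the first connection still has to be made from a local session. -->
```

AllowRemoteUsers lets a user logged on over RDP bring up the tunnel, and with `split-tunnel-policy tunnelall` as in the posted config the resulting routing change can disconnect the RDP session that started it. Assign the profile only to the group policy that needs it rather than to every policy.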