06-22-2021 10:49 PM
Hi,
I have an issue with my SSL VPN Cisco AnyConnect to the DMZ. It shows as below:
"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address."
Please help or recommend the best solution for fixing it.
My personal email: hoaithanhdo@gmail.com
Hope to receive good news from all of you.
Many thanks !
06-23-2021 05:47 AM
You've enabled the tunnel-group list globally, but you have no alias for your new tunnel-group. You can modify as below:
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
group-alias ALIAS-NAME enable
Refer to this reference for more information.
06-29-2021 07:49 AM
The ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through an interface to a far interface. The exception to this is if it is coming over a VPN, in which case you can configure the management-access <interface name> command; this will also permit management of the device using SSH, SNMP and HTTP.
07-02-2021 01:35 AM
Do you have the LDAP NOACCESS group-policy defined? This denies any user that is not part of an LDAP group.
Reference:-
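As an added illustration of the pattern this reply refers to (this is not the reply's own configuration, and the page does not show the poster's actual LDAP setup), the following ASA snippet shows a catch-all NOACCESS group-policy combined with an LDAP attribute-map, so that only users whose memberOf value is mapped receive a usable policy. The names GP-DMZ-USERS, LDAP-MAP, the server address 10.0.0.10, the DNs under DC=example,DC=com and the use of NOACCESS as the tunnel-group default are assumptions; the tunnel-group and server-group names come from the thread.

```cisco
! Added illustration, not configuration from the thread. All DNs, the
! host address and the GP-DMZ-USERS / LDAP-MAP names are assumptions.
!
! 1. Catch-all policy. Zero simultaneous logins means a user who lands
!    here is rejected even though LDAP authentication itself succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
!
! 2. The policy that correctly mapped users actually receive.
group-policy GP-DMZ-USERS internal
group-policy GP-DMZ-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! 3. Map the LDAP memberOf attribute onto the ASA Group-Policy attribute.
!    Only DNs listed as map-value produce a policy; any other memberOf
!    value is ignored, so the user falls through to the default policy.
ldap attribute-map LDAP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-DMZ-Users,OU=Groups,DC=example,DC=com" GP-DMZ-USERS
!
! 4. Attach the map to the LDAP server object (assumed AD on 10.0.0.10).
aaa-server LDAP-SERVER protocol ldap
aaa-server LDAP-SERVER (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password REPLACE-WITH-REAL-PASSWORD
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! 5. Make NOACCESS the default for the tunnel-group so that an
!    authenticated but unmapped user is denied rather than admitted.
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB general-attributes
 authentication-server-group LDAP-SERVER
 default-group-policy NOACCESS
```

With this in place, a user who authenticates but is not a member of a mapped group gets NOACCESS and is refused; a user who is a member of several groups returns several memberOf values, and the `debug ldap 255` output shows which value the ASA mapped and which policy was applied, which is the first thing to check when a user in more than one group is unexpectedly denied.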
06-22-2021 11:58 PM
The error indicates "No assigned address"
- Check to see if you have the IP address pool configured
06-23-2021 02:59 AM - edited 06-23-2021 03:04 AM
Hello @Rob Ingram, thanks for your support, but I already assigned an address pool for the tunnel-group as below and the issue still occurs.
Please take a look.
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB type remote-access
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB general-attributes
address-pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
authentication-server-group LDAP-SERVER
default-group-policy VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
authentication aaa certificate
ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL 10.198.3.161-10.198.3.175 mask 255.255.255.240
06-23-2021 03:25 AM
Are other users able to connect? Perhaps there are no spare IP addresses to assign. Check using the command below.
show ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
06-23-2021 05:06 AM - edited 06-23-2021 05:12 AM
Hello, @Rob Ingram
This is a new pool that I created for VPN remote clients.
Please kindly see the content below:
Regards !
show IP local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
Begin End Mask Free Held In use
10.198.3.161 10.198.3.175 255.255.255.240 15 0 0
Available Addresses:
10.198.3.161
10.198.3.162
10.198.3.163
10.198.3.164
10.198.3.165
10.198.3.166
10.198.3.167
10.198.3.168
10.198.3.169
10.198.3.170
10.198.3.171
10.198.3.172
10.198.3.173
10.198.3.174
10.198.3.175
06-23-2021 05:17 AM
You are definitely connecting to this specific tunnel-group and not the default?
You don't appear to have a group-url or group-alias defined. Do you have the tunnel-group drop-down list enabled, and do you select the tunnel-group?
06-23-2021 05:36 AM - edited 06-23-2021 05:37 AM
Hello @Rob Ingram ,
Please kindly take a look at the roadmap that I created.
If I missed some configuration, please leave your comment.
Regards !
06-23-2021 07:32 AM
06-23-2021 10:32 PM
Hello @Rob Ingram
Thanks for your support .
I have tried enabling the group-alias. The VPN is OK now.
You are a Cisco firewall expert.
Have a nice day.
Regards !
06-24-2021 10:55 PM
Hello @Rob Ingram
Now I have a new issue: my manager wants one user to belong to multiple VPN groups.
But when I tried to test it, it shows "you have no dial-in permission". If I remove the user from the other VPN group, it is OK.
Could you please give me your suggestion?
Thanks and Regards !
06-25-2021 12:01 AM
@hoaithanhdo in the configuration you previously provided you only had 1 LDAP group defined; what configuration changes did you make on the ASA? Please provide a screenshot of the actual error and indicate which group the user was a member of.
06-25-2021 10:00 PM
Hello @Rob Ingram
I mean the users belong to 2 VPN groups; when they connect with Cisco AnyConnect, the error is "you have no dial-in permission".
Then if I remove the users from one group, it is OK. The matter is that my manager wants the users to still belong to 2 groups. And when I enable the alias for the VPN groups, all users can see all VPN groups; he doesn't want them to see that. Hope to hear the best solution from you.
Thanks and best regards !
Have a nice weekend.
06-26-2021 12:22 AM
Use a group-url and remove the group-alias for the 2nd tunnel-group. This URL can be used by the users requiring access to the 2nd tunnel-group; only the initial tunnel-group will be seen by the users in AnyConnect.
Example:-
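As an added illustration (this is not the reply's own example, which is not reproduced on the page, nor configuration from the thread), the snippet below puts together the accepted group-alias fix from earlier in the thread and the group-url approach described in this reply: the first tunnel-group is selected from the AnyConnect drop-down through its alias, while the second has no alias and is reached only through its URL, so it never appears in the list. The alias DMZ-USERS, the second tunnel-group and pool names, the 10.198.3.177-10.198.3.190 range and the hostname vpn.example.com are assumptions; the first tunnel-group and its pool are taken from the thread.

```cisco
! Added illustration, not configuration from the thread. DMZ-USERS,
! VPN-REMOTE-ACCESS-DMZ-SECOND, its pool range and vpn.example.com are
! assumptions.
webvpn
 enable outside
 tunnel-group-list enable
!
! Constructed pool for the second tunnel-group (the first pool is from
! the thread and is assumed to already exist).
ip local pool VPN-REMOTE-ACCESS-DMZ-SECOND-POOL 10.198.3.177-10.198.3.190 mask 255.255.255.240
!
! First tunnel-group: the alias makes it visible in the drop-down list.
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB type remote-access
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB general-attributes
 address-pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
 authentication-server-group LDAP-SERVER
 default-group-policy VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
 authentication aaa certificate
 group-alias DMZ-USERS enable
!
! Second tunnel-group: no alias, so it is not listed. Users connect to
! the URL directly (or it is pre-filled in their AnyConnect profile).
tunnel-group VPN-REMOTE-ACCESS-DMZ-SECOND type remote-access
tunnel-group VPN-REMOTE-ACCESS-DMZ-SECOND general-attributes
 address-pool VPN-REMOTE-ACCESS-DMZ-SECOND-POOL
 authentication-server-group LDAP-SERVER
 default-group-policy VPN-REMOTE-ACCESS-DMZ-SECOND
tunnel-group VPN-REMOTE-ACCESS-DMZ-SECOND webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.example.com/dmz-second enable
```

After a user connects, `show vpn-sessiondb anyconnect` lists the Tunnel Group and Group Policy the session landed on, which confirms whether the alias or the URL selected the intended tunnel-group. Note that a group-url only selects a tunnel-group; it is not an access control, because anyone who learns the URL can present it. Restricting who may use the second tunnel-group is still the job of the authentication and group-policy mapping, and `group-lock value <tunnel-group>` under a group-policy's attributes can additionally reject users whose mapped policy does not belong to the tunnel-group they connected to.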
06-26-2021 05:50 PM