ssl vpn cisco anyconnect issue

hoaithanhdo (Level 1)

Hi,

I have an issue with my SSL VPN (Cisco AnyConnect) to the DMZ. It shows the following:

"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address."

Please help or recommend the best solution for fixing it.

Personal email: hoaithanhdo@gmail.com

I hope to receive good news from all of you.

Many thanks!

Accepted Solutions


@hoaithanhdo

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface. The exception to this is if coming over a VPN, in which case you can configure the management-access <interface name> command. This will also permit management of the device using SSH, SNMP and HTTP.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf


21 Replies

@hoaithanhdo

The error indicates "No assigned address".

- Check to see if you have the IP address pool configured.

hoaithanhdo (Level 1)

Hello @Rob Ingram, thanks for your support, but I already assigned an address pool to the tunnel-group as below and the issue still occurs.

Please take a look.

tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB type remote-access
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB general-attributes
 address-pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
 authentication-server-group LDAP-SERVER
 default-group-policy VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
 authentication aaa certificate

ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL 10.198.3.161-10.198.3.175 mask 255.255.255.240

@hoaithanhdo 

Are other users able to connect? Perhaps there are no spare IP addresses to assign. Check using the command below.

 

show ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL

Hello @Rob Ingram,

This is a new pool that I created for the VPN remote clients.

Please kindly see the output below:

Regards!

show ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL

Begin           End             Mask             Free   Held   In use
10.198.3.161    10.198.3.175    255.255.255.240  15     0      0

Available Addresses:
10.198.3.161
10.198.3.162
10.198.3.163
10.198.3.164
10.198.3.165
10.198.3.166
10.198.3.167
10.198.3.168
10.198.3.169
10.198.3.170
10.198.3.171
10.198.3.172
10.198.3.173
10.198.3.174
10.198.3.175

@hoaithanhdo

You are definitely connecting to this specific tunnel-group and not the default?

You don't appear to have a group-url or group-alias defined. Do you have the tunnel-group drop-down list enabled, and do you select the tunnel-group?

 

 

Hello @Rob Ingram,

Please kindly take a look at the roadmap that I created.

If I missed some configuration, please leave your comment.

Regards!

You've enabled the tunnel-group list globally, but you've no alias for your new tunnel-group. You can modify as below

 

tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
group-alias ALIAS-NAME enable

 

Refer to this reference for more information.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

 

Hello @Rob Ingram,

Thank you so much.

I will try to test again.

Regards!

Hello @Rob Ingram,

Thanks for your support.

I have tried enabling the group-alias. The VPN is OK now.

You are a Cisco firewall expert.

Have a nice day.

Regards!

Hello @Rob Ingram,

Now I have a new issue: my manager wants one user to belong to multiple VPN groups.

But when I tried to test it, it showed "you have no dial in permission". If I remove the user from the other VPN group, it is OK.

Could you please give me your suggestion?

Thanks and regards!

@hoaithanhdo, in the configuration you previously provided you only had 1 LDAP group defined. What configuration changes did you make on the ASA? Please provide a screenshot of the actual error and indicate which group the user was a member of.

Hello @Rob Ingram,

What I mean is that the users belong to 2 VPN groups; when they connect with Cisco AnyConnect, the error is "you have no dial in permission".

Then, if I remove the users from one group, it is OK. The problem is that my manager wants the users to still belong to 2 groups. And when I enable an alias for a VPN group, all users can see all VPN groups; he doesn't want that to be seen. I hope to hear the best solution from you.

Thanks and best regards!

Have a nice weekend.

@hoaithanhdo

Use a group-url and remove the group-alias for the 2nd tunnel-group. This URL can be used by the users requiring access to the 2nd tunnel-group; only the initial tunnel-group will be seen by the users in AnyConnect.

Example:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

 
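The two checks Rob Ingram walks through in this thread (is the pool configured and non-empty; does the tunnel-group have a group-alias or group-url so AnyConnect can actually land in it) and the group-url-only trick from the reply above can be scripted against a `show run` and a `show ip local pool` capture. The following is an added example, not code from the thread or from Cisco: it embeds a constructed config built from the poster's tunnel-group plus the global `tunnel-group-list enable` the accepted answer mentions, and a hypothetical second tunnel-group (`VPN-REMOTE-ACCESS-SECOND`, alias `DMZ-ISB`, URL `https://vpn.example.com/second`) to illustrate the URL-only case. A certificate-to-tunnel-group map could also select a group; that path is not modelled here.

```python
"""Lint an ASA remote-access VPN config for the causes of "No assigned address"
discussed in this thread. Added example; all input below is constructed."""

# The poster's tunnel-group plus the global "tunnel-group-list enable" the
# accepted answer refers to (constructed; the real running-config was longer).
BROKEN_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
ip local pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL 10.198.3.161-10.198.3.175 mask 255.255.255.240
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB type remote-access
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB general-attributes
 address-pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
 authentication-server-group LDAP-SERVER
 default-group-policy VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB
tunnel-group VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB webvpn-attributes
 authentication aaa certificate
"""

# Same config after both fixes: an alias on the poster's group (appended under its
# webvpn-attributes section) and a hypothetical second group reachable only by URL.
FIXED_CONFIG = BROKEN_CONFIG + """\
 group-alias DMZ-ISB enable
tunnel-group VPN-REMOTE-ACCESS-SECOND type remote-access
tunnel-group VPN-REMOTE-ACCESS-SECOND general-attributes
 address-pool VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL
tunnel-group VPN-REMOTE-ACCESS-SECOND webvpn-attributes
 group-url https://vpn.example.com/second enable
"""

# "show ip local pool <name>" output as the poster pasted it (constructed copy).
POOL_STATUS = """\
Begin           End             Mask             Free   Held   In use
10.198.3.161    10.198.3.175    255.255.255.240  15     0      0
"""


def parse_pool_free(show_output):
    """Return the Free column from 'show ip local pool <name>' output."""
    lines = [l for l in show_output.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if line.split()[:1] == ["Begin"]:
            return int(lines[i + 1].split()[3])
    raise ValueError("no pool summary line found")


def parse_config(text):
    """Return (tunnel_group_list_enabled, defined pool names, {tunnel-group: attrs}).

    ASA sub-commands are indented by one space under their parent command, so a
    non-indented line always starts a new top-level command."""
    groups, pools, tg_list, section = {}, set(), False, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if not raw.startswith(" "):
            section = None
            if parts[0] == "webvpn":
                section = ("webvpn", None)
            elif parts[:3] == ["ip", "local", "pool"]:
                pools.add(parts[3])
            elif parts[0] == "tunnel-group":
                tg = groups.setdefault(parts[1], {"type": None, "pool": None, "aliases": [], "urls": []})
                if parts[2] == "type":
                    tg["type"] = parts[3]
                else:  # general-attributes / webvpn-attributes / ... block follows
                    section = ("tg", parts[1])
            continue
        if section == ("webvpn", None) and parts[:2] == ["tunnel-group-list", "enable"]:
            tg_list = True
        elif section and section[0] == "tg":
            tg = groups[section[1]]
            if parts[0] == "address-pool":
                tg["pool"] = parts[1]
            elif parts[0] == "group-alias" and parts[-1] == "enable":
                tg["aliases"].append(parts[1])
            elif parts[0] == "group-url" and parts[-1] == "enable":
                tg["urls"].append(parts[1])
    return tg_list, pools, groups


def diagnose(config_text, pool_free):
    """pool_free maps pool name -> free addresses (taken from parse_pool_free)."""
    tg_list, pools, groups = parse_config(config_text)
    findings = []
    for name, tg in groups.items():
        if tg["type"] != "remote-access":
            continue
        if tg["pool"] is None:
            findings.append(f"NO_POOL {name}")
        elif tg["pool"] not in pools:
            findings.append(f"POOL_UNDEFINED {name} {tg['pool']}")
        elif pool_free.get(tg["pool"], 0) == 0:
            findings.append(f"POOL_EXHAUSTED {name} {tg['pool']}")
        if not tg["aliases"] and not tg["urls"]:
            # Nothing lets a client pick this group: the session lands in
            # DefaultWEBVPNGroup, which has no pool -> "No assigned address".
            findings.append(f"UNSELECTABLE {name}")
        elif tg["urls"] and not tg["aliases"]:
            findings.append(f"URL_ONLY {name}")  # reachable by URL, hidden from the drop-down
    if not tg_list and any(tg["aliases"] for tg in groups.values()):
        findings.append("ALIAS_WITHOUT_TUNNEL_GROUP_LIST")  # alias defined but no drop-down shown
    return sorted(findings)


if __name__ == "__main__":
    free = {"VPN-REMOTE-ACCESS-DMZ_WOLSELEY-ISB-POOL": parse_pool_free(POOL_STATUS)}
    print("before fix:", diagnose(BROKEN_CONFIG, free))
    print("after fix: ", diagnose(FIXED_CONFIG, free))
```

Run it against your own `show run` text and the `show ip local pool` output for each referenced pool; an `UNSELECTABLE` finding on a remote-access group reproduces the thread's problem, and a `URL_ONLY` finding is the intended state for a group that should stay out of the AnyConnect drop-down.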

Hello @Rob Ingram,

Thanks so much.

Regards!