
ssl vpn cisco anyconnect issue

hoaithanhdo
Level 1

Hi ,

 

I have an issue with my SSL VPN (Cisco AnyConnect) to the DMZ. It shows the message below:

"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address".

Please help or recommend the best solution for fixing it.

My personal email: hoaithanhdo@gmail.com

I hope to receive good news from all of you.

Many thanks !

21 Replies

Hello @Rob Ingram ,

 

I have tested, and users connect to the VPN OK; they can access the internet and ping hosts in the DMZ, but they cannot ping the IP address of the DMZ interface itself.

Could you guide me to the best solution for this case?

Example: a user can ping 192.168.10.2 (a server in the DMZ) but cannot ping 192.168.10.1, the IP address of the DMZ interface.

Regards !

@hoaithanhdo 

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface. The exception to this is if coming over a VPN, in which case you can configure the management-access <interface name> command. This will also permit management of the device using SSH, SNMP and HTTP.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf
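As an added example (not part of the reply above or the poster's configuration), here is what the management-access change looks like on the ASA CLI, together with the companion statements a practitioner usually forgets and the removal the poster later decided on. The interface name dmz and the VPN pool 192.168.50.0/24 are assumptions; only one interface can be named in the command.

```text
! Assumed interface name "dmz" (the interface whose address 192.168.10.1 the
! VPN users could not ping). The ASA accepts a single interface here.
management-access dmz
!
! management-access only makes the far interface's address reachable over
! the tunnel. SSH/HTTPS still need their own permit statements naming that
! interface; assumed VPN client pool 192.168.50.0/24:
ssh 192.168.50.0 255.255.255.0 dmz
http 192.168.50.0 255.255.255.0 dmz
!
! Confirm what is active:
show running-config management-access
!
! Remove it once testing is finished, as the poster chose to do:
no management-access dmz
```

Leaving the command in place widens the management surface of the DMZ interface to every VPN client in the pool, which is why removing it after the test is the conservative choice.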

Hello @Rob Ingram 

 

Thanks for your reference; it's done now, but after considering security we were only testing and will not leave this command in our ASA. But now I have another case:

We will use an LDAP server as the primary authentication for SSL VPN Cisco AnyConnect, and RADIUS will be used for backup authentication. Does the Cisco firewall support this or not?

Sincerely and regards!

 

 

Hi @hoaithanhdo 

No, you can't have RADIUS as a backup for LDAP. The only backup method is local (the ASA's local user database).

You should ensure your LDAP servers are resilient and that each LDAP server is configured as a host on the ASA.

 

HTH
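Added example, not taken from the thread: an ASA configuration that puts two LDAP hosts in one server group and uses the local database as the fallback, which is the arrangement the answer above describes. The group name LDAP-SRV, the tunnel-group ANYCONNECT-TG, the pool VPN-POOL, the 10.0.0.x addresses and the DNs are all assumptions.

```text
! One aaa-server group, two LDAP hosts. The ASA works through them in order
! and, after 3 failures, marks a host dead for 10 minutes before retrying.
aaa-server LDAP-SRV protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server LDAP-SRV (inside) host 10.0.0.11
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=ServiceAccounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
aaa-server LDAP-SRV (inside) host 10.0.0.12
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=ServiceAccounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! LOCAL fallback: it is consulted only when every LDAP host is unreachable,
! not when LDAP rejects the credentials. Keep the local account minimal.
username vpn-emergency password <strong-password> privilege 0
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-SRV LOCAL
!
! Check each host on its own before relying on the failover:
test aaa-server authentication LDAP-SRV host 10.0.0.11 username jdoe password <pw>
test aaa-server authentication LDAP-SRV host 10.0.0.12 username jdoe password <pw>
```

The bind account only needs read access to the user subtree; using LDAPS (port 636) keeps the bind password and user credentials off the wire between the ASA and the domain controllers.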

Hello @Rob Ingram ,

 

Thanks for your quick feedback.

I have made a test case: remove a user from all VPN LDAP groups. But the user can still access the VPN now.

I checked with the server admin; they have already removed that user.

Could you guide me on how to find out why?

Regards!

@hoaithanhdo 

Do you have the LDAP NOACCESS group-policy defined? This denies any user that is not part of an LDAP group.

 

Reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15
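Added example, not from the thread or copied from the linked Cisco document: how the NOACCESS group policy fits together with an LDAP attribute map so that a user removed from the AD group is denied even though the LDAP bind still succeeds. LDAP-SRV is assumed to be an existing aaa-server group; the map name, group names, DNs and tunnel-group are assumptions.

```text
! Map the AD memberOf attribute to an ASA group-policy name. Members of the
! assumed VPN-Users group receive GP-VPN-USERS; anyone else gets no mapped
! value and falls through to the tunnel-group's default policy.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com GP-VPN-USERS
!
aaa-server LDAP-SRV (inside) host 10.0.0.11
 ldap-attribute-map AD-MAP
!
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
!
! Deny-by-default: authentication succeeds, but zero simultaneous logins
! means the session is never established.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
!
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy NOACCESS
!
! See which memberOf values come back and which policy the map selects:
debug ldap 255
test aaa-server authentication LDAP-SRV host 10.0.0.11 username jdoe password <pw>
```

The symptom in the thread (a user removed from every VPN group still connects) is exactly what happens when the default-group-policy is a permissive one: with no attribute-map hit, that default decides, so it must be the policy that denies.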

 

Hello @Rob Ingram ,

 

Thanks so much. This issue is resolved now.

Regards !