I have an issue with my SSL VPN Cisco AnyConnect to the DMZ. It shows the following:
"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address".
Please help or recommend the best solution for fixing it.
Personal email: email@example.com
Hope to receive good news from all of you.
Many thanks!
Hello @Rob Ingram,
I have tested: users connect to the VPN OK, they can access the internet and ping hosts in the DMZ, but they cannot ping the IP address of the DMZ interface.
Could you guide me to the best solution for this case?
Example: a user can ping 192.168.10.2 (server in the DMZ) but cannot ping 192.168.10.1, the IP address of the DMZ interface.
The ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through an interface to a far interface. The exception to this is if coming over a VPN, in which case you can configure the management-access <interface name> command; this will also permit management of the device using SSH, SNMP and HTTP.
Hello @Rob Ingram,
Thanks for your reference, it is done now, but after considering security we only tested it and did not leave this command in our ASA. But now I have another case:
We will use an LDAP server as the primary authentication for SSL VPN Cisco AnyConnect, and RADIUS will be used for backup authentication. Does the Cisco firewall support this or not?
Sincerely and regards!
No, you can't have RADIUS as a backup for LDAP. The only backup method is LOCAL (the ASA's local user database).
You should ensure your LDAP servers are resilient and that each LDAP server is configured as a host on the ASA.
Hello @Rob Ingram,
Thanks for your quick feedback.
I have made a test case: remove a user from all VPN LDAP groups. But that user can still access the VPN now.
I checked with the server admin; they have already removed that user.
Could you guide me on how to check the cause of this problem?
Do you have the LDAP NOACCESS group-policy defined? This denies any user that is not part of an LDAP group.
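As an added example (not configuration from this thread, from Cisco, or from the poster's ASA), this is the ASA pattern the reply above refers to: a NOACCESS group-policy with zero simultaneous logins is made the tunnel-group default, and an LDAP attribute map promotes members of one specific directory group to a real group-policy. Anyone the directory does not place in that group falls through to NOACCESS and is denied at login, which is the behaviour the test in the previous post expected. The aaa-server name, the interface, the server address, the DNs and the group-policy names are placeholders.

```cisco
! Deny-by-default policy: a user that lands here cannot log in at all
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Real policy for users that are members of the permitted LDAP group
group-policy VPN-USERS-GP internal
group-policy VPN-USERS-GP attributes
 vpn-tunnel-protocol ssl-client
!
! Map the directory's memberOf attribute to the ASA Group-Policy attribute.
! Only the listed DN (placeholder) is translated; any other memberOf value
! yields no matching group-policy, so the tunnel-group default applies.
ldap attribute-map LDAP-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN-USERS-GP
!
! Each LDAP server is its own host entry under the same aaa-server group
! (placeholder interface, address and bind DN)
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-GROUP-MAP
!
! Tunnel-group: authenticate against LDAP, default to the deny policy
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy NOACCESS
```

To confirm which policy a session actually received, `show vpn-sessiondb anyconnect` lists the Group Policy per user, and `test aaa-server authentication LDAP-SRV host 10.0.0.10 username <user> password <pw>` exercises the bind and attribute lookup without a client; with `debug ldap 255` enabled the mapped memberOf values appear in the output, which is the quickest way to see why a user removed from the group still gets a real policy (for example a second group still mapped, or a cached session that was never logged out).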