cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14030
Views
40
Helpful
21
Replies

ssl vpn cisco anyconnect issue

hoaithanhdo
Level 1
Level 1

Hi ,

 

I have an issue with my ssl vpn cisco anyconnect to dmz. it's showed as below :

"the secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway . No assigned address ".

Please help or recommand the best solution for fixing it. 

mail personel email : hoaithanhdo@gmail.com 

hope receiving the good news form all of you. 

Many thanks !

 

 

21 Replies 21

Hello @Rob Ingram ,

 

I have test and users connect vpn is ok ,they can access internet and ping host in DMZ but they cannot ping  ip of that in dmz interface  .

Could you guide me the best solution for this case. ?

exp : user can ping 192.168.10.2 (server in dmz) but cannot ping ip add 192.168.10.1 - ip address of dmz interface.

Regards !

@hoaithanhdo 

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface, the exception to this is if coming over a VPN. In which case, you can configure mangement-access <interface name> command, this will also permit mgmt of the device using ssh, snmp, http

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf

 

 

 

 

Hello @Rob Ingram 

 

Thanks for your refer, it's done now, but after considering about security we only testing and no leave this command in our asa.  But now i have more case :

we will use ldap server is primary authentication for ssl vpn Cisco Anyconncnet and radius will be used for backup authentication . Cisco firewall is support this or not ? 

Sincerely and  Regards !

 

 

Hi @hoaithanhdo 

No you can't have radius as a backup for ldap. The only backup method is local (ASA's local user database).

You should ensure your LDAP servers are resilent and that each LDAP server is configured as a host on the ASA.

 

HTH

Hello @Rob Ingram ,

 

Thanks for your feedback soon. 

I have made the test case : remove user out off all vpn ldap group . but users still can access vpn now. 

i check with server admin , they already done removed that users . 

Could you guide me how to check the problem why ?

Regards ! 

@hoaithanhdo 

Do you have the LDAP NOACCESS group-policy defined? This denies any user that is not part of an LDAP group.

 

Reference:-

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

 

Hello @Rob Ingram ,

 

Thanks so much  . This issue is resolved now. 

Regards !