04-17-2024 09:31 AM
Hi everyone,
I'm using a trial version of ASAv and I believe it has full functionality but is limited to 100 Kbps. I'm trying to set up a remote access AnyConnect VPN which authenticates to our NPS RADIUS server. As you can see in the RADIUS debug, it seems to be connecting to the RADIUS server successfully. The RADIUS server goes to an AD server to authenticate the user:
rad_procpkt: ACCEPT
radius.c 1374: status = 1
MSChapv2 authenticator received.
Added decoded MS MPPE recv key for RADIUS
Added decoded MS MPPE send key for RADIUS
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x00007fc812693f60 session 0x2b54 id 111
free_rip 0x00007fc812693f60
radius: send queue empty
The problem is that the authentication fails on the AnyConnect client. Now I've checked the licence on my trial ASAv and it is showing:
Firewall throughput limited to 100 Kbps
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Botnet Traffic Filter : Enabled
Cluster : Enabled
It is showing AnyConnect as disabled. Am I mistaken in thinking the AnyConnect feature should work in the trial, or do I have an issue between the ASAv and the RADIUS server, or between the RADIUS server and the AD domain server?
Thanks
04-18-2024 04:36 AM
Did you get a token and configure smart licensing?
04-18-2024 04:41 AM
@faghouri83, "anyconnect enable" won't help you until you resolve the issue with the license, as @Marvin Rhoads pointed out.
04-18-2024 04:38 AM
This could change at some point. A simple Google search shows that the typical number of AnyConnect Premium licenses on the unlicensed ASAv is 2.
04-18-2024 07:03 AM
debug aaa shim 255
debug aaa comm 127
Share the output of these two debugs.
Thanks
MHM
04-26-2024 12:13 PM
Any update?
MHM
04-30-2024 03:36 AM - edited 04-30-2024 03:37 AM
Sorry for not getting back. I had an issue with activating the account for smart licensing. I have that sorted now and I've pulled off a token, but still no luck. I have entered the webvpn - anyconnect enable command too.
Once I entered the token I ran the command sh license summary and it still came up with "not registered". I then entered the token again, but this time with the force keyword at the end. I now get:
ciscoasa/act/pri# sh license summary
Smart Licensing is ENABLED
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NOT ALLOWED
Next Registration Attempt: Apr 30 2024 10:46:46 UTC
License Authorization:
Status: EVAL MODE
Evaluation Period Remaining: 89 days, 23 hours, 4 minutes, 0 seconds
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
(ASAv-STD-1G) 1 EVAL MODE
When I do sh ver:
License mode: Smart Licensing
ASAv Platform License State: Unlicensed
Active entitlement: ASAv-STD-1G, enforce mode: Eval period
Firewall throughput limited to 100 Kbps
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Botnet Traffic Filter : Enabled
Cluster : Enabled
I can get out to the internet, so the firewall should be able to register successfully. I can see the config:
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
So it's in evaluation mode, but it seems I still don't have the ability to connect via Cisco AnyConnect.
04-30-2024 07:18 AM
The two commands I shared before will show us whether it is a license issue or not.
Run them and share the output.
MHM
04-30-2024 07:18 AM
I have managed to get the firewall talking to the Cisco portal by adding a default DNS server. It has registered and is now showing a number of AnyConnect licences. However, I'm still failing authentication and I now get:
Reason: This connection is group locked to <CORP_VPN>.
04-30-2024 07:24 AM - edited 04-30-2024 07:24 AM
Good.
Share the AnyConnect config.
MHM
05-22-2024 03:16 AM
Sorry for not replying back, but I would like to say thank you to everyone who helped. The problem I had was that the password-management option was not enabled. That prevented the ASA from talking to the RADIUS server using MSCHAPv2, which was enabled on the RADIUS server.
Thanks again
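For readers landing on this thread with the same symptom (RADIUS debug shows ACCESS_ACCEPT, AnyConnect still fails, later "group locked"), the following is an added illustration of the relevant pieces of an ASA remote-access configuration; it is not the original poster's config and nothing in the thread shows their actual objects. The server group name NPS-RADIUS, the server address 10.0.0.5, the pool VPN_POOL, the group policy CORP_VPN_GP, the AnyConnect image filename and the interface names are all assumptions chosen for the example. The tunnel-group name CORP_VPN matches the one quoted in the "group locked" error above.

```cisco
! --- RADIUS server group pointing at the NPS box (names/addresses are assumed) ---
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.5
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! --- SSL VPN / AnyConnect on the outside interface ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.07073-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! --- Group policy. group-lock is optional; if present, the user MUST connect
!     through the tunnel-group named here, otherwise the ASA rejects the
!     session with "This connection is group locked to <CORP_VPN>". ---
group-policy CORP_VPN_GP internal
group-policy CORP_VPN_GP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value CORP_VPN

! --- Tunnel group. password-management is the setting the thread ended on:
!     without it the ASA sends PAP to RADIUS; with it the ASA negotiates
!     MSCHAPv2, which is what the NPS policy required. ---
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group NPS-RADIUS
 default-group-policy CORP_VPN_GP
 password-management
tunnel-group CORP_VPN webvpn-attributes
 group-alias CORP_VPN enable
```

Two checks worth knowing when troubleshooting this. First, `test aaa-server authentication NPS-RADIUS host 10.0.0.5 username <user> password <pw>` exercises the RADIUS path, but it authenticates with PAP, so it can succeed while a real AnyConnect login with an MSCHAPv2-only NPS policy still fails; the debugs suggested in the thread (`debug aaa shim 255`, `debug aaa comm 127`, `debug radius`) are what show the method actually used. Second, a "group locked" rejection means the group policy applied to the session (either the default one above or one returned by RADIUS in a Class attribute) carries a `group-lock value` that does not match the tunnel-group the client selected; either connect through that tunnel-group or remove/correct the lock.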