03-27-2013 02:34 PM
Hi,
I have an ASA with anyconnect profiles configured.
In one of these profiles I want to enable clientless VPN.
When I access https://[asa address] I get the AnyConnect installation page.
How do I get in the portal for clientless access?
03-28-2013 12:07 AM
Have you enabled "ssl-clientless" within your group-policy?
Within group-policy, you should have "vpn-tunnel-protocol ssl-clientless" as one of the vpn tunnel protocols.
03-28-2013 05:31 AM
Yes, I enabled ssl-clientless protocol
03-28-2013 06:42 AM
Are you talking about AnyConnect or clientless? AnyConnect is a client-based VPN connection. Clientless is through a web browser.
To create a clientless VPN based solution you need at least the following:
A group policy in Configuration > Remote access VPN > Network client access > Clientless SSL VPN Access > Group Policies
and a connection profile in Configuration > Remote access VPN > Network client access > Clientless SSL VPN Access > Connection Profile
If you have both, provide more input: license level + configuration.
04-02-2013 06:21 AM
Hi, thanks for the reply.
Here is the relevant configuration currently installed.
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect ask enable default webvpn timeout 15
!
group-policy VPN_Funcionarios internal
group-policy VPN_Funcionarios attributes
 dns-server value 172.31.30.55
 vpn-filter value filter_VPN_Funcionarios
 vpn-tunnel-protocol ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value st_inside
 default-domain value sa.esab.org
 address-pools value SSLClientPool
 webvpn
  anyconnect ask enable default webvpn timeout 15
!
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy VPN_Funcionarios
!
04-02-2013 06:37 AM
And here is the licencing information.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 10 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
This platform has an ASA5525 VPN Premium license.
04-02-2013 06:51 AM
Based on the above information, you can't have clientless SSL VPN as you have AnyConnect Essentials enabled.
I saw that you have 2 licenses (AnyConnect Essentials and AnyConnect Premium (10)), however, you can only enable either one or the other, not both at the same time.
Based on your webvpn configuration:
webvpn
 enable outside
 anyconnect-essentials
You have AnyConnect Essentials enabled, hence you can't have AnyConnect Premium enabled.
If you want to test the premium license for clientless SSL VPN, then you would need to disable AnyConnect Essentials temporarily.
To disable it:
webvpn
 no anyconnect-essentials
Hope that clears the confusion.
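The conflict described in the answer above can be checked offline against a saved running-config. This is an added example, not part of the original thread or Cisco tooling; it assumes the usual one-space ASA indentation for sub-mode commands, and the sample config (including the `VPN_Client` policy) is constructed for illustration.

```python
# Added example: flag clientless SSL VPN settings that cannot take effect
# while AnyConnect Essentials is enabled in the global webvpn block.
# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect-essentials
group-policy VPN_Funcionarios internal
group-policy VPN_Funcionarios attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  anyconnect ask enable default webvpn timeout 15
group-policy VPN_Client attributes
 vpn-tunnel-protocol ssl-client
"""

def parse_blocks(config):
    """Yield (top-level line, [indented child lines]) for an ASA config."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():     # column 0 starts a new top-level block
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
        else:
            children.append(raw.strip())
    if header is not None:
        yield header, children

def essentials_conflicts(config):
    """Return (essentials_enabled, [group policies requesting ssl-clientless])."""
    essentials, clientless = False, []
    for header, children in parse_blocks(config):
        if header == "webvpn":
            # Exact match, so "no anyconnect-essentials" does not count.
            essentials = essentials or "anyconnect-essentials" in children
        elif header.startswith("group-policy ") and header.endswith(" attributes"):
            for line in children:
                words = line.split()
                if words[0] == "vpn-tunnel-protocol" and "ssl-clientless" in words[1:]:
                    clientless.append(header.split()[1])
    return essentials, (clientless if essentials else [])

if __name__ == "__main__":
    enabled, policies = essentials_conflicts(SAMPLE_CONFIG)
    for name in policies:
        print(f"{name}: ssl-clientless is set but anyconnect-essentials is enabled")
```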
04-02-2013 07:00 AM
Thank you.
I noticed it a few minutes before the reply, but this is the right answer.
I had to use the following:
webvpn
 no anyconnect-essentials
Then the ASA changed to "Premium mode..."
MAX AnyConnect Premium Peers allowed: 10