09-15-2014 01:36 PM
Hello All,
I have created a new VPN profile to my ASA5510 using certificate-based authentication because of a business need for On Demand VPN.
I installed the AnyConnect software on my iPad and deployed the .xml configuration to the AnyConnect profile. The profile works great and establishes a VPN connection manually. I have also populated the "Always On" feature for my internal domain name, so that any request for my internal domain initiates a VPN connection.
Unfortunately this on-demand function is not initiating automatically. I am using Safari and Chrome to test with my internal web applications. Where can I start to investigate the issues?
Thanks
09-16-2014 12:29 AM
What version of iOS are you running on your Apple device?
From where (in relation to your web application servers) are you testing? From outside the office, from another subnet on the office network, etc.?
If you are testing from outside the office, are you 100% sure that the DNS requests are not being resolved? If the DNS requests are being resolved then the VPN connection will not be established.
--
Please remember to select a correct answer and rate helpful posts
09-16-2014 07:36 AM
Hello Marius
I am running Apple iOS 7.1 on the iPad.
I am using an external WiFi with the iPad for connectivity.
I am testing with my internal SharePoint application, whose URL is simply https://gateway.mycompany.com. Therefore, in the AnyConnect Domain List, I have added mycompany.com to always connect.
09-16-2014 11:25 AM
Could you try configuring the domain list under the Connect if Needed list and then test? As of iOS 7, Always Connect is no longer supported, but it should still check that list and act as Connect if Needed.
But does https://gateway.mycompany.com resolve to a public IP? If it does, then the VPN will not be established, as the VPN client will do a DNS lookup first and if the name resolves a VPN connection will not be established. It is only when internal DNS servers are used and a DNS lookup fails that a Connect if Needed VPN connection is established.
--
Please remember to select a correct answer and rate helpful posts
09-17-2014 02:30 PM
Hello Marius,
Yes my https://gateway.mycompany.com does resolve externally.
In my domain list I have added *.mycompany.com and tried testing against other internal sites that do not resolve externally, but still no on-demand VPN.
The operation seems very straightforward, just not sure where to start the troubleshooting process.
On my iPad AnyConnect, I have added the VPN profile and installed the cert. When I manually initiate the VPN it works, although it does prompt me to press connect. (I assume this is normal?)
Cheers
09-17-2014 02:49 PM
"When I manually initiate the VPN it works, although it does prompt me to press connect. (I assume this is normal?)"
Yes, from my experience this is normal.
As for the URL that resolves externally, that is expected that the tunnel will not be established.
But for the URLs that do not resolve externally, where did you configure them? Did you put them under Connect if Needed?
Do you perhaps have any conflicting entries under the Never Connect section?
Have you enabled logging on the iPhone and checked to see if there is anything there that can point us in the right direction?
Do you have network roaming enabled under the VPN connection entry?
Have you looked through this guide? Perhaps it will give you some ideas.
--
Please remember to select a correct answer and rate helpful posts
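The decision logic described in the replies above, modelled as an added example that is not part of the original thread or Cisco's code. The suffix-matching rule, the precedence of Never Connect, the list keys and the hostnames other than gateway.mycompany.com are assumptions made for illustration.

```python
import socket

def resolves(host):
    """Default resolver: True if the current network's DNS returns an address."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def matches(host, entry):
    """Assumed rule: an entry matches the domain itself or any subdomain."""
    entry = entry.lower().lstrip("*").lstrip(".")
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def on_demand_decision(host, lists, resolver=resolves):
    """Return (would_connect, reason) for one hostname."""
    # Assumption: a Never Connect match wins over the other lists.
    if any(matches(host, e) for e in lists.get("never", [])):
        return False, "matched Never Connect"
    # Per the thread: on iOS 7, Always Connect acts as Connect if Needed.
    needed = lists.get("if_needed", []) + lists.get("always", [])
    if not any(matches(host, e) for e in needed):
        return False, "no domain list entry matches"
    # Per the thread: the tunnel is only triggered when the lookup fails.
    if resolver(host):
        return False, "name resolves without the VPN"
    return True, "DNS lookup failed, tunnel triggered"

# Constructed sample data, not taken from a real profile.
SAMPLE_LISTS = {"if_needed": ["*.mycompany.com"], "never": []}
PUBLIC_NAMES = {"gateway.mycompany.com"}  # names with a public DNS record

def sample_resolver(host):
    """Offline stand-in for DNS as seen from the external WiFi network."""
    return host in PUBLIC_NAMES

if __name__ == "__main__":
    for h in ("gateway.mycompany.com", "intranet.mycompany.com", "example.org"):
        print(h, on_demand_decision(h, SAMPLE_LISTS, sample_resolver))
```

Called without the `resolver` argument, `on_demand_decision` uses the real DNS of whatever network the script runs on, which is how to check hostnames from outside the office.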
09-29-2014 11:55 AM
Hello Marius,
Yes, I put my domains under "Connect if Needed".
I have enabled logging and have attached my .txt file. I have noticed this error in the log file, not sure if it helps.
" Line: 168 User did not implement deliverWebLaunchHostCB."
BTW... I have only installed the server cert from my ASA, do I need a user cert also?