WebVPN and Anyconnect?

richardfinnie
Level 1

Is it possible to have WebVPN (i.e. clientless) and AnyConnect on the same interface? Every time I enable AnyConnect, even with a different port, it blows away my bookmarks and items that I have currently defined on the clientless page.



Jonathan Tomlin
Level 1

The short answer is yes.  The problem must be within your configuration.

Try creating two separate connection profiles and group policies for your clientless and AnyConnect methods.  You can then use aliases and a drop-down selection box to choose between the connection profiles on the login portal page.

Thanks for the reply.

So here's what I've done.

1 - I went into ASDM and went to Configuration -->Network (Client) Access-->AnyConnect Connection Profiles. I enabled AnyConnect on my outside interface with the checkbox (Enable Cisco AnyConnect VPN Client access on the interfaces selected in the table below).

2- I created a new connection profile called SSLCLIENT, assigned the address pool etc.

3 - I saved and wrote my configuration.

After saving, I attempt to go to my portal page. The initial screen looks fine, but as soon as I log in (regardless of what profile I select) it takes me to the page for downloading and installing the AnyConnect client.

The only way that I can find to revert back to my original bookmarks is to uncheck the box in step 1, but then I am unable to connect with the client (Error Message: AnyConnect is not enabled on the VPN Server).

Thoughts? How do I force the bookmark page after enabling AnyConnect VPN client Access?

IIRC, having AnyConnect essentials enabled causes an issue similar to this.  If you enable AnyConnect essentials, you basically lose clientless.  In other words, to have both working, you need to have SSL premium licenses and AnyConnect Essentials disabled.

Configuration -> Network (Client) Access -> Advanced -> AnyConnect Essentials

Untick "Enable AnyConnect Essentials"

Apply

What version of code are you running? I'm running 8.3.2 on the gateways and don't see AnyConnect essentials under advanced.

I'm running version 8.4, and note that these options may depend on your current licensing.

Although I think I may have gotten your error message mixed up with "Clientless (browser) SSL VPN access is not allowed.", you can still look for the option in the ASDM or simply from CLI with a "show run | include anyconnect-essentials"

To disable essentials:

conf t
webvpn
  no anyconnect-essentials

The opposite to re-enable it.

If you're still having an issue beyond this point, I would recommend sharing your WebVPN configuration so that it may be inspected more closely.

OK, so this may sound like a really silly question. We currently are using the default license shipped with the device, as we wanted to confirm functionality prior to going out and purchasing a tonne of SSL VPN licenses. Will this impact what I am trying to do? Do you need licenses installed prior to attempting an AnyConnect connection?

You should have 1 or 2 SSL VPN licenses for use.  Check your licensing on the home tab or from CLI with show version.  The SSL VPN can be used by either AnyConnect or Clientless.

Regardless, it still sounds like a configuration issue.

Just as an overview, you should have done something similar to the following.  This isn't a complete setup, but it should help get you there.

GROUP POLICY (Clientless)

1. Set up a new Group Policy

2. Manually set tunneling protocols to only include "Clientless SSL VPN"

3. Define DNS, WINS, Domain

4. Under Portal Settings, add your bookmarks list

CONNECTION PROFILE (Clientless)

Note: Make sure SSL VPN is Enabled on Outside interface

Tick "Allow user to select connection profile, identified by its alias, on the login page"

1. Set up new Connection Profile

2. Name it, set the auth method, set the DNS group, choose your newly created group policy

3. Go to advanced, clientless ssl vpn, set a connection alias name for the drop down selector

(NOTE: Do the same for your AnyConnect connection profile, but give a different alias for it)

Under AnyConnect Connection Profiles

1. Untick SSL Enabled and IPsec Enabled for your Clientless Profile (it will not be an AnyConnect Profile)

2. Tick "Allow user to select connection profile, identified by its alias, on the login page", if it is not already selected.

3. Edit your AnyConnect Profile and add an alias as you did for your Clientless profile.

Now you should be able to select between the two aliases on your login portal page, which will force the ASA to either AnyConnect or Clientless.  There is more than one way of doing this, as this is only one example.

If you don't set aliases and allow the user to choose an alias, the DefaultWebVPNGroup will be the connection profile.

We technically have 4 licenses due to rollup of our A/S pair. I have defined the GROUP POLICY previously similar to your instructions, as well as the CONNECTION PROFILE. However, it still seems that as soon as I enable the AnyConnect VPN Client access (as per the attached image), it defaults to the anyconnect SSL page regardless of profile selected.

Assuming your profiles and groups are configured correctly, the only other configuration that can force you to default to AnyConnect would be your Dynamic Access Policies configuration.

Check to see if you have more than one DAP configured, if not, check the default DAP policy.

- Go to the "Access Method" tab to confirm that the option is set to "Unchanged".

If you have more than one DAP configured, you'll need to comb through your DAP configurations to see which is being used, or check your logs.

The DAP will force you to use AnyConnect, or Clientless, or Default to AnyConnect or Default to Clientless.  DAPs are both a boon and a burden.

Dynamic Access Policies can be configured from either Network (Client) Access or Clientless SSL VPN Access sections of the ASDM.

If you're still having an issue, CLI to your firewall and post your WebVPN configuration for the community to review.  It's mostly all in the latter part of the configuration.

Additionally, if you are authenticating LOCAL, make sure the user configuration is all configured for inheritance.  Hopefully you haven't hard-set the user to a particular group policy.

FYI - Policy enforcement is in this order:

DAP -> User Attrs -> Group Policy -> Group Policy w/ Connection Profile -> Default Group Policy Attributes
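As an added example that is not part of the original thread or Cisco's own tooling: a small Python audit over a `show running-config` excerpt that checks the items the replies above tell the OP to look at (SSL VPN enabled on the interface, AnyConnect Essentials off, `tunnel-group-list enable` plus a `group-alias` on each connection profile, one group policy permitting `ssl-clientless` and one permitting `ssl-client`, and no LOCAL user hard-set with `vpn-group-policy`). The config sample is constructed, ASA 8.4 keywords are assumed (`anyconnect enable`; 8.3 and earlier use `svc enable`), and the DAP Access Method is set in ASDM's DAP records rather than in these running-config lines, so it is not checked here.

```python
"""Audit an ASA running-config excerpt for the clientless/AnyConnect pitfalls
raised in this thread (added example; constructed sample; ASA 8.4 syntax)."""
import re

# Constructed sample: two group policies and two connection profiles with
# aliases (the shape the replies describe), plus two deliberate mistakes the
# audit should catch: Essentials enabled, and a LOCAL user hard-set to a policy.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
 anyconnect-essentials
 tunnel-group-list enable
group-policy GP_CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
username alice attributes
 vpn-group-policy GP_ANYCONNECT
tunnel-group CLIENTLESS type remote-access
tunnel-group CLIENTLESS general-attributes
 default-group-policy GP_CLIENTLESS
tunnel-group CLIENTLESS webvpn-attributes
 group-alias Portal enable
tunnel-group SSLCLIENT type remote-access
tunnel-group SSLCLIENT general-attributes
 default-group-policy GP_ANYCONNECT
tunnel-group SSLCLIENT webvpn-attributes
 group-alias AnyConnect enable
"""


def parse_blocks(config):
    """Map each top-level command to its indented sub-lines (stripped)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit(config):
    """Return findings; an empty list means both access methods can coexist
    as far as the running-config can tell (DAP access method lives in ASDM)."""
    blocks, findings = parse_blocks(config), []
    webvpn = blocks.get("webvpn", [])
    if not any(s.startswith("enable ") for s in webvpn):
        findings.append("webvpn: SSL VPN is not enabled on any interface")
    if "anyconnect-essentials" in webvpn:
        findings.append("webvpn: anyconnect-essentials is on; it disables clientless")
    if "anyconnect enable" not in webvpn:  # 8.3 and earlier: 'svc enable'
        findings.append("webvpn: AnyConnect client access is not enabled")
    if "tunnel-group-list enable" not in webvpn:
        findings.append("webvpn: tunnel-group-list is off; no alias drop-down at login")
    protocols = {}  # group policy -> set of allowed tunnel protocols
    for cmd, subs in blocks.items():
        m = re.match(r"group-policy (\S+) attributes$", cmd)
        if m:
            for s in subs:
                if s.startswith("vpn-tunnel-protocol "):
                    protocols[m.group(1)] = set(s.split()[1:])
    for proto in ("ssl-clientless", "ssl-client"):
        if not any(proto in p for p in protocols.values()):
            findings.append(f"no group policy permits {proto}")
    for cmd, subs in blocks.items():
        m = re.match(r"username (\S+) attributes$", cmd)
        if m:
            for s in subs:
                if s.startswith("vpn-group-policy "):
                    findings.append(f"user {m.group(1)}: {s} is hard-set and "
                                    "overrides the connection profile's policy")
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", cmd)
        if m and not any(s.startswith("group-alias ") and s.endswith(" enable")
                         for s in subs):
            findings.append(f"tunnel-group {m.group(1)}: no enabled group-alias")
    return findings


def harden(config):
    """Return the config with AnyConnect Essentials off and LOCAL users left
    to inherit their group policy from the connection profile."""
    out, current = [], None
    for raw in config.splitlines():
        if raw and not raw.startswith(" "):
            current = raw.strip()
        line = raw.strip()
        if current == "webvpn" and line == "anyconnect-essentials":
            continue  # same effect as 'webvpn' / 'no anyconnect-essentials'
        if re.match(r"username \S+ attributes$", current or "") and line.startswith("vpn-group-policy "):
            continue  # same effect as 'no vpn-group-policy' under the user
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run `audit(SAMPLE_CONFIG)` to see the two deliberate problems reported, then `audit(harden(SAMPLE_CONFIG))` to confirm the remaining config is clean; on a real box, paste the output of `show running-config` in place of the sample.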

Thanks! The issue did exist in the Dynamic policies. I set them all to Unchanged, and that resolved the issue (well, that part of the issue anyway). I appreciate all the help!!