cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

WebVPN and Anyconnect?

richardfinnie
Beginner
Beginner

Is it possible to have WebVPN (i.e. clientless) and AnyConnect on the same interface? Every time I enable AnyConnect, even with a different port, it blows away my bookmarks and items that I have currently defined on the clientless page.

1 ACCEPTED SOLUTION

Accepted Solutions

Assuming your profiles and groups are configured correctly, the only other configuration that can force you to default to AnyConnect would be your Dynamic Access Policies configuration.

Check to see if you have more than one DAP configured, if not, check the default DAP policy.

- Go to the "Access Method" tab to confirm that the option it set to "Unchanged".

If you have more than one DAP configured, you'll need to comb through your DAP configurations to see which is being used, or check your logs.

The DAP will force you to use AnyConnect, or Clientless, or Default to AnyConnect or Default to Clientless.  DAPs are both a boon and a burden.

Dynamic Access Policies can be configured from either Network (Client) Access or Clientless SSL VPN Access sections of the ASDM.

If you're still having an issue, CLI to your firewall post your WebVPN configuration for the community to review.  It's all mostly in the latter of the configuration.

Additionally, if you authenticating LOCAL, make sure the user configuration is configured all for inheritance.  Hopefully you havn't hardset the user to a particular group policy.

FYI - Policy enforcement is in this order:

DAP -> User Attrs -> Group Policy -> Group Policy w/ Connection Profile -> Default Group Policy Attributes

View solution in original post

10 REPLIES 10

Jonathan Tomlin
Beginner
Beginner

The short answer is yes.  The problem must be within your configuration.

Try creating two seperate connection profiles and group policies for your clientless and anyconnect methods.  You can then use aliases and a drop down selection box to choose between the connection profiles on the login portal page.

Thanks for the reply.

So here's what I've done.

1 - I went into ASDM and went to Configuration -->Network (Client) Access-->AnyConnect Connection Profiles. I enabled AnyConnect on my outside interface with the checkbox (Enable Cisco AnyConnect VPN Client access on the interfaces selected in the table below).

2- I created a new connection profile called SSLCLIENT, assigned the address pool etc.

3 - I saved and wrote my configuration.

After saving, I attempt to go to my portal page. the intial screen looks fine, but as soon as I login (regardless of what Profile I select) it takes me to the page for downloading and installing the AnyConnect client.

The only way that I can find to revert back to my original bookmarks is to uncheck the box in step 1, but then I am unable to connect with the client (Error Message: AnyConnect is not enabled on the VPN Server).

Thoughts? How do I force the bookmark page after enabling AnyConnect VPN client Access?

IIRC, having AnyConnect essentials enabled causes an issue similar to this.  If you enable AnyConnect essentials, you basically lose clientless.  In other words, to have both working, you need to have SSL premium licenses and AnyConnect Essentials disabled.

Configuration -> Network (Client) Access -> Advanced -> AnyConnect Essentials

Untick the "Enable AnyConnect Essentails"

Apply

What version of code are you running? I'm running 8.3.2 on the gateways and don't see AnyConnect essentials under advanced.