Security Internetworking Experts


Topic: Anyconnect on ASA
moonatic (Guru, Member # 26104) posted December 11, 2009 02:24 PM
I am trying to configure Anyconnect on an ASA running 8.0.3 with failover enabled.

I did the following commands:

group-policy SSL-VPN internal
group-policy SSL-VPN attributes
dns-server value 10.5.10.47 10.5.10.43
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-vpn-client
default-domain value lab.com
webvpn
svc keep-installer installed
svc ask enable default svc

tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool VPN
default-group-policy SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
group-alias SSL-VPN enable

webvpn
port 444
svc image anyconnect-win-2.4.0202-k9.pkg
svc enable
tunnel-group-list enable

When I try to add the command "enable outside" it causes the unit to failover to the secondary unit. I tried to configure it using ASDM and the same issue happened.

Both units have the anyconnect image installed and there is no other web vpn configuration. Is there a known bug or a licence limitation?


Any help will be appreciated.

Thanks.

Posts: 174 | From: Costa Rica | Registered: Jul 2008

Bucky (Member, Member # 26228) posted December 11, 2009 03:54 PM
Hmm.. this sounds like a bug. Is there a crash file (show crash) generated each time this happens?
Posts: 27 | From: US | Registered: Jul 2008

CCIE_Sec_Hunt (Elite, Member # 28511) posted December 11, 2009 05:48 PM
Well, I use code 8.2 and very stable so far.
I never had issues with Anyconnect on 8.2 code.

Posts: 372 | From: UK | Registered: Jun 2009

moonatic (Guru, Member # 26104) posted December 12, 2009 07:09 AM
I didn't check for a crash file. As soon as failover happened I did a show fail and both units were up. I am going to test with version 8.2.

Thanks

Posts: 174 | From: Costa Rica | Registered: Jul 2008

moonatic (Guru, Member # 26104) posted December 13, 2009 12:28 PM
I upgraded the ASAs and now I am not having the failover issue. Now I have a different issue. When I try to connect from a PC I get the following log:

%ASA-5-722010: Group <SSL-VPN> User <test> IP <10.1.1.100> SVC Message: 16/ERROR: Profile settings do not allow VPN initiation from a remote desktop..

From my PC I connect to the other PC using RDP. Is there a limitation with an RDP session and Anyconnect?

Posts: 174 | From: Costa Rica | Registered: Jul 2008

Bucky (Member, Member # 26228) posted December 13, 2009 12:38 PM
Yep, just like the error msg says, you cannot use anyconnect from an RDP session. You should get a similar error message from the client attempting to connect as well.
Posts: 27 | From: US | Registered: Jul 2008

moonatic (Guru, Member # 26104) posted December 14, 2009 06:04 AM
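As an added illustration (not part of this thread or of any Cisco tooling), a small Python parser for the %ASA-5-722010 SVC message lines quoted above: it extracts group, user, IP and the client-reported message, and counts per user how often the client refused to start the tunnel from a remote desktop session, which is the kind of thing worth surfacing when users report "the VPN won't connect". The first sample line is the thread's own; the others are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample syslog text. Line 1 is the line posted in the thread;
# the remaining lines are made up here to exercise the parser.
SAMPLE_LOGS = """\
%ASA-5-722010: Group <SSL-VPN> User <test> IP <10.1.1.100> SVC Message: 16/ERROR: Profile settings do not allow VPN initiation from a remote desktop..
%ASA-5-722010: Group <SSL-VPN> User <alice> IP <10.1.1.101> SVC Message: 16/ERROR: Profile settings do not allow VPN initiation from a remote desktop..
%ASA-5-722010: Group <SSL-VPN> User <bob> IP <10.1.1.102> SVC Message: 16/INFO: VPN connection established.
%ASA-6-722022: Group <SSL-VPN> User <bob> IP <10.1.1.102> TCP SVC connection established without compression
"""

# 722010 is the "SVC Message" relay: the ASA logs a message the AnyConnect
# client sent about its own state. Format: <code>/<LEVEL>: <free text>.
SVC_MSG_RE = re.compile(
    r"%ASA-\d-722010: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> SVC Message: (?P<code>\d+)/(?P<level>[A-Z]+): (?P<text>.*)$"
)


def parse_svc_messages(log_text):
    """Return one dict per 722010 line; lines with other message IDs are skipped."""
    parsed = []
    for line in log_text.splitlines():
        match = SVC_MSG_RE.match(line.strip())
        if match:
            parsed.append(match.groupdict())
    return parsed


def rdp_rejections(log_text):
    """Per-user count of client refusals to initiate the VPN from a remote desktop session.

    Only ERROR-level SVC messages mentioning a remote desktop are counted, so the
    INFO line for bob above is ignored.
    """
    counts = Counter()
    for msg in parse_svc_messages(log_text):
        if msg["level"] == "ERROR" and "remote desktop" in msg["text"].lower():
            counts[msg["user"]] += 1
    return counts


if __name__ == "__main__":
    for user, n in rdp_rejections(SAMPLE_LOGS).items():
        print(f"{user}: {n} RDP-initiation rejection(s)")
```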
Thanks for the reply. I thought there was a configuration option that could allow the remote desktop connection.

Thanks again.

Posts: 174 | From: Costa Rica | Registered: Jul 2008