IEOC CCIE Forums

Latest post 12-21-2009 7:05 AM by paul1gilbert. 4 replies.
  • 12-11-2009 2:23 PM

    AnyConnect on ASA

    I am trying to configure AnyConnect on an ASA running 8.0.3 with failover enabled.

    I did the following commands:


    group-policy SSL-VPN internal
    group-policy SSL-VPN attributes
     dns-server value 10.5.10.47 10.5.10.43
     vpn-tunnel-protocol svc
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-vpn-client
     default-domain value lab.com
     webvpn
      svc keep-installer installed
      svc ask enable default svc

    tunnel-group SSL-VPN type remote-access
    tunnel-group SSL-VPN general-attributes
     address-pool VPN
     default-group-policy SSL-VPN
    tunnel-group SSL-VPN webvpn-attributes
     group-alias SSL-VPN enable

    webvpn
     port 444
     svc image anyconnect-win-2.4.0202-k9.pkg
     svc enable
     tunnel-group-list enable

    When I try to add the command "enable outside", it causes the unit to fail over to the secondary unit. I tried to configure it using ASDM and the same issue happened.

    Both units have the AnyConnect image installed and there is no other web VPN configuration. Is there a known bug or a licence limitation?

     

    Any help will be appreciated.

     

    Thanks.

     

  • 12-14-2009 12:28 AM In reply to

    Re: AnyConnect on ASA

    This is weird. Have you tried on a newer version of the software? Give it a go on 8.2(1) and see what happens. If it's still behaving strangely then further investigation is necessary.

     

    Also have you been running any debugs to see what is causing the device to go into failover? Most likely it is due to an interface getting a sore one. You could also do "no failover" while adding the command and see if that triggers anything. And then just re-enable failover when it's done, and do write to the secondary mate. 

    Kent Heide

    CCIE #26048 Security

    My employee: http://www.datametrix.no (Cisco Global Services Partner 2009)

    My website: http://www.priv15.com

  • 12-14-2009 6:03 AM In reply to

    Re: AnyConnect on ASA

    I tested with 8.2.1 and this time it took the commands. I was able to finish the configuration but now I have a different issue. I am connecting from my PC to another PC using RDP; when I try to open the AnyConnect client it fails and the logs of the ASA show the following:

     

    %ASA-5-722010: Group <SSL-VPN> User <test> IP <10.1.1.100> SVC Message: 16/ERROR: Profile settings do not allow VPN initiation from a remote desktop..

     

    I guess this is not allowed but at least the configuration seems to be fine.

    Thanks for the help.

  • 12-14-2009 6:19 AM In reply to

    Re: AnyConnect on ASA

    This is true. It is not allowed. Just like you can disable the possibility to run through a virtual machine etc. (With Secure Desktop) :-)

    Kent Heide

    CCIE #26048 Security

    My employee: http://www.datametrix.no (Cisco Global Services Partner 2009)

    My website: http://www.priv15.com

  • 12-21-2009 7:05 AM In reply to

    Re: AnyConnect on ASA

    I read on a different forum that this can actually work by loading a file on the ASA:

    Here is the link:

    https://supportforums.cisco.com/message/2007489#2007489
