issues in anyconnect and SSL



#1 passsecret1234

passsecret1234

    Member

  • Members
  • PipPip
  • 28 posts
  • 5 thanks

Posted 07 February 2019 - 09:30 PM

Dear Guys,

I have issues with AnyConnect and SSL VPN.

I have configured ASA1v and ASA2v as per the question.

I am able to connect to ASA1 through the AnyConnect client,

but I am unable to access server1.cisco.com and server2.cisco.com from client PC1.

Similarly, I am able to see the server1 and server2 links when I log in to http://20.1.2.1 through client PC2, but those links are highlighted.

I tried to check the logs in FMC and WSA for events, but there is no traffic.

Below is the ASA1 config after the AnyConnect configuration.


hostname ASA11V
domain-name cisco.com

ip local pool ccieprofile 172.16.1.0-172.16.1.10 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
authentication key eigrp 12 ***** key-id 1
authentication mode eigrp 12 md5
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface

interface Management0/0
nameif mgmt
security-level 100
ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
!

dns domain-lookup mgmt
dns server-group DefaultDNS
name-server 150.1.7.200
domain-name cisco.com
access-list servers standard permit host 192.168.101.3
access-list servers standard permit host 192.168.102.3


failover
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2


router eigrp 12
network 10.1.11.0 255.255.255.0


http server enable
http 150.1.7.0 255.255.255.0 mgmt

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5

crypto dynamic-map ccieprofile 10 set ikev2 ipsec-proposal AES256
crypto dynamic-map ccieprofile 10 set reverse-route
crypto map ccieprofile 65535 ipsec-isakmp dynamic ccieprofile
crypto map ccieprofile interface outside

crypto ca trustpoint ccietrust
enrollment self
fqdn asa1.cisco.com
subject-name CN=asa1.cisco.com
keypair cciekey
crl configure


crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ccietrust


ssl trust-point ccietrust outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 1
anyconnect profiles ccieprofile disk0:/ccieprofile.xml
anyconnect enable
tunnel-group-list enable
cache
  disable
error-recovery disable

group-policy ccieprofile internal
group-policy ccieprofile attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value servers
default-domain value cisco.com
webvpn
  anyconnect keep-installer installed
  anyconnect profiles value ccieprofile type user

tunnel-group ccieprofile type remote-access
tunnel-group ccieprofile general-attributes
address-pool ccieprofile
default-group-policy ccieprofile
tunnel-group ccieprofile webvpn-attributes
group-alias ccieprofile enable

Please let me know if I am missing anything.

Edited by mavis, 08 February 2019 - 04:48 AM.
Duplicate topic merged. Do not open multiple topics. Open topic is correct section.


#3 kukoshakaku

kukoshakaku

    Junior Member

  • Members
  • PipPip
  • 9 posts
  • 25 thanks

Posted 08 February 2019 - 01:14 AM

I guess you are missing the following:

aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
key cisco

Under tunnel-group

authentication-server-group ISE
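What the suggested `aaa-server ISE protocol radius` / `key cisco` lines set in motion, as an added example (not code from the thread, from Cisco or from ISE): a minimal RADIUS PAP exchange between the ASA acting as NAS and the RADIUS server, with the User-Password hiding and the Response Authenticator check from RFC 2865 on both sides. The shared secret `cisco` comes from the post above and 150.1.7.53 is the ASA's mgmt address from the config; the user database, the test password, the packet identifier and the choice of NAS-IP-Address are constructed assumptions.

```python
"""RADIUS PAP exchange between a NAS (the ASA) and a RADIUS server (ISE), both sides in one file."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"cisco"              # the `key cisco` from the aaa-server lines above
NAS_IP = bytes([150, 1, 7, 53])       # ASA mgmt address, assumed to be what the ASA reports
USER_DB = {"user1": "Cisco123"}       # constructed ISE identity, not from the thread


def attr(attr_type, value):
    """One TLV attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first block being keyed by the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(p[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same chain; the XOR mask for block n depends on ciphertext block n-1."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(username, password, secret, identifier=1, request_auth=None):
    """NAS side: Code 1, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(packet, secret):
    """Server side: unhide the password, check it, sign the reply with the Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, ra)
    code_out = ACCESS_ACCEPT if USER_DB.get(user) == password else ACCESS_REJECT
    hdr = struct.pack("!BBH", code_out, ident, 20)   # no attributes in this reply
    return hdr + hashlib.md5(hdr + ra + secret).digest()


def client_verify(request, response, secret):
    """NAS side: a reply whose Response Authenticator does not verify is discarded, so a wrong
    shared secret on either end looks like a dead server, not like a bad password."""
    ra = request[4:20]
    hdr, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if hashlib.md5(hdr + ra + attrs + secret).digest() != resp_auth:
        raise ValueError("bad Response Authenticator: shared-secret mismatch or forged reply")
    return response[0]


def authenticate(username, password, secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Run one request/response round trip and return the reply code the NAS accepted."""
    req = build_access_request(username, password, secret)
    resp = server_respond(req, server_secret)
    return client_verify(req, resp, secret)


if __name__ == "__main__":
    print("good password ->", authenticate("user1", "Cisco123"))   # 2 = Access-Accept
    print("bad password  ->", authenticate("user1", "nope"))       # 3 = Access-Reject
```

The only thing protecting the user's password between the ASA and ISE is this MD5 chain keyed by the shared secret, so a secret like `cisco` is acceptable in a lab and nowhere else; and because the ASA sources the request from the interface the `aaa-server ISE (mgmt)` line names, ISE must have 150.1.7.53 defined as a network device with the same secret, or every reply fails the check in `client_verify`.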

#4 MrR0b0t

MrR0b0t

    Cisco Technologies Expert.

  • Technical Expert
  • PipPipPip
  • 130 posts
  • 8927 thanks

Posted 08 February 2019 - 07:00 AM

Define "links are highlighted"?

#5 joshhh

joshhh

    Advanced Member

  • Members
  • PipPipPip
  • 59 posts
  • 32 thanks

Posted 08 February 2019 - 07:29 PM

Hello,
Clientless VPN: can you please confirm that ASA2_V is able to resolve both URLs?
AnyConnect client: do you see the routes on your PC (to both servers) when you run "route print" after the tunnel has been established?

Thank you!
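A way to make the `route print` check above mechanical, as an added example that is not part of the thread: parse the Windows IPv4 route table and confirm that the two split-tunnel hosts from the `servers` ACL in post #1 are reached through the AnyConnect adapter (an interface address inside the 172.16.1.0/24 pool), and that the default route did not move into the tunnel, which would mean the split-tunnel policy was not applied. The sample table is constructed; the client address 172.16.1.1, PC1's NIC address 20.1.3.10 and its gateway 20.1.3.1 are assumptions, while 20.1.1.1 is the ASA outside address from the config.

```python
"""Verify from a Windows `route print` dump that AnyConnect installed the split-tunnel routes."""
import ipaddress
import re

# Constructed sample of the IPv4 "Active Routes" table from `route print` on PC1 after the
# tunnel came up. 172.16.1.1 (client address), 20.1.3.10 (NIC) and 20.1.3.1 (gateway) are
# assumptions; the /32 towards 20.1.1.1 is the host route AnyConnect adds for the headend.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         20.1.3.1       20.1.3.10     25
         20.1.1.1  255.255.255.255         20.1.3.1       20.1.3.10     26
         20.1.3.0    255.255.255.0          On-link       20.1.3.10    281
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
       172.16.1.1  255.255.255.255          On-link      172.16.1.1    257
    192.168.101.3  255.255.255.255       172.16.1.1      172.16.1.1      2
    192.168.102.3  255.255.255.255       172.16.1.1      172.16.1.1      2
===========================================================================
"""

# Split-tunnel hosts from the `servers` ACL and the pool from `ip local pool` in the posted config.
SPLIT_HOSTS = ["192.168.101.3", "192.168.102.3"]
VPN_POOL = "172.16.1.0/24"

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return (network, gateway, interface_address, metric) for each IPv4 route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def best_route(routes, host):
    """Longest-prefix match; among equal prefixes the lowest metric wins, as Windows does."""
    host = ipaddress.ip_address(host)
    candidates = [r for r in routes if host in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def check_split_tunnel(route_print_text, split_hosts=SPLIT_HOSTS, vpn_pool=VPN_POOL):
    """Per split-tunnel host: is its best route via the AnyConnect adapter (interface inside the
    pool)? Plus whether a default route points into the tunnel, i.e. split tunnelling is off."""
    pool = ipaddress.ip_network(vpn_pool)
    routes = parse_route_print(route_print_text)
    report = {}
    for host in split_hosts:
        r = best_route(routes, host)
        report[host] = r is not None and r[2] in pool
    report["default_via_tunnel"] = any(r[2] in pool for r in routes if r[0].prefixlen == 0)
    return report


if __name__ == "__main__":
    for key, ok in check_split_tunnel(ROUTE_PRINT_SAMPLE).items():
        print(f"{key:>20}: {ok}")
```

If a host comes back False here, the split-tunnel ACL or the group-policy did not reach the client and the packets never enter the tunnel; if both come back True and the servers still do not answer, the problem is on the return path inside the lab rather than on the PC.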

#6 cc1ecisco

cc1ecisco

    Advanced Member

  • Members
  • PipPipPip
  • 89 posts
  • 988 thanks

Posted 12 February 2019 - 10:19 AM

passsecret1234, on 07 February 2019 - 09:30 PM, said: [post #1 quoted in full]

DNS Issue

#7 cciersman

cciersman

    Advanced Member

  • Members
  • PipPipPip
  • 59 posts
  • 465 thanks

Posted 21 February 2019 - 05:29 PM

Check the routing info at R1 for the 172.16.1.0 network.

#8 popuc

popuc

    Member

  • Members
  • PipPip
  • 38 posts
  • 156 thanks

Posted 23 February 2019 - 10:21 AM

I also got the same problem and solved it by rebooting the WSA and adding a route on R1:

### R1
ip route 172.16.1.0 255.255.255.0 10.1.11.1
!
router eigrp 12
redistribute static metric 10000 1000 255 1 1500
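A check for the return-path problem that cciersman and popuc point at, as an added example that is not from the thread: the split-tunnel ACL only steers traffic into the tunnel; the replies from the servers need a route for the whole pool back to the ASA's inside address, which nothing in the posted ASA config advertises. The script reads the pool and the inside address from the configuration in post #1 and parses a constructed `show ip route` from R1 before and after the static route above; the next hop 10.1.12.2, the interface names and the route table itself are assumptions.

```python
"""Audit the return path for the AnyConnect pool: does R1 route the pool back to the ASA's
inside address? Pool and inside address are read from the ASA config posted in the thread."""
import ipaddress
import re

# Excerpt of the ASA1 configuration from the first post (only the lines this check needs).
ASA_CONFIG_EXCERPT = """\
ip local pool ccieprofile 172.16.1.0-172.16.1.10 mask 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
"""

# Constructed `show ip route` output for R1 before the fix: it knows the ASA inside subnet and
# the server networks but nothing about 172.16.1.0/24. 10.1.12.2 and the interfaces are assumed.
R1_ROUTES_BEFORE = """\
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.11.0/24 is directly connected, GigabitEthernet0/0
L        10.1.11.2/32 is directly connected, GigabitEthernet0/0
D     192.168.101.0/24 [90/30720] via 10.1.12.2, 00:10:11, GigabitEthernet0/1
D     192.168.102.0/24 [90/30720] via 10.1.12.2, 00:10:11, GigabitEthernet0/1
"""

# The same table after `ip route 172.16.1.0 255.255.255.0 10.1.11.1` on R1.
R1_ROUTES_AFTER = R1_ROUTES_BEFORE + "S     172.16.1.0/24 [1/0] via 10.1.11.1\n"

IOS_ROUTE = re.compile(
    r"^(?P<code>[A-Z]{1,2}(?: EX)?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)|is directly connected, (?P<intf>\S+))"
)


def asa_vpn_pool(cfg):
    """Network containing the `ip local pool` range, i.e. the prefix R1 must be able to route."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg, re.M)
    start, end, mask = m.groups()
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError("pool range is wider than its mask")
    return net


def asa_inside_address(cfg):
    """Active IP of the interface whose nameif is 'inside'."""
    in_inside = False
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            in_inside = False
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and line.startswith("ip address "):
            return ipaddress.ip_address(line.split()[2])
    return None


def parse_ios_routes(text):
    """(network, code, next_hop) per `show ip route` line; next_hop is None for connected routes."""
    routes = []
    for line in text.splitlines():
        m = IOS_ROUTE.match(line)
        if m:
            via = ipaddress.ip_address(m["via"]) if m["via"] else None
            routes.append((ipaddress.ip_network(m["prefix"]), m["code"], via))
    return routes


def audit_return_path(asa_cfg, r1_show_ip_route):
    """Find the most specific R1 route covering the whole pool and check it points at the ASA."""
    pool = asa_vpn_pool(asa_cfg)
    asa_inside = asa_inside_address(asa_cfg)
    covering = [r for r in parse_ios_routes(r1_show_ip_route) if r[0].supernet_of(pool)]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    return {
        "pool": str(pool),
        "asa_inside": str(asa_inside),
        "covered": best is not None,
        "via_asa": best is not None and best[2] == asa_inside,
        "route": f"{best[1]} {best[0]} via {best[2]}" if best else None,
    }


if __name__ == "__main__":
    print("before:", audit_return_path(ASA_CONFIG_EXCERPT, R1_ROUTES_BEFORE))
    print("after: ", audit_return_path(ASA_CONFIG_EXCERPT, R1_ROUTES_AFTER))
```

The check only looks at R1's own table; the `redistribute static` line is what carries the pool into EIGRP 12 so that the routers in front of 192.168.101.3 and 192.168.102.3 also have a path back, and the same audit can be run on their `show ip route` output, where the route should show up as `D EX`.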



