AnyConnect Config on ASA 5520

akalbfell
akalbfell used Ask the Experts™
on
Trying to get the anyconnect to work but if i put in the correct username and pass on the client it says AnyConnect is not enabled on the VPN server. But if i put in a wrong password it says login failed. Looks like everything is enabled to me but maybe someone will see something im missing.
Thanks...
ASA Version 8.0(3) 
!
hostname xxxxxxxxx
domain-name xxxxxxx.local
no names
name 10.170.1.208 -BES
name 10.170.1.207 -FS1-2
name 10.170.1.206 -FS1
name 10.170.1.205 -BAK
name 10.170.1.204 MAILVS
name 10.170.1.203 -MS2-2
name 10.170.1.202 -MS2
name 10.170.1.201 -MS1
name 10.170.1.200 -DC1
name 10.170.1.209 WUG
name 10.170.1.222 -EDAT
name 10.170.1.221 -EAP2
name 10.170.1.220 -EAP1
 
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.38.2 255.255.255.0 standby x.x.38.3 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.170.1.250 255.255.252.0 standby 10.170.1.251 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.170.1.200
 name-server 10.170.1.205
 domain-name xxxxxx.local
object-group service RDP tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group service DM_INLINE_UDP_1 udp
 port-object eq radius
 port-object eq radius-acct
object-group service Citrix tcp
 port-object eq 2598
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2598
 port-object eq citrix-ica
 port-object eq www
object-group service Netflow udp
 description Netflow
 port-object eq 9999
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object icmp echo
object-group network DM_INLINE_NETWORK_1
 network-object host 10.170.1.209
 network-object host x.x.38.209
object-group network DM_INLINE_NETWORK_2
 network-object host 10.170.1.220
 network-object host 10.170.1.221
 network-object host 10.170.1.222
 network-object host 10.170.0.148
object-group network DM_INLINE_NETWORK_3
 network-object host 10.170.1.200
 network-object host 10.170.1.205
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq domain 
 service-object udp eq domain 
access-list outbound extended deny ip 172.0.0.0 255.0.0.0 any 
access-list outbound extended deny ip 169.254.0.0 255.255.0.0 any 
access-list acl_outside extended permit udp any eq domain any 
access-list acl_outside extended permit udp any any eq domain 
access-list acl_outside extended permit tcp any host x.x.38.201 eq smtp 
access-list acl_outside remark Permit Access to Citrix Server from outside
access-list acl_outside extended permit tcp any host x.x.38.216 object-group DM_INLINE_TCP_1 
access-list acl_outside extended permit udp any host x.x.38.208 object-group DM_INLINE_UDP_1 
access-list acl_outside extended permit tcp any host x.x.38.202 eq smtp 
access-list acl_outside extended permit tcp any host x.x.38.203 eq smtp 
access-list acl_outside extended permit tcp any host x.x.38.204 eq www 
access-list acl_outside extended permit tcp any host x.x.38.204 eq smtp 
access-list acl_outside extended permit tcp any host x.x.38.204 eq https 
access-list acl_outside extended permit tcp any host x.x.38.210 eq https 
access-list acl_outside extended permit tcp any host x.x.38.210 eq smtp 
access-list acl_outside extended permit tcp any host x.x.38.210 eq www 
access-list acl_outside remark RADIUS authentication for routers to BES server/RADIUS server
access-list acl_outside extended permit udp x.x.38.0 255.255.255.0 host x.x.38.208 range 1812 1813 
access-list acl_outside extended permit tcp any host x.x.38.228 eq https 
access-list acl_outside extended permit udp any host x.x.38.197 eq 2055 
access-list acl_outside extended permit tcp any host x.x.38.220 eq 1400 
access-list acl_outside extended permit tcp any host x.x.38.230 eq www 
access-list acl_outside extended permit udp any host x.x.38.209 eq syslog 
access-list acl_outside remark Allow Whats Up Gold to ping Verizon and XO router to verify they are still up
access-list acl_outside extended permit object-group DM_INLINE_SERVICE_1 x.x.38.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list acl_outside extended permit ip 10.10.170.0 255.255.255.0 10.170.0.0 255.255.252.0 
access-list test extended permit udp any eq domain any 
access-list test extended permit udp any any eq domain 
access-list vpn01_splitTunnelAcl extended permit ip 10.170.0.0 255.255.252.0 10.10.170.0 255.255.255.0 
access-list vpn01_splitTunnelAcl extended permit ip 192.168.170.0 255.255.255.0 10.10.170.0 255.255.255.0 inactive 
access-list NONAT extended permit ip any 10.10.170.0 255.255.255.0 
access-list Block_VPN_ACCESS extended permit ip 10.10.170.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list Block_VPN_ACCESS extended permit object-group DM_INLINE_SERVICE_2 10.10.170.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm alerts
logging facility 16
logging host inside 10.170.1.209
logging message 106001 level warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 10.10.170.110-10.10.170.200 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.55.1 255.255.255.252 standby 192.168.55.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 x.x.38.10-x.x.38.100 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.38.200 10.170.1.200 netmask 255.255.255.255 
static (inside,outside) x.x.38.216 10.170.1.216 netmask 255.255.255.255 
static (inside,outside) x.x.38.201 10.170.1.201 netmask 255.255.255.255 
static (inside,outside) x.x.38.202 10.170.1.202 netmask 255.255.255.255 
static (inside,outside) x.x.38.203 10.170.1.203 netmask 255.255.255.255 
static (inside,outside) x.x.38.204 10.170.1.204 netmask 255.255.255.255 
static (inside,outside) x.x.38.205 10.170.1.205 netmask 255.255.255.255 
static (inside,outside) x.x.38.206 10.170.1.206 netmask 255.255.255.255 
static (inside,outside) x.x.38.208 10.170.1.208 netmask 255.255.255.255 
static (inside,outside) x.x.38.207 10.170.1.207 netmask 255.255.255.255 
static (inside,outside) x.x.38.209 10.170.1.209 netmask 255.255.255.255 
static (inside,outside) x.x.38.220 10.170.1.220 netmask 255.255.255.255 
static (inside,outside) x.x.38.199 10.170.1.127 netmask 255.255.255.255 
static (inside,outside) x.x.38.221 10.170.1.221 netmask 255.255.255.255 
static (inside,outside) x.x.38.222 10.170.1.222 netmask 255.255.255.255 
static (inside,outside) x.x.38.223 10.170.1.225 netmask 255.255.255.255 
static (inside,outside) x.x.38.195 10.170.0.31 netmask 255.255.255.255 
static (inside,outside) x.x.38.194 10.170.0.35 netmask 255.255.255.255 
static (inside,outside) x.x.38.224 10.170.1.226 netmask 255.255.255.255 
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.38.1 1
route inside 10.170.5.0 255.255.255.0 10.170.1.254 1
route inside 10.171.0.0 255.255.252.0 192.168.170.20 1
route inside 192.168.170.0 255.255.255.0 192.168.170.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Rad_Serv protocol radius
aaa-server Rad_Serv host 10.170.1.208
 timeout 5
 key xxxxxxx
eou allow none
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 10.170.0.0 255.255.252.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_map 30 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
client-update type Windows url http://10.170.1.225/new/vpnclient_setup.exe rev-nums 5.0.03.0560
telnet timeout 30
ssh 10.170.0.0 255.255.252.0 inside
ssh 10.171.0.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
ntp server 10.170.1.253 source inside prefer
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc enable
  auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec 
 webvpn
  url-list value xxxxx
group-policy vpn01 internal
group-policy vpn01 attributes
 wins-server value 10.170.1.205 10.170.1.207
 dns-server value 10.170.1.200 10.170.1.205
 vpn-idle-timeout 240
 vpn-session-timeout 480
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn01_splitTunnelAcl
 default-domain value xxxxxny.local
 backup-servers y.y.165.115
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group Rad_Serv
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Rad_Serv
tunnel-group vpn01 type remote-access
tunnel-group vpn01 general-attributes
 address-pool VPN_POOL
 authentication-server-group Rad_Serv LOCAL
 default-group-policy vpn01
tunnel-group vpn01 ipsec-attributes
 pre-shared-key *
tunnel-group xxxxx type remote-access
tunnel-group xxxxx general-attributes
 address-pool VPN_POOL
 authentication-server-group Rad_Serv
 default-group-policy vpn01
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e9351539f1c022137940e435bae6b05b
: end

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Sr. Systems Engineer
Top Expert 2008
Commented:
Trying to compare your config with one of my working configs.

Try removing the auto-signon entry
> svc enable
  auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all

>group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec   <-- I do not have anthing like this under the default policy

Author

Commented:
turned out to be an issue with the group and enabling svc that i noticed after looking at your response. Also thanks for pointing out the auto-signon on command..i had skipped over that when cleaning up some work for a citrix/SSL project. Thanks for the help

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial