AnyConnect Error – ‘Failed To Get Configuration From Secure Gateway’

KB ID 0001354

Problem

Saw this while attempting to connect to my ASA this week.

Failed to get configuration from secure gateway

AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator

Solution

Well luckily I’d just made a change so I could focus on the right area straight away. I’d been messing around with the profile xml file associated with my AnyConnect GroupPolicy. If you take a look at my profile below you will see it’s not associated.

Note: If you select change group policy mine wouldn’t apply, it failed with an error trying to delete a profile I’d used in the past.

AnyConnect Group Policy Missing

So to fix the problem I’m going to need to log on at command line, let’s make sure my new profile is listed;

Petes-ASA# show run webvpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
 tunnel-group-list enable

Note: You can ‘show flash‘ and make sure the file is in flash memory as well.

I will list all my group-policies, and you can see the last one has a profile that’s associated with it that no longer exists (it’s not in flash memory either).

Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
 anyconnect ssl df-bit-ignore enable

It’s easy to remove it.

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles

Then simply add the correct one back in, and save the changes.

Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profie type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787

23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]

Now if you ‘refresh’ your ASDM, you will see it displays correctly again;

AnyConnect Group Policy Profile Fixed

 

Problem Solved.

Related Articles, References, Credits, or External Links

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

Cisco AnyConnect Error: ‘The VPN client driver has encountered an error’

Cisco AnyConnect Error: ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

AnyConnect Error:  ‘The secure gateway has rejected the connection attempt, No assigned address’

Cisco AnyConnect Error: (Mobile Devices)

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *