Cisco ASA5500 Change the AnyConnect Port
Nov17

KB ID 0000422. Problem: AnyConnect runs over TCP port 443 (that’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host, then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443. Why you would NOT want to do this: Bear in mind that HTTPS is a well-known port, and it’s open in most places for secure...

AnyConnect – “Error Contacting Host”
Nov17

KB ID 0000555. Problem: I was creating some “Bookmarks” on a client’s AnyConnect web portal last week. They were simply CIFS links to shared folders on his servers so he could access them remotely from his Android tablet PCs. However, every time I clicked a link I got this error; Solution: A bit of searching later and I found that in the release notes for version 8.0(4) this was a known problem that had been...

Cisco AnyConnect Error – ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’
Nov17

KB ID 0000558. Problem: Seen when trying to use the AnyConnect client to connect to your Cisco device. Error: Cisco AnyConnect The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address. Solution: Note: Common sense dictates, make sure you actually have internet connectivity first! Essentially this is caused because the AnyConnect client wants to connect to the...

Cisco AnyConnect – Essentials / Premium Licenses. Explained
Nov17

KB ID 0000628. Problem: Note: With AnyConnect 4, Cisco now uses Plus and Apex AnyConnect licensing. When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect licenses. There are two licensing models, Premium and Essentials. Solution: Cisco ASA AnyConnect Premium Licenses. You get two of these free with your firewall*; with a ‘Premium License’ you can use the AnyConnect client...

Cisco ASA – Configuring for NTP
Nov17

KB ID 0000608. Problem: With NTP, there will be two things you want to do: 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP server (for accurate date stamps on the logs, and for time-critical things like Kerberos authentication). Solution: Allow internal host(s) to get system time through the firewall. 1. Connect to the ASA, go to “enable...

Cisco AnyConnect – Untrusted VPN Server Blocked!
Nov17

KB ID 0000651. Problem: The newest versions of the AnyConnect client now show you the following; If you are seeing this, you’re using the (default) self-signed certificate, or you connected to an IP address rather than the FQDN. But unlike before, you can now ‘lower’ the security so it does not warn you every time. Solution: 1. From the warning screen (shown above) select ‘Change Settings…’. 2. Untick...

Redirect AnyConnect Browser Connections From HTTP to HTTPS
Nov17

KB ID 0000707. Problem: AnyConnect is great for users, but most of them are not used to typing full URLs into their browsers. Modern browsers will prefix your URL with ‘http://’ for you. That’s brilliant most of the time, but AnyConnect and SSL VPN need to go to ‘https://’. Wouldn’t it be good if your users typed vpn.petenetlive.com into their browsers, and instead of the browser...

AnyConnect Error ‘The secure gateway has rejected the connection attempt, No assigned address’
Nov17

KB ID 0000876. Problem: I upgraded a client’s ASA5510 firewall(s) yesterday. Post upgrade he got this error; The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address. Solution: Thankfully the error is pretty descriptive, the remote client cannot get an...

Cannot Manage ASA via AnyConnect VPN
Nov17

KB ID 0000925. Problem: I haven’t needed to use my AnyConnect for a long time. But this week I needed to spin up some test servers. I connected fine, but I could not access the ASA via telnet, SSH or ASDM. Solution: 1. Traditionally all you needed to do to manage an ASA from a remote VPN session, was to set the management-access to inside. User Access Verification Password: Type help or ‘?’ for a list of available...

AnyConnect – ‘Service Provider is Restricting Access’
Nov17

KB ID 0000950. Problem: I only tend to use AnyConnect for VPN. So while I was at a client’s site the other week, I wanted to jump onto my test servers at home and was greeted by this; “The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.” Solution: I...
