While attempting to connect to a client's AnyConnect, this happened;
The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.
Or on older clients, you may see;
The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again.
Solution
I was trying to connect from my house; I'd used this connection before from work and it was fine. I worked my way round the problem, got my work finished, then re-looked at it the next time I was working from home.
The problem is actually quite simple, take a look at the IP I was using in my house.
Then take a look at the VPN Pool addresses that get allocated to the remote VPN clients (they overlap);
[box]
show run | incl pool
[/box]
Note: This assumes you are using an 'IP Pool'. If you are using an external DHCP server at the 'Head end' then you will need to check/change the scope there.
I fixed the problem by simply changing the ‘pool’ so it didn’t overlap.
WARNING: If you have any routing going on behind your firewall (i.e. you have layer 3 switches internally, routing between networks or VLANs) you may need to change them to route the 'new' AnyConnect subnet back to the firewall.
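An added check for the overlap described above (example code, not from the original post): it parses the `ip local pool` lines from `show run | incl pool` and reports any pool that hands out addresses inside the client's local LAN. The `show run` output and the home LAN address are constructed samples.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of "show run | incl pool" output (not the article's real config).
# "ip local pool NAME START-END mask MASK" is the ASA's own line format.
SHOW_RUN_POOL = """\
ip local pool ANYCONNECT-POOL 192.168.1.100-192.168.1.200 mask 255.255.255.0
ip local pool L2TP-POOL 10.254.254.1-10.254.254.50 mask 255.255.255.0
"""

POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<start>[\d.]+)-(?P<end>[\d.]+)"
    r"(?: mask (?P<mask>[\d.]+))?"
)

Pool = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_pools(show_run: str) -> List[Pool]:
    """Return (name, first address, last address) for every 'ip local pool' line."""
    pools: List[Pool] = []
    for line in show_run.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools.append((m["name"],
                          ipaddress.IPv4Address(m["start"]),
                          ipaddress.IPv4Address(m["end"])))
    return pools


def overlapping_pools(local_lan: str, show_run: str) -> List[str]:
    """Names of pools whose range shares at least one address with the client's LAN.

    local_lan is the client's address with its mask, e.g. "192.168.1.50/24";
    host bits are zeroed so the whole subnet is compared. A tunnel address in
    the same subnet as the physical NIC is what breaks the forwarding-table update.
    """
    lan = ipaddress.IPv4Network(local_lan, strict=False)
    low, high = int(lan.network_address), int(lan.broadcast_address)
    return [name for name, first, last in parse_pools(show_run)
            if int(first) <= high and int(last) >= low]


if __name__ == "__main__":
    # Constructed home LAN: the client sits on 192.168.1.0/24.
    for pool in overlapping_pools("192.168.1.50/24", SHOW_RUN_POOL):
        print(f"pool {pool} overlaps the client's local LAN; change the pool or the LAN")
```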
Update: Solution Windows 10
If you are experiencing this problem on Windows 10, and the above solution is not applicable, consider deleting the following two files;
Normally if I were deploying Duo 2FA with AnyConnect I'd deploy a Cisco RADIUS VPN on my LAN, (usually on my Duo Authentication Proxy). See the following article;
However, last time I set this up, a colleague said 'Oh by the way, you don't need to do that, you can just point the firewall directly at Duo'. I was initially skeptical but I tried it, and it worked. I thought no more about it until this week when another colleague asked me to help him set up Duo for AnyConnect.
As you can see the firewall queries Duo using LDAPS, but the Duo product I’m using is called ‘Cisco RADIUS VPN’. This makes my networking OCD itch tremendously! (RADIUS and LDAPS are completely different protocols!) But it works, so here we go.
Solution
Note: For this solution you don’t even need to sync your users to Duo, (but it’s OK if you do)! As long as the users exist there.
With Duo, you need to select ‘protect an application‘ and select ‘Cisco RADIUS VPN‘. If you are unfamiliar with Duo you need to take a copy of the Integration Key, the Secret Key and the API Hostname. (Note: Don’t try using these ones, they have been changed!)
On the Firewall > Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups > Add > Call it ‘DUO-EXTERNAL’ > Select LDAPS > OK.
With your DUO-EXTERNAL group selected > In the bottom window > Add.
TO TEST: Press Test > Select Authentication > Use the username displayed in Duo > Type 'push' into the password box, and your phone should then prompt for 2FA authentication. (If it fails: Make sure the time is correct on the ASA, and at least do some debugging before posting below!)
Now either create a new AnyConnect profile, and use this new AAA method, or simply change the AAA method for an existing AnyConnect profile, (like below).
A word of warning, when I did this, (both in production and on my test ASA,) I got a strange error, I’ve documented that and the fix, below.
I was assisting a colleague to set up some AnyConnect for a client this afternoon, when all of a sudden I was met with this;
VPN
Logon denied, unauthorised connection mechanism, contact your administrator
Solution
This was a confusing one, I replicated the problem on my own test firewall. All I had done was change the AAA method from LOCAL to LDAP. It took me a while to figure out what was going on.
This happens because the GROUP POLICY your AnyConnect PROFILE is using does not have SSL enabled. (This makes no sense as it was working with LOCAL authentication, but this is how I fixed it).
You will be using either a specific group policy or the DfltGrpPolicy.
[box]
IF USING THE DEFAULT GROUP POLICY
Petes-ASA(config)# group-policy DfltGrpPolicy attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
IF USING A SPECIFIC GROUP POLICY (Remember to include any, that already exist! e.g. l2tp-ipsec)
Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless l2tp-ipsec
Note: This WON'T WORK if you 'force-tunnel' or 'tunnel-all' remote VPN traffic, (if you are unsure Google 'what's my ip' > Take note of it > Connect to AnyConnect and repeat the procedure, if your public IP address has changed to the IP address of the ASA then you force-tunnel/tunnel-all traffic).
With more people remote working now, I'm getting a lot more questions about RA-VPN and particularly AnyConnect. By default when connecting to any Cisco remote access VPN, it pretty much stops you connecting to anything outside the VPN tunnel, (unless you enable Split Tunnelling). This includes stopping you talking to assets on your own local network as well.
This is basically 'Good practice', as a corporate entity you have authenticated a remote machine NOT the entire network it is on! But what happens when your MD wants to print a work document on his/her home printer? Or you have a NAS drive at home with documents on it you want to access while connected to the VPN?
Well, then you can 'make a judgement call' as to whether or not you want to enable 'Local LAN Access' for your remote clients.
Full Disclosure: While this does not let everything on the remote client's LAN connect to the corporate network, if another client on that remote network were infected and compromised, and it spread its infection via the LAN (to your authenticated remote client), then that client could infect the corporate network. This is what's known as a 'pivot attack'.
Solution
Assuming you are happy to enable local LAN access, it's a TWO STEP procedure. Firstly you enable Local LAN Access on the AnyConnect Client Profile, then you enable split tunnelling with an exclude list containing 0.0.0.0/32, (because you don't know what all the remote network addresses may be).
Step 1: Add Local LAN Access to the AnyConnect Client Profile
If you are unfamiliar with 'AnyConnect Client profiles', they are simply XML files that are applied to an AnyConnect Connection Profile. I already have one so I just need to edit it, and tick 'Local LAN Access'.
What If you Don’t Already Have One? Not a problem. In the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Give it a name > Set the Group Policy to your AnyConnect Group Policy > OK > Apply > Edit.
What Does User Controllable Mean? It means your users can enable or disable it, (see below.) If you untick this then they won't have that option.
Step 2: Add 0.0.0.0/32 to Split Tunnelling
You configure split tunnelling in your AnyConnect Group-Policy (ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies) Locate yours and edit it, navigate to Advanced > Split Tunnelling > Policy: Untick inherit, and set to Exclude Network List Below > Network List: Untick Inherit and click Manage.
Firstly: Create an ACL and call it 'ACL-Local-LAN-Access' > OK
Secondly: Select the ACL you just created and add an ACE to it > permit 0.0.0.0/32 > OK > OK > OK > Apply > File > Save Running Configuration to Flash.
Your remote workers will need to disconnect and reconnect before it will take effect. In some cases with older clients they need to reboot, (or have the AnyConnect service stopped and restarted.) If you experience problems make sure your clients have got the new XML file with;
A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD, there I glossed over the AnyConnect profile section. For a long time now, we have been able to edit the AnyConnect profile from within the firewall (if we are running ASA code!) But for the FTD we need to take a step backwards and go back to using the ‘offline’ AnyConnect profile editor.
Solution
Firstly you need to download the offline profile editor, you will find it on the Cisco AnyConnect Mobility Client download page;
I won't insult your intelligence, the setup is straightforward;
Launch the editor, and the screen you will see is exactly the same as you would normally see while using the profile editor in a Cisco ASA, (when launched from within the ASDM).
Note: I'm not going to go through all the settings, (this post would become immense!) Typically I allow remote (RDP) connections, and set the public FQDN for my AnyConnect profile.
Once you have finished, you can simply save the settings as an XML file.
Import an AnyConnect ‘Profile XML File’ into Cisco ASA
As mentioned above, with all 'modern' versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here's how to import one you created externally, (or exported from another firewall).
Import an AnyConnect ‘Profile XML File’ into Cisco FTD
Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.
Browse to, and select the previously created XML file > Open.
Then save and deploy the changes (this takes ages!).
You can now select this ‘profile file’ when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration, and add this profile to it.
Related Articles, References, Credits, or External Links
In this article I will focus on 'Remote Access' VPN, which for Cisco FTD means using the AnyConnect client. I've spent years deploying this solution for ASA so it's a product I know well. As with all things Cisco, there are a couple of things that could trip you up. Let's get them out of the way first.
If you are used to AnyConnect then you probably have the client software. It's the same software package that's installed with Cisco ASA. Sometimes just getting access to the download is a trial! Anyway you will need the AnyConnect 'Package' files, these typically have a .pkg extension, (Cisco refer to these as Head-End packages). There's one for macOS, one for Windows, (well another one now for ARM processors, but I've not needed it yet), and one for Linux. You will need to download a package for each platform your users will need to connect with.
AnyConnect Licence! After years of getting a few free with a Cisco ASA, I was unhappy to find that’s not the case with Cisco FTD. If you want to use AnyConnect you need to have a licence, and it needs to be in your Smart Licensing Account, (before you enable Remote Access VPN).
Final Gotcha! Make sure you HAVE NOT enabled HTTPS management on the outside interface of the FTD before you start configuring AnyConnect, or you will get all the way to the end, and it will fall over and you will have to start again (thanks Cisco! How hard would it be to say, if you enable this, I will disable https outside management is this OK?)
Solution
If you haven't already done so enable the Remote Access VPN licence > Smart Licence > Fire Configuration > RA VPN License > Enable > Change to licence type (mine's Apex). Have a coffee and recheck everything is licensed OK.
Give the profile a name, a group alias, and group URL > I’m using the FTD as my AAA Identity source (so my username and passwords are held on the firewall) that’s fine for small deployments, but in production you should think about deploying an AAA solution (called a Special Identities Realm in FTD). Scroll down.
I typically create a new network object for my remote clients to use, you can select your internal DHCP server to send out addresses if you wish > Next.
I'm using Cisco Umbrella DNS servers, (or the DNS servers formerly known as OpenDNS) > I'm setting a 'welcome banner' but you don't need to, (some people find them annoying!) > Scroll down.
Split tunnelling: As always Cisco assume you want to tunnel everything, in most cases that's NOT the requirement (BUT it IS the most secure!) I set up split tunnelling by Excluding my internal networks > Next.
Client Profiles: If you have one you can set it here, if you want to create one, see the following article;
Select the certificate the FTD will present (don’t choose the web one it will error!) > Select the interface your client will connect to (typically outside) > Enter the FQDN of the device > I allow bypass for VPN traffic, if you want to scan remote traffic with firepower etc DON’T select this > Enable NAT Exemption (select the internal interface) > Internal Networks: Then add in the internal network, I’ve already got an object for that, (you may need to create one.) > Scroll down.
Here you upload your .pkg files (I mentioned above) when you have finished > Next.
Review the settings > Finish.
Cisco FTD Create User (via FDM)
You will need a username and password to authenticate (skip this if you are not using the FTD's internal user database.) Objects > Users > Add > Supply a username and password > OK
Pending Changes > Deploy Now.
Go and have a coffee again, keep clicking pending changes until it looks like this. (Quite why it takes so long, I have no idea.) It's even more fun if you made a mistake, because it will just error and fall over, so you have to find the error (if you can) > then remove the pending change and start all over again. Cheers Cisco!
Finally go to an external client and give it a try, if your clients don’t have the client software installed simply ‘browse’ to the FTD to get it.
Related Articles, References, Credits, or External Links
If you connect to a client via RDP then try and run the AnyConnect client, you will see one of these errors;
VPN establishment capability for a remote user is disabled. A VPN connection will not be established
VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established
This behaviour is the default, and despite trawling the internet for a solution I found nothing that worked: most posts suggest changing the local AnyConnectProfile.tmpl file, but this file does not exist in Version 3 (I was using v3.0.4235).
Update: With early versions of AnyConnect version 4 it does not tell you what's wrong, the VPN appears to connect and then disconnect quickly. If you have debugging on the firewall you will see the following;
Profile settings do not allow VPN initiation from a remote desktop.
Note: This is fixed in version 4.8 and you will see the error at the top of the page.
Solution
To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).
Edit AnyConnect Profile With ASDM
Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
Give the profile a name > Select a group policy to apply it to > OK.
AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
OR (older versions)
Apply the changes, and then save to the running configuration.
Edit AnyConnect Profile With Stand-Alone Profile Editor
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
Update: The AnyConnect Profile Editor is now built into the ASDM, it becomes available once you have enabled any AnyConnect image. Once you have a profile created you can skip straight to step 3, and skip all the other steps.
If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.
2. Once you have installed the profile editor, launch the “VPN Profile Editor”.
3. The setting we want is listed under Windows VPN Establishment, and needs setting to “AllowRemoteUsers”, In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.
AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
4. Save the profile somewhere you can locate it quickly.
6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the "Client Profile to Download" section and uncheck the inherit button.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
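An added example (my own code, not from the original post or from Cisco) that reads an AnyConnect client profile XML and reports the three settings this page edits: Local LAN Access (from the Local LAN Access section above) plus Windows VPN Establishment and Windows Logon Enforcement (this section). It can also switch a profile to AllowRemoteUsers so the RDP error above goes away. The sample profile is constructed; the element names and the default namespace follow what the profile editor writes, as far as I know (an assumption).

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

ANYCONNECT_NS = "http://schemas.xmlsoap.org/encoding/"
# Serialise with the default namespace rather than an "ns0:" prefix.
ET.register_namespace("", ANYCONNECT_NS)

# Constructed sample profile: only the elements this page discusses are present.
# Element names/namespace are my assumption about the profile editor's output.
SAMPLE_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Work VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by bare name."""
    return tag.rsplit("}", 1)[-1]


def _find(root: ET.Element, name: str) -> Optional[ET.Element]:
    return next((e for e in root.iter() if _local(e.tag) == name), None)


def _text(elem: Optional[ET.Element], default: str) -> str:
    return (elem.text or "").strip() if elem is not None else default


def profile_settings(xml_text: str) -> Dict[str, object]:
    """Settings of interest; missing elements fall back to the editor's defaults
    (assumed: Local LAN Access off, LocalUsersOnly, SingleLocalLogon)."""
    root = ET.fromstring(xml_text)
    lla = _find(root, "LocalLanAccess")
    return {
        "local_lan_access": _text(lla, "false").lower() == "true",
        "local_lan_user_controllable": lla is not None
        and lla.get("UserControllable", "false").lower() == "true",
        "vpn_establishment": _text(_find(root, "WindowsVPNEstablishment"), "LocalUsersOnly"),
        "logon_enforcement": _text(_find(root, "WindowsLogonEnforcement"), "SingleLocalLogon"),
    }


def rdp_initiation_allowed(xml_text: str) -> bool:
    """True only when a Remote Desktop session is permitted to bring up the tunnel."""
    return profile_settings(xml_text)["vpn_establishment"] == "AllowRemoteUsers"


def allow_remote_users(xml_text: str) -> str:
    """Return the profile with WindowsVPNEstablishment set to AllowRemoteUsers,
    creating the element under ClientInitialization if it is absent."""
    root = ET.fromstring(xml_text)
    est = _find(root, "WindowsVPNEstablishment")
    if est is None:
        init = _find(root, "ClientInitialization")
        est = ET.SubElement(init, f"{{{ANYCONNECT_NS}}}WindowsVPNEstablishment")
    est.text = "AllowRemoteUsers"
    return ET.tostring(root, encoding="unicode")
```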
Related Articles, References, Credits, or External Links
This page will be used as a central repository and ‘index’ for configuration on the Cisco Firepower 1010 series firewall. I intend to add to it as I test the capabilities and work out any problems whilst trialing/deploying and operating this platform.
Cisco released information on their blog a few days ago to say that they would be offering free Umbrella, Duo and AnyConnect Licences to customers in the wake of the COVID-19 outbreak.
That's great news, but there's no information on how to get the AnyConnect licences. It just says speak to your Cisco partner. As I am a Cisco partner I was confused, and it seems my colleagues were also. So I contacted Cisco Partner help, who passed me to licensing, who passed me to Cisco TAC, who opened a call. 24 hours later still no reply. Luckily by this time a colleague had managed to set this up for a client, and he pointed me in the right direction, (cheers Trev!)
Solution
Note: This procedure DOES NOT work for vASA or FTD. You can email licensing@cisco.com Subject: ‘COVID-19 AnyConnect License Request’. Provide your platform information, and smart account details, and they will provision licenses for your account that you can then assign via the usual methods.
Note: I exclusively work at command line, I realise some people are terrified of doing this, so if you want to work with activation keys and serial numbers in the ASDM then read this post.
Log into your Cisco Device (in my case a Cisco ASA) and get the serial number. (Issue a show version command).
Note: I would also take a copy of the Activation Key at this point paste it into Notepad and keep it somewhere safe.
Also from the show version command you will see I only have the factory default 2 AnyConnect premium licences.
You will need a Cisco CCO account, these are free to setup and once you have one you can log into the licensing portal, from there, (either using classic licences or SMART licences) > Get Licences > Demo and Evaluation > Security Products > AnyConnect Plus/Apex(ASA) Demo Licence and Emergency COVID-19 Licence > Next.
Enter the Serial Number of your ASA (from above), Here I asked for 10 users, you will get the maximum for your model of ASA, if you don’t know what the maximum is see this article > Next.
Review > Next.
You will get sent the licence by email, (this has a habit of going into spam!) But I download them directly anyway.
Here's your new activation key, copy it to the clipboard;
Execute the following commands;
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# activation-key a27ed158 406176b7 799f41f2 6184be43 12345678
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.
[/box]
Now if you recheck your AnyConnect Licence count, it will match the maximum for your hardware.
I Need More! Sorry buddy, you need to replace the hardware with a larger one.
Related Articles, References, Credits, or External Links
I was asked if I’d ever set this up the other week. Surprisingly I had not, I’d deployed Duo for other things, but not for Cisco AnyConnect. As I had some other ‘Duo’ related tasks coming up, I was deploying it on the test bench, then adding in my Cisco ASA and AnyConnect wasn’t much more work!
Here’s my topology;
My ASA is running version 9.1
My Duo Authentication Proxy is installed on Windows 2019
I’m running Cisco AnyConnect Version 4.8
Cisco AnyConnect Duo Pre-Requisites
I already have a Duo Authentication Proxy server setup and my users are enrolled, you will need to set this up first. See the following article;
Log into the Duo Admin Portal > Applications > Protect an Application > Search for and select Cisco RADIUS VPN > Copy the Integration Key, Secret Key and the API hostname to notepad.
Back on your Duo Authentication Proxy, (because you completed the pre-requisites) add the following to the bottom of your authproxy.cfg file;
Note: 192.168.254.254 is the inside interface of the Cisco ASA, and 666999 is the shared secret we will enter on the firewall in a moment. I’m not sure you have to, but at this point I’d restart the Duo Auth Proxy service as well.
Configure Cisco ASA for Duo RADIUS
Log into the ASDM > Configuration > Device Management > Users/AAA > AAA Server Groups > Add.
You only need to add the name of the server group i.e. DUO-RADIUS, and ensure the protocol is set to RADIUS > OK > Apply.
Now select the DUO-RADIUS group in the top window, and click ‘Add’ in the bottom window > Specify the interface that’s facing the Duo Auth Proxy Server > Add its IP address > Change the Timeout to 60 seconds > Set the Server Authentication port to 1812 > Set the Server Accounting Port to 1813, (though it will NOT do accounting) > Type in the Secret Key you specified above > Untick Microsoft CHAPv2 Capable > OK.
Testing Cisco ASA Duo 2FA Authentication
I’ve written about testing AAA before in the following article;
But essentially with the SERVER selected > Test > Select Authentication > Enter the username and password for a user.
What about passcodes and 2FA? This will send a push notification to the user's Duo Authenticator (phone); you can enter the password, then a comma, then the passcode from the Duo App if you wish, (I just prefer the push notification).