KB ID 0000876
Problem
I upgraded a client’s ASA5510 firewall(s) yesterday. Post upgrade he got this error;
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.
Solution
Thankfully the error is pretty descriptive: the remote client cannot get an IP address. So I’m missing an ip local pool command, or that pool is missing from the AnyConnect tunnel-group. To test;
[box]
WHAT IT SHOULD LOOK LIKE
Petes-ASA# show run | incl pool
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
 address-pool SSL-POOL
Petes-ASA#
[/box]
In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I’m using for AnyConnect.
If you are missing both (I was post upgrade)
Note: Change the subnet to match your requirements, and DON’T use addresses that are in use INSIDE your LAN.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
[/box]
If you are missing the address-pool command
The IP pool used is defined in the tunnel group (in the general-attributes section).
[box]
HERE THE POOL REFERENCE IS MISSING;

User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
Petes-ASA#

TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))

User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config)# address-pool SSL-POOL
Petes-ASA(config)#

WHAT IT SHOULD LOOK LIKE

User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 address-pool SSL-POOL
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
Petes-ASA#
[/box]
Finally, don’t forget to save the changes.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#
[/box]
Afterthoughts
This happened because (pre migration) I had the following command in the firewall config;
[box]
ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0
[/box]
The firewall was (at that time) running version 8.2. In the past that syntax was fine; now you would need to specify the mask as 255.255.255.255 (to lease one address). During conversion this command was dropped, so it was never added to the tunnel-group either.
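An offline check for the conditions this article fixes, as an added example (not the author's or Cisco's code): it parses saved `show run` text and reports remote-access tunnel-groups with no `address-pool`, pools that are referenced but not defined, and single-address pools whose mask is not 255.255.255.255 (the form described above as dropped during conversion). The sample config is constructed; `GOOD-POOL`, `OTHER` and `MISSING-POOL` are hypothetical names, and the check assumes clients get addresses only from local pools named in the tunnel-group.

```python
import re

# Constructed sample config using this page's names plus hypothetical ones.
SAMPLE_CONFIG = """\
ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0
ip local pool GOOD-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
tunnel-group OTHER type remote-access
tunnel-group OTHER general-attributes
 address-pool MISSING-POOL
"""

# name, first address, optional "-last address", optional mask
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+?)(?:-(\S+))?(?: mask (\S+))?$")

def audit(config):
    """Return findings about local pools and remote-access tunnel-groups."""
    pools, remote, assigned, findings = {}, [], {}, []
    section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # a top-level command ends any sub-mode
            section = None
            m = POOL_RE.match(line)
            if m:
                pools[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            m = re.match(r"^tunnel-group (\S+) type remote-access$", line)
            if m:
                remote.append(m.group(1))
            m = re.match(r"^tunnel-group (\S+) general-attributes$", line)
            if m:
                section = m.group(1)
        elif section and line.strip().startswith("address-pool "):
            # skip an optional "(interface)" token, keep the pool names
            names = [t for t in line.split()[1:] if not t.startswith("(")]
            assigned.setdefault(section, []).extend(names)
    for name, (start, end, mask) in pools.items():
        if end is None and mask not in (None, "255.255.255.255"):
            findings.append(f"pool {name}: single address {start} with mask {mask}")
    for tg in remote:
        if not assigned.get(tg):
            findings.append(f"tunnel-group {tg}: no address-pool")
        for p in assigned.get(tg, []):
            if p not in pools:
                findings.append(f"tunnel-group {tg}: address-pool {p} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run it against the saved config before the upgrade and again after, so a pool lost in conversion shows up before a user reports "No assigned address".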