AnyConnect Error – ‘Failed To Get Configuration From Secure Gateway’

KB ID 0001354

Problem

Saw this while attempting to connect to my ASA this week.

AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator

Solution

Luckily I had just made a change, so I could focus on the right area straight away: I had been editing the profile XML file associated with my AnyConnect group policy. Looking at the group policy in ASDM, the profile showed as not associated, because the profile name it referenced no longer existed.

Note: Selecting 'Change Group Policy' in ASDM did not work for me; it failed with an error while trying to delete a profile I had used in the past.

So to fix the problem I need to log on at the command line. First, make sure the new profile is listed under webvpn:

[box]

Petes-ASA# show run webvpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
 tunnel-group-list enable

[/box]

Note: You can also run 'show flash' to confirm the XML file is actually in flash memory; the webvpn entry only records the path, it does not prove the file exists.

Now list all the group policies. The last one, PNL-GP-ANYCONNECT-ACCESS, still references a profile (PNL-Profile) that no longer exists under webvpn (and is not in flash memory either). That dangling reference is what the client reports as 'Failed to get configuration from secure gateway'.

[box]

Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
 anyconnect ssl df-bit-ignore enable

[/box]

It is easy to remove the stale reference:

[box]

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles

[/box]

Then add the correct profile back in (the name must match the one defined under webvpn exactly, AnyConnect-VPN-Profile here) and save the changes.

[box]

Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profile type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787

23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]

[/box]

Now, if you refresh ASDM, the group policy displays correctly again.


Problem Solved.

Related Articles, References, Credits, or External Links

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

Cisco AnyConnect Error: ‘The VPN client driver has encountered an error’

Cisco AnyConnect Error: ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

AnyConnect Error:  ‘The secure gateway has rejected the connection attempt, No assigned address’

Cisco AnyConnect Error: (Mobile Devices)

AnyConnect Error ‘The secure gateway has rejected the connection attempt, No assigned address’

KB ID 0000876 

Problem

I upgraded a client's ASA5510 firewall(s) yesterday. Post upgrade he got this error:

The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.

Solution

Thankfully the error is pretty descriptive: the remote client cannot be assigned an IP address. So either the 'ip local pool' command is missing, or the pool is not applied to the AnyConnect tunnel group. To test:

[box]

WHAT IT SHOULD LOOK LIKE

Petes-ASA# show run | incl pool
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
 address-pool SSL-POOL
Petes-ASA#

[/box]

In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I’m using for AnyConnect.

If you are missing both (I was, post upgrade), create the pool first.

Note: Change the subnet to match your requirements, and DON'T use addresses that are already in use INSIDE your LAN; an overlapping range will conflict with the inside routes.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0

[/box]

If you are missing the address-pool command:

The pool to use is referenced in the tunnel group, in its general-attributes section.

[box]

HERE THE POOL REFERENCE IS MISSING;

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
Petes-ASA#

TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# address-pool SSL-POOL
Petes-ASA(config-tunnel-general)#

WHAT IT SHOULD LOOK LIKE

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 address-pool SSL-POOL
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
Petes-ASA#

[/box]


Finally, don’t forget to save the changes.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]
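Both errors on this page come down to a dangling reference in the running config: a group policy pointing at an AnyConnect profile that is not defined under webvpn (the 'Failed to get configuration from secure gateway' article above), or a remote-access tunnel group that has no address pool (this article). The following Python script is an added example, not from the original page or from Cisco. It parses saved 'show running-config' text and reports both faults, so the check can be run after an upgrade before users hit them. The embedded sample config is constructed to mirror the broken configs shown on this page (PNL-GP-ANYCONNECT-ACCESS still pointing at PNL-Profile, SSL-PROFILE with no pool) plus a correct tunnel group, OK-PROFILE, for contrast. The rule that a pool on the tunnel group, on its group policy, or on DfltGrpPolicy is sufficient is an assumption about ASA address assignment; DHCP- and AAA-assigned addresses are not considered.

```python
"""Lint ASA 'show running-config' text for the two AnyConnect faults on this
page: a group-policy referencing an AnyConnect profile not defined under
webvpn, and a remote-access tunnel-group with no address pool to hand out."""
import re
from collections import defaultdict

# Constructed sample (not a real device config): PNL-GP-ANYCONNECT-ACCESS
# still points at PNL-Profile, SSL-PROFILE has no address-pool, OK-PROFILE
# is a correctly configured tunnel-group for contrast.
SAMPLE_CONFIG = """\
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
webvpn
 enable outside
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 webvpn
  anyconnect profiles value PNL-Profile type user
group-policy SSL-POLICY internal
group-policy SSL-POLICY attributes
 webvpn
  anyconnect profiles value AnyConnect-VPN-Profile type user
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group OK-PROFILE type remote-access
tunnel-group OK-PROFILE general-attributes
 address-pool SSL-POOL
 default-group-policy PNL-GP-ANYCONNECT-ACCESS
"""


def parse_config(text):
    """Collect pools, defined profiles, and what group-policies and
    tunnel-groups reference. Sections are recognised by indentation: an
    unindented line opens a section, indented lines belong to it."""
    cfg = {"pools": set(), "profiles": set(), "remote_access": set(),
           "gp_profile_refs": defaultdict(set), "gp_pools": defaultdict(set),
           "tg_pools": defaultdict(set), "tg_default_gp": {}}
    section = [""]  # no section yet; matches none of the branches below
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():
            section = line.split()
            m = re.match(r"ip local pool (\S+)", line)
            if m:
                cfg["pools"].add(m.group(1))
            m = re.match(r"tunnel-group (\S+) type remote-access$", line)
            if m:
                cfg["remote_access"].add(m.group(1))
            continue
        w = line.split()
        if section[0] == "webvpn":
            # 'anyconnect profiles NAME disk0:/file.xml' defines a profile
            if w[:2] == ["anyconnect", "profiles"] and len(w) >= 4:
                cfg["profiles"].add(w[2])
        elif section[0] == "group-policy" and section[-1] == "attributes":
            # 'anyconnect profiles value NAME type user' references one
            if w[:3] == ["anyconnect", "profiles", "value"] and len(w) >= 4:
                cfg["gp_profile_refs"][section[1]].add(w[3])
            elif w[:2] == ["address-pools", "value"]:
                cfg["gp_pools"][section[1]].update(w[2:])
        elif section[0] == "tunnel-group" and section[-1] == "general-attributes":
            if w[0] == "address-pool":
                cfg["tg_pools"][section[1]].update(w[1:])
            elif w[0] == "default-group-policy" and len(w) == 2:
                cfg["tg_default_gp"][section[1]] = w[1]
    return cfg


def lint(text):
    """Return one finding string per fault; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    for gp, refs in cfg["gp_profile_refs"].items():
        for name in sorted(refs - cfg["profiles"]):
            findings.append(f"group-policy {gp} references AnyConnect profile "
                            f"'{name}' not defined under webvpn (client will report "
                            f"'Failed to get configuration from secure gateway')")
    for tg in sorted(cfg["remote_access"]):
        gp = cfg["tg_default_gp"].get(tg, "DfltGrpPolicy")
        # Assumption: a pool on the tunnel-group, its group-policy, or
        # DfltGrpPolicy is enough; DHCP/AAA-assigned addresses are ignored.
        pools = (cfg["tg_pools"].get(tg, set()) | cfg["gp_pools"].get(gp, set())
                 | cfg["gp_pools"].get("DfltGrpPolicy", set()))
        if not pools:
            findings.append(f"tunnel-group {tg} (group-policy {gp}) has no "
                            f"address pool (client will report 'No assigned address')")
        for pool in sorted(pools - cfg["pools"]):
            findings.append(f"tunnel-group {tg} uses pool '{pool}' with no "
                            f"'ip local pool' definition")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of 'show running-config' saved to a file (read the file and pass its contents to lint()). On the sample it reports the stale PNL-Profile reference and the pool-less SSL-PROFILE tunnel group and stays silent about OK-PROFILE; after the two fixes shown on this page it reports nothing.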

Afterthoughts

This happened because, before the migration, the firewall config contained the following command:

[box]

ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0

[/box]


The firewall was running version 8.2 at the time. That syntax (a single address with a /24 mask) used to be accepted; now you would need to specify the mask as 255.255.255.255 to lease a single address. During the upgrade the command was dropped, so the pool was never added to the tunnel group either. After any upgrade, check the pools with 'show run | incl pool' before users report the problem.

Related Articles, References, Credits, or External Links

NA