AnyConnect: Unauthorized Connection Mechanism

KB ID 0001699

Problem

I was assisting a colleague to set up some AnyConnect for a client this afternoon, when all of a sudden I was met with this:

VPN

Logon denied, unauthorised connection mechanism, contact your administrator

Solution

This was a confusing one; I replicated the problem on my own test firewall. All I had done was change the AAA method from LOCAL to LDAP. It took me a while to figure out what was going on.

This happens because the GROUP POLICY your AnyConnect PROFILE is using does not have SSL enabled. (This makes no sense, as it was working with LOCAL authentication, but this is how I fixed it).

You will be using either a specific group policy or the DfltGrpPolicy.

IF USING THE DEFAULT GROUP POLICY

Petes-ASA(config)# group-policy DfltGrpPolicy attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless

IF USING A SPECIFIC GROUP POLICY (Remember to include any protocols that are already enabled, e.g. l2tp-ipsec, because the command replaces the existing list!)

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless l2tp-ipsec 

Or, if you really HAVE TO use the ASDM.

Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select the Group Policy you are using > Edit.

General > More Options > Tick the SSL Options > OK > Apply.

Don’t forget to save your changes! Then try connecting again.
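
To find every connection profile that would hit this error, the check below (an added example, not part of the original article or any Cisco tool) reads saved `show running-config` text, maps each tunnel-group to its group policy, and reports those whose effective vpn-tunnel-protocol list lacks ssl-client. It assumes the DfltGrpPolicy protocol line is present in the input; the TG-* and GP-INHERITS names in the sample are invented.

```python
import re
DEFAULT = "DfltGrpPolicy"
# Constructed running-config excerpt; the TG-* and GP-INHERITS names are invented.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 vpn-tunnel-protocol ssl-client l2tp-ipsec
group-policy GP-INHERITS internal
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy PNL-GP-ANYCONNECT-ACCESS
tunnel-group TG-INHERITS general-attributes
 default-group-policy GP-INHERITS
tunnel-group TG-NO-POLICY general-attributes
"""
HEADER = re.compile(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes\s*$")

def parse(config):
    """Return ({group_policy: protocols or None}, {tunnel_group: group_policy})."""
    protocols, profiles, section = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):          # top-level line: new section or none
            m = HEADER.match(line)
            section = m.groups() if m else None
            if section and section[0] == "group-policy":
                protocols.setdefault(section[1], None)
            elif section:                     # no explicit policy means the default
                profiles.setdefault(section[1], DEFAULT)
        elif section and len(words) > 1:
            if section[0] == "group-policy" and words[0] == "vpn-tunnel-protocol":
                protocols[section[1]] = words[1:]
            elif section[0] == "tunnel-group" and words[0] == "default-group-policy":
                profiles[section[1]] = words[1]
    return protocols, profiles

def profiles_without_ssl_client(config):
    """List (tunnel_group, group_policy, effective_protocols) lacking ssl-client."""
    protocols, profiles = parse(config)
    findings = []
    for tg, gp in sorted(profiles.items()):
        # No vpn-tunnel-protocol line: the policy inherits the default policy's list.
        effective = protocols.get(gp) or protocols.get(DEFAULT)
        if not effective or "ssl-client" not in effective:
            findings.append((tg, gp, effective))
    return findings

print(profiles_without_ssl_client(SAMPLE_CONFIG))
```

An effective list of None means the protocol line was not in the supplied text, so check that policy on the firewall itself.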

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
