04-17-2024 09:31 AM
Hi Everyone
I'm using a trial version of ASAv and I believe it has full functionality but is limited to 100 Kbps. I'm trying to set up a remote-access AnyConnect VPN which authenticates to our NPS RADIUS server. As you can see in the RADIUS debug, it seems to be connecting to the RADIUS server successfully. The RADIUS server goes to an AD server to authenticate the user:
rad_procpkt: ACCEPT
radius.c 1374: status = 1
MSChapv2 authenticator received.
Added decoded MS MPPE recv key for RADIUS
Added decoded MS MPPE send key for RADIUS
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x00007fc812693f60 session 0x2b54 id 111
free_rip 0x00007fc812693f60
radius: send queue empty
The problem is that the authentication fails on AnyConnect. Now I've checked the licence on my trial ASAv and it is showing:
Firewall throughput limited to 100 Kbps
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Botnet Traffic Filter : Enabled
Cluster : Enabled
It is showing AnyConnect as disabled. Am I mistaken in thinking the AnyConnect feature should work in the trial, or do I have an issue between the ASAv and the RADIUS server, or between the RADIUS server and the AD domain server?
Thanks
04-17-2024 11:06 AM - edited 04-17-2024 11:07 AM
Share the output of this:
show vpn-sessiondb summary
MHM
04-18-2024 01:30 AM
ciscoasa# show vpn-sessiondb summary
No sessions to display.
04-18-2024 01:37 AM
show vpn-sessiondb license-summary
The ASA by default accepts three AnyConnect peers, but let's check the license with the above command.
Then we start troubleshooting AnyConnect - ASA - RADIUS (AD).
MHM
04-18-2024 02:31 AM
I've done the anyconnect command above and also the command you stated:
ciscoasa# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 750 : 0 : NONE
AnyConnect Essentials : DISABLED : 750 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 750 : 750 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : DISABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                     All In Use : Peak In Use : Eff. Limit : Usage
---------------------------------
AnyConnect Premium :          0 :           1 :        750 : 0%
Other VPN          :          0 :           0 :        750 : 0%
L2TP Clients
---------------------------------------------------------------------------
04-18-2024 02:50 AM
Asa# show activation-key
This should show you that you have two AnyConnect Premium licenses; in the show version output you shared below it is zero, but let's check more.
Check it.
I will share with you later today some steps to debug traffic between the ASA and RADIUS.
MHM
04-18-2024 02:53 AM
Thanks.
The show activation-key command does not work.
04-18-2024 01:44 AM
Not 100% sure about the ASAv, but yes, you're right, usually the ASA would come with 2x AnyConnect licenses. Please try to enable AnyConnect Essentials and see if that makes any difference. To do so, please issue the following commands:
webvpn
anyconnect-essentials
04-18-2024 02:29 AM
There is no essentials command, but there is an enable command which I have tried, but it does not seem to do anything:
webvpn mode commands/options:
enable                Enable the AnyConnect Client
external-browser-pkg  Configure the AnyConnect external browser package file path
image                 Configure the AnyConnect client package file path
profiles              Configure the AnyConnect client profiles package filepath
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
04-18-2024 02:58 AM
Could you please type "anyconnect ?" under webvpn and share the output of the available commands for review?
04-18-2024 03:17 AM
ciscoasa(config-webvpn)# anyconnect ?
webvpn mode commands/options:
enable                Enable the AnyConnect Client
external-browser-pkg  Configure the AnyConnect external browser package file path
image                 Configure the AnyConnect client package file path
profiles              Configure the AnyConnect client profiles package filepath
I have tried anyconnect enable under webvpn, but it seems to be the same:
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Not sure if I have to reboot for it to take effect.
04-18-2024 03:47 AM
AnyConnect enable would enable the premium licenses I think.
A. Yes. But please note that ASAv, which utilizes Cisco Smart Licensing, does not require any Cisco Secure Client license to be physically applied to the actual platform. The same licenses must still be purchased and you must still link the Contract number to your Cisco.com ID for SW Center access and tech support.
Source: Cisco Secure Client Licensing Frequently Asked Questions - Cisco
Seems that the ASAv supports only the smart licenses? maybe @Marvin Rhoads or @Rob Ingram can help on this.
04-18-2024 03:56 AM
Tried the command but does not seem to work or do anything.
04-18-2024 04:20 AM - edited 04-18-2024 04:22 AM
That's correct @Aref Alsouqi - ASAv only supports smart licenses - including for AnyConnect / Secure Client. It does not include the two AnyConnect licenses that traditional ASA hardware appliances offered.
Thus, you must register the ASAv with a Smart Account to use that feature. Even if the account is non-compliant (i.e., no available AnyConnect licenses) it should allow you to use the feature.
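The thread's symptom, RADIUS returning Access-Accept while the ASAv shows AnyConnect Premium Peers : 0, is easy to misread as an authentication failure. The following is an added example, not code from this thread or from Cisco: a small Python triage helper that parses the plain-text "Licensed features" block from show version and the debug radius lines quoted above, and reports which layer to look at next. The sample inputs are the outputs posted earlier in the thread; the function names are the example's own, and the RADIUS_ACCESS_REJECT marker is assumed by analogy with the RADIUS_ACCESS_ACCEPT line shown on the page.

```python
"""Triage helper: RADIUS says Access-Accept, but the AnyConnect session fails.

Added example, not code from the thread or from Cisco. It parses the
'Licensed features' block of `show version` and the `debug radius` tail
exactly as they appear as plain text, and points at the layer to check.
"""

# Sample input: the ASAv trial's license block as posted in the thread.
LICENSE_OUTPUT = """\
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
"""

# Sample input: the `debug radius` tail as posted in the thread.
RADIUS_DEBUG = """\
rad_procpkt: ACCEPT
radius.c 1374: status = 1
MSChapv2 authenticator received.
Added decoded MS MPPE recv key for RADIUS
Added decoded MS MPPE send key for RADIUS
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
"""


def parse_license(text):
    """Turn 'Feature : Value' lines into a dict; lines without ':' are skipped."""
    features = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            features[key.strip()] = value.strip()
    return features


def anyconnect_licensed(features):
    """True if the platform can terminate AnyConnect sessions.

    Premium peers are a count; Essentials is an on/off feature that, when
    enabled, licenses AnyConnect up to the platform's peer limit.
    """
    premium = features.get("AnyConnect Premium Peers", "0").strip()
    if premium.isdigit():
        premium_peers = int(premium)
    else:
        premium_peers = 1 if premium.lower() == "unlimited" else 0
    essentials = features.get("AnyConnect Essentials", "Disabled").lower()
    return premium_peers > 0 or essentials == "enabled"


def radius_outcome(debug_text):
    """Classify the exchange from the last RADIUS_ACCESS_* line in the debug.

    The REJECT marker is assumed by analogy with the ACCEPT line on the page.
    """
    outcome = "no_response"
    for line in debug_text.splitlines():
        if line.startswith("RADIUS_ACCESS_ACCEPT"):
            outcome = "accept"
        elif line.startswith("RADIUS_ACCESS_REJECT"):
            outcome = "reject"
    return outcome


def diagnose(license_text, debug_text):
    """Return the layer to investigate: auth, radius_reachability, license or other."""
    outcome = radius_outcome(debug_text)
    if outcome == "reject":
        return "auth"                  # RADIUS/AD rejected the user
    if outcome == "no_response":
        return "radius_reachability"   # no Access-* seen: shared secret, ACLs, server down
    if not anyconnect_licensed(parse_license(license_text)):
        return "license"               # accepted, but the ASA has no AnyConnect capacity
    return "other"                     # accepted and licensed: look at group-policy, tunnel-group, image


if __name__ == "__main__":
    # For the thread's outputs this prints "license": the RADIUS side is fine
    # and the ASAv simply has no AnyConnect peers until it is Smart-Licensed.
    print(diagnose(LICENSE_OUTPUT, RADIUS_DEBUG))
```

Paste the two outputs from your own ASA into the two strings and run it; a "license" result means the RADIUS/AD path is not the place to keep debugging.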
04-18-2024 04:27 AM
Hi Marvin
I've tried the anyconnect enable command, but I still cannot connect via the AnyConnect app.