ANY CONNECT PART - 12

AnyConnect Error 'The secure gateway has rejected the connection attempt, No assigned address'

KB ID 0000876 Dtd 15/11/13

Problem

I upgraded a client's ASA5510 firewall(s) yesterday. Post upgrade he got this error:
The secure gateway has rejected the connection attempt
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.

Solution

Thankfully the error is pretty descriptive: the remote client cannot get an IP address. So either I'm missing an ip local pool command, or that pool is missing from the AnyConnect tunnel-group. To test:
WHAT IT SHOULD LOOK LIKE
Petes-ASA# show run | incl pool
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
address-pool SSL-POOL
Petes-ASA#
In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I'm using for AnyConnect.

If you are missing both (I was, post upgrade)

Note: Change the subnet to match your requirements, and DON'T use addresses that are in use INSIDE your LAN.
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0

If you are missing the address-pool command

The IP pool used is defined in the tunnel-group (in the general-attributes section).
HERE THE POOL REFERENCE IS MISSING:
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#
TO ADD IT IN (take note of the tunnel-group name SSL-PROFILE, above)
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# address-pool SSL-POOL
Petes-ASA(config-tunnel-general)# exit
Petes-ASA(config)#
WHAT IT SHOULD LOOK LIKE
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
address-pool SSL-POOL
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

Finally, don't forget to save the changes.
Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#
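As an added check for this failure mode (this is example code, not from the article or from Cisco), the script below parses "show run" output and flags the conditions covered above: a remote-access tunnel-group with no address-pool under general-attributes, a referenced pool that no ip local pool defines, a range that does not fit inside its mask, and a pool that overlaps an interface subnet (the "don't use addresses in use inside your LAN" note). The sample configs are constructed from the snippets on this page; the "inside" interface address is an assumption. It only covers pools assigned in tunnel-group general-attributes, as on this page, not pools assigned via a group-policy or DHCP.

```python
import ipaddress
import re

# Constructed sample "show run" output, modelled on the article's snippets.
# SSL-POOL / SSL-PROFILE come from the page; the inside interface is assumed.
SAMPLE_SHOW_RUN_OK = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 address-pool SSL-POOL
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
"""

# The post-upgrade state the article describes: pool defined, never applied.
SAMPLE_SHOW_RUN_BROKEN = SAMPLE_SHOW_RUN_OK.replace(" address-pool SSL-POOL\n", "")

# "ip local pool NAME START[-END] mask MASK"; END is optional (single address).
POOL_RE = re.compile(r"ip local pool (\S+) (\S+?)(?:-(\S+))? mask (\S+)$")


def parse_show_run(text):
    """Pull out pools, tunnel-group types/pools and interface subnets."""
    cfg = {"pools": {}, "tg_type": {}, "tg_pool": {}, "interfaces": []}
    section = None  # ("tg", name) or ("if", name) while inside a sub-command block
    iface = {}

    def flush_iface():
        if iface.get("nameif") and iface.get("network"):
            cfg["interfaces"].append((iface["nameif"], iface["network"]))

    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] not in " \t":  # top-level command starts a new section
            flush_iface()
            iface.clear()
            section = None
            if m := POOL_RE.match(line):
                name, start, end, mask = m.groups()
                cfg["pools"][name] = (start, end or start, mask)
            elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
                cfg["tg_type"][m.group(1)] = m.group(2)
            elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
                section = ("tg", m.group(1))
                cfg["tg_pool"].setdefault(m.group(1), None)
            elif m := re.match(r"interface (\S+)", line):
                section = ("if", m.group(1))
            continue
        if section and section[0] == "tg":
            if m := re.match(r"address-pool (\S+)", line):
                cfg["tg_pool"][section[1]] = m.group(1)
        elif section and section[0] == "if":
            if m := re.match(r"nameif (\S+)", line):
                iface["nameif"] = m.group(1)
            if m := re.match(r"ip address (\S+) (\S+)", line):
                iface["network"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
    flush_iface()
    return cfg


def check_anyconnect_addressing(text):
    """Return a list of human-readable findings; empty means nothing wrong."""
    cfg = parse_show_run(text)
    findings = []
    for tg, tg_type in cfg["tg_type"].items():
        if tg_type != "remote-access":
            continue
        pool = cfg["tg_pool"].get(tg)
        if pool is None:
            findings.append(f"tunnel-group {tg}: no address-pool under general-attributes "
                            "(clients will be rejected with 'No assigned address')")
            continue
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {tg}: address-pool {pool} is not defined "
                            "by any 'ip local pool' command")
            continue
        start, end, mask = cfg["pools"][pool]
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first or last not in net:
            findings.append(f"pool {pool}: range {start}-{end} does not fit inside {net}")
        for nameif, ifnet in cfg["interfaces"]:
            # Two ranges overlap when each starts before the other ends.
            if first <= ifnet[-1] and last >= ifnet[0]:
                findings.append(f"pool {pool}: {start}-{end} overlaps interface "
                                f"'{nameif}' subnet {ifnet}")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_SHOW_RUN_OK), ("broken", SAMPLE_SHOW_RUN_BROKEN)):
        print(label, check_anyconnect_addressing(sample) or "no findings")
```

Feed it the real "show run" text (for example, saved from the console) and an empty result means the pool and tunnel-group reference are both in place; anything it reports maps directly onto one of the fixes above.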

Afterthoughts

This happened because (pre-migration) I had the following command in the firewall config:
ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0

The firewall was (at that time) running version 8.2. In the past that syntax was fine; now you would need to specify the mask as 255.255.255.255 (to lease a single address). During the conversion this command was dropped, so it was never added to the tunnel-group either.
