01-05-2021

Cisco Anyconnect The Secure Gateway Has Rejected



Jul 20, 2008 'The secure gateway has rejected the connection attempt. The connection to the same or another secure gateway is needed, which requires re-authentication. The follow message was received from the secure gateway: No assigned address.' I shut the laptop down as I normally would and did not change any of the settings. Apr 11, 2021 Cisco Bug: CSCvs40531 - AnyConnect 4.8 not able to establish RA SSL to ASA/FTD headend. The secure gateway has rejected the connection attempt.

Contents

Introduction

This document describes different error messages generated when using the Cisco AnyConnect VPN Client on Apple iPad devices. Corresponding resolutions required in order to eliminate those error messages are also included.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco AnyConnect Secure Mobility Client 2.5.x for Apple iOS and later

  • Cisco ASA Security Appliance that runs software version 8.2 and later

  • Apple iOS 4.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Error Messages

This section provides examples of error messages and their respective solutions.

Licensing Issue

This error message is received on the iPad client when trying to launch the AnyConnect application:

Solution

You need to have the required license in order to use the AnyConnect VPN Client on iPad clients. Refer to this CLI snippet from the ASA show version command:

Provide details like 'PAK number' and 'Serial number of the device' at the Cisco Licensing Page (registered customers only) in order to obtain the license. You could also contact Cisco Technical Support or send an e-mail to licensing@cisco.com.

Certificate Authentication Issue

This error log message is received on the Cisco ASA:

%ASA-6-725007: SSL session with client outside:XX.YY.ZZ.ZZ/51249 terminated.

CERT-C: E ../cert-c/source/certobj.c(719) : Error #73ch

CRYPTO_PKI: can not set ca cert object (0x73c)

These error messages are received on the iPad client application:

Solution

The client certificate authentication is failing and the Cisco ASA can parse some certificate extensions successfully, but cannot validate the client certificate. In order to resolve this issue, configure the CA on the ASA and enroll the iPad. Once complete, you should connect successfully using the client certificate.

Address Assignment Issue

This error message is received when trying to connect to an ASA from an iPad AnyConnect Client.

Solution

Verify that the tunnel-group has a valid address-pool/dhcp server and that there are available addresses in that pool.

Cisco Anyconnect Secure Gateway Has Rejected

Group URL Issue

This error message is received while trying to connect:

Error Messages On AnyConnect For Apple IOS Devices - Cisco

Solution

Check that the group-url is properly configured on the iOS device and on the head-end. They must match exactly, minus the https://, which should exist on the head-end.

Other

Related Information

Cisco Bug: CSCtx92190 - Connection Failure Due To Address ...


Date: Oct 10, 2013
By: Mike Khzouz (Mike@bostonIT.com)
Scenario:
When using the Linux Cisco AnyConnect client x64 (like MAC, Ubuntu, Redhat RHEL and Debian) you might get the error above or if you connect through command like you might get the following errors:
Resolution:
1- Before you start troubleshooting the issue on the client side, make sure SSL certificates are installed and configured properly on the ASA. Go to http://www.digicert.com/help/ and test your server SSL certificate, if you see any issues, talk to your system admin to fix. In addition to your company SSL certificate, intermediate certificate from the ssl provider needs to be installed on the asa too, and that web tool can show you any issues in that regard (this is a common issue - missing intermediate cert) .
2- Important: Upgrade to the latest Cisco AnyConnect client. You can download that from the cisco TAC site but you need a username and a password. The latest version of Anyconnect as of this article is 3.1.04066.
3- In one of the cases the Cisco ASA had a Go Daddy SSL Certificate. Copying Go Daddy certificate from that Linux SSL Certificate folder to Cisco SSL certificate folder on the linux machine forced Anyconnect to trust that certificate.
sudo cp /etc/ssl/certs/Go* /opt/.cisco/certificates/ca/
If you are using a different 3rd party SSL certificate on the ASA, then you need to copy that certificate the same way
You can also copy all the certificates from /etc/ssl/certs/ to /opt/.cisco/certificates/ca/ if you are not sure what certificate you are using.
If you get this error in Windows make sure you stop Internet Sharing service in Windows services
If you find this article helpful, please click to like our facebook page below so we can keep on adding quality hands-on articles.

How To Configure Cisco AnyConnect VPN Client For Windows | Univ...


VPN - Uninstall Cisco AnyConnect Client On Windows ...