Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

AnyConnect over IKEv2 to ASA with AAA and Certificate Authentication
Document ID: 113692
Contributed by Atri Basu and Marcin Latosiewicz, Cisco TAC Engineers.
Jun 23, 2014
Contents
Introduction 
Prepare for the Connection
     Certificates with Proper EKU
     Configuration on the ASA
        Crypto Map Configuration
        IPsec Proposals
        IKEv2 Policies
        Client Services and Certificate
        Enable AnyConnect Profile
        Username, Group−Policy, and Tunnel−Group
     AnyConnect Profile
Make the Connection
Verification on ASA
Known Caveats
Introduction 
This document describes how to connect a PC to a Cisco Adaptive Security Appliance (ASA) with AnyConnect over IPsec (IKEv2), using both certificate authentication and Authentication, Authorization, and Accounting (AAA) authentication.
Note: The example in this document shows only the parts of the configuration that are relevant to establishing an IKEv2 connection between the ASA and AnyConnect. A full configuration example is not provided. Network Address Translation (NAT) and access-list configuration are neither described nor required for this document.
Prepare for the Connection
This section describes the preparations that are required before you can connect your PC to the ASA.
Certificates with Proper EKU
Even though the ASA and AnyConnect combination does not require it, the relevant RFC requires that the certificates carry an Extended Key Usage (EKU) extension:

• The certificate for the ASA must contain the server-auth EKU.
• The certificate for the PC must contain the client-auth EKU.

Issue the certificates with the correct EKU in any case, so that they are also accepted by peers and validators that do enforce the RFC requirement.
Note: An IOS router running a recent software release can issue certificates that include these EKUs.
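As an added example that is not part of the Cisco document, the following POSIX shell script uses the OpenSSL command line to issue a lab CA, an ASA certificate that carries only the server-auth EKU and a PC certificate that carries only the client-auth EKU, and then checks which EKU each certificate actually contains before it is imported. The CA name, the subject names, the hostname asa.example.com and the WORK directory are assumptions chosen for illustration; the only requirement is an OpenSSL release that supports the -addext option.

```shell
#!/bin/sh
# Added example (not from the Cisco document): issue a lab CA plus an ASA
# (server-auth) and a PC (client-auth) certificate with the OpenSSL CLI and
# verify the Extended Key Usage each one carries. Names are illustrative.
set -eu

# Output directory for keys and certificates (assumption: any writable dir).
WORK="${WORK:-$(mktemp -d)}"

# issue_leaf <name> <subject> <extfile>: create a key and CSR, then have the
# lab CA sign it with exactly the extensions listed in <extfile>.
issue_leaf() {
    name="$1"; subject="$2"; extfile="$3"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "$subject" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$extfile" \
        -out "$WORK/$name.crt" >/dev/null 2>&1
}

# issue_certs: build the self-signed lab CA and both end-entity certificates.
issue_certs() {
    # Self-signed lab root CA (assumed name "Lab Root CA").
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Lab Root CA" >/dev/null 2>&1

    # ASA identity certificate: server-auth EKU only. The SAN is the name
    # the AnyConnect client will connect to (assumed: asa.example.com).
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:asa.example.com\n' \
        > "$WORK/asa.ext"
    issue_leaf asa "/CN=asa.example.com" "$WORK/asa.ext"

    # PC (AnyConnect user) certificate: client-auth EKU only.
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/pc.ext"
    issue_leaf pc "/CN=user1" "$WORK/pc.ext"
}

# has_eku <cert.pem> <purpose>: succeed (exit 0) only if the certificate's
# X509v3 Extended Key Usage extension lists <purpose>, e.g.
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | grep -q "$2"
}

# Stand-alone run: issue everything and report the EKU of each certificate.
if [ "${1:-}" = "run" ]; then
    issue_certs
    for c in asa pc; do
        printf '%s.crt: ' "$c"
        openssl x509 -in "$WORK/$c.crt" -noout -text \
            | awk '/X509v3 Extended Key Usage/ { getline; print }'
    done
fi
```

Invoke the script with `run` to create the files under `$WORK`. Checking the ASA certificate for "TLS Web Server Authentication" and the PC certificate for "TLS Web Client Authentication" succeeds, while the cross checks (ASA certificate against the client purpose, PC certificate against the server purpose) fail, which is exactly the separation the EKU requirement calls for. The resulting ca.crt and the asa.crt/asa.key pair can be bundled with `openssl pkcs12 -export` for import into the ASA trustpoint.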