anyconnect enable
Enables AnyConnect VPN access on the ASA for a specific group policy or tunnel group.
Overview
The 'anyconnect enable' command is a fundamental configuration directive on Cisco ASA firewalls that activates the AnyConnect Secure Mobility Client for remote access VPN connections. AnyConnect is a modern SSL/TLS-based VPN solution that provides secure remote access for users from various devices, including Windows, macOS, Linux, iOS, and Android. The command is used within the context of a group policy or a tunnel group to permit AnyConnect client connections. Without this command, the ASA will not accept AnyConnect connections even if other VPN parameters are configured.

The command is simple but critical; it essentially flips a switch that allows the ASA to negotiate SSL VPN tunnels with AnyConnect clients. In a typical deployment, you create a group policy that defines attributes like DNS servers, split tunneling, and the AnyConnect client image, then apply that policy to a tunnel group. The 'anyconnect enable' command must be present in both the group policy and the tunnel group (or inherited from the default group policy) for the VPN to function.

This command is often one of the first steps in configuring remote access VPN on ASA, alongside setting up authentication, address pools, and network access rules. Understanding its placement and effect is crucial for troubleshooting connectivity issues, as missing this command is a common oversight. In troubleshooting workflows, verifying that 'anyconnect enable' appears in the running configuration of the relevant group policy and tunnel group is a quick check to ensure the ASA is configured to accept AnyConnect connections.
When to Use This Command
- Enable AnyConnect VPN for remote employees accessing corporate resources.
- Configure a group policy to allow AnyConnect client connections.
- Enable AnyConnect on a tunnel group for remote-access (client-to-site) VPN.
- Activate AnyConnect after initial ASA setup for remote access VPN.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| none | anyconnect enable | The command has no parameters. It is a simple enable/disable toggle. To disable, use 'no anyconnect enable'. |
Command Examples
Enable AnyConnect in a Group Policy
```
ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# anyconnect enable
ciscoasa(config-group-policy)#
```
The command is entered under group-policy configuration mode. No output confirms success. The group policy now allows AnyConnect connections.
Enable AnyConnect in a Tunnel Group
```
ciscoasa(config)# tunnel-group RemoteAccess type remote-access
ciscoasa(config)# tunnel-group RemoteAccess general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNPool
ciscoasa(config-tunnel-general)# default-group-policy DfltGrpPolicy
ciscoasa(config-tunnel-general)# anyconnect enable
ciscoasa(config-tunnel-general)#
```
The command is entered under tunnel-group general-attributes mode. It enables AnyConnect for that tunnel group. No output indicates success.
Understanding the Output
The 'anyconnect enable' command does not produce verbose output. When entered correctly, the ASA simply accepts the command and returns to the prompt. If the command is rejected, it indicates a syntax error or that the command is not available in the current mode. The command is typically used in group-policy or tunnel-group configuration modes. A successful entry means AnyConnect is enabled for that policy or tunnel group. To verify, use 'show running-config group-policy' or 'show running-config tunnel-group' and look for 'anyconnect enable' in the output. If missing, AnyConnect is not enabled.
Configuration Scenarios
Basic AnyConnect Remote Access VPN
A company wants to allow remote employees to connect to the corporate network using AnyConnect. The ASA is already configured with basic network settings.
Topology
Internet --- ASA (outside) --- Inside Network
Remote PC with AnyConnect client
Steps
1. Create an IP address pool for VPN clients.
2. Configure a group policy with AnyConnect enabled and other attributes.
3. Create a tunnel group of type remote-access and enable AnyConnect.
4. Apply the group policy to the tunnel group.
5. Configure authentication (e.g., local database or AAA server).
6. Configure network access rules to allow VPN traffic.
```
! Configure IP pool
ip local pool VPNPool 192.168.10.1-192.168.10.100 mask 255.255.255.0
! Configure group policy
group-policy DfltGrpPolicy attributes
 anyconnect enable
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
! Configure tunnel group
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy DfltGrpPolicy
 anyconnect enable
tunnel-group RemoteAccess webvpn-attributes
 authentication aaa LOCAL
! Enable webvpn
webvpn
 enable outside
```
Verify: Use 'show running-config group-policy DfltGrpPolicy' and 'show running-config tunnel-group RemoteAccess' to verify 'anyconnect enable' is present. Then test by connecting from an AnyConnect client.
Watch out: If the group policy does not have 'anyconnect enable', the tunnel group's enable will not work because the group policy overrides. Ensure both are enabled.
Troubleshooting with This Command
When troubleshooting AnyConnect connectivity issues, the 'anyconnect enable' command is a primary check. If clients cannot connect, first verify that the command is present in the relevant group policy and tunnel group. Use 'show running-config | include anyconnect enable' to quickly see whether it is configured anywhere. If missing, add it under the appropriate configuration mode. Also check that the tunnel group type is 'remote-access' and that webvpn is enabled on the outside interface.

Another common issue is that the group policy applied to the tunnel group does not have 'anyconnect enable', causing the client to be rejected even though the tunnel group has it. Use 'show vpn-sessiondb anyconnect' to list active sessions; if there are none, the enable command might be missing. Additionally, ensure that the AnyConnect client image is uploaded to the ASA if clients need to download or update the client package from the ASA.

The 'anyconnect enable' command does not affect clientless SSL VPN; it specifically enables the full-tunnel AnyConnect client. If you are using clientless (browser-based) VPN, this command is not needed. Also check that the ASA has the AnyConnect license installed. Without a valid license, the command may be accepted but connections will fail; use 'show version' to check for AnyConnect licenses.

In summary, the 'anyconnect enable' command is a simple but essential toggle; its absence is a frequent cause of AnyConnect VPN failures.
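The verification step of the scenario above and the checks in this troubleshooting section can be run offline against a saved 'show running-config' capture. The following script is an added example, not code from the page or from Cisco; it assumes ASA-style indentation (sub-commands indented by one space) and uses a constructed sample config in which the tunnel group is complete but its group policy is missing 'anyconnect enable'.

```python
# Constructed sample (not real ASA output): the scenario's RemoteAccess tunnel
# group is complete, but the group policy it uses lacks 'anyconnect enable'.
SAMPLE_CONFIG = """\
ip local pool VPNPool 192.168.10.1-192.168.10.100 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy DfltGrpPolicy
 anyconnect enable
webvpn
 enable outside
"""

def parse_sections(config):
    """Map each top-level mode line to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_anyconnect(config, tunnel_group, outside_if="outside"):
    """Return the checks from the troubleshooting section that fail (empty list = OK)."""
    s = parse_sections(config)
    findings = []
    if f"tunnel-group {tunnel_group} type remote-access" not in s:
        findings.append(f"tunnel-group {tunnel_group} is not type remote-access")
    general = s.get(f"tunnel-group {tunnel_group} general-attributes", [])
    if "anyconnect enable" not in general:
        findings.append(f"tunnel-group {tunnel_group}: missing 'anyconnect enable'")
    if not any(line.startswith("address-pool ") for line in general):
        findings.append(f"tunnel-group {tunnel_group}: no address-pool assigned")
    # Without an explicit default-group-policy the ASA falls back to DfltGrpPolicy.
    policy = next((line.split()[1] for line in general
                   if line.startswith("default-group-policy ")), "DfltGrpPolicy")
    if "anyconnect enable" not in s.get(f"group-policy {policy} attributes", []):
        findings.append(f"group-policy {policy}: missing 'anyconnect enable'")
    if f"enable {outside_if}" not in s.get("webvpn", []):
        findings.append(f"webvpn is not enabled on interface {outside_if}")
    return findings
```

Running `audit_anyconnect(SAMPLE_CONFIG, "RemoteAccess")` on the sample reports only the missing group-policy entry, which is exactly the "Watch out" case from the scenario.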
CCNA Exam Tips
Remember that 'anyconnect enable' is configured under group-policy or tunnel-group, not globally.
For CCNP Security, know that this command is required for AnyConnect remote access VPN to function.
Be aware that 'anyconnect enable' is a prerequisite for AnyConnect client connections; without it, clients cannot connect.
Common Mistakes
Mistake: Entering 'anyconnect enable' in global configuration mode. Consequence: Command is rejected because it's only valid under group-policy or tunnel-group.
Mistake: Forgetting to enable AnyConnect in both the group policy and tunnel group. Consequence: Clients may fail to connect or get inconsistent behavior.
Mistake: Using 'anyconnect enable' without first configuring other required parameters like address pool and authentication. Consequence: VPN may not work even though AnyConnect is enabled.
Platform Notes
On Cisco ASA, the 'anyconnect enable' command is used in group-policy and tunnel-group configuration modes. This differs from Cisco IOS routers, where AnyConnect is not natively supported (IOS uses IPsec or other VPN technologies). On ASA, the command is straightforward and has no parameters, and in newer ASA versions (9.x and later) it remains the same.

There is no equivalent on Cisco Firepower Threat Defense (FTD), which uses a different configuration model (via Firepower Management Center). On FTD, AnyConnect is enabled through policy objects and access control policies, not via CLI commands.

On ASA, the command is available in both single and multiple context modes; in multiple context mode it is configured in each context. There are no version-specific differences for this command; it has been consistent across ASA code versions. Note that the command must be entered exactly as 'anyconnect enable' (lowercase, no hyphen). Some older documentation might show 'anyconnect enable' as part of the 'webvpn' configuration, but it is now correctly placed under group-policy or tunnel-group.