Anyconnect IOS Radius

Hallo,
i hace a cisco 881 router with a Anyconnect VPN. the web interface works
but when i enter a username i'm getting a login failt.
looking at the Eventviewer of the NPS i can see that is is using the wrong NETWORK and CONNECT POLICY,
it needs to use the VPN policy.
configuration router Radius:
aaa group server radius VPN
server 172.16.200.10 auth-port 1645 acct-port 1646
configuration router AnyConnect:
webvpn gateway ANYCONNECT
ip interface FastEthernet4 port 8080
ssl trustpoint TP-self-signed-4264276022
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
webvpn context ANYCONNECT-CONTEXT
title "welcome to office"
ssl authenticate verify all
policy group ANYCONNECT-POLICY
   functions svc-required
   svc address-pool "Pool"
   svc keep-client-installed
   svc dns-server primary 8.8.8.8
default-group-policy ANYCONNECT-POLICY
aaa authentication list VPN
gateway ANYCONNECT
inservice
WHAT IS GOING WRONG?

Looks like settings on your server.
Have a look at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configldap
Step 2.

Similar Messages

Anyconnect IOS OSX lion unstable

I have a tac case opened on this but I wanted to throw this out to the community. I am running 15.0(1)M6 on a 881. Anyconnect version is 3.0.3.3054 on osx lion Mac book pro.
I connect fine to the router but it will go through a series of disconnect then reconnects several
times during a session. In a 2 minute period I have seen it renegotiate the connection 7 times once.
It appears to be worse when streaming video over the tunnel. I have tried snow leopard and different
IOS versions with no success. Anyone else experience this isse?
Thanks

For iOS devices, tap Settings > iCloud
Switch Documents & Data off then back on.
For your Mac. Open System Preferences > iCloud
Deselect the box next to Documents & Data then reselect it.
Give iCloud a few minutes to re sync the data.

Anyconnect ios Wifi issues after roaming

Hi,
After roaming with cellular network, the wifi does not access the network despite the connection established. I have to renew the lease of the connection to have access to the network.
I encounter the problem on IOS 5.1 with the latest version of AnyConnect. Have you everencountered this problem?
thank you,
Cedric H.
France

Hi,
After roaming with cellular network, the wifi does not access the network despite the connection established. I have to renew the lease of the connection to have access to the network.
I encounter the problem on IOS 5.1 with the latest version of AnyConnect. Have you everencountered this problem?
thank you,
Cedric H.
France

Anyconnect IOS

Hey folks.
I have configured my router with anyconnect vpn. config seems ok. copy attached below. but once i access thru web, instead of taking me to the vpn page after authenticating its taking me to Cisco Configuration Professional Express.
Doesnt make sense to me. Some inputs pls.I tried redirecting my vpn to another port yet no luck. that gives me blank page.

R1(config)#webvpn install svc flash://anyconnect-win-3.1.00495-k9.pkg
It is the normal command we use to give.If this doesn't work then you have to create webvpn directory in flash and copy anyconnect file in webvpn directory with the name svc.pkg
R1# mkdir flash:webvpn
R1# copy tftp:// x.x.x.x/anyconnect-win-3.1.02026-k9.pkg flash:/webvpn/svc.pkg
R1# webvpn install svc flash:/webvpn/svc.pkg
HTH

Problem radius authetication ACS 5.4

Hi friends,
Do you know about this problem with radius authenticaction in ACS 5.
This is la log.
Best regard,
Marco

We are using MC75A terminals. The terminal says wrong username and password, but the user has green color in the ACE log.
Using the following ios radius statements on the NAS:
aaa authentication ppp default group radius local
aaa authorization network default group radius local
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key 7 XXXX
Works fine with the old tacacs server.
regards
bjornar

TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding

TACACS+ configured on router and router is in ACS. I can ping the ACS but the router cannot establish a connection to authenticate users.
aaa group server tacacs+ hq_acs-1
server 10.20.17.2
ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
BigTree_3945#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.4.3.1        YES NVRAM down                  down
GigabitEthernet0/1         10.12.10.26     YES NVRAM up                    up
Serial0/2/0                unassigned      YES NVRAM down                  down
Serial0/2/0.602            10.12.15.10     YES NVRAM down                  down
Apr 13 11:08:13.673: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:13.673: TPLUS: processing authentication start request id 79
Apr 13 11:08:13.675: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:25.834: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:25.834: TPLUS: processing authentication start request id 79
Apr 13 11:08:25.834: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:25.834: TPLUS: Using server 10.20.17.2
Apr 13 11:08:25.834: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:30.836: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:43.689: TAC: Using default tacacs server-group "tacacs" list.
Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
Apr 13 11:08:51.057: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:51.057: TPLUS: processing authentication start request id 79
Apr 13 11:08:51.057: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
Apr 13 11:08:54.692: TPLUS: Queuing AAA Accounting request 76 for processing
Apr 13 11:08:54.692: TPLUS: processing accounting request id 76
Apr 13 11:08:54.692: TPLUS: Sending AV task_id=332
Apr 13 11:08:54.692: TPLUS: Sending AV timezone=EDT
Apr 13 11:08:54.692: TPLUS: Sending AV service=shell
Apr 13 11:08:54.692: TPLUS: Sending AV start_time=1334329734
Apr 13 11:08:54.692: TPLUS: Sending AV priv-lvl=15
Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging <cr>
Apr 13 11:08:54.692: TPLUS: Accounting request created for 76(n20j03t)
Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:56.058: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out, clean up
Apr 13 11:08:59.693: TPLUS(0000004C)/1/20FD90EC: Processing the reply packet
BigTree_3945#
AAA Client IP Address
10.4.3.* 10.12.15.10
Key
Network Device Group
Test
NJT
AccessLink
(Not Assigned)
Authenticate Using
TACACS+ (Cisco IOS)
RADIUS (Cisco Aironet)
RADIUS (Cisco BBSM)
RADIUS (Cisco IOS/PIX)
RADIUS (Cisco VPN 3000)
RADIUS (Cisco VPN 5000)
RADIUS (IETF)
RADIUS (Ascend)
RADIUS (Juniper)
RADIUS (Nortel)
RADIUS (iPass)
Single Connect TACACS+ AAA Client (Record stop in accounting on failure).
The 10.12.10.* range is listed under the HQ site.
Your help is greatly appreciated.

You stated that you can ping ACS from the router, did you try sourcing the packets from the GigabitEthernet 0/0 interface (which is the one TACACS+ will try to use, given the configuration that you posted)?
What does the network path between the router and ACS look like (ie, any firewalls, NAT, etc)?
Can you connect to port 49 at the ACS IP address from the router sourcing the packets from GigabitEthernet 0/0 ?
Are you using VRFs?
What version of IOS?

Standard (application-based) firewall with one additional port open?

Lion and Snow Leopard both have application based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?

Hi
The Zone based firewall uses "inspect" statements, that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
ip access-list standard INSIDE-NETWORK_ACL
permit 192.168.1.0 255.255.255.0
class-map type inspect INSIDE-NETWORK_CMAP
match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
class type inspect INSIDE-NETWORK_CMAP
inspect
policy-map type inspect OUTSIDE-TO-SELF
class type inspect HTTPS_CMAP
pass
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTISDE
service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF
I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

Assigned by AAA client pool problem

folks
i think i'm getting closer to resolving my problem with acs and dhcp
i have an acs se (4.1) authenticating dialin users on a management network
i'm getting duplicate ip addresses being issued by the acs so i want to use a router to allocate dhcp addresses to upto 8 scopes - one per user on the acs
i've added the router as a aaa client on the acs with cisco ios radius and in the user settings i selected Assigned by AAA client pool and selected the pool name used on the router
once the user tries they get authenticated but i don't see any dhcp requests to the router
the acs se has 4 other aaa clients
has anyone had an issue or successfully configured this before?
thanks to anyone taking the time to read this or to post a reply
greatly appreciated

With ACS v4 you could do this....
Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme which each target group using a different IP pool.
Probably only works when users are external as you need group mapping to make it work.
A bit cludgy.. but should work.

IOS SSL VPN WITH RADIUS Authorization

Hi
I'm trying to authenitcate and authorize the users loggining into SSLVPN via ACS and although the ACS loggs and "TEST" command on the router shw succeeful authentication i receive the flollowing debug
*Jun 6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
Rack1R1(config)#
*Jun 6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
Rack1R1(config)#
*Jun 6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
*Jun 6 22:40:21.409: RADIUS(00000000): sending
*Jun 6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
*Jun 6 22:40:21.409: RADIUS: authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
*Jun 6 22:40:21.409: RADIUS: User-Name           [1]   16 "SSLUSER@SSLVPN"
Rack1R1(config)#
*Jun 6 22:40:21.409: RADIUS: User-Password       [2]   18 *
*Jun 6 22:40:21.409: RADIUS: NAS-IP-Address      [4]   6   150.1.1.1
*Jun 6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
*Jun 6 22:40:21.669: RADIUS: authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
*Jun 6 22:40:21.669: RADIUS: Framed-IP-Address   [8]   6   255.255.255.255
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 28
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22 "webvpn:svc-enabled=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 29
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23 "webvpn:svc-required=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 50
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44 "webvpn:split-include=6.6.6.0 255.255.255.0"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 35
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29 "webvpn:keep-svc-installed=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 31
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25 "webvpn:addr-pool=SSLVPN"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 41
*Jun 6 22:40:21.669: RADIUS: Service-Type        [6]   6   Outbound                  [5]
*Jun 6 22:40:21.669: RADIUS: Class               [25] 36
*Jun 6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30 [CACS:0/470/96010]
*Jun 6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56 [101/SSLUSER@SSLV]
*Jun 6 22:40:21.669: RADIUS:   50 4E                                            [PN]
*Jun 6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
*Jun 6 22:40:21.673: RADIUS(00000000): Unique id not in use
Rack1R1(config)#
*Jun 6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
*Jun 6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
Rack1R1(config)#
*Jun 6 22:40:23.673: WV-AAA: AAA Authentication Failed!
Rack1R1(config)#
*Jun 6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
Rack1R1(config)#
router Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Rack1R1
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/1
logging message-counter syslog
enable password cisco
aaa new-model
aaa authentication login RAD group radius
aaa authorization network RAD group radius
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip domain name INE.com
ip host cisco.com 136.1.121.1
ip host www.cisco.com 136.1.121.1
ip host www.google.com 136.1.121.1
ip host www.ripe.net 136.1.121.1
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3354934498
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3354934498
revocation-check none
rsakeypair TP-self-signed-3354934498
crypto pki certificate chain TP-self-signed-3354934498
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333534 39333434 3938301E 170D3132 30363036 31333030
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353439
33343439 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1E5 889BEB9A 31DFC0D4 7C7F698F 0F52E404 0849263A BD443A96 13C6A440
DCBD4345 EF301E91 0D4AADD9 3C2A17F2 E26E5E96 90F96809 D8FCCF32 7EB58100
74E4772C 6395E03C 1B7F1AF5 482F861F DD62D079 F9977FE2 0E544E18 5FAAF290
DF665B45 EF10D3EC D924E87A 5F827F07 06DE8961 F361C3FA EDBE5F68 452221C8
B9570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
551D1104 13301182 0F526163 6B315231 2E494E45 2E636F6D 301F0603 551D2304
18301680 140B00B8 FD9B58CF 8A6F51BE 25DEC6C5 85E14495 05301D06 03551D0E
04160414 0B00B8FD 9B58CF8A 6F51BE25 DEC6C585 E1449505 300D0609 2A864886
F70D0101 04050003 81810006 4192E2DB ABAF533E 9C4BF24E DF6BFD45 144A6AE9
C874E311 27B23E7B E8DB18C3 4FFB4ACA 4B09F63E 62501578 D8F58D73 D08F016F
49C99B8D DA1073E5 A141C1C7 505BD191 FC58EA7F 54BD9B98 579E1726 7C1CA619
A45DDABC 8F315EE9 D20A30A8 2BD5D67D B744BD69 353B4670 E5BA4540 47059E60
9DC4C940 E91AACBB 4EAFFA
        quit
username admin privilege 15 password 0 admin
username SSLUSER@SSLVPN password 0 cisco
archive
log config
hidekeys
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode client
xauth userid mode interactive
ip tcp synwait-time 5
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Loopback6
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
encapsulation dot1Q 12
ip address 136.1.11.1 255.255.255.0
interface FastEthernet0/1.121
encapsulation dot1Q 121
ip address 136.1.121.1 255.255.255.0
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
interface Vlan1
no ip address
router rip
version 2
passive-interface FastEthernet0/1.11
network 136.1.0.0
network 150.1.0.0
no auto-summary
ip local pool SSLVPN 40.0.0.1 40.0.0.254
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 136.1.121.12
ip http server
ip http secure-server
ip dns server
ip access-list extended SPLIT
permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
ip radius source-interface Loopback0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface Loopback0 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-3354934498
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context SSLVPN
title "**SSLVPN **"
ssl encryption rc4-md5
ssl authenticate verify all
aaa authentication list RAD
aaa authentication domain @SSLVPN
aaa authorization list RAD
gateway SSLVPN
inservice
end
Any Idea?

Hi,
As I understand , you need to know if you can assign static ip to a user and also is there any other way of assiging a ip other than local pool.
There are three ways of assinging an ip address to VPN client: using local pool, AAA server,DHCP.
You can use the following link for more information:-
Assigning static ip for user present locally on ASA:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
For user present on Active Directory:-
http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
The following is the link for assigning ip address using DHCP:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
I hope it helps.
Thanks,
Shilpa

AnyConnect and IKEv2 with IOS Local AAA

Hi,
Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
Cheers,
Matt

Your NAT is nearly correct. There are just two small things:
1) What do you want to achive with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL-lines.
nat (inside,outside) source static WAN interface
2) The NAT-exemtion is nearly fine. This NAT-rule is typically configured with two more parameters:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

No SSL VPN tunnel from AnyConnect to IOS

Dear all
Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
But I simply cannot make it work.
I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
Here is my configuration on the router:
crypto pki trustpoint TP-self-signed-595019360
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-595019360
revocation-check none
rsakeypair TP-self-signed-595019360
crypto pki certificate chain TP-self-signed-595019360
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
[......skipped....]
interface Loopback123
ip address 192.168.123.254 255.255.255.0
ip local pool GS-POOL 192.168.123.1 192.168.123.10
webvpn gateway GS-GW
hostname GS-VPN-test
ip address x.x.x.x port 443
ssl trustpoint TP-self-signed-595019360
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context GS-CONTEXT
ssl authenticate verify all
policy group GS-POLICY
   functions svc-required
   svc address-pool "GS-POOL"
default-group-policy GS-POLICY
gateway GS-GW
inservice
These are my debug settings:
#sh debug
WebVPN Subsystem:
WebVPN (verbose) debugging is on
debug webvpn entry GS-CONTEXT
WebVPN HTTP (verbose) debugging is on
WebVPN AAA debugging is on
WebVPN tunnel (verbose) debugging is on
WebVPN Single Sign On debugging is on
And these are all debug messages I get upon incoming connection:
Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
At this point the Anyconnect client says "Connection attempt failed" and that's all.
So please, any advice how to solve this?
And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
Thanks a lot for any suggestions,
Grischa

Some more restrictions:
12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
In short, if it's possible to upgrade, go to 15.0(1)M7 (or latest 12.4(24)Tx if 15.0 is out of the question)
If you're stuck with 12.4(15)T, only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
hth
Herbert

IOS WebVPN AnyConnect keeps reconnecting

Hi
AnyConnect 3.1.05152 and 3.1.04063 reconnects about every minute on Windows 7 x64 and Windows 8.1 x32. This issue happens whether I'm connected via cable or wireless. Sometimes I see strange messages on the routers console depending on the client I use:
169BEE80: 16030300 89010000 85030352 BD99CFBD ...........R=.O=169BEE90: DBFF9A0E BFC9ADB6 8F77265E 80728829 [...?I-6.w&^.r.)169BEEA0: 42F01ED7 6999F45E 0CDCB800 0026003C Bp.Wi.t^.\8..&.<..
Gateway: Cisco 897VAW router, Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(1)T, RELEASE SOFTWARE (fc2). The problem also exists in with 15.3.3M1.
For troubleshooting purposes I connected the router and the client on the same subnet. On the client I'm pinging a loopback address of the router.
Message history in AnyConnect:
[12/27/13 16:33:21] Establishing VPN...[27.12.2013 16:33:21] Connected to 192.168.x.y.[27.12.2013 16:33:50] Reconnecting to 192.168.x.y...[27.12.2013 16:33:50] Connected to 192.168.x.y.[27.12.2013 16:34:20] Reconnecting to 192.168.x.y...[27.12.2013 16:34:22] Connected to 192.168.x.y.[27.12.2013 16:34:52] Reconnecting to 192.168.x.y...[27.12.2013 16:34:56] Connected to 192.168.x.y.[27.12.2013 16:35:26] Reconnecting to 192.168.x.y...[27.12.2013 16:35:43] Establishing VPN - Examining system...[27.12.2013 16:35:43] Establishing VPN - Activating VPN adapter...[27.12.2013 16:35:43] Establishing VPN - Configuring system...[27.12.2013 16:35:44] Establishing VPN...[27.12.2013 16:35:44] Connected to 192.168.x.y.[27.12.2013 16:36:13] Reconnecting to 192.168.x.y...[27.12.2013 16:36:13] Connected to 192.168.x.y.[27.12.2013 16:36:43] Reconnecting to 192.168.x.y...[27.12.2013 16:36:45] Connected to 192.168.x.y.[27.12.2013 16:37:15] Reconnecting to 192.168.x.y...[27.12.2013 16:37:20] Connected to 192.168.x.y.[27.12.2013 16:37:49] Reconnecting to 192.168.x.y...[27.12.2013 16:38:06] Establishing VPN - Examining system...[27.12.2013 16:38:06] Establishing VPN - Activating VPN adapter...[27.12.2013 16:38:06] Establishing VPN - Configuring system...[27.12.2013 16:38:07] Establishing VPN...[27.12.2013 16:38:07] Connected to 192.168.x.y.[27.12.2013 16:38:36] Reconnecting to 192.168.x.y...[27.12.2013 16:38:36] Connected to 192.168.x.y.[27.12.2013 16:39:06] Reconnecting to 192.168.x.y...[27.12.2013 16:39:08] Connected to 192.168.x.y.[27.12.2013 16:39:38] Reconnecting to 192.168.x.y...[...]
Messages found via DART:
Date        : 12/27/2013Time        : 16:33:50Type        : ErrorSource      : acvpnagentDescription : Function: CTlsTunnelMgr::OnTunnelReadCompleteFile: .\TlsTunnelMgr.cppLine: 1690Invoked Function: CTunnelStateMgr::readTunnelReturn Code: -31588336 (0xFE1E0010)Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer.callback******************************************Date        : 12/27/2013Time        : 16:33:50Type        : WarningSource      : acvpnagentDescription : Tunnel level reconnect reason code 6:Disruption of the VPN connection to the secure gateway.Caching the default reconnect reason for SSL******************************************Date        : 12/27/2013Time        : 16:33:50Type        : InformationSource      : acvpnagentDescription : The Primary SSL connection to the secure gateway is being re-established.******************************************Date        : 12/27/2013Time        : 16:33:50Type        : InformationSource      : acvpnagentDescription : The VPN client has sent the following close message to the gateway:Reconnecting to recover from error.******************************************Date        : 12/27/2013Time        : 16:33:50Type        : WarningSource      : acvpnagentDescription : A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify
Example session on router:
show webvpn session user xy context all detailSession Type      : Full TunnelClient User-Agent : AnyConnect Windows 3.1.04063Username          : xy                   Num Connection : 1Public IP         : 192.168.x.x          VRF Name       : NoneContext           : PLUTO                Policy Group   : VPN-POLICYLast-Used         : 00:00:00             Created        : 16:10:49.136 UTC Fri Dec 27 2013Session Timeout   : Disabled             Idle Timeout   : 2100DPD GW Timeout    : 300                  DPD CL Timeout : 300Address Pool      : webvpn-pool          MTU Size       : 1399Rekey Time        : 3600                 Rekey Method   :Lease Duration    : 43200Tunnel IP         : 192.168.30.14        Netmask        : 255.255.255.0Tunnel-mode filte : VPN-ACLRx IP Packets     : 85                   Tx IP Packets : 175CSTP Started      : 00:00:04             Last-Received : 00:00:00CSTP DPD-Req sent : 0                    Virtual Access : 1Msie-ProxyServer : None                 Msie-PxyPolicy : DisabledMsie-Exception    :Split Include     : 192.168.34.0 255.255.255.0                    192.168.30.0 255.255.255.0Client Ports      : 49390
Relevant router configuration:
aaa new-modelaaa authentication login WEBVPN local-caseusername xy@domain ...crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.04063-k9.pkg sequence 1webvpn gateway STARGATE ip interface Vlan1 port 443 ssl encryption aes256-sha1 rsa-dhe-aes128-sha1 rsa-dhe-aes256-sha1 ssl trustpoint webvpn inservice !webvpn context PLUTO[...] acl "VPN-ACL"   permit ip 192.168.30.0 255.255.255.0 ... ! acl "DENY-ACL"   deny ip any any aaa authentication list WEBVPN aaa authentication domain @domain gateway STARGATE max-users 5 ! ssl authenticate verify all ! inservice ! policy group VPN-POLICY   acl "DENY-ACL"   functions svc-enabled   functions svc-required   filter tunnel VPN-ACL   svc address-pool "webvpn-pool" netmask 255.255.255.255   svc split include 192.168.34.0 255.255.255.0   svc split include 192.168.30.0 255.255.255.0 default-group-policy VPN-POLICY
I've already tried to use rc4-md5 as SSL encryption in the gateway, but it didn't solve the problem.
How can I fix this problem?

Hi !
I have exactly same error ! AnyConnect session is reconnecting every 30 seconds, when CSTP timer reaches 29 seconds.
Router#sh webvpn session user USER context all
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:28:07 Created : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites :
Session Type : Full Tunnel
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 1
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:00:00 Created : 20:57:04.657 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
DPD GW Timeout : 300 DPD CL Timeout : 300
Address Pool : RemoteAdminsPool MTU Size : 1199
Rekey Time : 3600 Rekey Method :
Lease Duration : 43200
Tunnel IP : 100.100.100.2 Netmask : 255.255.255.0
Rx IP Packets : 1329 Tx IP Packets : 2023
CSTP Started : 00:00:29 Last-Received : 00:00:00
CSTP DPD-Req sent : 0 Virtual Access : 4
Msie-ProxyServer : None Msie-PxyPolicy : Disabled
Msie-Exception :
Split Include : ACL ACL_1
Client Ports : 31054
Next sh webvpn session output looks like:
Router#sh webvpn session user USER context all
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:36:22 Created : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites :
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:00:00 Created : 21:25:41.482 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites : svc-required
svc-enabled
So my FullTunnel session change to Clientless after 30 seconds, and back to FullTunnel. CSTP timer reaches 29 seconds and all repeats.

Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones

Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from and internal office phone, i.e., NOT involving the PSTN then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
end

I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purpose) and then test to see if the calls function properly. If they work fine then we know that we need to open som ports there.
Please remember to select a correct answer and rate helpful posts

IKEv2 AnyConnect and Pool allocation via RADIUS

I am configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
home                    Cleartext-Password := "cisco"
                             Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                             Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                              Framed-Pool = "CUST-A-POOL"
matt@home               Cleartext-Password := "test123"
Group and user authorization information is then merged and cloned onto the virtual template:
crypto ikev2 name-mangler EXTRACT-GROUP
eap suffix delimiter @
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
match fvrf IPSEC-FVRF
match identity remote key-id FlexAnyConnect
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint cacert.org
dpd 60 2 on-demand
aaa authentication eap FlexVPN-AuthC-List1
aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
aaa authorization user eap cached
virtual-template 1
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel vrf IPSEC-FVRF
tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
*Aug 16 21:36:39.384 BST: RADIUS: Framed-IP-Pool      [88] 13 "CUST-A-POOL"
However, the crypto debugs state that an IP address cannot be assigned:
*Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
<snip>
Payload contents:
AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
Cheers,
Matt

Marcin,
Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
Cheers,
Matt

Does AnyConnect 3.0 supports in IOS 12.4(20)?

Hello.
We have Cisco 2821 and IOS 12.4(20)T2.
In browser-initiated mode AnyConnect 3.0.5075 works fine.
But in standalone mode it doesn't work.

Check your case on the "srst_Cisco..." - do a show flash and make sure Cisco is not all caps.
From a 12.4 config...
application
service srstaa flash:srst_CISCO.2.0.0.0.tcl
paramspace english index 1
paramspace english language en
param operator 30098
paramspace english location flash:
paramspace english prefix en
param aa-pilot 47200
global
service alternate Default
dial-peer voice 47200 pots
service srstaa
incoming called-number 47200
port 0/1/0:23

Anyconnect IOS Radius

Similar Messages

Maybe you are looking for