Anyconnect IOS

Hey folks.
I have configured my router with anyconnect vpn. config seems ok. copy attached below. but once i access thru web, instead of taking me to the vpn page after authenticating its taking me to Cisco Configuration Professional Express.
Doesnt make sense to me. Some inputs pls.I tried redirecting my vpn to another port yet no luck. that gives me blank page.

R1(config)#webvpn install svc flash://anyconnect-win-3.1.00495-k9.pkg
It is the normal command we use to give.If this doesn't work then you have to create webvpn directory in flash and copy anyconnect file in webvpn directory with the name svc.pkg
R1# mkdir flash:webvpn
R1# copy tftp:// x.x.x.x/anyconnect-win-3.1.02026-k9.pkg flash:/webvpn/svc.pkg
R1# webvpn install svc flash:/webvpn/svc.pkg
HTH

Similar Messages

Anyconnect IOS OSX lion unstable

I have a tac case opened on this but I wanted to throw this out to the community. I am running 15.0(1)M6 on a 881. Anyconnect version is 3.0.3.3054 on osx lion Mac book pro.
I connect fine to the router but it will go through a series of disconnect then reconnects several
times during a session. In a 2 minute period I have seen it renegotiate the connection 7 times once.
It appears to be worse when streaming video over the tunnel. I have tried snow leopard and different
IOS versions with no success. Anyone else experience this isse?
Thanks

For iOS devices, tap Settings > iCloud
Switch Documents & Data off then back on.
For your Mac. Open System Preferences > iCloud
Deselect the box next to Documents & Data then reselect it.
Give iCloud a few minutes to re sync the data.

Anyconnect ios Wifi issues after roaming

Hi,
After roaming with cellular network, the wifi does not access the network despite the connection established. I have to renew the lease of the connection to have access to the network.
I encounter the problem on IOS 5.1 with the latest version of AnyConnect. Have you everencountered this problem?
thank you,
Cedric H.
France

Hi,
After roaming with cellular network, the wifi does not access the network despite the connection established. I have to renew the lease of the connection to have access to the network.
I encounter the problem on IOS 5.1 with the latest version of AnyConnect. Have you everencountered this problem?
thank you,
Cedric H.
France

Anyconnect IOS Radius

Hallo,
i hace a cisco 881 router with a Anyconnect VPN. the web interface works
but when i enter a username i'm getting a login failt.
looking at the Eventviewer of the NPS i can see that is is using the wrong NETWORK and CONNECT POLICY,
it needs to use the VPN policy.
configuration router Radius:
aaa group server radius VPN
server 172.16.200.10 auth-port 1645 acct-port 1646
configuration router AnyConnect:
webvpn gateway ANYCONNECT
ip interface FastEthernet4 port 8080
ssl trustpoint TP-self-signed-4264276022
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
webvpn context ANYCONNECT-CONTEXT
title "welcome to office"
ssl authenticate verify all
policy group ANYCONNECT-POLICY
   functions svc-required
   svc address-pool "Pool"
   svc keep-client-installed
   svc dns-server primary 8.8.8.8
default-group-policy ANYCONNECT-POLICY
aaa authentication list VPN
gateway ANYCONNECT
inservice
WHAT IS GOING WRONG?

Looks like settings on your server.
Have a look at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configldap
Step 2.

Standard (application-based) firewall with one additional port open?

Lion and Snow Leopard both have application based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?

Hi
The Zone based firewall uses "inspect" statements, that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
ip access-list standard INSIDE-NETWORK_ACL
permit 192.168.1.0 255.255.255.0
class-map type inspect INSIDE-NETWORK_CMAP
match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
class type inspect INSIDE-NETWORK_CMAP
inspect
policy-map type inspect OUTSIDE-TO-SELF
class type inspect HTTPS_CMAP
pass
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTISDE
service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF
I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

No SSL VPN tunnel from AnyConnect to IOS

Dear all
Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
But I simply cannot make it work.
I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
Here is my configuration on the router:
crypto pki trustpoint TP-self-signed-595019360
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-595019360
revocation-check none
rsakeypair TP-self-signed-595019360
crypto pki certificate chain TP-self-signed-595019360
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
[......skipped....]
interface Loopback123
ip address 192.168.123.254 255.255.255.0
ip local pool GS-POOL 192.168.123.1 192.168.123.10
webvpn gateway GS-GW
hostname GS-VPN-test
ip address x.x.x.x port 443
ssl trustpoint TP-self-signed-595019360
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context GS-CONTEXT
ssl authenticate verify all
policy group GS-POLICY
   functions svc-required
   svc address-pool "GS-POOL"
default-group-policy GS-POLICY
gateway GS-GW
inservice
These are my debug settings:
#sh debug
WebVPN Subsystem:
WebVPN (verbose) debugging is on
debug webvpn entry GS-CONTEXT
WebVPN HTTP (verbose) debugging is on
WebVPN AAA debugging is on
WebVPN tunnel (verbose) debugging is on
WebVPN Single Sign On debugging is on
And these are all debug messages I get upon incoming connection:
Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
At this point the Anyconnect client says "Connection attempt failed" and that's all.
So please, any advice how to solve this?
And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
Thanks a lot for any suggestions,
Grischa

Some more restrictions:
12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
In short, if it's possible to upgrade, go to 15.0(1)M7 (or latest 12.4(24)Tx if 15.0 is out of the question)
If you're stuck with 12.4(15)T, only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
hth
Herbert

IOS WebVPN AnyConnect keeps reconnecting

Hi
AnyConnect 3.1.05152 and 3.1.04063 reconnects about every minute on Windows 7 x64 and Windows 8.1 x32. This issue happens whether I'm connected via cable or wireless. Sometimes I see strange messages on the routers console depending on the client I use:
169BEE80: 16030300 89010000 85030352 BD99CFBD ...........R=.O=169BEE90: DBFF9A0E BFC9ADB6 8F77265E 80728829 [...?I-6.w&^.r.)169BEEA0: 42F01ED7 6999F45E 0CDCB800 0026003C Bp.Wi.t^.\8..&.<..
Gateway: Cisco 897VAW router, Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(1)T, RELEASE SOFTWARE (fc2). The problem also exists in with 15.3.3M1.
For troubleshooting purposes I connected the router and the client on the same subnet. On the client I'm pinging a loopback address of the router.
Message history in AnyConnect:
[12/27/13 16:33:21] Establishing VPN...[27.12.2013 16:33:21] Connected to 192.168.x.y.[27.12.2013 16:33:50] Reconnecting to 192.168.x.y...[27.12.2013 16:33:50] Connected to 192.168.x.y.[27.12.2013 16:34:20] Reconnecting to 192.168.x.y...[27.12.2013 16:34:22] Connected to 192.168.x.y.[27.12.2013 16:34:52] Reconnecting to 192.168.x.y...[27.12.2013 16:34:56] Connected to 192.168.x.y.[27.12.2013 16:35:26] Reconnecting to 192.168.x.y...[27.12.2013 16:35:43] Establishing VPN - Examining system...[27.12.2013 16:35:43] Establishing VPN - Activating VPN adapter...[27.12.2013 16:35:43] Establishing VPN - Configuring system...[27.12.2013 16:35:44] Establishing VPN...[27.12.2013 16:35:44] Connected to 192.168.x.y.[27.12.2013 16:36:13] Reconnecting to 192.168.x.y...[27.12.2013 16:36:13] Connected to 192.168.x.y.[27.12.2013 16:36:43] Reconnecting to 192.168.x.y...[27.12.2013 16:36:45] Connected to 192.168.x.y.[27.12.2013 16:37:15] Reconnecting to 192.168.x.y...[27.12.2013 16:37:20] Connected to 192.168.x.y.[27.12.2013 16:37:49] Reconnecting to 192.168.x.y...[27.12.2013 16:38:06] Establishing VPN - Examining system...[27.12.2013 16:38:06] Establishing VPN - Activating VPN adapter...[27.12.2013 16:38:06] Establishing VPN - Configuring system...[27.12.2013 16:38:07] Establishing VPN...[27.12.2013 16:38:07] Connected to 192.168.x.y.[27.12.2013 16:38:36] Reconnecting to 192.168.x.y...[27.12.2013 16:38:36] Connected to 192.168.x.y.[27.12.2013 16:39:06] Reconnecting to 192.168.x.y...[27.12.2013 16:39:08] Connected to 192.168.x.y.[27.12.2013 16:39:38] Reconnecting to 192.168.x.y...[...]
Messages found via DART:
Date        : 12/27/2013Time        : 16:33:50Type        : ErrorSource      : acvpnagentDescription : Function: CTlsTunnelMgr::OnTunnelReadCompleteFile: .\TlsTunnelMgr.cppLine: 1690Invoked Function: CTunnelStateMgr::readTunnelReturn Code: -31588336 (0xFE1E0010)Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer.callback******************************************Date        : 12/27/2013Time        : 16:33:50Type        : WarningSource      : acvpnagentDescription : Tunnel level reconnect reason code 6:Disruption of the VPN connection to the secure gateway.Caching the default reconnect reason for SSL******************************************Date        : 12/27/2013Time        : 16:33:50Type        : InformationSource      : acvpnagentDescription : The Primary SSL connection to the secure gateway is being re-established.******************************************Date        : 12/27/2013Time        : 16:33:50Type        : InformationSource      : acvpnagentDescription : The VPN client has sent the following close message to the gateway:Reconnecting to recover from error.******************************************Date        : 12/27/2013Time        : 16:33:50Type        : WarningSource      : acvpnagentDescription : A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify
Example session on router:
show webvpn session user xy context all detailSession Type      : Full TunnelClient User-Agent : AnyConnect Windows 3.1.04063Username          : xy                   Num Connection : 1Public IP         : 192.168.x.x          VRF Name       : NoneContext           : PLUTO                Policy Group   : VPN-POLICYLast-Used         : 00:00:00             Created        : 16:10:49.136 UTC Fri Dec 27 2013Session Timeout   : Disabled             Idle Timeout   : 2100DPD GW Timeout    : 300                  DPD CL Timeout : 300Address Pool      : webvpn-pool          MTU Size       : 1399Rekey Time        : 3600                 Rekey Method   :Lease Duration    : 43200Tunnel IP         : 192.168.30.14        Netmask        : 255.255.255.0Tunnel-mode filte : VPN-ACLRx IP Packets     : 85                   Tx IP Packets : 175CSTP Started      : 00:00:04             Last-Received : 00:00:00CSTP DPD-Req sent : 0                    Virtual Access : 1Msie-ProxyServer : None                 Msie-PxyPolicy : DisabledMsie-Exception    :Split Include     : 192.168.34.0 255.255.255.0                    192.168.30.0 255.255.255.0Client Ports      : 49390
Relevant router configuration:
aaa new-modelaaa authentication login WEBVPN local-caseusername xy@domain ...crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.04063-k9.pkg sequence 1webvpn gateway STARGATE ip interface Vlan1 port 443 ssl encryption aes256-sha1 rsa-dhe-aes128-sha1 rsa-dhe-aes256-sha1 ssl trustpoint webvpn inservice !webvpn context PLUTO[...] acl "VPN-ACL"   permit ip 192.168.30.0 255.255.255.0 ... ! acl "DENY-ACL"   deny ip any any aaa authentication list WEBVPN aaa authentication domain @domain gateway STARGATE max-users 5 ! ssl authenticate verify all ! inservice ! policy group VPN-POLICY   acl "DENY-ACL"   functions svc-enabled   functions svc-required   filter tunnel VPN-ACL   svc address-pool "webvpn-pool" netmask 255.255.255.255   svc split include 192.168.34.0 255.255.255.0   svc split include 192.168.30.0 255.255.255.0 default-group-policy VPN-POLICY
I've already tried to use rc4-md5 as SSL encryption in the gateway, but it didn't solve the problem.
How can I fix this problem?

Hi !
I have exactly same error ! AnyConnect session is reconnecting every 30 seconds, when CSTP timer reaches 29 seconds.
Router#sh webvpn session user USER context all
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:28:07 Created : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites :
Session Type : Full Tunnel
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 1
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:00:00 Created : 20:57:04.657 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
DPD GW Timeout : 300 DPD CL Timeout : 300
Address Pool : RemoteAdminsPool MTU Size : 1199
Rekey Time : 3600 Rekey Method :
Lease Duration : 43200
Tunnel IP : 100.100.100.2 Netmask : 255.255.255.0
Rx IP Packets : 1329 Tx IP Packets : 2023
CSTP Started : 00:00:29 Last-Received : 00:00:00
CSTP DPD-Req sent : 0 Virtual Access : 4
Msie-ProxyServer : None Msie-PxyPolicy : Disabled
Msie-Exception :
Split Include : ACL ACL_1
Client Ports : 31054
Next sh webvpn session output looks like:
Router#sh webvpn session user USER context all
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:36:22 Created : 20:49:47.999 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites :
Session Type : Clientless
Client User-Agent : AnyConnect Windows 4.0.00048
Username : USER Num Connection : 0
Public IP : 10.10.10.10 VRF Name : None
Context : VPN Policy Group : POLICY
Last-Used : 00:00:00 Created : 21:25:41.482 MSK Mon Apr 6 2015
Session Timeout : Disabled Idle Timeout : 2100
DNS primary serve : 1.1.1.1
DNS secondary ser : 1.1.1.2
Citrix : Disabled Citrix Filter : None
Capabilites : svc-required
svc-enabled
So my FullTunnel session change to Clientless after 30 seconds, and back to FullTunnel. CSTP timer reaches 29 seconds and all repeats.

Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones

Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from and internal office phone, i.e., NOT involving the PSTN then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
end

I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purpose) and then test to see if the calls function properly. If they work fine then we know that we need to open som ports there.
Please remember to select a correct answer and rate helpful posts

Does AnyConnect 3.0 supports in IOS 12.4(20)?

Hello.
We have Cisco 2821 and IOS 12.4(20)T2.
In browser-initiated mode AnyConnect 3.0.5075 works fine.
But in standalone mode it doesn't work.

Check your case on the "srst_Cisco..." - do a show flash and make sure Cisco is not all caps.
From a 12.4 config...
application
service srstaa flash:srst_CISCO.2.0.0.0.tcl
paramspace english index 1
paramspace english language en
param operator 30098
paramspace english location flash:
paramspace english prefix en
param aa-pilot 47200
global
service alternate Default
dial-peer voice 47200 pots
service srstaa
incoming called-number 47200
port 0/1/0:23

Anyconnect App in IOS 8

Hello
Im facing with an issue after upgrading IOS 7 to 8, Cisco Anyconnect app is unstable connection and skip after few minutes and needs to be reconnect. is any body here have experience on this issue?
Thank You
Ali

We are also facing this problem in our company 50-75% of all users that updated to IOS 8 are reporting this problem.
Some disconnect once a day, others multiple times a day. And others don't have the problem at all.
We are thinking that it happens when the users are using other apps, but we can't be sure.
All users have the latest IOS (8.0.2 at the moment) and the latest Anyconnect (3.0.12119).
They didn't have this problem when they were still on IOS 7.

IOS: AnyConnect 2.5.3055, Windows 7 x64 fails to connect to Webvpn on 2811

I am attempting to add SSLVPN to my 2811 and 2801 production routers. These devices currently run IOS 12.4(24)T4 ADV SECURITY images. I have succesfully configured the SSL VPN gateway via CCP. I can connect via web browser to https://2811IP/sslvpn, log in, and use the web portal. When I attempt to use the full tunnel AnyConnect client on Windows 7 x64 (I have nothing else to test with right now) I get the simple and vague error: "Connection attempt has failed." This error occurs before I would receive a prompt to provide credentials. It never prompts me. There is no further information such as timeout, certificate error, or anything like that.
running term mon and debug webvpn on the router produces only the following when the client attempts to connect:
002121: Oct 23 00:10:35.081: WV: sslvpn process rcvd context queue event
002122: Oct 23 00:10:35.085: WV: sslvpn process rcvd context queue event
002123: Oct 23 00:10:38.973: WV: sslvpn process rcvd context queue event
002124: Oct 23 00:10:38.977: WV: sslvpn process rcvd context queue event
002125: Oct 23 00:10:39.041: WV: sslvpn process rcvd context queue event
002126: Oct 23 00:10:39.041: WV: Entering APPL with Context: 0x47FE4C90,
Data buffer(buffer: 0x4732ABC0, data: 0x3F5BE498, len: 172,
offset: 0, domain: 0)
002127: Oct 23 00:10:39.041: WV: http request: /sslvpn with no cookie
002128: Oct 23 00:10:39.041: WV: Client side Chunk data written..
buffer=0x4732AA20 total_len=188 bytes=188 tcb=0x481CF0A8
I've tried adding a program exception for anyconnect to the windows firewall.
I've tried disabling the windows firewall.
I've tried connecting via different ISPs, both wired and cellular.
I've tried the previous release of AnyConnect for Windows.
The TP certificate on the device is self-signed and valid from 1/23/2006 to 12/31/2019. I am prompted to accept the cert when I client Select (Connect) in the client. After I click Accept on the certificate window the connection fails. If I wait a while (perhaps a minute) the following error pops up, but ONLY if I wait a while before clicking Accept:
"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network"
What else can I check?

Does the iPod work OK?
Does it charge when connect to the computer?
Does it appear in My Computer?
Look at the dock connector on the iPod. Compare with the iPod that does work/connect.
I suspect you have a 2G iPod. Those can only go to iOS 4.2.1
http://support.apple.com/kb/HT1353#iPod_touch_late2009
iPod touch (3rd generation)
iPod touch (3rd generation) features a 3.5-inch (diagonal) widescreen multi-touch display and 32 GB or 64 GB flash drive. You can browse the web with Safari and watch YouTube videos with Wi-Fi. You can also search, preview, and buy songs from the iTunes Wi-Fi Music Store on iPod touch.
The iPod touch (3rd generation) can be distinguished from iPod touch (2nd generation) by looking at the back of the device. In the text below the engraving, look for the model number. iPod touch (2nd generation) is model A1288, and iPod touch (3rd generation) is model A1318.

AnyConnect VPN Client on IOS Router

Hi Guys, I configured AnyConnect SSL VPN on Cisco 2811 router. It works perfectly when I login via web and run secure mobility client. However, when I connect directly from the mobility client connection fails. It does not even ask me for username and password.
Mar 7 21:36:47.613: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: VPN_GATEWAY i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at
Mar 7 21:36:47.617: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.621: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.745: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925DA18, data: 0x3F57ED98, len: 1,
      offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Fragmented App data - buffered
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925D818, data: 0x3F2033F8, len: 242,
      offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Appl. processing Failed : 2
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.753: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.753: WV: server side not ready to send.
====================
Here is the config:
=====================
crypto pki trustpoint VPN_TRUSTPOINT
enrollment selfsigned
serial-number
subject-name CN=academy-certificate
revocation-check crl
rsakeypair RSA_KEY
crypto pki certificate chain VPN_TRUSTPOINT
ip local pool VPN_POOL 192.168.7.100 192.168.7.150
webvpn gateway VPN_GATEWAY
ip address <ip>
ssl trustpoint VPN_TRUSTPOINT
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg sequence 1
webvpn context VPN_CONTEXT
title "<title>"
ssl authenticate verify all
login-message "<message>"
policy group VPNPOLICY
   functions svc-required
   svc address-pool "VPN_POOL"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.1.0 255.255.255.0
default-group-policy VPNPOLICY
aaa authentication list default
gateway VPN_GATEWAY
max-users 10
inservice
I have not figured out yet, why mobility client works when launched from the web and why it does not work directly. Any input or hints would be much appreciated

Hi Giorgi,
This could be related to CSCti89976.
AnyConnect 3.0 doesn't work with existing IOS.
Symptoms:
Standalone AnyConnect 3.0 client does not work with an existing IOS headend.
Conditions:
AnyConnect 3.0 with an IOS Router as the headend.
Workaround:
Use AnyConnect 2.5 or use weblaunch.
Upgrade IOS
Would it be possible to upgrade the IOS version?
HTH.
Portu.

AnyConnect and IKEv2 with IOS Local AAA

Hi,
Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
Cheers,
Matt

Your NAT is nearly correct. There are just two small things:
1) What do you want to achive with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL-lines.
nat (inside,outside) source static WAN interface
2) The NAT-exemtion is nearly fine. This NAT-rule is typically configured with two more parameters:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

Anyconnect on IOS and licensing

Hi,
I would like to know if any license i required to run anyconnect on Cisco ISO 12.4(24) T? If not when is a license required? in 15?
Best regards,
Laurent

Laurent,
IOS 15.x for ISR G2 only introduces licensing. Old ISR code especially in 12.4 trains is not affected.
Marcin

IOS devices authentication and verification with AnyConnect

Hi,
We are currently using Anyconnect on IOS devices to remotely access our network via our ASA. We want to implement a security check to valide that the user is using his corporate device, and not de personal device...Is there a way to achieve that? By checking a property on the device or a certificate?
We are managing our devices with Xenmobile mdm...so we can oush properties or certificate trouth it..
Thanks!

It should work but something lately has caused the typical apple names to fail.
I recommend you rename everything in the TC.. ie TC name , wireless and hard disk to SMB type names.. ie short, no space and pure alphanumeric.
Set fixed channels can also help, not auto.. for 2.4ghz which is the most important there are only three channels that do not overlap.. 1, 6, 11.. try each in turn.
Use WPA2 Personal security.
From Lion use the 5.6 utility for setup.. it has tool quality.. 6.1 in Lion and Mountain Lion has a certain Toy like quality.
http://support.apple.com/kb/DL1482

Anyconnect IOS

Similar Messages

Maybe you are looking for