AnyConnect VPN Client on IOS Router

Similar Messages

• IPhone 2.1 now supports Cisco VPN Client to IOS router

  Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.

  I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
  The relevant isakmp/ipsec config should be:
  crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group myvpn
  key mysecretkey
  dns 10.0.0.2 10.0.0.3
  wins 10.0.0.2
  domain mydomain.example.com
  pool ippool
  acl 150
  split-dns mydomain.example.com
  netmask 255.255.255.0
  crypto isakmp profile ike-myvpn-profile
  match identity group myvpn
  client authentication list userauthen
  isakmp authorization list groupauthor
  client configuration address respond
  virtual-template 2
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile myvpn
  set transform-set ESP-3DES-SHA
  set isakmp-profile ike-myvpn-profile
  interface Virtual-Template2 type tunnel
  ip unnumbered FastEthernet1
  ip nat inside
  ip virtual-reassembly
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile myvpn
  See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
  If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting.

• Dynamic VPN - client to IOS - with shaping

  I have 3640s and want to encrypt wireless clients to the router, since not all win2k laptops do leap. Peap tested is flaky. I have VPN client to IOS using dynamic cryptomap with back-end RADIUS xauth working, only, one 2.5meg FTP stream brings the proc utilization to 80% with AES or 1DES. I came up with the idea of using class-based shaping to throttel the encrypted traffic to under 2 meg on the ingress and egress, which brings the utilization down to 50%. I hammering the shapping queues and see no drops, what are the implications on this VPN
  This is a temp fix until non-cisco wireless clients start supporting PEAP, and will only have 2 or 3 clients on at a time.

  hello thx for the replay
  but all the trafic is routed  to my firewall and i have a message in my firerwall by its look like my firewall didn't response
  thx for help

• Problem using SunRay with Cisco AnyConnect VPN Client

  I am using Cisco AnyConnect VPN Client Version 2.5.3046
  I  have a PC and a SunRay connected to my router. I use VPN to connect my  SunRay and my PC to my work computer. My PC works fine, I am able to  connect to the internet and also run cisco VPN to connect to my work  computer. But when I try to use my SunRay, I get a window on the screen  with the message:
      VPN IKE Phase 1 agg I msg1This window  keeps moving around on the screen. I am not able to connect my SunRay  through VPN to my work computer. Any idea what could be wrong and how I  can fix this?

  2.2 is definitely better.
  On one PC, I'm fine. On another -- very similar -- it tells me it can't start the VPN even after uninstalling and re-installing and everything else I can think of, with plenty of re-boots inbetween.
  Aaaaarrrrrrggggggghhhh.

• Cisco AnyConnect VPN client and 256 AES encryption in IE8

  Hey,
  We have a site that we are trying to connect to with the AnyConnect VPN client version 2.5.3055 on Windows XP SP3. As soon as we enter the site info and hit select, it says a connection was unable to be established.
  I believe this has to do with the encryption, its set up with 256 bit AES. We are only able to install IE8, which on XP only supports up to 128 bit encryption, so in IE8 the page will not load. To fix that issue we installed firefox which supports 256 bit encryption. We can get to the page there, but when we go to connect to the same site VIA the VPN client it still will not connect. It will work fine on a windows 7 box with IE9 installed from the same network.
  My question mainly pertains to how the AnyConnect client connects on the back end. Does it use Internet explorer's SSL layer by default? Or does it have its own? If it connects through internet explorer, is there a way to change it to firefox so it will actually be able to open up a connection?
  Thank you for your answers in advance,
  John

  Hey Jeff,
  Thanks for answering that question. Hmm, so it doesnt go through the browsers SSL layer. We have systems on the same network (same proxy, firewall, vlan, etc). All the systems with windows XP SP3 and IE8/IE7 can not connect to the VPN (they arent even able to start the connection and ask for proxy/logon info.), all the systems with windows 7 and IE9 can. Same setups on each one as far as the security policies go as well. I thought it may have to do with the 256 bit encryption that they are using.
  If thats not the case, what else could be causing the problem? weve tested it on about 5 XP machines and 5 Win 7 machines, same results on each. Connects on Win 7, does not connect on Win XP.
  Thanks,
  John

• How to download anyconnect vpn client 64 bit win 7

  Good day all,
  please i wanted to download anyconnect vpn client 64 bit win 7 from software.cisco.com and i was not able to do that after login in. please can someone help me on how or the steps i can take to get the download.
  secondly can i be able to install it using ASDM after the download because i do not have a tftp server for now. thanks

  Hi csco12434455 , 
  Try to go to the following link, the name of the file is: Web deployment package for Windows platforms.   
  This file does support W7 32 and 64 bits
  https://software.cisco.com/download/release.html?mdfid=286281272&flowid=72042&softwareid=282364313&release=3.1.06073&relind=AVAILABLE&rellifecycle=&reltype=latest
  Reference link:
  http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#47680
  And yes you can use ASDM to upload the file to the ASA flash , just go to  Tools > File managment. 
  Please rate helpful posts !
  Hope it helps
  - Randy - 

• Issue with Mac OS 10.8.3 and Anyconnect VPN Client 3.1.02026

  Hi all,
    I am running Anyconnect VPN Client 3.1.02026 on Mac OS X 10.8.3.  I am unable to connect to my corporate network as the connection fails with following error :
  The VPN client was unable to successfully verify the IP forwarding table modifications.  A VPN connection will not be established.
  Can anyone suggest remedies. I am completely stuck. I had an older AnyConnect client and it was working until  a few days back when it stopped working. I then upgraded to 3.1.02026.
  As suggested in some of the pots on the web, i  have disabled the following  AirPort, Bonjour, Bluetooth, Adium, restarted after these changes and yet i am seeing this.
  My company has corporate license for Cisco AnyConnect VPN.
  TIA
  kumar

  MartyP wrote:
  Or is there a problem with both OS's writing stuff to the
  ~/Home/Library folder that may be incompatible?
  Yes, big time.  Mail, for sure, has a different file/folder structure, and would not be happy.
  Plus, a number of apps (Apple and 3rd-party) are "Sandboxed."  That's a security feature, to prevent malware or bad coding from affecting things it shouldn't.  Some of their files, including the preferences files, aren't even stored in the same places!
  Or to other places I'm not aware of?
  Probably.  If you have two versions of the same app, they may or may not expect the same data setup.
  To have one User folder for both OS's would save a lot of drive space
  Not if you use some or all of woodmeister50's suggestions. 
  But I'm also not sure how I'd use Time machine with such a set up.
  Just as you do now.  By default, Time Machine backs-up everything (except things like system work files, most caches and logs, trash) for all users and all internal drives & partitions.  By default, it excludes external drives.
  You can change those defaults, of course, via TM Preferences > Options.
  See Time Machine - Frequently Asked Question #32 for details and considerations of multiple drives.
  Presently I backup with . . . clones to other HD's
  Good.   Yes, clones are different.  You need multiple "tasks" to back up multiple drives/partitions.  But once set up, that shouldn't be a big deal.

• CiscoSystems AnyConnect VPN Client 3.0.3054 Posture module

  Hello,
  I have aproblem installing the posture module of AnyConnect VPN Client. During the installation I get an error:
  "Product: Cisco AnyConnect Posture Module -- Error 1335. The cabinet file 'disk1.cab' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package."
  I found out that this error appears when I'm installing from a local copy of the files from the ISO. If the installation is from a virtual drive it installs fine.
  I need to install the client to multiple users so I have to use the source out of the ISO.
  Is there a way to to install this module from HDD?
  Thanks in advance!
  Iliyan

  Thanks for your reply.
  The problem was because of brocken source.
  I downloaded it from another location and everything is fine now
  The discussion can be closed.

• Trouble with Cisco Anyconnect VPN Client

  Hello,
  our Cisco AnyConnect VPN Client has stopped working, we are a medical office and we are attempting to connect to "clientvpn.e-mds.com" however it will not connect, the username and password we input are irrelevant it doesnt come up with a "wrong credentials" window it just erases the password and at the bottom of the window it says "Please enter your username and password". our version is 2.5.0217 does anyone know anything to try? any help would be appreciated

  you may want to try the OS X networking forums:
  http://discussions.apple.com/forum.jspa?forumID=733

• Strange issue with 3.6.3 VPN Client and IOS firewall

  I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
  Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
  Router is running 12.2(13)T.
  Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
  You Cisco gurus have any thoughts?
  Thanks,
  Jamey
  Config below:
  jamey#wr t
  Building configuration...
  Current configuration : 3947 bytes
  ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
  ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
  version 12.2
  service timestamps debug datetime msec
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname "jamey"
  no logging buffered
  no logging console
  username XXXX password 7 XXXXX
  clock timezone GMT 0
  aaa new-model
  aaa authentication login tac local
  aaa session-id common
  ip subnet-zero
  no ip domain lookup
  ip inspect name myfw ftp
  ip inspect name myfw realaudio
  ip inspect name myfw smtp
  ip inspect name myfw streamworks
  ip inspect name myfw vdolive
  ip inspect name myfw tftp
  ip inspect name myfw rcmd
  ip inspect name myfw tcp
  ip inspect name myfw udp
  ip inspect name firewall http java-list 3
  ip audit notify log
  ip audit po max-events 100
  crypto isakmp policy 3
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp nat keepalive 20
  crypto isakmp client configuration group XXXX
  key XXXXXXX
  dns x.x.x.x
  domain xxx.com
  pool ipsec-pool
  acl 191
  crypto ipsec security-association lifetime kilobytes 536870911
  crypto ipsec security-association lifetime seconds 86400
  crypto ipsec transform-set foxset esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set foxset
  crypto map clientmap client authentication list tac
  crypto map clientmap isakmp authorization list XXXXX
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  interface Loopback10
  description just for test purposes
  ip address 172.16.45.1 255.255.255.0
  interface Ethernet0/0
  description "Internet"
  ip address x.x.x.x 255.255.255.224
  ip access-group 103 in
  ip inspect myfw out
  no ip route-cache
  no ip mroute-cache
  half-duplex
  crypto map clientmap
  interface Ethernet0/1
  description "LAN"
  ip address 192.168.45.89 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  half-duplex
  ip local pool ipsec-pool 192.168.100.1 192.168.100.254
  ip classless
  ip route 0.0.0.0 0.0.0.0 Ethernet0/0
  no logging trap
  access-list 3 permit any
  access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
  access-list 103 permit icmp any any log
  access-list 103 permit udp any eq isakmp any log
  access-list 103 permit esp any any log
  access-list 103 permit ahp any any log
  access-list 103 permit udp any any eq non500-isakmp log
  access-list 103 permit tcp any any eq 1723 log
  access-list 103 permit udp any any eq 1723 log
  access-list 103 deny tcp any any log
  access-list 103 deny udp any any log
  access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
  radius-server authorization permit missing Service-Type
  call rsvp-sync
  line con 0
  line aux 0
  line vty 0 4
  exec-timeout 0 0
  password XXXXXX
  line vty 5 15
  end
  Some debugging info:
  At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
  .Jan 22 01:27:38.284: ICMP type=8, code=0
  .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:38.288: ICMP type=0, code=0
  .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
  40, access denied
  .Jan 22 01:27:38.637: UDP src=2301, dst=2301
  .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
  40, rcvd 2
  .Jan 22 01:27:38.641: UDP src=2301, dst=2301
  .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
  rcvd 4
  .Jan 22 01:27:38.765: ICMP type=8, code=0
  .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
  len 60, sending
  .Jan 22 01:27:38.765: ICMP type=0, code=0
  .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
  et0/1), g=192.168.45.67, len 60, forward
  .Jan 22 01:27:39.286: ICMP type=8, code=0
  .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:39.290: ICMP type=0, code=0
  .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
  rcvd 4
  .Jan 22 01:27:39.767: ICMP type=8, code=0
  .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
  len 60, sending
  .Jan 22 01:27:39.767: ICMP type=0, code=0
  .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
  et0/1), g=192.168.45.67, len 60, forward
  .Jan 22 01:27:40.287: ICMP type=8, code=0
  .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:40.291: ICMP type=0, code=0
  .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
  .52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
  .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
  .52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
  here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
  from a host on the internal side (LAN) (192.168.45.1)
  .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
  g=2.2.2.2, len 44, forward
  .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
  SYN
  .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  here is where by VPN connection breaks
  .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check

  Ok..I found the bug ID for this:
  CSCdz46552
  the workaround says to configure an ACL on the dynamic ACL.
  I don't understand what that means.
  I found this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
  and they talk about it, but I'm having a hard time decoding what this means:
  "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• AnyConnect VPN Clients IP Address access rules

  I setup ASA5540 for SSL-VPN (clientless) works fine.
  But I try to use Client (AnyConnect) to access internal resources, it is failed.  It is stiil initiate sessions from remote client IP.
  I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
  How I setup it?

  I use Cisco VPN client (remote access VPN)to connect ASA.
  There is a configuration setup for group authentication/w password on Cisco VPN client.I do not know to setup on ASA to match this?
  Second, remote client  connect ASA, I should get the client IP address which I setup on ASA.
  It should use this IP to connect ASA internal net,but I failed.( Both Cisco VPN and AnyConnect)
  How I setup this ( SSL VPN on this ASA works).

• Control what AnyConnect VPN clients can Access

  Hello!
  How do I ensure that my VPN users that are connected using AnyConnect VPN to my ASA5520 have the same access restrictions/permissions as those connected locally?
  Assign a pool in the same vlan/subnet as those connected locally?
  Any input helps. Thanks

  Your annyconnect RA clients should have unique separate network from any other internal subnets and you will find much easier management and administration as soon as you start creating different RA tunnels for different purposes in future, at least this is my practice and find easy to administer and/or troubleshoot. If you decide using VPN tunnel network the same as an inside subnet you may encounter problems down the road which will be hard to troubleshoot.
  Now you have VLAN10 subnet internally, if I understand correctly you want RA clients have the same access VLAN10 users have,my question to you is what type of access are you refering to? does VLAN10 users have access to certain internal networks or specific hosts and some don't? if this is so when you use vpn filters build the same access control you have defined for VLAN10 users, you don't necessarily have to create per user vpn filers but rather a group policy defining the permit access through the acl and apply it to the Annyconnect RA tunnel if the intend is for the whole tunnel group, just as shown in the RA vpn filter example link posted excluding the per user vpn filer.
  Rgds
  Jorge

• Idle timeout for cisco anyconnect vpn client

  Hi All,
  Can you please let me know how to set idle timeout for the cisco vpn client, I configured the idle timeout setting under the group policy for the ssl vpn but it is not making any difference, is there any bug in asa firmware ? but I am using the latest version 9.3(2) now but this change is not taking any effect.
  Please let me know if you need more information, config etc ?
  Thanks

  Hi Alex,
  That file is indeed subjected to the same download restrictions than the other Anyconnect client files. You should contact the person who provided you with the Anyconnect  client installer, or who is managing the ASA that you are connecting  to, asking her/him to get the file and provide it to you - that person  should have the necessary access rights.
  Alternatively there is a command line interface executable provided as part of the Anyconnect  client, which can return tunnel statistics (among which tunnel status) -  invoking that program and parsing the output should be doable from  pretty much any programming/scripting tool - not the most optimal  approach in C++ though, but you wouldn't need anything else than what is provided with the client software.
  The executable is with the other Anyconnect client files and is named vpncli.exe.
  Try vpncli -h to get the argument syntax.
  I hope it helps, please let me know.
  Best regards,
  Christophe

• SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

  Hello,
  i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
  Cisco 1802 Router:
  Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
  First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
  then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
  and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
  after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
  no aaa authentication list default
  authentication certificate
  ca trustpoint CA
  as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
  as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
  any ideas what the problem could be???
  here is the configuration:
  webvpn gateway WEBVPN_GW_OFFICE2
  ip interface Dialer0 port 1444
  ssl trustpoint CA
  inservice
  webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
  webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
  webvpn context WEBVPN_CONTEXT2
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  policy group WEBVPN_POLICY2
     functions svc-enabled
     mask-urls
     svc address-pool "SSLVPN_OFFICE1"
     svc default-domain "domain.internal"
     svc keep-client-installed
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.53.33
     svc dns-server secondary 192.168.53.35
  virtual-template 3
  default-group-policy WEBVPN_POLICY2
  gateway WEBVPN_GW_OFFICE2
  authentication certificate
  ca trustpoint CA
  inservice
  here is the debug:
  OfficeRouter1# PASSING appctx is [0x89FAFFCC]
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:39:53.607: WV: http request: / with no cookie
  Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:39:53.607: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:39:53.607: WV: Trustpoint match successful
  Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
  Nov 19 22:39:53.607: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
  Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  BueroRouter1# PASSING appctx is [0x89FAEEC4]
  Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:40:24.132: WV: http request: / with no cookie
  Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:40:24.132: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:24.132: WV: Trustpoint match successful
  Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
  Nov 19 22:40:24.132: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
  Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
  Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
        offset: 0, domain: 0)
  Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
  Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
  Nov 19 22:40:39.892: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:39.892: WV: Trustpoint match successful
  Nov 19 22:40:39.892: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
  Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
  HI,
  Refer to
  AnyConnect VPN Client FAQ
  Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
  A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.