Anyconnect & WebVPN for ssl vpn

I already have anyconnect running in my network, planning to use Webvpn also to let specific users access the web based applications via webvpn( i believe for this they just have to put in the url and they would be prompted by SSL VPN's login page).
I followed some cisco documents but my ASA doesnt show any webvpn option on the left side pane.
Please help to set this up
Thanks.

Hi Sunny,
I attached our test config of the WebVPN of confirmed work for your reference.
HTH
Tomoyuki

Similar Messages

  • ASA 5505 WebVPN - It has taken a while for SSL VPN Relay to load. You need to verify Java is enabled in your browser

    ASA 5505
    ASA Version 9.0.(2)
    Suddently on the webvpn Interface when i click on my web bookmarks (and java launches in browser) i get this fail in Chrome and FF 'It has take a while for SSL VPN Relay til load. You need to verify Java is enabled in your browser' and nothing happens...
    Java IS enabled and running. Tried this in both 7.45 and 7.51
    No problem in IE 11 and java 7.45 and 7.51
    I've googled alot but have not been able to find any suggetions
    Hope you have a solution
    Best Regards.

    Any resolution on this?  Firefox/Chrome my cifs work but smart tunnel RDP doesn't, and in IE my shares don't work but RDP smart tunnel does....
    Cisco, if you're not going to do something good, just don't do it.  The SSL VPN is a hack job.

  • RVL200 firmware 1.1.12.1 - Windows 7 still fails for SSL VPN

    Try to connect RVL200 with SSL VPN using Windows 7 IE 8.
    After upgrading to firmware 1.1.12.1, I am able to install the webcachecleaner, but when I tried to click the padlock on the screen, I keep getting
    "Error: Virtual Passage not installed.  Please install as administrator".
    I am already the only administrator on the computer, and I have installed the C++ 2005 Redistributable Package (x64) according to the release note.  The XTunnel IE add-on shows date 3 Mar 2010.  The certificate is updated (expiry 2011).
    Any ideas how to get around this issue?
    Thanks.  Christina

    On Windows 7 or Vista, Internet Explorer does not always run with administrative privilege. You have to select the option of "Run As Administrator" when you start the IEv8.

  • WEBVPN/SSL VPN doesn't work over WLANs

    Hi,
    Please can someone help me establish why only wired connections (outside the network/over the internet) are able to connect to SSL VPN?
    If I use a wifi connection at any location outside of my network, then I cannot connect to my SSL VPN. I can only use wired connections.
    I suppose this is an MTU issue, but I don't know where and I've tried many combinations of settings. How do I calculate the correct MTU?
    Many thanks in advance for your support.
    ~Matt

    You can adjust the MTU size (from 256 to 1406 bytes) for SSL VPN connections established by the client with the svc mtu command from group policy webvpn or username webvpn configuration mode:
    [no] svc mtu size
    This command affects only the AnyConnect client. The legacy Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes.
    The default for this command in the default group policy is no svc mtu. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.

  • Anyconnect SSL VPN States Contacting...

            I had my ssl vpn working and now the anyconnect client that I downloaded just says Contacting...  It will not give me an error at all.  If I use the Anyconnect App on my droid phone it says "Anyconnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."  I previously had the droid app work as well and I have made no changes to the VPN configuration.  Here is my config and version numbers:
    anyconnect-win-2.5.2014-k9.pkg
    c2800nm-adventerprisek9-mz.151-4.M5.bin
    webvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN" netmask 255.255.255.0
       svc default-domain "<DOMAIN>"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary <IP>
    default-group-policy policy_1
    gateway gateway_1
    inservice
    Any suggestions would be greatly appriciated.

            I had my ssl vpn working and now the anyconnect client that I downloaded just says Contacting...  It will not give me an error at all.  If I use the Anyconnect App on my droid phone it says "Anyconnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."  I previously had the droid app work as well and I have made no changes to the VPN configuration.  Here is my config and version numbers:
    anyconnect-win-2.5.2014-k9.pkg
    c2800nm-adventerprisek9-mz.151-4.M5.bin
    webvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN" netmask 255.255.255.0
       svc default-domain "<DOMAIN>"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary <IP>
    default-group-policy policy_1
    gateway gateway_1
    inservice
    Any suggestions would be greatly appriciated.

  • SSL-VPN Anyconnect fails after rebooting 2811

    Hello all,
    I have setup an Anyconnect SSL-VPN in my 2811 and it works just great, but then after the reboot it fails.  I think it has something to do with the SSL Cert being ereased.  Here is my configuration, please let me know if you need anything else:
    ! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa session-id common
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-XXXXXXXXXX
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
    revocation-check none
    crypto pki certificate chain TP-self-signed-XXXXXXXXXX
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31363535 34343437 3534301E 170D3132 30393237 30373033
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353534
      34343735 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E 78713B48
      E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC
      5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875
      7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E
      BE090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301D06
      03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300D0609
      2A864886 F70D0101 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A
      A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43
      9A637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416
      10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8
      23191E2E E4BF390B D62DAA2B 351C09
            quit
    username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
    ip local pool SSL-VPN 192.168.11.5 192.168.11.8
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    bvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN"
       svc default-domain "DOMAIN"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary DNS-SERVER
    default-group-policy policy_1
    gateway gateway_1
    inservice

    Here is the bug description that matches your explaination of the issue:
    MF: HTTPS generates a new self-signed cert on reboot even if one exists
    Symptom:
    With Secure HTTP server enabled, IOS device  generates a new self-signed certificate when it reloads even if a valid  self-signed certificate already exists.
    Conditions:
    When there is no CA(Certificate Authority) provided certificate on the device
    Workaround:
    Use CA provided certificate.
    The resolution is to upgrade it to version 15.2(1)T or higher.
    Unfortunately you would need to have SmartNet contract to be able to download the software from CCO.

  • IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

    hi all,
    I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
    I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
    thanks for your input!
    Samuel

    Samuel,
    Did you ever find an answer to your question? I have a similar scenario.
    Any input would be appreciated.

  • Bandwith Capacity Planning for 100 user SSL VPN Facility

    What are things we should conisde while doing the  bandwidth capacity planning for SSL VPN Facility for 100 users  ?       

    Hi Surya,
    This is not an easy question, since there are so many things to consider that I may miss some of them.
    1- In case you are planning to use an ASA, check this to find the ideal throughput for you:
             Compare Models
    2- What type of traffic? TCP or UDP?
         If TCP
              Make sure you avoid fragmentation, adjust the MSS value if necessary.
         If UDP
              If fragmentation must happen, then set the DF bit to clear to allow it.
    3- Make sure the clients always negotiate DTLS (which is by default).
    As mentioned in the document above:
    "Maximum throughput measured under ideal test conditions.
    VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning."
    Thanks.
    Portu.
    Please rate any post you find useful.

  • SSL VPN on C2821 Radius auth issues

    I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
    I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
    This is what the config looks like
    Building configuration...
    Current configuration : 24735 bytes
    ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname N****
    aaa new-model
    aaa group server radius IAS_AUTH
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa group server radius Global ***made for testing. Redundant
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa session-id common
    clock timezone Arizona -7
    dot11 syslog
    ip source-route
    ip cef
    password encryption aes
    crypto pki trustpoint TP-self-signed-2464190257
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2464190257
    revocation-check none
    rsakeypair TP-self-signed-2464190257
    crypto pki certificate chain TP-self-signed-2464190257
    certificate self-signed 01
    REMOVED
    interface GigabitEthernet0/0
    INTERFACES REMOVED
    ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip flow-cache timeout inactive 10
    ip flow-cache timeout active 5
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5 peer-as
    ip flow-export destination 10.12.1.17 2048
    ROUTES REMOVED
    ACLS REMOVED SSL IS ALLOWED
    route-map STAT_NAT permit 10
    match ip address 109
    route-map DYN_NAT permit 10
    match ip address 108
    snmp-server community $DCI$ RO
    control-plane
    banner login ^C
    line con 0
    password 7 01100F175804
    login authentication local
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address **outside ip*** port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2464190257
    no inservice
    webvpn context webvpn
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    port-forward "portforward_list_1"
       local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
    policy group policy_1
       port-forward "portforward_list_1"
    default-group-policy policy_1
    aaa authentication list SSL_Global
    aaa authentication domain @n****
    gateway gateway_1 domain N****
    max-users 10
    no inservice
    end
    Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

    OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?    

  • Configuration of SSL VPN in IOS-XE (Version 03.13.01.S)

    Hi,
    I am looking for some advice in regard to the configuration of SSL VPN in IOS-XE (Version 03.13.01.S).
    I have been following the Cisco Guide (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html#topic_D5CE388EB64446E0897B4741801C84A5) but I am not really having any luck.
    I am testing my config in my lab using a CSR1000V before putting it into the production box.
    When I try to fire up a https connection from a Windows client to the listening IP address in the router all what I get is a blank page (after clicking OK in the certficate error). In the virtual router though, I can see that the CRYPTO-SSL-WEBSERVICE is running, but I am not getting prompted with the page for me to enter the username and password.
    I am using a self signed certificate and AAA is using local authentication to authenticate my users.
    The version of the Anyconnect I am using is 3.1 for Windows, but I have not been to the point where the router pushes the Anyconnect software to the client.
    The Windows host is running the latest version of Java (Version 8 Update 31).
    I have to be honest and admit that this is not my area of expertise. Therefore, I am afraid I have some very silly questions such as what sort of webpage I should be getting when starting a https section to the router. Is it a default one?
    I have not been able to find any real examples on the web and that's why I decided to reach out to you guys for help. Could you please have a look at my config and shed some light about why this is not working?
    I created the annyconect.xml profile file using the Anyconnect Profile Editor.
    CSR_1000V_VPN#sh debugging 
    IOSXE Conditional Debug Configs:
    Conditional Debug Global State: Stop
    IOSXE Packet Tracing Configs: 
    Crypto SSL Subsystem:
      Crypto SSL (verbose) debugging is on
      Crypto SSL Web Service debugging is on
      Crypto SSL AAA debugging is on
      Crypto SSL Tunnel debugging is on
      Crypto SSL Tunnel Events debugging is on
      Crypto SSL Tunnel Errors debugging is on
      Crypto SSL Tunnel Packets debugging is on
      Crypto SSL Client Package debugging is on
    This is what happens when I browse to the listening IP address (1.1.1.1) from the client:
    CSR_1000V_VPN#
    *Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.217: CRYPTO-SSL: Fragmented App data - buffered
    *Feb 12 05:38:23.217: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
    *Feb 12 05:38:23.217: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
    *Feb 12 05:38:23.217: CRYPTO-SSL: Chunk data written..
     buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
    *Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.278: CRYPTO-SSL: sslvpn process rcvd context queue event
    *Feb 12 05:38:23.278: CRYPTO-SSL: Fragmented App data - buffered
    *Feb 12 05:38:23.278: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
    CSR_1000V_VPN#
    *Feb 12 05:38:23.278: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
    *Feb 12 05:38:23.278: CRYPTO-SSL: Chunk data written..
     buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
    *Feb 12 05:38:23.279: CRYPTO-SSL: sslvpn process rcvd context queue event
    Thanks in advance,
    Alejandro

    Hi Alejandro,
    Weblaunch for SSL VPN is not supported on CSR 1000v. Here's the enhancement request: https://tools.cisco.com/bugsearch/bug/CSCus02767/?reffering_site=dumpcr
    Please save this bug so that you get notified if any changes are made to the bug's status.
    Regards,
    Anu

  • 1841 IOS for Web Vpn

    I have a cisco 1841 router and i want to use web vpn on it i mean ssl vpn which ios is needed for ssl vpn as well as plz tell me the ssl vpn licence cost . I have heard that 2 SSL VPN Client Licence are free on but SDM doesnt allow me to do that

    12.3.14T6 with Advanced Security should be the smallest ...

  • IPhone SSL VPN Support

    So I'll be going to George Washington University in the fall and I was curious this morning and looked into what type of WLAN they deploy to their students and it looks like they run a SSL VPN. I was just at the campus a couple of weeks ago and got the network to work with my Macbook Pro but could not get it to work with my iPhone. Now that the new 2.0 software update is out I was wondering if Apple added support for SSL VPN networks. Does anyone know if they did or if there are any current solutions to making an iPhone to work with such a network?

    Can anyone else shed some light on this?
    The only official information available is what Apple has published on its web site and what is revealed in the video of the Announcement from yesterday.
    Any developers who reveal anything more will be speaking against the terms of the Non-Disclosure Agreement they signed with Apple.

  • SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

    Hi,
    Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
    some relevant config
    webvpn
    enable wan
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy vpnpolicy1 internal
    group-policy vpnpolicy1 attributes
    vpn-tunnel-protocol svc
    tunnel-group admins type remote-access
    tunnel-group admins general-attributes
    address-pool sslpool2
    default-group-policy vpnpolicy1
    username myuser password 1234567890 encrypted privilege 15
    username myuser  attributes
    vpn-group-policy vpnpolicy1
    Debug:
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
    webvpn_add_auth_handle: auth_handle = 17
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    webvpn_session.c:http_webvpn_create_session[184]
    WebVPN: error creating WebVPN session!
    webvpn_remove_auth_handle: auth_handle = 17
    webvpn_free_auth_struct: net_handle = CD5734D0
    webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_free_auth_struct: net_handle = CD5734D0

    AnyConnect says:
    "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
    The following message was received from the secure gateway: Host or network is 0"
    Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
    ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# debug http 255
    debug http enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
    webvpn_add_auth_handle: auth_handle = 22
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    HTTP: net_handle->standalone_client [0]
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_remove_auth_handle: auth_handle = 22
    webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CC894AA8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    Close 1043041832
    webvpn_free_auth_struct: net_handle = CC894AA8

  • SSL VPN (WebVPN) issues with IOS 15.0(1)M1

    Hello everyone... I need your help!
    I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
    Symptoms:
    - AnyConnect Client prompts users with the following error:
    "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
    Debug:
    Mar  5 13:09:45:
    Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
    Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
    Mar  5 13:09:45: WV-TUNL: Allocating stc_config
    Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
    Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
    Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
    Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
    Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
    Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
    Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
    WV-TUNL:      Severity ERROR Type USER_LOGOUT
    WV-TUNL:      Text: HTTP response contained an HTTP error code.
    Mar  5 13:09:45: WV-TUNL: Call user logout function
    Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
    When the error occurs, the "SVCIP install TCP failed" counter increments:
    VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
    [snip]
    Tunnel Statistics:
        Active connections       : 1       
        Peak connections         : 3          Peak time                : 19:09:04
        Connect succeed          : 9          Connect failed           : 5       
        Reconnect succeed        : 0          Reconnect failed         : 0       
        SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
        SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
        SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
        DPD timeout              : 0        
    [snip]
    IOS Version Details:
    Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
    The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
    Config:
    webvpn context CUSTOMER-VPN
    title "SSL VPN for Customer"
    ssl authenticate verify all
    login-message "Enter username and passcode"
    policy group CUSTOMER-VPN
       functions svc-required
       svc keep-client-installed
       svc split include 10.1.16.0 255.255.240.0
       svc split include 10.1.2.0 255.255.254.0
    vrf-name CUSTOMER-VPN
    default-group-policy CUSTOMER-VPN
    aaa authentication list AAA-LIST
    aaa authentication auto
    aaa accounting list AAA-LIST
    gateway vpn virtual-host customer.xx.com
    logging enable
    inservice
    The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

    Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
    At that point in time we were running with local pool definition.
    As the http 401 rc happens very sporadically we still gathering incident reports internally.
    Will open a case if you did not yet.
    cheers, Andy

  • No SSL VPN tunnel from AnyConnect to IOS

    Dear all
    Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
    But I simply cannot make it work.
    I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
    Here is my configuration on the router:
    crypto pki trustpoint TP-self-signed-595019360
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-595019360
    revocation-check none
    rsakeypair TP-self-signed-595019360
    crypto pki certificate chain TP-self-signed-595019360
    certificate self-signed 01
      3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    [......skipped....]
    interface Loopback123
    ip address 192.168.123.254 255.255.255.0
    ip local pool GS-POOL 192.168.123.1 192.168.123.10
    webvpn gateway GS-GW
    hostname GS-VPN-test
    ip address x.x.x.x port 443
    ssl trustpoint TP-self-signed-595019360
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context GS-CONTEXT
    ssl authenticate verify all
    policy group GS-POLICY
       functions svc-required
       svc address-pool "GS-POOL"
    default-group-policy GS-POLICY
    gateway GS-GW
    inservice
    These are my debug settings:
    #sh debug
    WebVPN Subsystem:
      WebVPN (verbose) debugging is on
      debug webvpn entry GS-CONTEXT
      WebVPN HTTP (verbose) debugging is on
      WebVPN AAA debugging is on
      WebVPN tunnel (verbose) debugging is on
      WebVPN Single Sign On debugging is on
    And these are all debug messages I get upon incoming connection:
    Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
    At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
    Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
    buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
    Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
    buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
    At this point the Anyconnect client says "Connection attempt failed" and that's all.
    So please, any advice how to solve this?
    And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
    Thanks a lot for any suggestions,
    Grischa

    Some more restrictions:
    12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
    In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
    CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
    In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
    If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
    hth
    Herbert

Maybe you are looking for