Configuration of SSL VPN in IOS-XE (Version 03.13.01.S)

Similar Messages

• AnyConnect (SSL VPN on IoS) - Connection stuck on Android

  Hiya,
  I have an Any Connect WebVpn (ssl vpn?) set up on an IOS 15.2(4)M4. My current WebVPN is set up for Cisco Phones to use SSL VPN to connect to a Cisco Call Manager (CUCM 9.x). I also tried connecting with an Any Connect client from a PC and it seems to work fine.
  The issue is when I try to connect through an Android device, I get the following output from 'debug webvpn':
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.220: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2930, data: 0xD9E7658, len: 0,
        offset: 0, domain: 0)
  Jan 10 16:04:17.224: WV: Fragmented App data - buffered
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2470, data: 0xEA4D858, len: 884,
        offset: 0, domain: 0)
  tbr-edi-2901#
  Jan 10 16:04:17.224: WV: http request: / with no cookie
  Jan 10 16:04:17.224: WV: validated_tp :  cert_username :  matched_ctx :
  Jan 10 16:04:17.224: WV: failed to get sslvpn appinfo from opssl
  Jan 10 16:04:17.224: WV: Error: Failed to get vw_ctx
  Jan 10 16:04:17.224: WV: Appl. processing Failed : 2
  Jan 10 16:04:18.344: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.348: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.376: WV: sslvpn process rcvd context queue event
  and then the messages in italics above keep on appearing in an endless loop.
  Any ideas what could be the issue.
  Any help is highly appreciated.
  Thanks,
  David

  Hi,
  I'm having the same issue please let me know if yo found the solution. Thanks in advance

• IOS SSL VPN problem

  I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
  The error on the router is:
  Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
  Jun 5 16:07:55.755: WV: server side not ready to send.
  The following is the configuration:
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context vpn1
  ssl authenticate verify all
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  policy group vpn1
  url-list "eng"
  default-group-policy vpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context vpn2
  ssl authenticate verify all
  policy group vpn2tunnel
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc split include 10.0.0.2 255.255.255.255
  default-group-policy vpn2tunnel
  gateway ISR2801-RM domain tunnel
  inservice

  Thanks for the reply !!!!
  the configation is the following:
  interface Ethernet 0
  ip address 10.0.0.128 255.255.255.0
  ip http secure-server
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  ssl encryption aes-sha1
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context context-sslvpn1
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn1/
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  nbns-list cifs-servers
  nbns-server 172.16.1.1 master
  nbns-server 172.16.2.2 timeout 10 retries 5
  nbns-server 172.16.3.3 timeout 10 retries 5
  login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
  this device are logged and violations of this policy may result in disciplinary action."
  port-forward "portlist"
  local-port 30019 remote-server ssh-server remote-port 22 description SSH
  local-port 30020 remote-server mailserver remote-port 143 description IMAP
  local-port 30021 remote-server mailserver remote-port 110 description POP3
  local-port 30022 remote-server mailserver remote-port 25 description SMTP
  policy group policy-sslvpn1
  url-list "eng"
  port-forward "portlist"
  nbns-list "cifs-servers"
  functions file-access
  functions file-browse
  functions file-entry
  citrix enabled
  default-group-policy policy-sslvpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context context-sslvpn2
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn2/
  policy group policy-sslvpn2
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc dpd-interval client 300
  svc rekey method new-tunnel
  svc rekey time 3600
  svc split include 10.0.0.0 255.255.255.0
  svc default-domain cisco.com
  svc dns-server primary 192.168.3.1
  svc dns-server secondary 192.168.4.1
  default-group-policy policy-sslvpn2
  gateway ISR2801-RM domain tunnel
  inservice
  ISR2801-RM#show webvpn install status svc
  SSLVPN Package SSL-VPN-Client version installed:
  CISCO STC win2k+
  2,2,0133
  Mon 05/19/2008 12:58:52.34 v
  ISR2801-RM#
  WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client
  https://1.2.3.4/tunnel
  * the ssl client installed on the pc tell me can't connect.
  * on the router the log:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
  Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
  offset: 0, domain: 0)
  Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
  Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
  Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
  Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
  Jun 6 10:28:08.287: X-CSTP-Version: 1
  Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
  Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
  Jun 6 10:28:08.287: X-CSTP-MTU: 1406
  Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
  Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
  Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
  Jun 6 10:28:08.287:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
  Jun 6 10:28:08.291: WV: server side not ready to send.
  SSLVPN sock pid 182 sid 161: closing

• SSL VPN and Dynamic DNS - ddns on IOS

  Hello,
  I'm trying to configure a SSL VPN tunnel via SDM on a 877 Router. The router gets the public IP address dynamically from the ISP, so I have configured the DDNS to access remotely to the router. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM o CLI.
  Regards
  Gerard

  Seems like i have fixed the problem using:
  webvpn gateway gateway_1
  ip interface Dialer0 port 443
  ssl trustpoint local
  inservice
  However when the router is rebooted, it results in this error:
  Invalid ip address First configure an IP address for the gateway
  Any idea how to delay the webvpn commands at startup until dialer0 gets a dynamic IP ?

• IP phone SSL VPN configuration issue

  Hello,
  I am trying to configure the SSL VPN for the IP phone.
  I am using the CM8.0.2 and 7975.
  - I configured ASA and tested with my PC. PC can ping the CM.
  - I uploaded the ASA cert as a Phone-VPN-trust
  - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
  - I created a VPN gateway and typed URL and selected the cert
  - I created the VPN group and added the VPN gateway to it.
  - I created the VPN profile and added the VPN group to it.
  - I disabled the Host ID check
  - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
  When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
  What is missing? What am I doing wrong?

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• SSL VPN message "This (client) machine does not have the web access privilege."

  Hello!
  I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
  enable password xxxxxxxx
  aaa new-model
  aaa authentication login userAuthen local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authorization network groupauthor local
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1279712955
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1279712955
  revocation-check none
  rsakeypair TP-self-signed-1279712955
  crypto pki certificate chain TP-self-signed-1279712955
  certificate self-signed 01
    3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
    33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
    31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
    A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
    649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
    9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
    B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
    551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
    11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
    ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
    48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
    265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
    7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
    495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
     quit
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 192.168.0.1 192.168.0.10
  ip dhcp pool myPOOL
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 87.216.1.65 87.216.1.66
  ip cef
  ip name-server 87.216.1.65
  ip name-server 87.216.1.66
  ip ddns update method mydyndnsupdate
  HTTP
    add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  interval maximum 1 0 0 0
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group pppoe
  request-dialin
    protocol pppoe
  username cisco privilege 15 password 0 xxxxxxxx
  crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp fragmentation
  crypto isakmp client configuration group vpnclient
  key cisco123
  domain selfip.net
  pool ippool
  acl 110
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map clientmap client authentication list userAuthen
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  archive
  log config
    hidekeys
  interface Loopback0
  ip address 10.11.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Loopback2
  description SSL VPN Website IP address
  ip address 10.10.10.1 255.255.255.0
  interface Loopback1
  description SSL DHCP Pool Gateway Address
  ip address 192.168.250.1 255.255.255.0
  interface FastEthernet0
  description $ES_LAN$
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  interface FastEthernet1
  interface FastEthernet2
  switchport access vlan 2
  interface FastEthernet3
  interface FastEthernet4
  interface FastEthernet5
  interface FastEthernet6
  interface FastEthernet7
  interface FastEthernet8
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  bundle-enable
  dsl operating-mode auto
  interface Vlan1
  no ip address
  interface Dialer1
  ip ddns update hostname myserver.selfip.net
  ip ddns update mydyndnsupdate host members.dyndns.org
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip policy route-map VPN-Client
  dialer pool 1
  ppp chap hostname xxx
  ppp chap password 0 xxxx
  ppp pap sent-username xxx password 0 xxxx
  crypto map clientmap
  ip local pool ippool 192.168.50.100 192.168.50.200
  ip local pool sslvpnpool 192.168.250.2 192.168.250.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
  ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
  ip nat inside source list 102 interface Dialer1 overload
  ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
  ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
  access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 102 permit ip 192.168.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 144 permit ip 192.168.50.0 0.0.0.255 any
  route-map VPN-Client permit 10
  match ip address 144
  set ip next-hop 10.11.0.2
  control-plane
  banner motd ^C
  ================================================================
                  UNAUTHORISED ACCESS IS PROHIBITED!!!
  =================================================================
  ^C
  line con 0
  line aux 0
  line vty 0 4
  password mypassword
  transport input telnet ssh
  webvpn gateway MyGateway
  ip address 10.10.10.1 port 443 
  http-redirect port 80
  ssl trustpoint TP-self-signed-1279712955
  inservice
  webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context SecureMeContext
  title "My SSL VPN Service"
  secondary-color #C0C0C0
  title-color #808080
  ssl authenticate verify all
  url-list "MyServers"
     heading "My Intranet"
     url-text "Cisco" url-value "http://192.168.0.2"
     url-text "NetGear" url-value "http://192.168.0.3"
  login-message "Welcome to My VPN"
  policy group MyDefaultPolicy
     url-list "MyServers"
     functions svc-enabled
     svc address-pool "sslvpnpool"
     svc keep-client-installed
  default-group-policy MyDefaultPolicy
  aaa authentication list userAuthen
  gateway MyGateway domain testvpn
  max-users 100
  csd enable
  inservice
  end
  Thank you!

  Hi,
  Please check SAP note:
  2004579 - You cannot create a FR company from a Package
  Thanks & Regards,
  Nagarajan

• ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

  Hi there, please forgive if I have missed any forum protocols as this is my first post.
  I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
  Inside              192.168.1.254/24
  Outside           dhcp
  VPN Pool        192.168.250.1-50/24
  Inside LAN     192.168.1.0/24
  : Saved
  ASA Version 8.4(4)1
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface GigabitEthernet0/1
  nameif inside
  security-level 99
  ip address 192.168.1.254 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 99
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name dock.local
  same-security-traffic permit inter-interface
  object network inside-network-object
  subnet 192.168.1.0 255.255.255.0
  object network management-network-object
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.250.0_25
  subnet 192.168.250.0 255.255.255.128
  object-group network AllInside-networks
  network-object object inside-network-object
  network-object object management-network-object
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
  access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic AllInside-networks interface
  nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 4433
  http 192.168.100.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 192.168.100.0 255.255.255.0 management
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_anyconnect internal
  group-policy GroupPolicy_anyconnect attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client ssl-clientless
  split-tunnel-policy tunnelall
  split-tunnel-network-list value split_tunnel
  default-domain value dock.local
  username test password JAasdf434ey521ZCT encrypted privilege 15
  tunnel-group anyconnect type remote-access
  tunnel-group anyconnect general-attributes
  address-pool vpn_pool
  default-group-policy GroupPolicy_anyconnect
  tunnel-group anyconnect webvpn-attributes
  group-alias anyconnect enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:24bcba3c4124ab371297d52260135924
  : end :

  : Saved
  ASA Version 8.4(4)1
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface GigabitEthernet0/1
  nameif inside
  security-level 99
  ip address 192.168.1.254 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 99
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name dock.local
  same-security-traffic permit inter-interface
  object network inside-network-object
  subnet 192.168.1.0 255.255.255.0
  object network management-network-object
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.250.0_25
  subnet 192.168.250.0 255.255.255.0
  object-group network AllInside-networks
  network-object object inside-network-object
  network-object object management-network-object
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
  access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic AllInside-networks interface
  nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
  nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.100.2 255.255.255.255 management
  http 192.168.100.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 192.168.100.0 255.255.255.0 management
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_Anyconnect_VPN internal
  group-policy GroupPolicy_Anyconnect_VPN attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelall
  split-tunnel-network-list value split_tunnel
  default-domain value dock.local
  username sander password f/J.5nLef/EqyPfy encrypted
  username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
  tunnel-group Anyconnect_VPN type remote-access
  tunnel-group Anyconnect_VPN general-attributes
  address-pool Anyconnect-pool
  default-group-policy GroupPolicy_Anyconnect_VPN
  tunnel-group Anyconnect_VPN webvpn-attributes
  group-alias Anyconnect_VPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
  : end:

• SSL VPN Full Tunnel - Not Reliable

  We have been trying to deploy SSL VPN on a 3825 router running 12.4.20T2 with Anyconnect V2.2.0140. It works normally for a few days, then begins to fail in different ways. First, the users do not get the login screen from the Web access. This can be reset by stopping and starting the service. However, now I get fully connected and in a single session, sometimes I can access network resources and sometimes I can't (comes and goes to various parts of the network). I know if I reboot the router, everything will be fine for a few days. I also run Client VPN on this same router and it is very stable. Whenever I call TAC, the first question I get is "Do you have an ASA that you can run SSL VPN on?", and everytime I ask if they know something about the reliability of SSL VPN on IOS. They always say "it should work".
  I guess what I am asking is, are there known reliability issues with full tunnel SSL VPN on IOS? Or, if anyone else has seen these kinds of problems and found solutions? Thanks!

  Please enable the following command and then try to connect:
  ip inspect log drop-pkt
  If I am not overlooking at the configuration, it seems to be ok, so I would like to check ZBF.
  Please check the logs generated by the Router and let me know if you see anything related to your connection.
  Thanks.
  Portu.

• Why does SSL VPN require client for full functionality?So What's the point?

  I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
  However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case from other vendors, right?) SSL VPN offers limited functionality if deployed clientless. Why is like that?
  Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless) what lack in functionality should I experience? Why a VPN client is required if SSL VPN can successfully establish the tunnel? I don't get it.
  "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

  Hi,
  Clientless SSL VPN only able to access application through browser (i.e. HTTP and HTTPS). If you need to acces other application like RDC, you need full SSL client.
  Full SSL Client is deployed automatically depends on how you configure the SSL VPN box (temporary or permanently);
  1. From the SSL VPN box, you can configure it to download and be installed to user PC permanently (500KB+). When the user successfully authenticated by the SSL VNP box, it will download the client and install automatically/permanently without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  2. From the SSL VPN box, you can configure it to download and be installed to user PC temporary (500KB+). When the user successfully authenticated by the SSL VPN box, it will download the client and install temporary without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  In one of my deployment, I have 1000+ SSL VPN user. I just need to create a 10 page User Manual/Guide complete with troubleshooting on their own. I use the first option which is automatically download and permanently install in their PC. Patching the SSL VPN Full Client need to upload the new client in the SSL VPN box only and it will automatically patch the client in user PC.
  Dandy

• No SSL VPN tunnel from AnyConnect to IOS

  Dear all
  Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
  But I simply cannot make it work.
  I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
  Here is my configuration on the router:
  crypto pki trustpoint TP-self-signed-595019360
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-595019360
  revocation-check none
  rsakeypair TP-self-signed-595019360
  crypto pki certificate chain TP-self-signed-595019360
  certificate self-signed 01
    3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  [......skipped....]
  interface Loopback123
  ip address 192.168.123.254 255.255.255.0
  ip local pool GS-POOL 192.168.123.1 192.168.123.10
  webvpn gateway GS-GW
  hostname GS-VPN-test
  ip address x.x.x.x port 443
  ssl trustpoint TP-self-signed-595019360
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context GS-CONTEXT
  ssl authenticate verify all
  policy group GS-POLICY
     functions svc-required
     svc address-pool "GS-POOL"
  default-group-policy GS-POLICY
  gateway GS-GW
  inservice
  These are my debug settings:
  #sh debug
  WebVPN Subsystem:
    WebVPN (verbose) debugging is on
    debug webvpn entry GS-CONTEXT
    WebVPN HTTP (verbose) debugging is on
    WebVPN AAA debugging is on
    WebVPN tunnel (verbose) debugging is on
    WebVPN Single Sign On debugging is on
  And these are all debug messages I get upon incoming connection:
  Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
  At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
  Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
  buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
  Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
  buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
  At this point the Anyconnect client says "Connection attempt failed" and that's all.
  So please, any advice how to solve this?
  And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
  Thanks a lot for any suggestions,
  Grischa

  Some more restrictions:
  12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
  In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
  CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
  In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
  If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
  hth
  Herbert

• IOS SSL VPN

  hi all,
  i've been trying to setup an SSL VPN on my 1841 lab router but with no luck. i tried both clientless (anyconnect 2.5) and using a vpn client (anyconnect 3.0).
  i'm using a win 7 PC with IP 172.16.1.50 directly connected to 1841 FE0/1 port. tried disabling PC FW, used both IE and FF and delete cookes but to no avail. below are my config and some show and debug output. could someone advise if my config is ok and what other steps i should take? thanks in advance!
  SSL_VPN_GW#show webvpn gateway
  Gateway Name                       Admin  Operation
  SSL_VPN_GW                         up     up
  SSL_VPN_GW#show webvpn context
  Codes: AS - Admin Status, OS - Operation Status
         VHost - Virtual Host
  Context Name        Gateway  Domain/VHost      VRF      AS    OS
  SSL_VPN_CONTEXT     SSL_VPN_ -                 -        up    up
  SSL_VPN_GW#debug webvpn
  WebVPN debugs debugging is on
  SSL_VPN_GW#
  Jan 27 03:19:56.691: SSLVPN: [Q]Client side Chunk data written..
  buffer=0x649035B8 total_len=2033 bytes=2033 tcb=0x642479E8
  Jan 27 03:19:56.691: SSLVPN: Client side Chunk data written..
  buffer=0x64903598 total_len=1121 bytes=1121 tcb=0x642479E8
  Jan 27 03:19:56.691: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:21:15.711: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:15.715: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:21:20.775: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x649035D8, data: 0xE7201D98, len: 1,
            offset: 0, domain: 0)
  Jan 27 03:21:20.779: SSLVPN: Fragmented App data - buffered
  Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x64903598, data: 0xE75C0BB8, len: 483,
            offset: 0, domain: 0)
  Jan 27 03:21:20.779: SSLVPN: Appl. processing Failed : 2
  Jan 27 03:21:20.779: SSLVPN: server side not ready to send.
  SSL_VPN_GW#
  Jan 27 03:21:50.879: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.883: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.887: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x64903598, data: 0xE75BD6B8, len: 1,
            offset: 0, domain: 0)
  Jan 27 03:21:50.887: SSLVPN: Fragmented App data - buffered
  Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 483,
            offset: 0, domain: 0)
  Jan 27 03:21:50.887: SSLVPN: Appl. processing Failed : 2
  SSL_VPN_GW#
  Jan 27 03:21:50.887: SSLVPN: server side not ready to send.
  SSL_VPN_GW#
  Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:22:21.791: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.795: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.799: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.799: SSLVPN: Entering APPL with Context: 0x64703988,
            Data buffer(buffer: 0x649035D8, data: 0xE7204718, len: 426,
            offset: 0, domain: 0)
  Jan 27 03:22:21.799: SSLVPN: Appl. processing Failed : 2
  Jan 27 03:22:21.799: SSLVPN: server side not ready to send.
  Jan 27 03:22:22.599: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:22.603: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:22:23.691: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.695: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.699: SSLVPN: Entering APPL with Context: 0x64703B70,
            Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 147,
            offset: 0, domain: 0)
  Jan 27 03:22:23.699: SSLVPN: http request: / with no cookie
  Jan 27 03:22:23.699: SSLVPN: Client side Chunk data written..
  buffer=0x64903598 total_len=196 bytes=196 tcb=0x642DA46C
  Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.811: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.815: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.927: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.931: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.935: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.935: SSLVPN: Entering APPL with Context: 0x64703F40,
            Data buffer(buffer: 0x649035D8, data: 0xE7204A58, len: 200,
            offset: 0, domain: 0)
  Jan 27 03:22:23.935: SSLVPN: http request: /webvpn.html with domain cookie
  SSL_VPN_GW#
  Jan 27 03:22:23.939: SSLVPN: [Q]Client side Chunk data written..
  buffer=0x64903598 total_len=2033 bytes=2033 tcb=0x640B5608
  Jan 27 03:22:23.939: SSLVPN: Client side Chunk data written..
  buffer=0x649035B8 total_len=1121 bytes=1121 tcb=0x640B5608
  Jan 27 03:22:23.939: SSLVPN: sslvpn process rcvd context queue event
  AnyConnect v3.0.0629
  [Sun Jan 27 11:46:15 2013] Contacting 172.16.1.254.
  [Sun Jan 27 11:46:38 2013] Connection attempt has failed.
  [Sun Jan 27 11:48:52 2013] Contacting 172.16.1.254.
  [Sun Jan 27 11:49:06 2013] Connection attempt has failed.
  [Sun Jan 27 11:52:16 2013] Network error. Unable to lookup host names.
  [Sun Jan 27 11:52:46 2013] Verify your network connection.
  [Sun Jan 27 11:52:53 2013] Network error. Unable to lookup host names.
  [Sun Jan 27 11:53:23 2013] Verify your network connection.
  SSL_VPN_GW#sh run
  Building configuration...
  Current configuration : 3203 bytes
  ! Last configuration change at 03:19:18 UTC Sun Jan 27 2013
  ! NVRAM config last updated at 02:52:22 UTC Sun Jan 27 2013
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname SSL_VPN_GW
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login SSL_VPN_AUTHENTICATION local
  aaa session-id common
  resource policy
  ip cef
  ip name-server 172.16.1.254
  crypto pki trustpoint TP-self-signed-514137430
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-514137430
  revocation-check none
  rsakeypair TP-self-signed-514137430
  crypto pki certificate chain TP-self-signed-514137430
  certificate self-signed 02
    30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 35313431 33373433 30301E17 0D313330 31323730 32353232
    325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 34313337
    34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    BDB083BB AC2D3D47 E76A38C2 3CFE97F6 A70B07B6 3BC9EE89 D261AB83 EE78F03C
    E9719CB5 128C16F9 3AD658A5 49B3A220 1170C75C A15A5EA8 4FCBF4E4 42DF67B0
    9B78BCDB 29C92794 9C932933 C978BB97 7F7B0B8C 19A37C14 B35B1937 415FA79E
    EE9D39B2 AFCF3502 1C8241E2 A6EF9369 AD02BD5F 7556030C 2B7B579F 659F433F
    02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D
    11040E30 0C820A53 534C5F56 504E5F47 57301F06 03551D23 04183016 8014FBF5
    F3C6F2E1 1CFB888B BE2736A7 5151480C FCEB301D 0603551D 0E041604 14FBF5F3
    C6F2E11C FB888BBE 2736A751 51480CFC EB300D06 092A8648 86F70D01 01040500
    03818100 B85ECA67 B6302EFA A7E31A65 96836F44 F3AA3336 3580F231 E9C3BA4C
    2802EEE8 AADDFA1D BF4BB36A C21FCE3D 0960284E F58AD227 3FA9F1A0 CDF48A28
    9C1CE5BC EF3449D0 D3E8CC9C 7EDB7CFE 193477E0 4407E5F8 B7956546 2F4E5D61
    5E542E6D 8A242B33 C21C77BF 2BB9E366 E80DD4F0 7937FBC4 51D6E258 13157D13 870097BE
    quit
  username vpnuser password 0 cisco123
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 172.16.1.254 255.255.255.0
  duplex auto
  speed auto
  ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150
  ip http server
  ip http secure-server
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSL_VPN_GW
  ip address 172.16.1.254 port 443
  http-redirect port 80
  ssl encryption 3des-sha1 aes-sha1
  ssl trustpoint TP-self-signed-514137430
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSL_VPN_CONTEXT
  ssl authenticate verify all
  policy group SSL_VPN_POLICY
     functions svc-enabled
     banner "Welcom to SSL VPN Lab"
     svc address-pool "SSL_VPN_POOL"
     svc keep-client-installed
  default-group-policy SSL_VPN_POLICY
  aaa authentication list SSL_VPN_AUTHENTICATION
  gateway SSL_VPN_GW
  inservice
  end

  just an update, when i tried a different encryption under the webvpn gateway config it seemed to work (clientless).
  i guess my windows 7 machine doesn't like the stronger encryption types.
  SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
  SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M

  Dear Community,
  I have a strange issue that I am hoping some of you will be able to assist with.
  I am running an environment with the following specifications
  Cisco ISR G2 2901 with IOS 15.3.3M
  Security Licence enabled
  Data Licence enabled
  VPN Licence enabled
  Cisco ISR G2 2951 with IOS 15.3.3M
  Security Licence enabled
  Data Licence enabled
  SM with ESX server.
  Desktop Environment
  Windows XP SP3
  Internet Explorer 8
  Desktop Environment 2
  Windows 8
  Internet Explorer 10
  I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
  This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
  PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
  If anyone can assit me here it would really make my day.
  Thanks,
  Will

  Can anyone help with this ?

• Cisco IOS SSL VPN Not Working - Internet Explorer

  Hi All,
  I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
  Below is the config snippet:
  username vpntest password XXXXX
  aaa authentication login default local
  crypto pki trustpoint TP-self-signed-1873082433
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1873082433
  revocation-check none
  rsakeypair TP-self-signed-1873082433
  crypto pki certificate chain TP-self-signed-1873082433
  certificate self-signed 01
  --- omitted ---
          quit
  webvpn gateway SSLVPN
  hostname Router
  ip address X.X.X.X port 443 
  ssl encryption aes-sha1
  ssl trustpoint TP-self-signed-1873082433
  inservice
  webvpn context SSLVPN
  title "Blah Blah"
  ssl authenticate verify all
  login-message "Enter the magic words..."
  port-forward "PortForwardList"
     local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
  policy group SSL-Policy
     port-forward "PortForwardList" auto-download
  default-group-policy SSL-Policy
  gateway SSLVPN
  max-users 3
  inservice
  I've tried:
  *Enabling SSL 2.0 in IE
  *Adding the site to the Trusted Sites in IE
  *Adding it to the list of sites allowed to use Cookies
  At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
  Thanks

  Hi,
  I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
  Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

• VPN: Configuration loses SSL certificate

  Hi there,
  *The challenge.*
  I'd like to conncet to our VPN netzwork with my MacBook Pro.
  In my network configuration I choose my SSL certificate.
  *The problem*
  Each time i try to connect, i get stucked at the "identification" (Normaly i should get this "trust certificate dialog".
  Having again a look into my network configuration the SSL certificate isnt select anymore.
  *Please help!*
  +// The SSL certificate passes severals tests on my windows-machine.+
  Please help.

  Not enough information, such as what VPN software you are using. For VPN issues, it almost always ends up that resolving the issue involves consulting with whomever manages the VPN.