IOS SSL VPN application issues

Similar Messages

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• Cisco IOS SSL VPN Not Working - Internet Explorer

  Hi All,
  I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
  Below is the config snippet:
  username vpntest password XXXXX
  aaa authentication login default local
  crypto pki trustpoint TP-self-signed-1873082433
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1873082433
  revocation-check none
  rsakeypair TP-self-signed-1873082433
  crypto pki certificate chain TP-self-signed-1873082433
  certificate self-signed 01
  --- omitted ---
          quit
  webvpn gateway SSLVPN
  hostname Router
  ip address X.X.X.X port 443 
  ssl encryption aes-sha1
  ssl trustpoint TP-self-signed-1873082433
  inservice
  webvpn context SSLVPN
  title "Blah Blah"
  ssl authenticate verify all
  login-message "Enter the magic words..."
  port-forward "PortForwardList"
     local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
  policy group SSL-Policy
     port-forward "PortForwardList" auto-download
  default-group-policy SSL-Policy
  gateway SSLVPN
  max-users 3
  inservice
  I've tried:
  *Enabling SSL 2.0 in IE
  *Adding the site to the Trusted Sites in IE
  *Adding it to the list of sites allowed to use Cookies
  At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
  Thanks

  Hi,
  I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
  Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

• SSL VPN Connection Issue

  Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
  *************Equipment/Software
  Cisco 2851 Router Version 15.4(M9) Software
  anyconnect-win-3.1.07021-k9.pkg
  *************Configuration
  ip local pool webvpn1 172.16.100.80 172.16.100.90
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip access-list extended webvpn-acl
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
  webvpn gateway CCIELAB
   hostname Porshe_GT3
   ip interface GigabitEthernet0/0 port 443
   http-redirect port 80
   ssl trustpoint my-sslvpn-ca
   inservice
  webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
  webvpn context CCIELab
   title "Networking Lab"
   ssl authenticate verify all
   login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
   policy group Labrats
     functions svc-enabled
     banner "Success, You Made It"
     filter tunnel webvpn-acl
     svc address-pool "webvpn1" netmask 255.255.255.0
     svc keep-client-installed
     svc rekey method new-tunnel
     svc split include 172.16.100.0 255.255.255.0
   default-group-policy Labrats
   aaa authentication list webvpn
   gateway CCIELAB
   inservice
  *********************Debugs
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
  *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
  *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *********************Verification
  Porshe_GT3#show webvpn policy group Labrats context all
  WEBVPN: group policy = Labrats ; context = CCIELab
        banner = "Success, You Made It"
        idle timeout = 2100 sec
        session timeout = Disabled
        functions = 
                  svc-enabled 
        citrix disabled
        address pool name = "webvpn1"
        netmask = 255.255.255.0
        tunnel-mode filter = "webvpn-acl"
        dpd client timeout = 300 sec
        dpd gateway timeout = 300 sec
        keepalive interval = 30 sec
        SSLVPN Full Tunnel mtu size = 1406 bytes
        keep sslvpn client installed = enabled
        rekey interval = 3600 sec
        rekey method = new-tunnel 
        lease duration = 43200 sec
        split include = 172.16.100.0 255.255.255.0

  The problem is related to either of these issues:
  Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  Fragmentation policy during encryption
  Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

• IOS SSL VPN problem

  I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
  The error on the router is:
  Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
  Jun 5 16:07:55.755: WV: server side not ready to send.
  The following is the configuration:
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context vpn1
  ssl authenticate verify all
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  policy group vpn1
  url-list "eng"
  default-group-policy vpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context vpn2
  ssl authenticate verify all
  policy group vpn2tunnel
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc split include 10.0.0.2 255.255.255.255
  default-group-policy vpn2tunnel
  gateway ISR2801-RM domain tunnel
  inservice

  Thanks for the reply !!!!
  the configation is the following:
  interface Ethernet 0
  ip address 10.0.0.128 255.255.255.0
  ip http secure-server
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  ssl encryption aes-sha1
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context context-sslvpn1
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn1/
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  nbns-list cifs-servers
  nbns-server 172.16.1.1 master
  nbns-server 172.16.2.2 timeout 10 retries 5
  nbns-server 172.16.3.3 timeout 10 retries 5
  login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
  this device are logged and violations of this policy may result in disciplinary action."
  port-forward "portlist"
  local-port 30019 remote-server ssh-server remote-port 22 description SSH
  local-port 30020 remote-server mailserver remote-port 143 description IMAP
  local-port 30021 remote-server mailserver remote-port 110 description POP3
  local-port 30022 remote-server mailserver remote-port 25 description SMTP
  policy group policy-sslvpn1
  url-list "eng"
  port-forward "portlist"
  nbns-list "cifs-servers"
  functions file-access
  functions file-browse
  functions file-entry
  citrix enabled
  default-group-policy policy-sslvpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context context-sslvpn2
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn2/
  policy group policy-sslvpn2
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc dpd-interval client 300
  svc rekey method new-tunnel
  svc rekey time 3600
  svc split include 10.0.0.0 255.255.255.0
  svc default-domain cisco.com
  svc dns-server primary 192.168.3.1
  svc dns-server secondary 192.168.4.1
  default-group-policy policy-sslvpn2
  gateway ISR2801-RM domain tunnel
  inservice
  ISR2801-RM#show webvpn install status svc
  SSLVPN Package SSL-VPN-Client version installed:
  CISCO STC win2k+
  2,2,0133
  Mon 05/19/2008 12:58:52.34 v
  ISR2801-RM#
  WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client
  https://1.2.3.4/tunnel
  * the ssl client installed on the pc tell me can't connect.
  * on the router the log:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
  Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
  offset: 0, domain: 0)
  Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
  Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
  Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
  Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
  Jun 6 10:28:08.287: X-CSTP-Version: 1
  Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
  Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
  Jun 6 10:28:08.287: X-CSTP-MTU: 1406
  Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
  Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
  Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
  Jun 6 10:28:08.287:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
  Jun 6 10:28:08.291: WV: server side not ready to send.
  SSLVPN sock pid 182 sid 161: closing

• IOS SSL VPN

  hi all,
  i've been trying to setup an SSL VPN on my 1841 lab router but with no luck. i tried both clientless (anyconnect 2.5) and using a vpn client (anyconnect 3.0).
  i'm using a win 7 PC with IP 172.16.1.50 directly connected to 1841 FE0/1 port. tried disabling PC FW, used both IE and FF and delete cookes but to no avail. below are my config and some show and debug output. could someone advise if my config is ok and what other steps i should take? thanks in advance!
  SSL_VPN_GW#show webvpn gateway
  Gateway Name                       Admin  Operation
  SSL_VPN_GW                         up     up
  SSL_VPN_GW#show webvpn context
  Codes: AS - Admin Status, OS - Operation Status
         VHost - Virtual Host
  Context Name        Gateway  Domain/VHost      VRF      AS    OS
  SSL_VPN_CONTEXT     SSL_VPN_ -                 -        up    up
  SSL_VPN_GW#debug webvpn
  WebVPN debugs debugging is on
  SSL_VPN_GW#
  Jan 27 03:19:56.691: SSLVPN: [Q]Client side Chunk data written..
  buffer=0x649035B8 total_len=2033 bytes=2033 tcb=0x642479E8
  Jan 27 03:19:56.691: SSLVPN: Client side Chunk data written..
  buffer=0x64903598 total_len=1121 bytes=1121 tcb=0x642479E8
  Jan 27 03:19:56.691: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:21:15.711: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:15.715: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:21:20.775: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x649035D8, data: 0xE7201D98, len: 1,
            offset: 0, domain: 0)
  Jan 27 03:21:20.779: SSLVPN: Fragmented App data - buffered
  Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x64903598, data: 0xE75C0BB8, len: 483,
            offset: 0, domain: 0)
  Jan 27 03:21:20.779: SSLVPN: Appl. processing Failed : 2
  Jan 27 03:21:20.779: SSLVPN: server side not ready to send.
  SSL_VPN_GW#
  Jan 27 03:21:50.879: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.883: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.887: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x64903598, data: 0xE75BD6B8, len: 1,
            offset: 0, domain: 0)
  Jan 27 03:21:50.887: SSLVPN: Fragmented App data - buffered
  Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
            Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 483,
            offset: 0, domain: 0)
  Jan 27 03:21:50.887: SSLVPN: Appl. processing Failed : 2
  SSL_VPN_GW#
  Jan 27 03:21:50.887: SSLVPN: server side not ready to send.
  SSL_VPN_GW#
  Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:22:21.791: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.795: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.799: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:21.799: SSLVPN: Entering APPL with Context: 0x64703988,
            Data buffer(buffer: 0x649035D8, data: 0xE7204718, len: 426,
            offset: 0, domain: 0)
  Jan 27 03:22:21.799: SSLVPN: Appl. processing Failed : 2
  Jan 27 03:22:21.799: SSLVPN: server side not ready to send.
  Jan 27 03:22:22.599: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:22.603: SSLVPN: sslvpn process rcvd context queue event
  SSL_VPN_GW#
  Jan 27 03:22:23.691: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.695: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.699: SSLVPN: Entering APPL with Context: 0x64703B70,
            Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 147,
            offset: 0, domain: 0)
  Jan 27 03:22:23.699: SSLVPN: http request: / with no cookie
  Jan 27 03:22:23.699: SSLVPN: Client side Chunk data written..
  buffer=0x64903598 total_len=196 bytes=196 tcb=0x642DA46C
  Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.811: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.815: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.927: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.931: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.935: SSLVPN: sslvpn process rcvd context queue event
  Jan 27 03:22:23.935: SSLVPN: Entering APPL with Context: 0x64703F40,
            Data buffer(buffer: 0x649035D8, data: 0xE7204A58, len: 200,
            offset: 0, domain: 0)
  Jan 27 03:22:23.935: SSLVPN: http request: /webvpn.html with domain cookie
  SSL_VPN_GW#
  Jan 27 03:22:23.939: SSLVPN: [Q]Client side Chunk data written..
  buffer=0x64903598 total_len=2033 bytes=2033 tcb=0x640B5608
  Jan 27 03:22:23.939: SSLVPN: Client side Chunk data written..
  buffer=0x649035B8 total_len=1121 bytes=1121 tcb=0x640B5608
  Jan 27 03:22:23.939: SSLVPN: sslvpn process rcvd context queue event
  AnyConnect v3.0.0629
  [Sun Jan 27 11:46:15 2013] Contacting 172.16.1.254.
  [Sun Jan 27 11:46:38 2013] Connection attempt has failed.
  [Sun Jan 27 11:48:52 2013] Contacting 172.16.1.254.
  [Sun Jan 27 11:49:06 2013] Connection attempt has failed.
  [Sun Jan 27 11:52:16 2013] Network error. Unable to lookup host names.
  [Sun Jan 27 11:52:46 2013] Verify your network connection.
  [Sun Jan 27 11:52:53 2013] Network error. Unable to lookup host names.
  [Sun Jan 27 11:53:23 2013] Verify your network connection.
  SSL_VPN_GW#sh run
  Building configuration...
  Current configuration : 3203 bytes
  ! Last configuration change at 03:19:18 UTC Sun Jan 27 2013
  ! NVRAM config last updated at 02:52:22 UTC Sun Jan 27 2013
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname SSL_VPN_GW
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login SSL_VPN_AUTHENTICATION local
  aaa session-id common
  resource policy
  ip cef
  ip name-server 172.16.1.254
  crypto pki trustpoint TP-self-signed-514137430
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-514137430
  revocation-check none
  rsakeypair TP-self-signed-514137430
  crypto pki certificate chain TP-self-signed-514137430
  certificate self-signed 02
    30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 35313431 33373433 30301E17 0D313330 31323730 32353232
    325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 34313337
    34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    BDB083BB AC2D3D47 E76A38C2 3CFE97F6 A70B07B6 3BC9EE89 D261AB83 EE78F03C
    E9719CB5 128C16F9 3AD658A5 49B3A220 1170C75C A15A5EA8 4FCBF4E4 42DF67B0
    9B78BCDB 29C92794 9C932933 C978BB97 7F7B0B8C 19A37C14 B35B1937 415FA79E
    EE9D39B2 AFCF3502 1C8241E2 A6EF9369 AD02BD5F 7556030C 2B7B579F 659F433F
    02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D
    11040E30 0C820A53 534C5F56 504E5F47 57301F06 03551D23 04183016 8014FBF5
    F3C6F2E1 1CFB888B BE2736A7 5151480C FCEB301D 0603551D 0E041604 14FBF5F3
    C6F2E11C FB888BBE 2736A751 51480CFC EB300D06 092A8648 86F70D01 01040500
    03818100 B85ECA67 B6302EFA A7E31A65 96836F44 F3AA3336 3580F231 E9C3BA4C
    2802EEE8 AADDFA1D BF4BB36A C21FCE3D 0960284E F58AD227 3FA9F1A0 CDF48A28
    9C1CE5BC EF3449D0 D3E8CC9C 7EDB7CFE 193477E0 4407E5F8 B7956546 2F4E5D61
    5E542E6D 8A242B33 C21C77BF 2BB9E366 E80DD4F0 7937FBC4 51D6E258 13157D13 870097BE
    quit
  username vpnuser password 0 cisco123
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 172.16.1.254 255.255.255.0
  duplex auto
  speed auto
  ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150
  ip http server
  ip http secure-server
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSL_VPN_GW
  ip address 172.16.1.254 port 443
  http-redirect port 80
  ssl encryption 3des-sha1 aes-sha1
  ssl trustpoint TP-self-signed-514137430
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSL_VPN_CONTEXT
  ssl authenticate verify all
  policy group SSL_VPN_POLICY
     functions svc-enabled
     banner "Welcom to SSL VPN Lab"
     svc address-pool "SSL_VPN_POOL"
     svc keep-client-installed
  default-group-policy SSL_VPN_POLICY
  aaa authentication list SSL_VPN_AUTHENTICATION
  gateway SSL_VPN_GW
  inservice
  end

  just an update, when i tried a different encryption under the webvpn gateway config it seemed to work (clientless).
  i guess my windows 7 machine doesn't like the stronger encryption types.
  SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
  SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5

• IP Phone Over SSL VPN Registering Issue

  I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

  Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
  Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
  If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

• IP phone SSL VPN configuration issue

  Hello,
  I am trying to configure the SSL VPN for the IP phone.
  I am using the CM8.0.2 and 7975.
  - I configured ASA and tested with my PC. PC can ping the CM.
  - I uploaded the ASA cert as a Phone-VPN-trust
  - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
  - I created a VPN gateway and typed URL and selected the cert
  - I created the VPN group and added the VPN gateway to it.
  - I created the VPN profile and added the VPN group to it.
  - I disabled the Host ID check
  - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
  When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
  What is missing? What am I doing wrong?

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IOS SSL VPN WITH RADIUS Authorization

  Hi
  I'm trying to authenitcate and authorize  the users loggining into SSLVPN via ACS and although the ACS loggs and "TEST" command on the router shw succeeful authentication i receive the flollowing debug
  *Jun  6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
  Rack1R1(config)#                          
  *Jun  6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
  Rack1R1(config)#                          
  *Jun  6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
  *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
  *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  *Jun  6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
  *Jun  6 22:40:21.409: RADIUS(00000000): sending
  *Jun  6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
  *Jun  6 22:40:21.409: RADIUS:  authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
  *Jun  6 22:40:21.409: RADIUS:  User-Name           [1]   16  "SSLUSER@SSLVPN"
  Rack1R1(config)#                          
  *Jun  6 22:40:21.409: RADIUS:  User-Password       [2]   18  *
  *Jun  6 22:40:21.409: RADIUS:  NAS-IP-Address      [4]   6   150.1.1.1                
  *Jun  6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
  *Jun  6 22:40:21.669: RADIUS:  authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
  *Jun  6 22:40:21.669: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255          
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  28 
  *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22  "webvpn:svc-enabled=1"
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  29 
  *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23  "webvpn:svc-required=1"
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  50 
  *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44  "webvpn:split-include=6.6.6.0 255.255.255.0"
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  35 
  *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29  "webvpn:keep-svc-installed=1"
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  31 
  *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25  "webvpn:addr-pool=SSLVPN"
  *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  41 
  *Jun  6 22:40:21.669: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
  *Jun  6 22:40:21.669: RADIUS:  Class               [25]  36 
  *Jun  6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30  [CACS:0/470/96010]
  *Jun  6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56  [101/SSLUSER@SSLV]
  *Jun  6 22:40:21.669: RADIUS:   50 4E                                            [PN]
  *Jun  6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
  *Jun  6 22:40:21.673: RADIUS(00000000): Unique id not in use
  Rack1R1(config)#                          
  *Jun  6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
  *Jun  6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
  Rack1R1(config)#                          
  *Jun  6 22:40:23.673: WV-AAA: AAA Authentication Failed!
  Rack1R1(config)#                          
  *Jun  6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
  Rack1R1(config)# 
  router Configuration
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Rack1R1
  boot-start-marker
  boot-end-marker
  ! card type command needed for slot/vwic-slot 0/1
  logging message-counter syslog
  enable password cisco
  aaa new-model
  aaa authentication login RAD group radius
  aaa authorization network RAD group radius
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  no ip domain lookup
  ip domain name INE.com
  ip host cisco.com 136.1.121.1
  ip host www.cisco.com 136.1.121.1
  ip host www.google.com 136.1.121.1
  ip host www.ripe.net 136.1.121.1
  no ipv6 cef
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-3354934498
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3354934498
  revocation-check none
  rsakeypair TP-self-signed-3354934498
  crypto pki certificate chain TP-self-signed-3354934498
  certificate self-signed 01
    30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33333534 39333434 3938301E 170D3132 30363036 31333030
    32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353439
    33343439 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100B1E5 889BEB9A 31DFC0D4 7C7F698F 0F52E404 0849263A BD443A96 13C6A440
    DCBD4345 EF301E91 0D4AADD9 3C2A17F2 E26E5E96 90F96809 D8FCCF32 7EB58100
    74E4772C 6395E03C 1B7F1AF5 482F861F DD62D079 F9977FE2 0E544E18 5FAAF290
    DF665B45 EF10D3EC D924E87A 5F827F07 06DE8961 F361C3FA EDBE5F68 452221C8
    B9570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
    551D1104 13301182 0F526163 6B315231 2E494E45 2E636F6D 301F0603 551D2304
    18301680 140B00B8 FD9B58CF 8A6F51BE 25DEC6C5 85E14495 05301D06 03551D0E
    04160414 0B00B8FD 9B58CF8A 6F51BE25 DEC6C585 E1449505 300D0609 2A864886
    F70D0101 04050003 81810006 4192E2DB ABAF533E 9C4BF24E DF6BFD45 144A6AE9
    C874E311 27B23E7B E8DB18C3 4FFB4ACA 4B09F63E 62501578 D8F58D73 D08F016F
    49C99B8D DA1073E5 A141C1C7 505BD191 FC58EA7F 54BD9B98 579E1726 7C1CA619
    A45DDABC 8F315EE9 D20A30A8 2BD5D67D B744BD69 353B4670 E5BA4540 47059E60
    9DC4C940 E91AACBB 4EAFFA
          quit
  username admin privilege 15 password 0 admin
  username SSLUSER@SSLVPN password 0 cisco
  archive
  log config
    hidekeys
  crypto ipsec client ezvpn EZVPN_CLIENT
  connect auto
  mode client
  xauth userid mode interactive
  ip tcp synwait-time 5
  interface Loopback0
  ip address 150.1.1.1 255.255.255.0
  interface Loopback6
  ip address 6.6.6.6 255.255.255.0
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  interface FastEthernet0/1
  no ip address
  duplex auto
  speed auto
  interface FastEthernet0/1.11
  encapsulation dot1Q 12
  ip address 136.1.11.1 255.255.255.0
  interface FastEthernet0/1.121
  encapsulation dot1Q 121
  ip address 136.1.121.1 255.255.255.0
  interface FastEthernet0/0/0
  interface FastEthernet0/0/1
  interface FastEthernet0/0/2
  interface FastEthernet0/0/3
  interface Virtual-Template1 type tunnel
  no ip address
  tunnel mode ipsec ipv4
  interface Vlan1
  no ip address
  router rip
  version 2
  passive-interface FastEthernet0/1.11
  network 136.1.0.0
  network 150.1.0.0
  no auto-summary
  ip local pool SSLVPN 40.0.0.1 40.0.0.254
  ip forward-protocol nd
  ip route 10.0.0.0 255.255.255.0 136.1.121.12
  ip http server
  ip http secure-server
  ip dns server
  ip access-list extended SPLIT
  permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
  ip radius source-interface Loopback0
  radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
  control-plane
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  exec-timeout 0 0
  privilege level 15
  line vty 0 4
  password cisco
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface Loopback0 port 443
  http-redirect port 80
  ssl encryption rc4-md5
  ssl trustpoint TP-self-signed-3354934498
  logging enable
  inservice
  webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
  webvpn context SSLVPN
  title "**SSLVPN  **"
  ssl encryption rc4-md5
  ssl authenticate verify all
  aaa authentication list RAD
  aaa authentication domain @SSLVPN
  aaa authorization list RAD
  gateway SSLVPN
  inservice
  end
  Any Idea?

  Hi,
  As I understand , you need to know if you can assign static ip to a user and also is there any other way of assiging a ip other than local pool.
  There are three ways of assinging an ip address to VPN client: using local pool, AAA server,DHCP.
  You can use the following link  for more information:-
  Assigning static ip  for user present locally on ASA:-
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
  For user present on Active Directory:-
  http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
  The following is the link for assigning ip address using DHCP:-
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
  I hope it helps.
  Thanks,
  Shilpa

• No SSL VPN tunnel from AnyConnect to IOS

  Dear all
  Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
  But I simply cannot make it work.
  I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
  Here is my configuration on the router:
  crypto pki trustpoint TP-self-signed-595019360
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-595019360
  revocation-check none
  rsakeypair TP-self-signed-595019360
  crypto pki certificate chain TP-self-signed-595019360
  certificate self-signed 01
    3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  [......skipped....]
  interface Loopback123
  ip address 192.168.123.254 255.255.255.0
  ip local pool GS-POOL 192.168.123.1 192.168.123.10
  webvpn gateway GS-GW
  hostname GS-VPN-test
  ip address x.x.x.x port 443
  ssl trustpoint TP-self-signed-595019360
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context GS-CONTEXT
  ssl authenticate verify all
  policy group GS-POLICY
     functions svc-required
     svc address-pool "GS-POOL"
  default-group-policy GS-POLICY
  gateway GS-GW
  inservice
  These are my debug settings:
  #sh debug
  WebVPN Subsystem:
    WebVPN (verbose) debugging is on
    debug webvpn entry GS-CONTEXT
    WebVPN HTTP (verbose) debugging is on
    WebVPN AAA debugging is on
    WebVPN tunnel (verbose) debugging is on
    WebVPN Single Sign On debugging is on
  And these are all debug messages I get upon incoming connection:
  Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
  At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
  Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
  buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
  Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
  buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
  At this point the Anyconnect client says "Connection attempt failed" and that's all.
  So please, any advice how to solve this?
  And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
  Thanks a lot for any suggestions,
  Grischa

  Some more restrictions:
  12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
  In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
  CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
  In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
  If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
  hth
  Herbert

• AnyConnect (SSL VPN on IoS) - Connection stuck on Android

  Hiya,
  I have an Any Connect WebVpn (ssl vpn?) set up on an IOS 15.2(4)M4. My current WebVPN is set up for Cisco Phones to use SSL VPN to connect to a Cisco Call Manager (CUCM 9.x). I also tried connecting with an Any Connect client from a PC and it seems to work fine.
  The issue is when I try to connect through an Android device, I get the following output from 'debug webvpn':
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.220: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2930, data: 0xD9E7658, len: 0,
        offset: 0, domain: 0)
  Jan 10 16:04:17.224: WV: Fragmented App data - buffered
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2470, data: 0xEA4D858, len: 884,
        offset: 0, domain: 0)
  tbr-edi-2901#
  Jan 10 16:04:17.224: WV: http request: / with no cookie
  Jan 10 16:04:17.224: WV: validated_tp :  cert_username :  matched_ctx :
  Jan 10 16:04:17.224: WV: failed to get sslvpn appinfo from opssl
  Jan 10 16:04:17.224: WV: Error: Failed to get vw_ctx
  Jan 10 16:04:17.224: WV: Appl. processing Failed : 2
  Jan 10 16:04:18.344: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.348: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.376: WV: sslvpn process rcvd context queue event
  and then the messages in italics above keep on appearing in an endless loop.
  Any ideas what could be the issue.
  Any help is highly appreciated.
  Thanks,
  David

  Hi,
  I'm having the same issue please let me know if yo found the solution. Thanks in advance

• Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M

  Dear Community,
  I have a strange issue that I am hoping some of you will be able to assist with.
  I am running an environment with the following specifications
  Cisco ISR G2 2901 with IOS 15.3.3M
  Security Licence enabled
  Data Licence enabled
  VPN Licence enabled
  Cisco ISR G2 2951 with IOS 15.3.3M
  Security Licence enabled
  Data Licence enabled
  SM with ESX server.
  Desktop Environment
  Windows XP SP3
  Internet Explorer 8
  Desktop Environment 2
  Windows 8
  Internet Explorer 10
  I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
  This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
  PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
  If anyone can assit me here it would really make my day.
  Thanks,
  Will

  Can anyone help with this ?

• Browsing Oracle application using CISCO SSL VPN forms not opening

  Hi all,
  Any idea why am not able to access my application using CISCO SSL VPN.Normal clients are able to use our application there is no problem.i have modifyed the "certdb.txt",still i am having the same problem.here am attaching the Java console output.
  java.net.ConnectException: Operation timed out: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(Unknown Source)
       at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
       at java.net.PlainSocketImpl.connect(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmwebutil.jar
  java.net.ConnectException: Operation timed out: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(Unknown Source)
       at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
       at java.net.PlainSocketImpl.connect(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmall_jinit.jar
  java.net.ConnectException: Operation timed out: connect

  Hi,
  From your description, my understanding is that you get invalid workflowinstanceid error when you click on workflow link like "inprogress” in the current list.
  Please check the URL of workflow “inprogress” (also URL for workflow approval instance to open task form) to see if it’s correct.
  Please use your company network directly instead of CISCO SSL VPN, then access SharePoint portal url “https://vpnssl.companyname.com/”,  see if the issue still occur.
  Also, check the ULS log on the SharePoint server based on the Correlation ID value, get more detailed information about this error message.
  And you could refer to this similar issue:
  https://social.technet.microsoft.com/Forums/en-US/08aa6b33-cef6-4b01-8af7-6c25ed7d9953/invalid-workflowinstanceid-parameter-in-url?forum=sharepointgeneralprevious.
  Best Regards
  Vincent Han
  TechNet Community Support

• SSL VPN Login failure issue

  Hello,
  I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
  Function: ConnectMgr::setPromptAttributes
  File: .\ConnectMgr.cpp
  Line: 2657
  Invoked Function: setPromptAttributes
  Return Code: -33554423 (0xFE000009)
  Description: GLOBAL_ERROR_UNEXPECTED
  Error text:
  Login failed.
  If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
  This has been driving me crazy - as a work around for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that show a failed attempt).  Still troubleshooting and looking at certificate's at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
  Regards.
  After a little more testing, seems somehow related to users being in to many groups in AD.      
  Message was edited by: Rich Viola

  Hello,
  If the website is unavailable or in this case, the website is missing several characters(charts, canvas, etc or some other objects), usually could be an issue with the rewrite engine.
  Solution (workaround):
  You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
  You can implement it as follow:
  Add a Bookmark
  Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
  For further information you can find it here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
  Let me know how tit works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• SSL VPN on C2821 Radius auth issues

  I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
  I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
  This is what the config looks like
  Building configuration...
  Current configuration : 24735 bytes
  ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname N****
  aaa new-model
  aaa group server radius IAS_AUTH
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa group server radius Global ***made for testing. Redundant
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
  aaa authentication login sdm_vpn_xauth_ml_2 local
  aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
  aaa authorization network sdm_vpn_group_ml_1 local
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa session-id common
  clock timezone Arizona -7
  dot11 syslog
  ip source-route
  ip cef
  password encryption aes
  crypto pki trustpoint TP-self-signed-2464190257
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-2464190257
  revocation-check none
  rsakeypair TP-self-signed-2464190257
  crypto pki certificate chain TP-self-signed-2464190257
  certificate self-signed 01
  REMOVED
  interface GigabitEthernet0/0
  INTERFACES REMOVED
  ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip flow-cache timeout inactive 10
  ip flow-cache timeout active 5
  ip flow-export source GigabitEthernet0/0
  ip flow-export version 5 peer-as
  ip flow-export destination 10.12.1.17 2048
  ROUTES REMOVED
  ACLS REMOVED SSL IS ALLOWED
  route-map STAT_NAT permit 10
  match ip address 109
  route-map DYN_NAT permit 10
  match ip address 108
  snmp-server community $DCI$ RO
  control-plane
  banner login ^C
  line con 0
  password 7 01100F175804
  login authentication local
  line aux 0
  line vty 0 4
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  webvpn gateway gateway_1
  ip address **outside ip*** port 443
  http-redirect port 80
  ssl trustpoint TP-self-signed-2464190257
  no inservice
  webvpn context webvpn
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  port-forward "portforward_list_1"
     local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
  policy group policy_1
     port-forward "portforward_list_1"
  default-group-policy policy_1
  aaa authentication list SSL_Global
  aaa authentication domain @n****
  gateway gateway_1 domain N****
  max-users 10
  no inservice
  end
  Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

  OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?