IOS SSL VPN
hi all,
i've been trying to setup an SSL VPN on my 1841 lab router but with no luck. i tried both clientless (anyconnect 2.5) and using a vpn client (anyconnect 3.0).
i'm using a win 7 PC with IP 172.16.1.50 directly connected to 1841 FE0/1 port. tried disabling PC FW, used both IE and FF and delete cookes but to no avail. below are my config and some show and debug output. could someone advise if my config is ok and what other steps i should take? thanks in advance!
SSL_VPN_GW#show webvpn gateway
Gateway Name Admin Operation
SSL_VPN_GW up up
SSL_VPN_GW#show webvpn context
Codes: AS - Admin Status, OS - Operation Status
VHost - Virtual Host
Context Name Gateway Domain/VHost VRF AS OS
SSL_VPN_CONTEXT SSL_VPN_ - - up up
SSL_VPN_GW#debug webvpn
WebVPN debugs debugging is on
SSL_VPN_GW#
Jan 27 03:19:56.691: SSLVPN: [Q]Client side Chunk data written..
buffer=0x649035B8 total_len=2033 bytes=2033 tcb=0x642479E8
Jan 27 03:19:56.691: SSLVPN: Client side Chunk data written..
buffer=0x64903598 total_len=1121 bytes=1121 tcb=0x642479E8
Jan 27 03:19:56.691: SSLVPN: sslvpn process rcvd context queue event
SSL_VPN_GW#
Jan 27 03:21:15.711: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:21:15.715: SSLVPN: sslvpn process rcvd context queue event
SSL_VPN_GW#
Jan 27 03:21:20.775: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
Data buffer(buffer: 0x649035D8, data: 0xE7201D98, len: 1,
offset: 0, domain: 0)
Jan 27 03:21:20.779: SSLVPN: Fragmented App data - buffered
Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
Data buffer(buffer: 0x64903598, data: 0xE75C0BB8, len: 483,
offset: 0, domain: 0)
Jan 27 03:21:20.779: SSLVPN: Appl. processing Failed : 2
Jan 27 03:21:20.779: SSLVPN: server side not ready to send.
SSL_VPN_GW#
Jan 27 03:21:50.879: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:21:50.883: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:21:50.887: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
Data buffer(buffer: 0x64903598, data: 0xE75BD6B8, len: 1,
offset: 0, domain: 0)
Jan 27 03:21:50.887: SSLVPN: Fragmented App data - buffered
Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 483,
offset: 0, domain: 0)
Jan 27 03:21:50.887: SSLVPN: Appl. processing Failed : 2
SSL_VPN_GW#
Jan 27 03:21:50.887: SSLVPN: server side not ready to send.
SSL_VPN_GW#
Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
SSL_VPN_GW#
Jan 27 03:22:21.791: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:21.795: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:21.799: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:21.799: SSLVPN: Entering APPL with Context: 0x64703988,
Data buffer(buffer: 0x649035D8, data: 0xE7204718, len: 426,
offset: 0, domain: 0)
Jan 27 03:22:21.799: SSLVPN: Appl. processing Failed : 2
Jan 27 03:22:21.799: SSLVPN: server side not ready to send.
Jan 27 03:22:22.599: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:22.603: SSLVPN: sslvpn process rcvd context queue event
SSL_VPN_GW#
Jan 27 03:22:23.691: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.695: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.699: SSLVPN: Entering APPL with Context: 0x64703B70,
Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 147,
offset: 0, domain: 0)
Jan 27 03:22:23.699: SSLVPN: http request: / with no cookie
Jan 27 03:22:23.699: SSLVPN: Client side Chunk data written..
buffer=0x64903598 total_len=196 bytes=196 tcb=0x642DA46C
Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.811: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.815: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.927: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.931: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.935: SSLVPN: sslvpn process rcvd context queue event
Jan 27 03:22:23.935: SSLVPN: Entering APPL with Context: 0x64703F40,
Data buffer(buffer: 0x649035D8, data: 0xE7204A58, len: 200,
offset: 0, domain: 0)
Jan 27 03:22:23.935: SSLVPN: http request: /webvpn.html with domain cookie
SSL_VPN_GW#
Jan 27 03:22:23.939: SSLVPN: [Q]Client side Chunk data written..
buffer=0x64903598 total_len=2033 bytes=2033 tcb=0x640B5608
Jan 27 03:22:23.939: SSLVPN: Client side Chunk data written..
buffer=0x649035B8 total_len=1121 bytes=1121 tcb=0x640B5608
Jan 27 03:22:23.939: SSLVPN: sslvpn process rcvd context queue event
AnyConnect v3.0.0629
[Sun Jan 27 11:46:15 2013] Contacting 172.16.1.254.
[Sun Jan 27 11:46:38 2013] Connection attempt has failed.
[Sun Jan 27 11:48:52 2013] Contacting 172.16.1.254.
[Sun Jan 27 11:49:06 2013] Connection attempt has failed.
[Sun Jan 27 11:52:16 2013] Network error. Unable to lookup host names.
[Sun Jan 27 11:52:46 2013] Verify your network connection.
[Sun Jan 27 11:52:53 2013] Network error. Unable to lookup host names.
[Sun Jan 27 11:53:23 2013] Verify your network connection.
SSL_VPN_GW#sh run
Building configuration...
Current configuration : 3203 bytes
! Last configuration change at 03:19:18 UTC Sun Jan 27 2013
! NVRAM config last updated at 02:52:22 UTC Sun Jan 27 2013
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SSL_VPN_GW
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login SSL_VPN_AUTHENTICATION local
aaa session-id common
resource policy
ip cef
ip name-server 172.16.1.254
crypto pki trustpoint TP-self-signed-514137430
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-514137430
revocation-check none
rsakeypair TP-self-signed-514137430
crypto pki certificate chain TP-self-signed-514137430
certificate self-signed 02
30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35313431 33373433 30301E17 0D313330 31323730 32353232
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 34313337
34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BDB083BB AC2D3D47 E76A38C2 3CFE97F6 A70B07B6 3BC9EE89 D261AB83 EE78F03C
E9719CB5 128C16F9 3AD658A5 49B3A220 1170C75C A15A5EA8 4FCBF4E4 42DF67B0
9B78BCDB 29C92794 9C932933 C978BB97 7F7B0B8C 19A37C14 B35B1937 415FA79E
EE9D39B2 AFCF3502 1C8241E2 A6EF9369 AD02BD5F 7556030C 2B7B579F 659F433F
02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D
11040E30 0C820A53 534C5F56 504E5F47 57301F06 03551D23 04183016 8014FBF5
F3C6F2E1 1CFB888B BE2736A7 5151480C FCEB301D 0603551D 0E041604 14FBF5F3
C6F2E11C FB888BBE 2736A751 51480CFC EB300D06 092A8648 86F70D01 01040500
03818100 B85ECA67 B6302EFA A7E31A65 96836F44 F3AA3336 3580F231 E9C3BA4C
2802EEE8 AADDFA1D BF4BB36A C21FCE3D 0960284E F58AD227 3FA9F1A0 CDF48A28
9C1CE5BC EF3449D0 D3E8CC9C 7EDB7CFE 193477E0 4407E5F8 B7956546 2F4E5D61
5E542E6D 8A242B33 C21C77BF 2BB9E366 E80DD4F0 7937FBC4 51D6E258 13157D13 870097BE
quit
username vpnuser password 0 cisco123
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
ip address 172.16.1.254 255.255.255.0
duplex auto
speed auto
ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150
ip http server
ip http secure-server
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSL_VPN_GW
ip address 172.16.1.254 port 443
http-redirect port 80
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint TP-self-signed-514137430
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSL_VPN_CONTEXT
ssl authenticate verify all
policy group SSL_VPN_POLICY
functions svc-enabled
banner "Welcom to SSL VPN Lab"
svc address-pool "SSL_VPN_POOL"
svc keep-client-installed
default-group-policy SSL_VPN_POLICY
aaa authentication list SSL_VPN_AUTHENTICATION
gateway SSL_VPN_GW
inservice
end
just an update, when i tried a different encryption under the webvpn gateway config it seemed to work (clientless).
i guess my windows 7 machine doesn't like the stronger encryption types.
SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5
Similar Messages
-
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
ThanksHi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try. -
I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
The error on the router is:
Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
Jun 5 16:07:55.755: WV: server side not ready to send.
The following is the configuration:
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context vpn1
ssl authenticate verify all
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
policy group vpn1
url-list "eng"
default-group-policy vpn1
gateway ISR2801-RM domain clientless
inservice
webvpn context vpn2
ssl authenticate verify all
policy group vpn2tunnel
functions svc-enabled
svc address-pool "WEBVPN"
svc split include 10.0.0.2 255.255.255.255
default-group-policy vpn2tunnel
gateway ISR2801-RM domain tunnel
inserviceThanks for the reply !!!!
the configation is the following:
interface Ethernet 0
ip address 10.0.0.128 255.255.255.0
ip http secure-server
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
ssl encryption aes-sha1
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context context-sslvpn1
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn1/
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
nbns-list cifs-servers
nbns-server 172.16.1.1 master
nbns-server 172.16.2.2 timeout 10 retries 5
nbns-server 172.16.3.3 timeout 10 retries 5
login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
this device are logged and violations of this policy may result in disciplinary action."
port-forward "portlist"
local-port 30019 remote-server ssh-server remote-port 22 description SSH
local-port 30020 remote-server mailserver remote-port 143 description IMAP
local-port 30021 remote-server mailserver remote-port 110 description POP3
local-port 30022 remote-server mailserver remote-port 25 description SMTP
policy group policy-sslvpn1
url-list "eng"
port-forward "portlist"
nbns-list "cifs-servers"
functions file-access
functions file-browse
functions file-entry
citrix enabled
default-group-policy policy-sslvpn1
gateway ISR2801-RM domain clientless
inservice
webvpn context context-sslvpn2
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn2/
policy group policy-sslvpn2
functions svc-enabled
svc address-pool "WEBVPN"
svc keep-client-installed
svc dpd-interval gateway 30
svc dpd-interval client 300
svc rekey method new-tunnel
svc rekey time 3600
svc split include 10.0.0.0 255.255.255.0
svc default-domain cisco.com
svc dns-server primary 192.168.3.1
svc dns-server secondary 192.168.4.1
default-group-policy policy-sslvpn2
gateway ISR2801-RM domain tunnel
inservice
ISR2801-RM#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+
2,2,0133
Mon 05/19/2008 12:58:52.34 v
ISR2801-RM#
WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client
https://1.2.3.4/tunnel
* the ssl client installed on the pc tell me can't connect.
* on the router the log:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
offset: 0, domain: 0)
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Jun 6 10:28:08.287:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
SSLVPN sock pid 182 sid 161: closing -
IOS SSL VPN WITH RADIUS Authorization
Hi
I'm trying to authenitcate and authorize the users loggining into SSLVPN via ACS and although the ACS loggs and "TEST" command on the router shw succeeful authentication i receive the flollowing debug
*Jun 6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
Rack1R1(config)#
*Jun 6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
Rack1R1(config)#
*Jun 6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
*Jun 6 22:40:21.409: RADIUS(00000000): sending
*Jun 6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
*Jun 6 22:40:21.409: RADIUS: authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
*Jun 6 22:40:21.409: RADIUS: User-Name [1] 16 "SSLUSER@SSLVPN"
Rack1R1(config)#
*Jun 6 22:40:21.409: RADIUS: User-Password [2] 18 *
*Jun 6 22:40:21.409: RADIUS: NAS-IP-Address [4] 6 150.1.1.1
*Jun 6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
*Jun 6 22:40:21.669: RADIUS: authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
*Jun 6 22:40:21.669: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 28
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 22 "webvpn:svc-enabled=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 29
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 23 "webvpn:svc-required=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 50
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 44 "webvpn:split-include=6.6.6.0 255.255.255.0"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 35
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 29 "webvpn:keep-svc-installed=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 31
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 25 "webvpn:addr-pool=SSLVPN"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 41
*Jun 6 22:40:21.669: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 6 22:40:21.669: RADIUS: Class [25] 36
*Jun 6 22:40:21.669: RADIUS: 43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30 [CACS:0/470/96010]
*Jun 6 22:40:21.669: RADIUS: 31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56 [101/SSLUSER@SSLV]
*Jun 6 22:40:21.669: RADIUS: 50 4E [PN]
*Jun 6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
*Jun 6 22:40:21.673: RADIUS(00000000): Unique id not in use
Rack1R1(config)#
*Jun 6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
*Jun 6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
Rack1R1(config)#
*Jun 6 22:40:23.673: WV-AAA: AAA Authentication Failed!
Rack1R1(config)#
*Jun 6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
Rack1R1(config)#
router Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Rack1R1
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/1
logging message-counter syslog
enable password cisco
aaa new-model
aaa authentication login RAD group radius
aaa authorization network RAD group radius
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip domain name INE.com
ip host cisco.com 136.1.121.1
ip host www.cisco.com 136.1.121.1
ip host www.google.com 136.1.121.1
ip host www.ripe.net 136.1.121.1
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3354934498
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3354934498
revocation-check none
rsakeypair TP-self-signed-3354934498
crypto pki certificate chain TP-self-signed-3354934498
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333534 39333434 3938301E 170D3132 30363036 31333030
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353439
33343439 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1E5 889BEB9A 31DFC0D4 7C7F698F 0F52E404 0849263A BD443A96 13C6A440
DCBD4345 EF301E91 0D4AADD9 3C2A17F2 E26E5E96 90F96809 D8FCCF32 7EB58100
74E4772C 6395E03C 1B7F1AF5 482F861F DD62D079 F9977FE2 0E544E18 5FAAF290
DF665B45 EF10D3EC D924E87A 5F827F07 06DE8961 F361C3FA EDBE5F68 452221C8
B9570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
551D1104 13301182 0F526163 6B315231 2E494E45 2E636F6D 301F0603 551D2304
18301680 140B00B8 FD9B58CF 8A6F51BE 25DEC6C5 85E14495 05301D06 03551D0E
04160414 0B00B8FD 9B58CF8A 6F51BE25 DEC6C585 E1449505 300D0609 2A864886
F70D0101 04050003 81810006 4192E2DB ABAF533E 9C4BF24E DF6BFD45 144A6AE9
C874E311 27B23E7B E8DB18C3 4FFB4ACA 4B09F63E 62501578 D8F58D73 D08F016F
49C99B8D DA1073E5 A141C1C7 505BD191 FC58EA7F 54BD9B98 579E1726 7C1CA619
A45DDABC 8F315EE9 D20A30A8 2BD5D67D B744BD69 353B4670 E5BA4540 47059E60
9DC4C940 E91AACBB 4EAFFA
quit
username admin privilege 15 password 0 admin
username SSLUSER@SSLVPN password 0 cisco
archive
log config
hidekeys
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode client
xauth userid mode interactive
ip tcp synwait-time 5
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Loopback6
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
encapsulation dot1Q 12
ip address 136.1.11.1 255.255.255.0
interface FastEthernet0/1.121
encapsulation dot1Q 121
ip address 136.1.121.1 255.255.255.0
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
interface Vlan1
no ip address
router rip
version 2
passive-interface FastEthernet0/1.11
network 136.1.0.0
network 150.1.0.0
no auto-summary
ip local pool SSLVPN 40.0.0.1 40.0.0.254
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 136.1.121.12
ip http server
ip http secure-server
ip dns server
ip access-list extended SPLIT
permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
ip radius source-interface Loopback0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface Loopback0 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-3354934498
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context SSLVPN
title "**SSLVPN **"
ssl encryption rc4-md5
ssl authenticate verify all
aaa authentication list RAD
aaa authentication domain @SSLVPN
aaa authorization list RAD
gateway SSLVPN
inservice
end
Any Idea?Hi,
As I understand , you need to know if you can assign static ip to a user and also is there any other way of assiging a ip other than local pool.
There are three ways of assinging an ip address to VPN client: using local pool, AAA server,DHCP.
You can use the following link for more information:-
Assigning static ip for user present locally on ASA:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
For user present on Active Directory:-
http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
The following is the link for assigning ip address using DHCP:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
I hope it helps.
Thanks,
Shilpa -
IOS SSL VPN application issues
Hi,
I have setup WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
Anyone else experienced this?
Thanks
ScottFarrukh,
As requested please see related config below:
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
ip cef
crypto pki trustpoint TP-self-signed-569873274
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-569873274
revocation-check none
rsakeypair TP-self-signed-569873274
crypto pki certificate chain TP-self-signed-569873274
certificate self-signed 01
interface GigabitEthernet1/0
description $SWDMADDR:192.168.0.2$
ip address 10.0.0.1 255.255.255.0
no ip route-cache cef
interface GigabitEthernet1/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
no ip route-cache same-interface
interface GigabitEthernet1/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.0.0.1
no ip route-cache same-interface
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ip local pool TEST 192.168.20.200 192.168.20.240
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 101 remark WEBVPN
access-list 101 permit tcp any host 203.206.169.63 eq 443
access-list 101 deny ip any any log
route-map SDM_RMAP_1 permit 1
match ip address 102
webvpn gateway gateway_1
ip address 203.206.169.63 port 443
ssl trustpoint TP-self-signed-569873274
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn context Default_context
ssl authenticate verify all
no inservice
webvpn context visicom
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
url-list "WEB"
heading "Welcome"
url-text "OWA" url-value "http://192.168.0.10/exchange"
policy group policy_1
url-list "WEB"
functions svc-enabled
svc address-pool "TEST"
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
svc split include 192.168.20.0 255.255.255.0
svc split include 10.10.10.0 255.255.255.0
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_3
gateway gateway_1
inservice -
SSL VPN (WebVPN) issues with IOS 15.0(1)M1
Hello everyone... I need your help!
I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
Symptoms:
- AnyConnect Client prompts users with the following error:
"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
Debug:
Mar 5 13:09:45:
Mar 5 13:09:45: WV-TUNL: Tunnel CSTP Version recv use 1
Mar 5 13:09:45: WV-TUNL: Allocating tunl_info
Mar 5 13:09:45: WV-TUNL: Allocating stc_config
Mar 5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar 5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar 5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar 5 13:09:45: HTTP/1.1 401 Unauthorized
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar 5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar 5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar 5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL: Severity ERROR Type USER_LOGOUT
WV-TUNL: Text: HTTP response contained an HTTP error code.
Mar 5 13:09:45: WV-TUNL: Call user logout function
Mar 5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
When the error occurs, the "SVCIP install TCP failed" counter increments:
VPN-Router1# show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
Active connections : 1
Peak connections : 3 Peak time : 19:09:04
Connect succeed : 9 Connect failed : 5
Reconnect succeed : 0 Reconnect failed : 0
SVCIP install IOS succeed: 14 SVCIP install IOS failed : 0
SVCIP clear IOS succeed : 18 SVCIP clear IOS failed : 0
SVCIP install TCP succeed: 9 SVCIP install TCP failed : 5
DPD timeout : 0
[snip]
IOS Version Details:
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
Config:
webvpn context CUSTOMER-VPN
title "SSL VPN for Customer"
ssl authenticate verify all
login-message "Enter username and passcode"
policy group CUSTOMER-VPN
functions svc-required
svc keep-client-installed
svc split include 10.1.16.0 255.255.240.0
svc split include 10.1.2.0 255.255.254.0
vrf-name CUSTOMER-VPN
default-group-policy CUSTOMER-VPN
aaa authentication list AAA-LIST
aaa authentication auto
aaa accounting list AAA-LIST
gateway vpn virtual-host customer.xx.com
logging enable
inservice
The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
At that point in time we were running with local pool definition.
As the http 401 rc happens very sporadically we still gathering incident reports internally.
Will open a case if you did not yet.
cheers, Andy -
No SSL VPN tunnel from AnyConnect to IOS
Dear all
Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
But I simply cannot make it work.
I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
Here is my configuration on the router:
crypto pki trustpoint TP-self-signed-595019360
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-595019360
revocation-check none
rsakeypair TP-self-signed-595019360
crypto pki certificate chain TP-self-signed-595019360
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
[......skipped....]
interface Loopback123
ip address 192.168.123.254 255.255.255.0
ip local pool GS-POOL 192.168.123.1 192.168.123.10
webvpn gateway GS-GW
hostname GS-VPN-test
ip address x.x.x.x port 443
ssl trustpoint TP-self-signed-595019360
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context GS-CONTEXT
ssl authenticate verify all
policy group GS-POLICY
functions svc-required
svc address-pool "GS-POOL"
default-group-policy GS-POLICY
gateway GS-GW
inservice
These are my debug settings:
#sh debug
WebVPN Subsystem:
WebVPN (verbose) debugging is on
debug webvpn entry GS-CONTEXT
WebVPN HTTP (verbose) debugging is on
WebVPN AAA debugging is on
WebVPN tunnel (verbose) debugging is on
WebVPN Single Sign On debugging is on
And these are all debug messages I get upon incoming connection:
Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
At this point the Anyconnect client says "Connection attempt failed" and that's all.
So please, any advice how to solve this?
And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
Thanks a lot for any suggestions,
GrischaSome more restrictions:
12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
CSCtb73337 AnyConnect does not work with IOS if cert not trusted/name mismatch
In short, if it's possible to upgrade, go to 15.0(1)M7 (or latest 12.4(24)Tx if 15.0 is out of the question)
If you're stuck with 12.4(15)T, only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
hth
Herbert -
AnyConnect (SSL VPN on IoS) - Connection stuck on Android
Hiya,
I have an Any Connect WebVpn (ssl vpn?) set up on an IOS 15.2(4)M4. My current WebVPN is set up for Cisco Phones to use SSL VPN to connect to a Cisco Call Manager (CUCM 9.x). I also tried connecting with an Any Connect client from a PC and it seems to work fine.
The issue is when I try to connect through an Android device, I get the following output from 'debug webvpn':
Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
Jan 10 16:04:17.220: WV: sslvpn process rcvd context queue event
Jan 10 16:04:17.224: WV: sslvpn process rcvd context queue event
Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
Data buffer(buffer: 0x242F2930, data: 0xD9E7658, len: 0,
offset: 0, domain: 0)
Jan 10 16:04:17.224: WV: Fragmented App data - buffered
Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
Data buffer(buffer: 0x242F2470, data: 0xEA4D858, len: 884,
offset: 0, domain: 0)
tbr-edi-2901#
Jan 10 16:04:17.224: WV: http request: / with no cookie
Jan 10 16:04:17.224: WV: validated_tp : cert_username : matched_ctx :
Jan 10 16:04:17.224: WV: failed to get sslvpn appinfo from opssl
Jan 10 16:04:17.224: WV: Error: Failed to get vw_ctx
Jan 10 16:04:17.224: WV: Appl. processing Failed : 2
Jan 10 16:04:18.344: WV: sslvpn process rcvd context queue event
Jan 10 16:04:18.348: WV: sslvpn process rcvd context queue event
Jan 10 16:04:18.376: WV: sslvpn process rcvd context queue event
and then the messages in italics above keep on appearing in an endless loop.
Any ideas what could be the issue.
Any help is highly appreciated.
Thanks,
DavidHi,
I'm having the same issue please let me know if yo found the solution. Thanks in advance -
Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M
Dear Community,
I have a strange issue that I am hoping some of you will be able to assist with.
I am running an environment with the following specifications
Cisco ISR G2 2901 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
VPN Licence enabled
Cisco ISR G2 2951 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
SM with ESX server.
Desktop Environment
Windows XP SP3
Internet Explorer 8
Desktop Environment 2
Windows 8
Internet Explorer 10
I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
If anyone can assit me here it would really make my day.
Thanks,
WillCan anyone help with this ?
-
Configuration of SSL VPN in IOS-XE (Version 03.13.01.S)
Hi,
I am looking for some advice in regard to the configuration of SSL VPN in IOS-XE (Version 03.13.01.S).
I have been following the Cisco Guide (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html#topic_D5CE388EB64446E0897B4741801C84A5) but I am not really having any luck.
I am testing my config in my lab using a CSR1000V before putting it into the production box.
When I try to fire up a https connection from a Windows client to the listening IP address in the router all what I get is a blank page (after clicking OK in the certficate error). In the virtual router though, I can see that the CRYPTO-SSL-WEBSERVICE is running, but I am not getting prompted with the page for me to enter the username and password.
I am using a self signed certificate and AAA is using local authentication to authenticate my users.
The version of the Anyconnect I am using is 3.1 for Windows, but I have not been to the point where the router pushes the Anyconnect software to the client.
The Windows host is running the latest version of Java (Version 8 Update 31).
I have to be honest and admit that this is not my area of expertise. Therefore, I am afraid I have some very silly questions such as what sort of webpage I should be getting when starting a https section to the router. Is it a default one?
I have not been able to find any real examples on the web and that's why I decided to reach out to you guys for help. Could you please have a look at my config and shed some light about why this is not working?
I created the annyconect.xml profile file using the Anyconnect Profile Editor.
CSR_1000V_VPN#sh debugging
IOSXE Conditional Debug Configs:
Conditional Debug Global State: Stop
IOSXE Packet Tracing Configs:
Crypto SSL Subsystem:
Crypto SSL (verbose) debugging is on
Crypto SSL Web Service debugging is on
Crypto SSL AAA debugging is on
Crypto SSL Tunnel debugging is on
Crypto SSL Tunnel Events debugging is on
Crypto SSL Tunnel Errors debugging is on
Crypto SSL Tunnel Packets debugging is on
Crypto SSL Client Package debugging is on
This is what happens when I browse to the listening IP address (1.1.1.1) from the client:
CSR_1000V_VPN#
*Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.217: CRYPTO-SSL: Fragmented App data - buffered
*Feb 12 05:38:23.217: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
*Feb 12 05:38:23.217: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
*Feb 12 05:38:23.217: CRYPTO-SSL: Chunk data written..
buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
*Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.278: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.278: CRYPTO-SSL: Fragmented App data - buffered
*Feb 12 05:38:23.278: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
CSR_1000V_VPN#
*Feb 12 05:38:23.278: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
*Feb 12 05:38:23.278: CRYPTO-SSL: Chunk data written..
buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
*Feb 12 05:38:23.279: CRYPTO-SSL: sslvpn process rcvd context queue event
Thanks in advance,
AlejandroHi Alejandro,
Weblaunch for SSL VPN is not supported on CSR 1000v. Here's the enhancement request: https://tools.cisco.com/bugsearch/bug/CSCus02767/?reffering_site=dumpcr
Please save this bug so that you get notified if any changes are made to the bug's status.
Regards,
Anu -
SSL VPN and Dynamic DNS - ddns on IOS
Hello,
I'm trying to configure a SSL VPN tunnel via SDM on a 877 Router. The router gets the public IP address dynamically from the ISP, so I have configured the DDNS to access remotely to the router. I would like to know if it's possible to configure the SSL VPN to support the dynamic IP via SDM o CLI.
Regards
GerardSeems like i have fixed the problem using:
webvpn gateway gateway_1
ip interface Dialer0 port 443
ssl trustpoint local
inservice
However when the router is rebooted, it results in this error:
Invalid ip address First configure an IP address for the gateway
Any idea how to delay the webvpn commands at startup until dialer0 gets a dynamic IP ? -
I setup a Cisco ASA 5510 SSL VPN with the folowing;
IOS 7.2
SSL VPN CLient sslclient-win-1.1.1.164.pkg
Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
IBM Thinkpad T40
Windows XP SP 2
Internet Explorer 7
All patches up-to-date
All drivers up-to-date
SSL VPN Client connection process;
- User login with valid account and password
- The SSL VPN Client package will automatically download and installed.
- User will then be connected to SSL VPN
The ERRORS;
1. GUI (Cisco SSL VPN Client installation process)
"The SSL VPN Client driver has Encountered an Error"
2. Event Viewer
The only error in this user event viewer that differs from other users who successfully connected are;
a)
Function: EnableVA
Return code: 0
File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
Line: 310
Description: unknown
b)
Function: EnableVA
Return code: 0xFE080007
File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
Line: 1145
Description: VAMGR_ERROR_ENABLE_VA_FAILED
Anyone know what thus the error means?
BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
ThanksThe Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm -
SSL VPN with client, anyconnect.
I've set up a simple test on SSL VPN with client on a 3800.
It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
The underlying routing is fine.
Could you tell me where it is configured wrong?
Config is copied below.
thanks,
Han
=======
Current configuration : 3340 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password cisco
aaa new-model
aaa authentication login default local
aaa session-id common
no network-clock-participate slot 1
crypto pki trustpoint TP-self-signed-3551041125
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3551041125
revocation-check none
rsakeypair TP-self-signed-3551041125
crypto pki certificate chain TP-self-signed-3551041125
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
quit
dot11 syslog
ip cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
archive
log config
hidekeys
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
end
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
ip local pool svc-poll 1.1.1.50 1.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface GigabitEthernet0/0 port 443
ssl trustpoint local
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSLVPN
ssl authenticate verify all
policy group default
functions svc-required
svc default-domain "test.org"
svc keep-client-installed
svc split dns "primary"
default-group-policy default
gateway SSLVPN
inservice
endUsing the SDM follow the below config example
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
HTH> -
SSL-VPN Anyconnect fails after rebooting 2811
Hello all,
I have setup an Anyconnect SSL-VPN in my 2811 and it works just great, but then after the reboot it fails. I think it has something to do with the SSL Cert being ereased. Here is my configuration, please let me know if you need anything else:
! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
aaa new-model
aaa session-id common
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
revocation-check none
crypto pki certificate chain TP-self-signed-XXXXXXXXXX
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363535 34343437 3534301E 170D3132 30393237 30373033
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353534
34343735 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E 78713B48
E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC
5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875
7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E
BE090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301D06
03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300D0609
2A864886 F70D0101 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A
A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43
9A637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416
10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8
23191E2E E4BF390B D62DAA2B 351C09
quit
username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
ip local pool SSL-VPN 192.168.11.5 192.168.11.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
bvpn gateway gateway_1
ip interface Dialer1 port 443
ssl trustpoint SSL-VPN
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
webvpn context SSL-VPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "SSL-VPN"
svc default-domain "DOMAIN"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary DNS-SERVER
default-group-policy policy_1
gateway gateway_1
inserviceHere is the bug description that matches your explaination of the issue:
MF: HTTPS generates a new self-signed cert on reboot even if one exists
Symptom:
With Secure HTTP server enabled, IOS device generates a new self-signed certificate when it reloads even if a valid self-signed certificate already exists.
Conditions:
When there is no CA(Certificate Authority) provided certificate on the device
Workaround:
Use CA provided certificate.
The resolution is to upgrade it to version 15.2(1)T or higher.
Unfortunately you would need to have SmartNet contract to be able to download the software from CCO. -
SSL VPN on C2821 Radius auth issues
I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
This is what the config looks like
Building configuration...
Current configuration : 24735 bytes
! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname N****
aaa new-model
aaa group server radius IAS_AUTH
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa group server radius Global ***made for testing. Redundant
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
clock timezone Arizona -7
dot11 syslog
ip source-route
ip cef
password encryption aes
crypto pki trustpoint TP-self-signed-2464190257
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2464190257
revocation-check none
rsakeypair TP-self-signed-2464190257
crypto pki certificate chain TP-self-signed-2464190257
certificate self-signed 01
REMOVED
interface GigabitEthernet0/0
INTERFACES REMOVED
ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination 10.12.1.17 2048
ROUTES REMOVED
ACLS REMOVED SSL IS ALLOWED
route-map STAT_NAT permit 10
match ip address 109
route-map DYN_NAT permit 10
match ip address 108
snmp-server community $DCI$ RO
control-plane
banner login ^C
line con 0
password 7 01100F175804
login authentication local
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address **outside ip*** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2464190257
no inservice
webvpn context webvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
port-forward "portforward_list_1"
local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
policy group policy_1
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list SSL_Global
aaa authentication domain @n****
gateway gateway_1 domain N****
max-users 10
no inservice
end
Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?
Maybe you are looking for
-
Read-only filesystem after reinstallation,chmod failure
I decided to switch to a pure systemd init yesterday. Despite strictly followed wiki my system failed to init with switch to systemd emergency mode with no way to cure the problem. So I followed with reinstallation of my system (32bit on 64bit HW as
-
well where to start, after hours of thought i decided it would be a good idea to format/erase my harddrive so i could do a fresh install of os x, after reading up briefly i was lead to believe the best way to do this would be through disk utilities,
-
Directory listing : Codepage problem ???
Hi there, i want to fetch a list of files from a specific directory (the directory would be in the application server and not in the presentation server) during a background execution of a report. I have tried the function modules 'SUBST_GET_FILE_LIS
-
Is there a way to find out which transactions are called by first transacti
I'm trying to find out if there is a way to find out for ex: You go to PFCG and put in transaction CO15 What other transactions is CO15 going to need or call. Thanks Joe
-
i got a problem installing the adobe CC illustrator this is the error message: ----------- Payload: AdobeColorCommonSetCMYK CC 5.0.0.0 {C4196275-B11A-40A1-8727-3C145C8F7D95} ----------- ERROR: DF024: Unable to preserve original file at "/Library/Colo