IP phone SSL VPN configuration issue

Similar Messages

• IP Phone SSL VPN through ASA

  Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
  Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
  Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
  What does it mean?  How can I turn on debugging to see what is going on?
  Thank you in advance!

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IP Phone SSL VPN to ASA using AnyConnect

  I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
  I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
  However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
  Lastly,
  I hear about Collaboration Edge in CUCM 10.x
  If CUCM 10.x is deployed then how the ASA concept plays a role here.
  What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network. 
  I cant find any information about the Colaboration Edge on the Internet...
  Message was edited by: Sean Poure

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• IP Phone Over SSL VPN Registering Issue

  I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

  Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
  Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
  If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

• SSL VPN Connection Issue

  Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
  *************Equipment/Software
  Cisco 2851 Router Version 15.4(M9) Software
  anyconnect-win-3.1.07021-k9.pkg
  *************Configuration
  ip local pool webvpn1 172.16.100.80 172.16.100.90
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip access-list extended webvpn-acl
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
  webvpn gateway CCIELAB
   hostname Porshe_GT3
   ip interface GigabitEthernet0/0 port 443
   http-redirect port 80
   ssl trustpoint my-sslvpn-ca
   inservice
  webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
  webvpn context CCIELab
   title "Networking Lab"
   ssl authenticate verify all
   login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
   policy group Labrats
     functions svc-enabled
     banner "Success, You Made It"
     filter tunnel webvpn-acl
     svc address-pool "webvpn1" netmask 255.255.255.0
     svc keep-client-installed
     svc rekey method new-tunnel
     svc split include 172.16.100.0 255.255.255.0
   default-group-policy Labrats
   aaa authentication list webvpn
   gateway CCIELAB
   inservice
  *********************Debugs
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
  *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
  *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *********************Verification
  Porshe_GT3#show webvpn policy group Labrats context all
  WEBVPN: group policy = Labrats ; context = CCIELab
        banner = "Success, You Made It"
        idle timeout = 2100 sec
        session timeout = Disabled
        functions = 
                  svc-enabled 
        citrix disabled
        address pool name = "webvpn1"
        netmask = 255.255.255.0
        tunnel-mode filter = "webvpn-acl"
        dpd client timeout = 300 sec
        dpd gateway timeout = 300 sec
        keepalive interval = 30 sec
        SSLVPN Full Tunnel mtu size = 1406 bytes
        keep sslvpn client installed = enabled
        rekey interval = 3600 sec
        rekey method = new-tunnel 
        lease duration = 43200 sec
        split include = 172.16.100.0 255.255.255.0

  The problem is related to either of these issues:
  Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  Fragmentation policy during encryption
  Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• IP Phone SSL VPN - Licenses required.

  Hi,
  Can someone confirm the linceses required for me to get this working. I understand that it needs the 'AnyConnect for Cisco VPN Phone' license but do I also need to have anyconnec essentials? This is for ASA version 8.2 and the a license info below is for the ASA i intend to delpoy this on.
  Thanks
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 250
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 2
  Total VPN Peers                : 5000
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled
  This platform has an ASA 5550 VPN Premium license.

  Hi,
  You would need Anyconnect Premium license along with Cisco Ip phone feature enabled on ASA for Cisco IP phone to use anyconnect vpn feature.
  You can find more details from following link:
  http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
  Regards,
  Varinder
  P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

• IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

  hi all,
  I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
  I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
  thanks for your input!
  Samuel

  Samuel,
  Did you ever find an answer to your question? I have a similar scenario.
  Any input would be appreciated.

• Jabber client and IP Phone SSL VPN to ASA using AnyConnect

  Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
  https://supportforums.cisco.com/docs/DOC-9124

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IOS SSL VPN application issues

  Hi,
  I have setup WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
  Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
  If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
  I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
  Anyone else experienced this?
  Thanks
  Scott

  Farrukh,
  As requested please see related config below:
  aaa new-model
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authentication login sdm_vpn_xauth_ml_2 local
  aaa authentication login sdm_vpn_xauth_ml_3 local
  aaa authorization exec default local
  aaa authorization network sdm_vpn_group_ml_1 local
  ip cef
  crypto pki trustpoint TP-self-signed-569873274
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-569873274
  revocation-check none
  rsakeypair TP-self-signed-569873274
  crypto pki certificate chain TP-self-signed-569873274
  certificate self-signed 01
  interface GigabitEthernet1/0
  description $SWDMADDR:192.168.0.2$
  ip address 10.0.0.1 255.255.255.0
  no ip route-cache cef
  interface GigabitEthernet1/0.1
  encapsulation dot1Q 1 native
  ip address 192.168.0.1 255.255.255.0
  ip access-group 100 in
  ip nat inside
  ip virtual-reassembly
  no ip route-cache same-interface
  interface GigabitEthernet1/0.20
  encapsulation dot1Q 20
  ip address 192.168.20.1 255.255.255.0
  ip helper-address 10.0.0.1
  no ip route-cache same-interface
  interface Dialer0
  description $FW_OUTSIDE$
  ip address negotiated
  ip access-group 101 in
  ip mtu 1452
  ip nat outside
  ip inspect SDM_LOW out
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ip local pool TEST 192.168.20.200 192.168.20.240
  ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  access-list 101 remark WEBVPN
  access-list 101 permit tcp any host 203.206.169.63 eq 443
  access-list 101 deny ip any any log
  route-map SDM_RMAP_1 permit 1
  match ip address 102
  webvpn gateway gateway_1
  ip address 203.206.169.63 port 443
  ssl trustpoint TP-self-signed-569873274
  inservice
  webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
  webvpn context Default_context
  ssl authenticate verify all
  no inservice
  webvpn context visicom
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  url-list "WEB"
  heading "Welcome"
  url-text "OWA" url-value "http://192.168.0.10/exchange"
  policy group policy_1
  url-list "WEB"
  functions svc-enabled
  svc address-pool "TEST"
  svc keep-client-installed
  svc rekey method new-tunnel
  svc split include 192.168.0.0 255.255.255.0
  svc split include 192.168.20.0 255.255.255.0
  svc split include 10.10.10.0 255.255.255.0
  default-group-policy policy_1
  aaa authentication list sdm_vpn_xauth_ml_3
  gateway gateway_1
  inservice

• SSL VPN with client, anyconnect.

  I've set up a simple test on SSL VPN with client on a 3800.
  It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
  but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
  The underlying routing is fine.
  Could you tell me where it is configured wrong?
  Config is copied below.
  thanks,
  Han
  =======
  Current configuration : 3340 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password cisco
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  no network-clock-participate slot 1
  crypto pki trustpoint TP-self-signed-3551041125
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3551041125
  revocation-check none
  rsakeypair TP-self-signed-3551041125
  crypto pki certificate chain TP-self-signed-3551041125
  certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
  34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
  29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
  6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
  23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
  53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
  301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
  5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
  300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
  73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
  CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
  B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
  CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
  quit
  dot11 syslog
  ip cef
  multilink bundle-name authenticated
  voice-card 0
  no dspfarm
  username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
  archive
  log config
  hidekeys
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  end
  interface Loopback1
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  ip local pool svc-poll 1.1.1.50 1.1.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 192.168.1.254
  ip http server
  no ip http secure-server
  control-plane
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface GigabitEthernet0/0 port 443
  ssl trustpoint local
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSLVPN
  ssl authenticate verify all
  policy group default
     functions svc-required
     svc default-domain "test.org"
     svc keep-client-installed
     svc split dns "primary"
  default-group-policy default
  gateway SSLVPN
  inservice
  end

  Using the SDM follow the below config example
  http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
  The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
  HTH>

• SSL VPN Login failure issue

  Hello,
  I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
  Function: ConnectMgr::setPromptAttributes
  File: .\ConnectMgr.cpp
  Line: 2657
  Invoked Function: setPromptAttributes
  Return Code: -33554423 (0xFE000009)
  Description: GLOBAL_ERROR_UNEXPECTED
  Error text:
  Login failed.
  If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
  This has been driving me crazy - as a work around for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that show a failed attempt).  Still troubleshooting and looking at certificate's at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
  Regards.
  After a little more testing, seems somehow related to users being in to many groups in AD.      
  Message was edited by: Rich Viola

  Hello,
  If the website is unavailable or in this case, the website is missing several characters(charts, canvas, etc or some other objects), usually could be an issue with the rewrite engine.
  Solution (workaround):
  You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
  You can implement it as follow:
  Add a Bookmark
  Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
  For further information you can find it here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
  Let me know how tit works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• SSL VPN on C2821 Radius auth issues

  I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
  I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
  This is what the config looks like
  Building configuration...
  Current configuration : 24735 bytes
  ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname N****
  aaa new-model
  aaa group server radius IAS_AUTH
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa group server radius Global ***made for testing. Redundant
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
  aaa authentication login sdm_vpn_xauth_ml_2 local
  aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
  aaa authorization network sdm_vpn_group_ml_1 local
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa session-id common
  clock timezone Arizona -7
  dot11 syslog
  ip source-route
  ip cef
  password encryption aes
  crypto pki trustpoint TP-self-signed-2464190257
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-2464190257
  revocation-check none
  rsakeypair TP-self-signed-2464190257
  crypto pki certificate chain TP-self-signed-2464190257
  certificate self-signed 01
  REMOVED
  interface GigabitEthernet0/0
  INTERFACES REMOVED
  ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip flow-cache timeout inactive 10
  ip flow-cache timeout active 5
  ip flow-export source GigabitEthernet0/0
  ip flow-export version 5 peer-as
  ip flow-export destination 10.12.1.17 2048
  ROUTES REMOVED
  ACLS REMOVED SSL IS ALLOWED
  route-map STAT_NAT permit 10
  match ip address 109
  route-map DYN_NAT permit 10
  match ip address 108
  snmp-server community $DCI$ RO
  control-plane
  banner login ^C
  line con 0
  password 7 01100F175804
  login authentication local
  line aux 0
  line vty 0 4
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  webvpn gateway gateway_1
  ip address **outside ip*** port 443
  http-redirect port 80
  ssl trustpoint TP-self-signed-2464190257
  no inservice
  webvpn context webvpn
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  port-forward "portforward_list_1"
     local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
  policy group policy_1
     port-forward "portforward_list_1"
  default-group-policy policy_1
  aaa authentication list SSL_Global
  aaa authentication domain @n****
  gateway gateway_1 domain N****
  max-users 10
  no inservice
  end
  Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

  OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?    

• Ssl vpn and soft phone

  Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
  thank you

  Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml