SSL VPN Login failure issue

Hello,
I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
Function: ConnectMgr::setPromptAttributes
File: .\ConnectMgr.cpp
Line: 2657
Invoked Function: setPromptAttributes
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Error text:
Login failed.
If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
This has been driving me crazy - as a work around for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that show a failed attempt).  Still troubleshooting and looking at certificate's at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
Regards.
After a little more testing, seems somehow related to users being in to many groups in AD.      
Message was edited by: Rich Viola

Hello,
If the website is unavailable or in this case, the website is missing several characters(charts, canvas, etc or some other objects), usually could be an issue with the rewrite engine.
Solution (workaround):
You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
You can implement it as follow:
Add a Bookmark
Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
For further information you can find it here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
Let me know how tit works out!
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
Regards,

Similar Messages

  • SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

    Hi,
    Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
    some relevant config
    webvpn
    enable wan
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy vpnpolicy1 internal
    group-policy vpnpolicy1 attributes
    vpn-tunnel-protocol svc
    tunnel-group admins type remote-access
    tunnel-group admins general-attributes
    address-pool sslpool2
    default-group-policy vpnpolicy1
    username myuser password 1234567890 encrypted privilege 15
    username myuser  attributes
    vpn-group-policy vpnpolicy1
    Debug:
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
    webvpn_add_auth_handle: auth_handle = 17
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    webvpn_session.c:http_webvpn_create_session[184]
    WebVPN: error creating WebVPN session!
    webvpn_remove_auth_handle: auth_handle = 17
    webvpn_free_auth_struct: net_handle = CD5734D0
    webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_free_auth_struct: net_handle = CD5734D0

    AnyConnect says:
    "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
    The following message was received from the secure gateway: Host or network is 0"
    Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
    ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# debug http 255
    debug http enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
    webvpn_add_auth_handle: auth_handle = 22
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    HTTP: net_handle->standalone_client [0]
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_remove_auth_handle: auth_handle = 22
    webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CC894AA8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    Close 1043041832
    webvpn_free_auth_struct: net_handle = CC894AA8

  • SSL VPN Connection Issue

    Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
    *************Equipment/Software
    Cisco 2851 Router Version 15.4(M9) Software
    anyconnect-win-3.1.07021-k9.pkg
    *************Configuration
    ip local pool webvpn1 172.16.100.80 172.16.100.90
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip access-list extended webvpn-acl
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
    webvpn gateway CCIELAB
     hostname Porshe_GT3
     ip interface GigabitEthernet0/0 port 443
     http-redirect port 80
     ssl trustpoint my-sslvpn-ca
     inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
    webvpn context CCIELab
     title "Networking Lab"
     ssl authenticate verify all
     login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
     policy group Labrats
       functions svc-enabled
       banner "Success, You Made It"
       filter tunnel webvpn-acl
       svc address-pool "webvpn1" netmask 255.255.255.0
       svc keep-client-installed
       svc rekey method new-tunnel
       svc split include 172.16.100.0 255.255.255.0
     default-group-policy Labrats
     aaa authentication list webvpn
     gateway CCIELAB
     inservice
    *********************Debugs
    *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
    *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
    *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
    *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
    *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
    *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
    *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *********************Verification
    Porshe_GT3#show webvpn policy group Labrats context all
    WEBVPN: group policy = Labrats ; context = CCIELab
          banner = "Success, You Made It"
          idle timeout = 2100 sec
          session timeout = Disabled
          functions = 
                    svc-enabled 
          citrix disabled
          address pool name = "webvpn1"
          netmask = 255.255.255.0
          tunnel-mode filter = "webvpn-acl"
          dpd client timeout = 300 sec
          dpd gateway timeout = 300 sec
          keepalive interval = 30 sec
          SSLVPN Full Tunnel mtu size = 1406 bytes
          keep sslvpn client installed = enabled
          rekey interval = 3600 sec
          rekey method = new-tunnel 
          lease duration = 43200 sec
          split include = 172.16.100.0 255.255.255.0

    The problem is related to either of these issues:
    Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
    Fragmentation policy during encryption
    Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

  • SSL VPN (WebVPN) issues with IOS 15.0(1)M1

    Hello everyone... I need your help!
    I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
    Symptoms:
    - AnyConnect Client prompts users with the following error:
    "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
    Debug:
    Mar  5 13:09:45:
    Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
    Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
    Mar  5 13:09:45: WV-TUNL: Allocating stc_config
    Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
    Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
    Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
    Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
    Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
    Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
    Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
    WV-TUNL:      Severity ERROR Type USER_LOGOUT
    WV-TUNL:      Text: HTTP response contained an HTTP error code.
    Mar  5 13:09:45: WV-TUNL: Call user logout function
    Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
    When the error occurs, the "SVCIP install TCP failed" counter increments:
    VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
    [snip]
    Tunnel Statistics:
        Active connections       : 1       
        Peak connections         : 3          Peak time                : 19:09:04
        Connect succeed          : 9          Connect failed           : 5       
        Reconnect succeed        : 0          Reconnect failed         : 0       
        SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
        SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
        SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
        DPD timeout              : 0        
    [snip]
    IOS Version Details:
    Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
    The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
    Config:
    webvpn context CUSTOMER-VPN
    title "SSL VPN for Customer"
    ssl authenticate verify all
    login-message "Enter username and passcode"
    policy group CUSTOMER-VPN
       functions svc-required
       svc keep-client-installed
       svc split include 10.1.16.0 255.255.240.0
       svc split include 10.1.2.0 255.255.254.0
    vrf-name CUSTOMER-VPN
    default-group-policy CUSTOMER-VPN
    aaa authentication list AAA-LIST
    aaa authentication auto
    aaa accounting list AAA-LIST
    gateway vpn virtual-host customer.xx.com
    logging enable
    inservice
    The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

    Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
    At that point in time we were running with local pool definition.
    As the http 401 rc happens very sporadically we still gathering incident reports internally.
    Will open a case if you did not yet.
    cheers, Andy

  • ASA Clientless SSL VPN can't access login pages on websites

    When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
    show run
    : Saved
    ASA Version 8.4(4)1
    hostname PatG
    domain-name resolver4.opendns.com
    enable password aDvdtQE/ih5t061i encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    boot system disk0:/asa844-1-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group Comcast
    name-server 75.75.75.75
    domain-name cdns01.comcast.net
    dns server-group DefaultDNS
    name-server 208.67.220.222
    name-server 208.67.220.220
    domain-name resolver4.opendns.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp timeout 14400
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Remote1 protocol radius
    aaa-server Remote1 (inside) host 192.168.1.8
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console Remote1
    aaa authentication http console Remote1 LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd domain redtube.com
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.1.15 192.168.1.5
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    tunnel-group-list enable
    group-policy Eng internal
    group-policy Eng attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value EngineerMarks
    group-policy RemoteHTTP internal
    group-policy RemoteHTTP attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value Test
      customization value Extra
    username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
    tunnel-group Browser type remote-access
    tunnel-group Browser general-attributes
    authentication-server-group Remote1
    default-group-policy RemoteHTTP
    tunnel-group TEST type remote-access
    tunnel-group TEST general-attributes
    authentication-server-group Remote1
    default-group-policy RemoteHTTP
    tunnel-group TEST webvpn-attributes
    group-alias testing enable
    group-url https://24.19.162.53/testing enable
    tunnel-group Engineering type remote-access
    tunnel-group Engineering general-attributes
    authentication-server-group Remote1 LOCAL
    default-group-policy Eng
    tunnel-group Engineering webvpn-attributes
    group-alias engineering enable
    group-url https://209.165.200.2/engineering enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
    policy-map map
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                                                             CEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
    : end
    Can anyone please help me? Thanks

    In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
    Example:
    ASA public IP: 2.2.2.2
    Remote network: 192.168.1.0/24
    access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
    Mirror the above acl on the remote end router.
    PS. If you found this post helpful, please rate it.

  • SSL VPN on C2821 Radius auth issues

    I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
    I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
    This is what the config looks like
    Building configuration...
    Current configuration : 24735 bytes
    ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname N****
    aaa new-model
    aaa group server radius IAS_AUTH
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa group server radius Global ***made for testing. Redundant
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa session-id common
    clock timezone Arizona -7
    dot11 syslog
    ip source-route
    ip cef
    password encryption aes
    crypto pki trustpoint TP-self-signed-2464190257
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2464190257
    revocation-check none
    rsakeypair TP-self-signed-2464190257
    crypto pki certificate chain TP-self-signed-2464190257
    certificate self-signed 01
    REMOVED
    interface GigabitEthernet0/0
    INTERFACES REMOVED
    ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip flow-cache timeout inactive 10
    ip flow-cache timeout active 5
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5 peer-as
    ip flow-export destination 10.12.1.17 2048
    ROUTES REMOVED
    ACLS REMOVED SSL IS ALLOWED
    route-map STAT_NAT permit 10
    match ip address 109
    route-map DYN_NAT permit 10
    match ip address 108
    snmp-server community $DCI$ RO
    control-plane
    banner login ^C
    line con 0
    password 7 01100F175804
    login authentication local
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address **outside ip*** port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2464190257
    no inservice
    webvpn context webvpn
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    port-forward "portforward_list_1"
       local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
    policy group policy_1
       port-forward "portforward_list_1"
    default-group-policy policy_1
    aaa authentication list SSL_Global
    aaa authentication domain @n****
    gateway gateway_1 domain N****
    max-users 10
    no inservice
    end
    Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

    OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?    

  • IP phone SSL VPN configuration issue

    Hello,
    I am trying to configure the SSL VPN for the IP phone.
    I am using the CM8.0.2 and 7975.
    - I configured ASA and tested with my PC. PC can ping the CM.
    - I uploaded the ASA cert as a Phone-VPN-trust
    - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
    - I created a VPN gateway and typed URL and selected the cert
    - I created the VPN group and added the VPN gateway to it.
    - I created the VPN profile and added the VPN group to it.
    - I disabled the Host ID check
    - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
    When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
    What is missing? What am I doing wrong?

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • IP Phone Over SSL VPN Registering Issue

    I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

    Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
    Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
    If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

  • SSL VPN with machine certificate authentication

    Hi All,
    I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
    Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
    The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
    btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
    Thanks in advance for your help
    Hardware is ASA5540, software version 8.2(5).
    Some pieces of the configuration below:
    group-policy VPN4TEST-Policy internal
    group-policy VPN4TEST-Policy attributes
      wins-server value xx.xx.xx.xx
    dns-server value xx.xx.xx.xx
    vpn-simultaneous-logins 1
    vpn-idle-timeout 60
    vpn-filter value VPN4TEST_allow_access
    vpn-tunnel-protocol IPSec svc webvpn
    group-lock none
    ipsec-udp enable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    default-domain value cs.ad.klmcorp.net
    vlan 44
    nac-settings none
    address-pools value VPN4TEST-xxx
    webvpn
      svc modules value vpngina
      svc profiles value KLM-SSL-VPN-VPN4TEST
    tunnel-group VPN4TEST-VPN type remote-access
    tunnel-group VPN4TEST-VPN general-attributes
    address-pool VPN4TEST-xxx
    authentication-server-group RSA-7-Authent
    default-group-policy VPN4TEST-Policy
    tunnel-group VPN4TEST-VPN webvpn-attributes
    authentication aaa certificate
    group-alias VPN4TEST-ANYCONNECT enable

    Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

  • SSL VPN Connection error with SA520

    Hi there,
    I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
    I have made sure the firewall was turned off. Any idea on how to get the ssl tunel connected?
    Thanks

    Hihi,
    we have the same problem, running on Vista 32 bit, and IE9.
    On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
    It works also on Win 7 64 bit, although only with the 64 bit version of IE.
    Coming back to our Vista issue, we did not find any way to make it work properly.
    Tried to turn off firewall, disinstall a lot of stuff that may interphere, etc. , still same problem.
    We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
    Anyone has any suggestion ??
    Tks

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
    Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

  • Anyconnect SSL VPN Authentication Feilure

    Dear All,
    I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.
    All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
    So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
    Then I have change the provile XML file of my anyconnect in this way:
    <HostEntry>
                <HostName>myasa</HostName>
                <HostAddress>xxx.xxx.xxx.xxx</HostAddress>
            <PrimaryProtocol>SSL</PrimaryProtocol>       
    Then I installed the certificate on my Win7 Pc in the Trusted Root Certification Authority.
    The result of all my changes is that now the login fail! Someone could help me pls?
    webvpn_allocate_auth_struct: net_handle = DA0C3608
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from group list
    webvpn_login_resolve_tunnel_group: TG_BUFFER = VPNSSL
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-636397680) and nh (-636733944)!
    webvpn_add_auth_handle: auth_handle = 95
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5163]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: ([email protected]) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2939]
    WARNING: CSD is disabled by AnyConnect Essentials license.
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_destroy_session[1386]
    webvpn_remove_auth_handle: auth_handle = 95
    WARNING: CSD is disabled by AnyConnect Essentials license.
    WARNING: CSD is disabled by AnyConnect Essentials license.
    webvpn_portal.c:webvpn_determine_primary_username[5689]
    webvpn_portal.c:webvpn_determine_secondary_username[5758]
    webvpn_portal.c:ewaFormServe_webvpn_login[1974]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    APP_BUFFER: <option value="VPNSSL" noaaa="0" >dntsbewvpn</option>
    webvpn_free_auth_struct: net_handle = DA0C3608
    webvpn_allocate_auth_struct: net_handle = DA0C3608
    webvpn_free_auth_struct: net_handle = DA0C3608

    Dear All,
    I have found why the authentication was stop to work.
    I have lost in the config the command:
    svc image disk0:/anyconnect-win-xxxxxk9.pkg 1
    Now it works.
    Best regards,
    Igor.

  • Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M

    Dear Community,
    I have a strange issue that I am hoping some of you will be able to assist with.
    I am running an environment with the following specifications
    Cisco ISR G2 2901 with IOS 15.3.3M
    Security Licence enabled
    Data Licence enabled
    VPN Licence enabled
    Cisco ISR G2 2951 with IOS 15.3.3M
    Security Licence enabled
    Data Licence enabled
    SM with ESX server.
    Desktop Environment
    Windows XP SP3
    Internet Explorer 8
    Desktop Environment 2
    Windows 8
    Internet Explorer 10
    I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
    This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
    PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
    If anyone can assit me here it would really make my day.
    Thanks,
    Will

    Can anyone help with this ?

  • SSL VPN message "This (client) machine does not have the web access privilege."

    Hello!
    I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
    enable password xxxxxxxx
    aaa new-model
    aaa authentication login userAuthen local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization network groupauthor local
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1279712955
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1279712955
    revocation-check none
    rsakeypair TP-self-signed-1279712955
    crypto pki certificate chain TP-self-signed-1279712955
    certificate self-signed 01
      3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
      33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
      31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
      A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
      649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
      9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
      B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
      551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
      11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
      ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
      48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
      265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
      7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
      495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
       quit
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool myPOOL
       network 192.168.0.0 255.255.255.0
       default-router 192.168.0.1
       dns-server 87.216.1.65 87.216.1.66
    ip cef
    ip name-server 87.216.1.65
    ip name-server 87.216.1.66
    ip ddns update method mydyndnsupdate
    HTTP
      add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    interval maximum 1 0 0 0
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group pppoe
    request-dialin
      protocol pppoe
    username cisco privilege 15 password 0 xxxxxxxx
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp fragmentation
    crypto isakmp client configuration group vpnclient
    key cisco123
    domain selfip.net
    pool ippool
    acl 110
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    reverse-route
    crypto map clientmap client authentication list userAuthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 10.11.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Loopback2
    description SSL VPN Website IP address
    ip address 10.10.10.1 255.255.255.0
    interface Loopback1
    description SSL DHCP Pool Gateway Address
    ip address 192.168.250.1 255.255.255.0
    interface FastEthernet0
    description $ES_LAN$
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    bundle-enable
    dsl operating-mode auto
    interface Vlan1
    no ip address
    interface Dialer1
    ip ddns update hostname myserver.selfip.net
    ip ddns update mydyndnsupdate host members.dyndns.org
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip policy route-map VPN-Client
    dialer pool 1
    ppp chap hostname xxx
    ppp chap password 0 xxxx
    ppp pap sent-username xxx password 0 xxxx
    crypto map clientmap
    ip local pool ippool 192.168.50.100 192.168.50.200
    ip local pool sslvpnpool 192.168.250.2 192.168.250.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
    ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
    ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
    access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 144 permit ip 192.168.50.0 0.0.0.255 any
    route-map VPN-Client permit 10
    match ip address 144
    set ip next-hop 10.11.0.2
    control-plane
    banner motd ^C
    ================================================================
                    UNAUTHORISED ACCESS IS PROHIBITED!!!
    =================================================================
    ^C
    line con 0
    line aux 0
    line vty 0 4
    password mypassword
    transport input telnet ssh
    webvpn gateway MyGateway
    ip address 10.10.10.1 port 443 
    http-redirect port 80
    ssl trustpoint TP-self-signed-1279712955
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context SecureMeContext
    title "My SSL VPN Service"
    secondary-color #C0C0C0
    title-color #808080
    ssl authenticate verify all
    url-list "MyServers"
       heading "My Intranet"
       url-text "Cisco" url-value "http://192.168.0.2"
       url-text "NetGear" url-value "http://192.168.0.3"
    login-message "Welcome to My VPN"
    policy group MyDefaultPolicy
       url-list "MyServers"
       functions svc-enabled
       svc address-pool "sslvpnpool"
       svc keep-client-installed
    default-group-policy MyDefaultPolicy
    aaa authentication list userAuthen
    gateway MyGateway domain testvpn
    max-users 100
    csd enable
    inservice
    end
    Thank you!

    Hi,
    Please check SAP note:
    2004579 - You cannot create a FR company from a Package
    Thanks & Regards,
    Nagarajan

  • SSL VPN Full Tunnel - Not Reliable

    We have been trying to deploy SSL VPN on a 3825 router running 12.4.20T2 with Anyconnect V2.2.0140. It works normally for a few days, then begins to fail in different ways. First, the users do not get the login screen from the Web access. This can be reset by stopping and starting the service. However, now I get fully connected and in a single session, sometimes I can access network resources and sometimes I can't (comes and goes to various parts of the network). I know if I reboot the router, everything will be fine for a few days. I also run Client VPN on this same router and it is very stable. Whenever I call TAC, the first question I get is "Do you have an ASA that you can run SSL VPN on?", and everytime I ask if they know something about the reliability of SSL VPN on IOS. They always say "it should work".
    I guess what I am asking is, are there known reliability issues with full tunnel SSL VPN on IOS? Or, if anyone else has seen these kinds of problems and found solutions? Thanks!

    Please enable the following command and then try to connect:
    ip inspect log drop-pkt
    If I am not overlooking at the configuration, it seems to be ok, so I would like to check ZBF.
    Please check the logs generated by the Router and let me know if you see anything related to your connection.
    Thanks.
    Portu.

Maybe you are looking for

  • How do I use a quadrature encoder as an external clock (PCI 6229)

    Hello, ( a similar post has been placed on DAQ forum apologies as I did not know best place) I have a PCI 6229 M Series data acquisition card. I want to use a quadrature encoder to be the external clock driving the acquisition of a number of signals.

  • Oracle taking too much memory in Linux

    Hi.. I am using Oralce on linux 7.5 No any active session is running on server for oracle .. But oracle taking too much memory in linux when I check with TOP command .. 16:08:29 up 19 days, 20:14, 2 users, load average: 5.32, 4.63, 3.78 227 processes

  • Recommened wireless router for IMAC

    Just purchased an IMAC 21.5 computer and need a better wireless router for the IMAC and IPAD AIR. Used for surfing the net, email and wireless printing. What should I look at?

  • Sensor Data in BPEL

    Hi I have BAM Sensrs in BPEL process at various activities. The data is published to BAM DO. How to check the logs, payload any details related . The sensor tabl in the BPEL COnsole...Does that show any details....bcoz I dont see anything there.... G

  • Data transfer from 4.6C to ECC6 using bcp

    Hi experts,   Is there any risk to use bcp transfer customized tables(Z*) beucase I find using R3trans is too slow and I have data volume about 65GB(compressed). I think it takes me about 3-5 days to import. And I use bcp -n, would this cause any dat