SSL VPN on C2821 Radius auth issues

Similar Messages

• SSL VPN Connection Issue

  Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
  *************Equipment/Software
  Cisco 2851 Router Version 15.4(M9) Software
  anyconnect-win-3.1.07021-k9.pkg
  *************Configuration
  ip local pool webvpn1 172.16.100.80 172.16.100.90
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip access-list extended webvpn-acl
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
  webvpn gateway CCIELAB
   hostname Porshe_GT3
   ip interface GigabitEthernet0/0 port 443
   http-redirect port 80
   ssl trustpoint my-sslvpn-ca
   inservice
  webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
  webvpn context CCIELab
   title "Networking Lab"
   ssl authenticate verify all
   login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
   policy group Labrats
     functions svc-enabled
     banner "Success, You Made It"
     filter tunnel webvpn-acl
     svc address-pool "webvpn1" netmask 255.255.255.0
     svc keep-client-installed
     svc rekey method new-tunnel
     svc split include 172.16.100.0 255.255.255.0
   default-group-policy Labrats
   aaa authentication list webvpn
   gateway CCIELAB
   inservice
  *********************Debugs
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
  *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
  *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *********************Verification
  Porshe_GT3#show webvpn policy group Labrats context all
  WEBVPN: group policy = Labrats ; context = CCIELab
        banner = "Success, You Made It"
        idle timeout = 2100 sec
        session timeout = Disabled
        functions = 
                  svc-enabled 
        citrix disabled
        address pool name = "webvpn1"
        netmask = 255.255.255.0
        tunnel-mode filter = "webvpn-acl"
        dpd client timeout = 300 sec
        dpd gateway timeout = 300 sec
        keepalive interval = 30 sec
        SSLVPN Full Tunnel mtu size = 1406 bytes
        keep sslvpn client installed = enabled
        rekey interval = 3600 sec
        rekey method = new-tunnel 
        lease duration = 43200 sec
        split include = 172.16.100.0 255.255.255.0

  The problem is related to either of these issues:
  Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  Fragmentation policy during encryption
  Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• SSL VPN Login failure issue

  Hello,
  I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
  Function: ConnectMgr::setPromptAttributes
  File: .\ConnectMgr.cpp
  Line: 2657
  Invoked Function: setPromptAttributes
  Return Code: -33554423 (0xFE000009)
  Description: GLOBAL_ERROR_UNEXPECTED
  Error text:
  Login failed.
  If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
  This has been driving me crazy - as a work around for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that show a failed attempt).  Still troubleshooting and looking at certificate's at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
  Regards.
  After a little more testing, seems somehow related to users being in to many groups in AD.      
  Message was edited by: Rich Viola

  Hello,
  If the website is unavailable or in this case, the website is missing several characters(charts, canvas, etc or some other objects), usually could be an issue with the rewrite engine.
  Solution (workaround):
  You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
  You can implement it as follow:
  Add a Bookmark
  Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
  For further information you can find it here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
  Let me know how tit works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• SSL VPN IP Address Assignment from IAS radius server

  Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

  Hi,
  I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
  If you have any question do not hesitate to contact me.

• IP phone SSL VPN configuration issue

  Hello,
  I am trying to configure the SSL VPN for the IP phone.
  I am using the CM8.0.2 and 7975.
  - I configured ASA and tested with my PC. PC can ping the CM.
  - I uploaded the ASA cert as a Phone-VPN-trust
  - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
  - I created a VPN gateway and typed URL and selected the cert
  - I created the VPN group and added the VPN gateway to it.
  - I created the VPN profile and added the VPN group to it.
  - I disabled the Host ID check
  - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
  When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
  What is missing? What am I doing wrong?

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IP Phone Over SSL VPN Registering Issue

  I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

  Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
  Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
  If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

• Anyconnect SSL VPN Authentication Feilure

  Dear All,
  I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.
  All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
  So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
  Then I have change the provile XML file of my anyconnect in this way:
  <HostEntry>
              <HostName>myasa</HostName>
              <HostAddress>xxx.xxx.xxx.xxx</HostAddress>
          <PrimaryProtocol>SSL</PrimaryProtocol>       
  Then I installed the certificate on my Win7 Pc in the Trusted Root Certification Authority.
  The result of all my changes is that now the login fail! Someone could help me pls?
  webvpn_allocate_auth_struct: net_handle = DA0C3608
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from group list
  webvpn_login_resolve_tunnel_group: TG_BUFFER = VPNSSL
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-636397680) and nh (-636733944)!
  webvpn_add_auth_handle: auth_handle = 95
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5163]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: ([email protected]) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2939]
  WARNING: CSD is disabled by AnyConnect Essentials license.
  webvpn_session.c:http_webvpn_create_session[184]
  webvpn_session.c:http_webvpn_find_session[159]
  WebVPN session created!
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_destroy_session[1386]
  webvpn_remove_auth_handle: auth_handle = 95
  WARNING: CSD is disabled by AnyConnect Essentials license.
  WARNING: CSD is disabled by AnyConnect Essentials license.
  webvpn_portal.c:webvpn_determine_primary_username[5689]
  webvpn_portal.c:webvpn_determine_secondary_username[5758]
  webvpn_portal.c:ewaFormServe_webvpn_login[1974]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  APP_BUFFER: <option value="VPNSSL" noaaa="0" >dntsbewvpn</option>
  webvpn_free_auth_struct: net_handle = DA0C3608
  webvpn_allocate_auth_struct: net_handle = DA0C3608
  webvpn_free_auth_struct: net_handle = DA0C3608

  Dear All,
  I have found why the authentication was stop to work.
  I have lost in the config the command:
  svc image disk0:/anyconnect-win-xxxxxk9.pkg 1
  Now it works.
  Best regards,
  Igor.

• SSL VPN - Bypass DefaultWEBVPNGroup

  Hi All,
  I'm using the default tunnel-group and group-policy for my general user community. I want to apply a filter for that group, and have a special use case for another group that bypasses the filter. My goal: for people hitting the "RAS_Engineering" group policy, I want to bypass the filter applied to "DfltGrpPolicy"
  Is there a way for me to configure the group-policy so that it doesn't pick up the default settings? Here's what I have (some output omitted to reduce lines):
  #  sh vpn-session detail svc filter name amy.eryilmaz
  Session Type: SVC Detailed
  Username     : amy.eryilmaz           Index        : 13568
  Assigned IP  : my.vpn.assigned.ip          Public IP    : my.pub.lic.ip
  Group Policy : RAS_Engineering        Tunnel Group : DefaultWEBVPNGroup
  Clientless Tunnels: 1
  SSL-Tunnel Tunnels: 1
  Clientless:
    Tunnel ID    : 13568.1
    Public IP    : my.pub.lic.ip
    Auth Mode    : userPassword
    Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
    Client Type  : Web Browser
    Client Ver   : AnyConnect Windows 2.5.3046
    Bytes Tx     : 11456                  Bytes Rx     : 3986
  SSL-Tunnel:
    Tunnel ID    : 13568.2
    Assigned IP  : my.vpn.assigned.ip          Public IP    : my.pub.lic.ip
    Client Type  : SSL VPN Client
    Client Ver   : Cisco AnyConnect VPN Agent for Windows 2.5.3046
    Filter Name  : default-vpn-filter
  group-policy DfltGrpPolicy attributes
  wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  dhcp-network-scope xx.xx.xx.xx
  vpn-filter value default-vpn-filter
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  default-domain value mydomain.com
  webvpn
    svc ask none default svc
  group-policy RAS_Engineering internal
  group-policy RAS_Engineering attributes
  wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  dhcp-network-scope xx.xx.xx.xx
  vpn-tunnel-protocol l2tp-ipsec svc
  webvpn
    svc ask none default svc
  # sh run all tunnel-group DefaultWEBVPNGroup
  tunnel-group DefaultWEBVPNGroup type remote-access
  tunnel-group DefaultWEBVPNGroup general-attributes
  no address-pool
  no ipv6-address-pool
  authentication-server-group my_radius
  secondary-authentication-server-group none
  no accounting-server-group
  default-group-policy DfltGrpPolicy
  dhcp-server xx.xx.xx.xx
  no strip-realm
  no password-management
  no override-account-disable
  no strip-group
  no authorization-required
  username-from-certificate CN OU
  secondary-username-from-certificate CN OU
  authentication-attr-from-server primary
  authenticated-session-username primary
  tunnel-group DefaultWEBVPNGroup webvpn-attributes
  customization myCustom
  authentication aaa
  no override-svc-download
  no radius-reject-message
  no proxy-auth sdi
  no pre-fill-username ssl-client
  no pre-fill-username clientless
  no secondary-pre-fill-username ssl-client
  no secondary-pre-fill-username clientless
  dns-group DefaultDNS
  no without-csd
  tunnel-group DefaultWEBVPNGroup ipsec-attributes
  no pre-shared-key
  peer-id-validate req
  no chain
  no trust-point
  isakmp keepalive threshold 300 retry 2
  no radius-sdi-xauth
  isakmp ikev1-user-authentication xauth

  Hi,
  By default you will inherit any implicit values from the default group policy.
  To stop inheriting the "vpn-filter" please do:
  group-policy RAS_Engineering attributes
       vpn-filter none
  The same applies for any other feature within the group-policy, make sure you explicitly define every parameter according to the specific requirements.
  Thanks.
  Portu.
  Please rate any helpful posts.

• SSL VPN Problem - ACL Parse Error

  Hi there.
  Testing some features in Cisco ASA SSL VPN(Clientless).
  But when i connect to the portal, trying to login i get the following error, anybody seen this before?
  It works if i ADD a ACL to the DAP, but dosn't if there is only a WEBACL applied??
  It also works if i remove my "check" in "ssl-client" box in the global_policy  (Group Policy).
  6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
  4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
  6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
  6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
  6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
  6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

  If you have implemented SSLVPN i18n then I think you are hitting bug.

• SSL VPN Connection error with SA520

  Hi there,
  I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
  I have made sure the firewall was turned off. Any idea on how to get the ssl tunel connected?
  Thanks

  Hihi,
  we have the same problem, running on Vista 32 bit, and IE9.
  On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
  It works also on Win 7 64 bit, although only with the 64 bit version of IE.
  Coming back to our Vista issue, we did not find any way to make it work properly.
  Tried to turn off firewall, disinstall a lot of stuff that may interphere, etc. , still same problem.
  We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
  Anyone has any suggestion ??
  Tks

• ASA 5505 VPN Group Policies (RADIUS) and tunnel group

  I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
  I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
  Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
  I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
  Session Type: WebVPN
  Username     : kaisaron78             Index        : 1
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 518483                 Bytes Rx     : 37549
  Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 10:59:33 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:23s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000100053f1c075
  Security Grp : none
  Asa5505# sh vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : manintra               Index        : 2
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 238914                 Bytes Rx     : 10736
  Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 11:01:02 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:05s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000200053f1c0ce
  Security Grp : none
  As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
  ! ADDRESS POOLS AND NAT
  names
  ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_27
   subnet 192.168.10.0 255.255.255.224
  access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
  ! RADIUS SETUP
  aaa-server OpenOTP protocol radius
  aaa-server OpenOTP (inside) host 192.168.1.8
   key ******
   authentication-port 1812
   accounting-port 1814
   radius-common-pw ******
   acl-netmask-convert auto-detect
  webvpn
   port 10443
   enable outside
   dtls port 10443
   anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
   anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
   anyconnect enable
  ! LOCAL POLICIES
  group-policy SSLPolicy internal
  group-policy SSLPolicy attributes
   vpn-tunnel-protocol ssl-clientless
   vlan 3
   dns-server value 10.5.1.5
   default-domain value management.local
   webvpn
    url-list value Management_List
  group-policy RemoteAC internal
  group-policy RemoteAC attributes
   vpn-tunnel-protocol ikev2 ssl-client
   vlan 1
   address-pools value AnyConnect_Pool
   dns-server value 192.168.1.4
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value Split_Tunnel_Anyconnect
   default-domain value home.local
   webvpn
    anyconnect profiles value AnyConnect_Profile_client_profile type user
  group-policy SSLLockdown internal
  group-policy SSLLockdown attributes
    vpn-simultaneous-logins 0
  ! DEFAULT TUNNEL
  tunnel-group DefaultRAGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group VPN_Tunnel type remote-access
  tunnel-group VPN_Tunnel general-attributes
   authentication-server-group OpenOTP
   default-group-policy SSLLockdown
  !END
  I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
  Any help will be more than appreciated.
  Cesare Giuliani

  Ok, it makes sense.
  Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
  Thank you again for your precious and kind help, and for your patience as well!
  Cesare Giuliani

• Cisco IOS SSL VPN Not Working - Internet Explorer

  Hi All,
  I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
  Below is the config snippet:
  username vpntest password XXXXX
  aaa authentication login default local
  crypto pki trustpoint TP-self-signed-1873082433
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1873082433
  revocation-check none
  rsakeypair TP-self-signed-1873082433
  crypto pki certificate chain TP-self-signed-1873082433
  certificate self-signed 01
  --- omitted ---
          quit
  webvpn gateway SSLVPN
  hostname Router
  ip address X.X.X.X port 443 
  ssl encryption aes-sha1
  ssl trustpoint TP-self-signed-1873082433
  inservice
  webvpn context SSLVPN
  title "Blah Blah"
  ssl authenticate verify all
  login-message "Enter the magic words..."
  port-forward "PortForwardList"
     local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
  policy group SSL-Policy
     port-forward "PortForwardList" auto-download
  default-group-policy SSL-Policy
  gateway SSLVPN
  max-users 3
  inservice
  I've tried:
  *Enabling SSL 2.0 in IE
  *Adding the site to the Trusted Sites in IE
  *Adding it to the list of sites allowed to use Cookies
  At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
  Thanks

  Hi,
  I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
  Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

• No SSL VPN tunnel from AnyConnect to IOS

  Dear all
  Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
  But I simply cannot make it work.
  I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
  Here is my configuration on the router:
  crypto pki trustpoint TP-self-signed-595019360
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-595019360
  revocation-check none
  rsakeypair TP-self-signed-595019360
  crypto pki certificate chain TP-self-signed-595019360
  certificate self-signed 01
    3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  [......skipped....]
  interface Loopback123
  ip address 192.168.123.254 255.255.255.0
  ip local pool GS-POOL 192.168.123.1 192.168.123.10
  webvpn gateway GS-GW
  hostname GS-VPN-test
  ip address x.x.x.x port 443
  ssl trustpoint TP-self-signed-595019360
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context GS-CONTEXT
  ssl authenticate verify all
  policy group GS-POLICY
     functions svc-required
     svc address-pool "GS-POOL"
  default-group-policy GS-POLICY
  gateway GS-GW
  inservice
  These are my debug settings:
  #sh debug
  WebVPN Subsystem:
    WebVPN (verbose) debugging is on
    debug webvpn entry GS-CONTEXT
    WebVPN HTTP (verbose) debugging is on
    WebVPN AAA debugging is on
    WebVPN tunnel (verbose) debugging is on
    WebVPN Single Sign On debugging is on
  And these are all debug messages I get upon incoming connection:
  Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
  At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
  Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
  buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
  Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
  Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
  Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
  buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
  buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
  Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
  At this point the Anyconnect client says "Connection attempt failed" and that's all.
  So please, any advice how to solve this?
  And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
  Thanks a lot for any suggestions,
  Grischa

  Some more restrictions:
  12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
  In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
  CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
  In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
  If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
  hth
  Herbert

• AnyConnect (SSL VPN on IoS) - Connection stuck on Android

  Hiya,
  I have an Any Connect WebVpn (ssl vpn?) set up on an IOS 15.2(4)M4. My current WebVPN is set up for Cisco Phones to use SSL VPN to connect to a Cisco Call Manager (CUCM 9.x). I also tried connecting with an Any Connect client from a PC and it seems to work fine.
  The issue is when I try to connect through an Android device, I get the following output from 'debug webvpn':
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.192: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.220: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2930, data: 0xD9E7658, len: 0,
        offset: 0, domain: 0)
  Jan 10 16:04:17.224: WV: Fragmented App data - buffered
  Jan 10 16:04:17.224: WV: Entering APPL with Context: 0x242D9C30,
        Data buffer(buffer: 0x242F2470, data: 0xEA4D858, len: 884,
        offset: 0, domain: 0)
  tbr-edi-2901#
  Jan 10 16:04:17.224: WV: http request: / with no cookie
  Jan 10 16:04:17.224: WV: validated_tp :  cert_username :  matched_ctx :
  Jan 10 16:04:17.224: WV: failed to get sslvpn appinfo from opssl
  Jan 10 16:04:17.224: WV: Error: Failed to get vw_ctx
  Jan 10 16:04:17.224: WV: Appl. processing Failed : 2
  Jan 10 16:04:18.344: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.348: WV: sslvpn process rcvd context queue event
  Jan 10 16:04:18.376: WV: sslvpn process rcvd context queue event
  and then the messages in italics above keep on appearing in an endless loop.
  Any ideas what could be the issue.
  Any help is highly appreciated.
  Thanks,
  David

  Hi,
  I'm having the same issue please let me know if yo found the solution. Thanks in advance