UC560 ssl vpn with spa525g failed
Dear all,
I configured an SPA525G phone as a remote phone. When it is connected to the UC560, VPN is showing on the display, but when I disconnect and try to connect from another network, it gives the error "failed to obtain webvpn cookie".
The public IP is NATted through the firewall on the WAN interface of the UC560.
Hello,
Please refer to the following post for the fix regarding this issue: https://supportforums.cisco.com/docs/DOC-18980
Thanks,
-john
Similar Messages
-
SSL VPN with client, anyconnect.
I've set up a simple test on SSL VPN with client on a 3800.
It didn't work. I assume I have to turn on the IP http server so that the client can hit it.
But when I turned it on, the client goes to SDM, and nothing with SSL VPN happened. It tells me the page is not available.
The underlying routing is fine.
Could you tell me where it is configured wrong?
Config is copied below.
thanks,
Han
=======
Current configuration : 3340 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password cisco
aaa new-model
aaa authentication login default local
aaa session-id common
no network-clock-participate slot 1
crypto pki trustpoint TP-self-signed-3551041125
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3551041125
revocation-check none
rsakeypair TP-self-signed-3551041125
crypto pki certificate chain TP-self-signed-3551041125
certificate self-signed 01
quit
dot11 syslog
ip cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
archive
log config
hidekeys
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
end
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
ip local pool svc-poll 1.1.1.50 1.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface GigabitEthernet0/0 port 443
ssl trustpoint local
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSLVPN
ssl authenticate verify all
policy group default
functions svc-required
svc default-domain "test.org"
svc keep-client-installed
svc split dns "primary"
default-group-policy default
gateway SSLVPN
inservice
end
Using the SDM, follow the config example below:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
HTH
-
SSL VPN with machine certificate authentication
Hi All,
I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate? Does someone have an explanation for that?
By the way, we have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.
Thanks in advance for your help
Hardware is ASA5540, software version 8.2(5).
Some pieces of the configuration below:
group-policy VPN4TEST-Policy internal
group-policy VPN4TEST-Policy attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-filter value VPN4TEST_allow_access
vpn-tunnel-protocol IPSec svc webvpn
group-lock none
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
default-domain value cs.ad.klmcorp.net
vlan 44
nac-settings none
address-pools value VPN4TEST-xxx
webvpn
svc modules value vpngina
svc profiles value KLM-SSL-VPN-VPN4TEST
tunnel-group VPN4TEST-VPN type remote-access
tunnel-group VPN4TEST-VPN general-attributes
address-pool VPN4TEST-xxx
authentication-server-group RSA-7-Authent
default-group-policy VPN4TEST-Policy
tunnel-group VPN4TEST-VPN webvpn-attributes
authentication aaa certificate
group-alias VPN4TEST-ANYCONNECT enable
Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.
-
IOS SSL VPN WITH RADIUS Authorization
Hi
I'm trying to authenticate and authorize the users logging into SSLVPN via ACS, and although the ACS logs and the "TEST" command on the router show successful authentication, I receive the following debug:
*Jun 6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
Rack1R1(config)#
*Jun 6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
Rack1R1(config)#
*Jun 6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
*Jun 6 22:40:21.409: RADIUS(00000000): sending
*Jun 6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
*Jun 6 22:40:21.409: RADIUS: authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
*Jun 6 22:40:21.409: RADIUS: User-Name [1] 16 "SSLUSER@SSLVPN"
Rack1R1(config)#
*Jun 6 22:40:21.409: RADIUS: User-Password [2] 18 *
*Jun 6 22:40:21.409: RADIUS: NAS-IP-Address [4] 6 150.1.1.1
*Jun 6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
*Jun 6 22:40:21.669: RADIUS: authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
*Jun 6 22:40:21.669: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 28
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 22 "webvpn:svc-enabled=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 29
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 23 "webvpn:svc-required=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 50
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 44 "webvpn:split-include=6.6.6.0 255.255.255.0"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 35
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 29 "webvpn:keep-svc-installed=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 31
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 25 "webvpn:addr-pool=SSLVPN"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 41
*Jun 6 22:40:21.669: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 6 22:40:21.669: RADIUS: Class [25] 36
*Jun 6 22:40:21.669: RADIUS: 43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30 [CACS:0/470/96010]
*Jun 6 22:40:21.669: RADIUS: 31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56 [101/SSLUSER@SSLV]
*Jun 6 22:40:21.669: RADIUS: 50 4E [PN]
*Jun 6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
*Jun 6 22:40:21.673: RADIUS(00000000): Unique id not in use
Rack1R1(config)#
*Jun 6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
*Jun 6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
Rack1R1(config)#
*Jun 6 22:40:23.673: WV-AAA: AAA Authentication Failed!
Rack1R1(config)#
*Jun 6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
Rack1R1(config)#
router Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Rack1R1
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/1
logging message-counter syslog
enable password cisco
aaa new-model
aaa authentication login RAD group radius
aaa authorization network RAD group radius
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip domain name INE.com
ip host cisco.com 136.1.121.1
ip host www.cisco.com 136.1.121.1
ip host www.google.com 136.1.121.1
ip host www.ripe.net 136.1.121.1
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3354934498
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3354934498
revocation-check none
rsakeypair TP-self-signed-3354934498
crypto pki certificate chain TP-self-signed-3354934498
certificate self-signed 01
quit
username admin privilege 15 password 0 admin
username SSLUSER@SSLVPN password 0 cisco
archive
log config
hidekeys
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode client
xauth userid mode interactive
ip tcp synwait-time 5
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Loopback6
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
encapsulation dot1Q 12
ip address 136.1.11.1 255.255.255.0
interface FastEthernet0/1.121
encapsulation dot1Q 121
ip address 136.1.121.1 255.255.255.0
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
interface Vlan1
no ip address
router rip
version 2
passive-interface FastEthernet0/1.11
network 136.1.0.0
network 150.1.0.0
no auto-summary
ip local pool SSLVPN 40.0.0.1 40.0.0.254
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 136.1.121.12
ip http server
ip http secure-server
ip dns server
ip access-list extended SPLIT
permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
ip radius source-interface Loopback0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface Loopback0 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-3354934498
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context SSLVPN
title "**SSLVPN **"
ssl encryption rc4-md5
ssl authenticate verify all
aaa authentication list RAD
aaa authentication domain @SSLVPN
aaa authorization list RAD
gateway SSLVPN
inservice
end
Any idea?
Hi,
As I understand, you need to know if you can assign a static IP to a user and also whether there is any other way of assigning an IP other than a local pool.
There are three ways of assigning an IP address to a VPN client: using a local pool, an AAA server, or DHCP.
You can use the following link for more information:-
Assigning static ip for user present locally on ASA:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
For user present on Active Directory:-
http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
The following is the link for assigning ip address using DHCP:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
I hope it helps.
Thanks,
Shilpa
-
Clientless SSL VPN Portal Customization fails on 5510
I am trying to customize a web VPN portal on my 5510 but I get errors whenever I try to add a customization object. Running ASDM 6.1(5)51 on ASA 8.0(5). The error I get when I try to apply a newly created customization object is:
[ERROR] export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426
export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426 ^
% Invalid input detected at '^' marker.
[ERROR] import webvpn customization test disk0:/tmpAsdmImportFile2090698426
% copying 'disk0:/tmpAsdmImportFile2090698426' to a temporary ramfs file failed
[ERROR] delete /noconfirm disk0:/tmpAsdmImportFile2090698426
%Error deleting disk0:/tmpAsdmImportFile2090698426 (No such file or directory)
Tried revert webvpn all but I get error on that as well:
Result of the command: "revert webvpn all"
%ERROR: ifs_rm_dir_rec: unknown type of file `disk0:/csco_config/97/customization/86D3828A0A0EB0FFA3B55870AAA43E4F'
Any ideas?
Joe
Hi,
As mentioned by Guru, the recommended action is to format the flash: memory.
Sometimes some webvpn files get corrupted resulting in missing DfltCustomization objects or import errors.
Once you format it, it should work fine.
Thanks.
Portu.
-
I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
The error on the router is:
Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
Jun 5 16:07:55.755: WV: server side not ready to send.
The following is the configuration:
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context vpn1
ssl authenticate verify all
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
policy group vpn1
url-list "eng"
default-group-policy vpn1
gateway ISR2801-RM domain clientless
inservice
webvpn context vpn2
ssl authenticate verify all
policy group vpn2tunnel
functions svc-enabled
svc address-pool "WEBVPN"
svc split include 10.0.0.2 255.255.255.255
default-group-policy vpn2tunnel
gateway ISR2801-RM domain tunnel
inservice
Thanks for the reply!
The configuration is the following:
interface Ethernet 0
ip address 10.0.0.128 255.255.255.0
ip http secure-server
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
ssl encryption aes-sha1
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context context-sslvpn1
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn1/
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
nbns-list cifs-servers
nbns-server 172.16.1.1 master
nbns-server 172.16.2.2 timeout 10 retries 5
nbns-server 172.16.3.3 timeout 10 retries 5
login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
this device are logged and violations of this policy may result in disciplinary action."
port-forward "portlist"
local-port 30019 remote-server ssh-server remote-port 22 description SSH
local-port 30020 remote-server mailserver remote-port 143 description IMAP
local-port 30021 remote-server mailserver remote-port 110 description POP3
local-port 30022 remote-server mailserver remote-port 25 description SMTP
policy group policy-sslvpn1
url-list "eng"
port-forward "portlist"
nbns-list "cifs-servers"
functions file-access
functions file-browse
functions file-entry
citrix enabled
default-group-policy policy-sslvpn1
gateway ISR2801-RM domain clientless
inservice
webvpn context context-sslvpn2
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn2/
policy group policy-sslvpn2
functions svc-enabled
svc address-pool "WEBVPN"
svc keep-client-installed
svc dpd-interval gateway 30
svc dpd-interval client 300
svc rekey method new-tunnel
svc rekey time 3600
svc split include 10.0.0.0 255.255.255.0
svc default-domain cisco.com
svc dns-server primary 192.168.3.1
svc dns-server secondary 192.168.4.1
default-group-policy policy-sslvpn2
gateway ISR2801-RM domain tunnel
inservice
ISR2801-RM#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+
2,2,0133
Mon 05/19/2008 12:58:52.34 v
ISR2801-RM#
WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client
https://1.2.3.4/tunnel
* the SSL client installed on the PC tells me it can't connect.
* on the router the log:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
offset: 0, domain: 0)
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Jun 6 10:28:08.287:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
SSLVPN sock pid 182 sid 161: closing
-
I set up a Cisco ASA 5510 SSL VPN with the following:
IOS 7.2
SSL VPN Client sslclient-win-1.1.1.164.pkg
Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
IBM Thinkpad T40
Windows XP SP 2
Internet Explorer 7
All patches up-to-date
All drivers up-to-date
SSL VPN Client connection process;
- User login with valid account and password
- The SSL VPN Client package is automatically downloaded and installed.
- User will then be connected to SSL VPN
The ERRORS;
1. GUI (Cisco SSL VPN Client installation process)
"The SSL VPN Client driver has Encountered an Error"
2. Event Viewer
The only errors in this user's Event Viewer that differ from other users who successfully connected are:
a)
Function: EnableVA
Return code: 0
File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
Line: 310
Description: unknown
b)
Function: EnableVA
Return code: 0xFE080007
File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
Line: 1145
Description: VAMGR_ERROR_ENABLE_VA_FAILED
Does anyone know what the error means?
BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
Thanks
The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm
-
Any idea on F5 SSL VPN plug in?
I'd like to run F5 SSL VPN with Ubuntu 14.04. Any suggestion on this plug-in? It is suggested that this plug-in is compatible with 32-bit Firefox, not 64-bit Firefox. Any suggestion is much appreciated.
You may get some better answers from the linux mailing group: [https://lists.mozilla.org/listinfo/community-linux]
* Add-on search [https://addons.mozilla.org/en-US/firefox/search/?q=F5+SSL+VPN&platform=linux&appver=any]
-
SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"
Hi,
Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
some relevant config
webvpn
enable wan
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy vpnpolicy1 internal
group-policy vpnpolicy1 attributes
vpn-tunnel-protocol svc
tunnel-group admins type remote-access
tunnel-group admins general-attributes
address-pool sslpool2
default-group-policy vpnpolicy1
username myuser password 1234567890 encrypted privilege 15
username myuser attributes
vpn-group-policy vpnpolicy1
Debug:
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
webvpn_add_auth_handle: auth_handle = 17
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
webvpn_session.c:http_webvpn_create_session[184]
WebVPN: error creating WebVPN session!
webvpn_remove_auth_handle: auth_handle = 17
webvpn_free_auth_struct: net_handle = CD5734D0
webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_free_auth_struct: net_handle = CD5734D0
AnyConnect says:
"The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the secure gateway: Host or network is 0"
Other resources indicate that it's either the tunnel group or the address pool. The address pool is:
ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# debug http 255
debug http enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
webvpn_add_auth_handle: auth_handle = 22
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
HTTP: net_handle->standalone_client [0]
webvpn_session.c:http_webvpn_create_session[184]
webvpn_session.c:http_webvpn_find_session[159]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[159]
webvpn_remove_auth_handle: auth_handle = 22
webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CC894AA8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
Close 1043041832
webvpn_free_auth_struct: net_handle = CC894AA8
-
SSL VPN Connection error with SA520
Hi there,
I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
I have made sure the firewall was turned off. Any idea on how to get the SSL tunnel connected?
Thanks

Hihi,
we have the same problem, running on Vista 32 bit, and IE9.
On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
It works also on Win 7 64 bit, although only with the 64 bit version of IE.
Coming back to our Vista issue, we did not find any way to make it work properly.
Tried to turn off firewall, uninstall a lot of stuff that may interfere, etc., still same problem.
We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
Anyone has any suggestion?
Tks
-
SSL VPN Failed to validate server certificate (cannot access https)
Hi all,
I have the next problem.
I've configured an SSL VPN on a UC520.
I can access it properly and I can see the labels, but I can only access URLs which are http, not https:
I can access the default IP of the UC520 (192.168.1.10), but
when I try to get access to a secure URL I get the message: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose URL is https://pc.sumkio.local:8080
Does the certificate of both hardware have to be the same?
How can I add an https URL?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address 192.168.1.254 port 443
 ssl trustpoint TP-self-signed-2977472073
 inservice
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 url-list "Intranet"
   heading "Corporate Intranet"
   url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
   url-text "Impresora" url-value "http://192.168.10.100"
   url-text "DMM" url-value "https://pc.sumkio.local:8443"
   url-text "DMM 1" url-value "http://192.168.10.10:8080"
   url-text "UC520" url-value "http://192.168.10.1"
 policy group SDM_WEBVPN_POLICY_1
   url-list "Intranet"
   mask-urls
   svc dns-server primary 192.168.10.250
   svc dns-server secondary 8.8.8.8
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 10
 inservice
Any help would be appreciated.
Thank you

Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which if I open with notepad is like
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
How can I export the certificate from the DMM?
I think that this file is not the right file.
And then, do I have to make some changes in
webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can but I really need to fix this.
Thank you so much
-
SSL VPN (WebVPN) issues with IOS 15.0(1)M1
Hello everyone... I need your help!
I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
Symptoms:
- AnyConnect Client prompts users with the following error:
"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
Debug:
Mar 5 13:09:45:
Mar 5 13:09:45: WV-TUNL: Tunnel CSTP Version recv use 1
Mar 5 13:09:45: WV-TUNL: Allocating tunl_info
Mar 5 13:09:45: WV-TUNL: Allocating stc_config
Mar 5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar 5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar 5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar 5 13:09:45: HTTP/1.1 401 Unauthorized
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar 5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar 5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar 5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL: Severity ERROR Type USER_LOGOUT
WV-TUNL: Text: HTTP response contained an HTTP error code.
Mar 5 13:09:45: WV-TUNL: Call user logout function
Mar 5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
When the error occurs, the "SVCIP install TCP failed" counter increments:
VPN-Router1# show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
[snip]
IOS Version Details:
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
Config:
webvpn context CUSTOMER-VPN
 title "SSL VPN for Customer"
 ssl authenticate verify all
 login-message "Enter username and passcode"
 policy group CUSTOMER-VPN
   functions svc-required
   svc keep-client-installed
   svc split include 10.1.16.0 255.255.240.0
   svc split include 10.1.2.0 255.255.254.0
 vrf-name CUSTOMER-VPN
 default-group-policy CUSTOMER-VPN
 aaa authentication list AAA-LIST
 aaa authentication auto
 aaa accounting list AAA-LIST
 gateway vpn virtual-host customer.xx.com
 logging enable
 inservice
The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
At that point in time we were running with local pool definition.
As the HTTP 401 rc happens very sporadically, we are still gathering incident reports internally.
Will open a case if you did not yet.
cheers, Andy
-
SSL-VPN Anyconnect fails after rebooting 2811
Hello all,
I have set up an AnyConnect SSL-VPN on my 2811 and it works just great, but then after the reboot it fails. I think it has something to do with the SSL cert being erased. Here is my configuration, please let me know if you need anything else:
! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
aaa new-model
aaa session-id common
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
 revocation-check none
crypto pki certificate chain TP-self-signed-XXXXXXXXXX
 certificate self-signed 01
quit
username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
ip local pool SSL-VPN 192.168.11.5 192.168.11.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
webvpn gateway gateway_1
 ip interface Dialer1 port 443
 ssl trustpoint SSL-VPN
 inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
webvpn context SSL-VPN
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 policy group policy_1
   functions svc-enabled
   svc address-pool "SSL-VPN"
   svc default-domain "DOMAIN"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary DNS-SERVER
 default-group-policy policy_1
 gateway gateway_1
 inservice

Here is the bug description that matches your explanation of the issue:
MF: HTTPS generates a new self-signed cert on reboot even if one exists
Symptom:
With Secure HTTP server enabled, IOS device generates a new self-signed certificate when it reloads even if a valid self-signed certificate already exists.
Conditions:
When there is no CA(Certificate Authority) provided certificate on the device
Workaround:
Use CA provided certificate.
The resolution is to upgrade it to version 15.2(1)T or higher.
Unfortunately you would need to have a SmartNet contract to be able to download the software from CCO.
-
Hi there, I am trying to connect to my server at work from home using a vpn connection. It connects fine and the time ticks along, but when i click go - connect to server, it comes up with connection failed. Please help!
... when i click go - connect to server, it comes up with connection failed.
If you're trying to connect to a Bonjour server on the remote network, that won't work over a layer 3 VPN. Use something like Hamachi or one of the SSH-tunnelling Bonjour proxy apps for that.
-
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
Red error what is the reason? Only appears in the Windows 2003 server.

ciscoasa# show activation-key
Serial Number: JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
The flash activation key is the SAME as the running key.
ciscoasa#
Sure? It was a licence question?
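
The syslog lines and the `show activation-key` output quoted in this thread can be checked against each other mechanically. The following is an added example, not part of the original posts: it parses excerpts of both (copied from the thread), finds each 716023 rejection, and reports whether AAA had already accepted the user and whether the limit in the message equals the licensed "SSL VPN Peers" count. The function names are hypothetical.

```python
import re

# Excerpts of the syslog lines and 'show activation-key' rows quoted in the thread.
SYSLOG = """\
%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
"""
ACTIVATION_KEY = """\
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
AAA_ACCEPT = re.compile(r"AAA transaction status ACCEPT : user = (?P<user>\S+)")
LIMIT_HIT = re.compile(
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"Session could not be established: session limit of (?P<limit>\d+) reached"
)


def parse_syslog(text):
    """Yield (severity, msgid, message) for every %ASA-x-nnnnnn line."""
    for line in text.splitlines():
        m = HEADER.search(line)  # search, so a syslog timestamp prefix is tolerated
        if m:
            yield int(m["sev"]), m["msgid"], m["text"].strip()


def parse_license(text):
    """Map the 'Feature : value' rows of show activation-key to a dict."""
    rows = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            rows[name.strip()] = value.strip()
    return rows


def session_limit_findings(syslog_text, license_text):
    """Report each 716023 rejection next to the licensed SSL VPN peer count."""
    licensed = int(parse_license(license_text).get("SSL VPN Peers", "-1"))
    accepted, findings = set(), []
    for _sev, msgid, text in parse_syslog(syslog_text):
        if msgid == "113008" and (m := AAA_ACCEPT.search(text)):
            accepted.add(m["user"])  # authentication itself succeeded
        elif msgid == "716023" and (m := LIMIT_HIT.search(text)):
            limit = int(m["limit"])
            findings.append({
                "user": m["user"], "ip": m["ip"], "group": m["group"],
                "limit": limit, "licensed_peers": licensed,
                "auth_ok": m["user"] in accepted,
                "limit_equals_license": limit == licensed,
            })
    return findings


if __name__ == "__main__":
    for finding in session_limit_findings(SYSLOG, ACTIVATION_KEY):
        print(finding)
```
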