11-09-2014 09:39 PM - edited 03-12-2019 07:19 AM
Hi all,
I'm looking for help on getting Anyconnect SSL VPN setup on a CSR 1000v running IOS XE v3.13.01S. There is an abundance of info on the webvpn style SSL VPN setup but very little on the "crypto ssl" XE SSL VPN style setups.
I have been working mostly from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html
I have configured the router with the commands in the attached file config.txt. When I connect using Anyconnect I see the user authenticate, however the user is denied access to the tunnel:
csr1000v_3-13-3#debug crypto ssl aaa
csr1000v_3-13-3#debug crypto ssl tunnel
Crypto SSL Tunnel debugging is on
csr1000v_3-13-3#
*Nov 9 20:15:03.692: CRYPTO-SSL-AAA: Nas Port ID set to 192.168.100.10.
*Nov 9 20:15:03.692: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test_user"
*Nov 9 20:15:03.693: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Nov 9 20:15:03.693: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn-profile vw_gw: sslvpn-policy remote_ip: 192.168.100.10 user_name: test_user, Authentication successful, user logged in
*Nov 9 20:15:03.693: CRYPTO-SSL-AAA: User "test_user" has logged in from "192.168.100.10" to gateway "sslvpn-policy" context "sslvpn-profile"
*Nov 9 20:15:04.029: [CRYPTO-SSL-TUNL-EVT]:[7FD0806E48E0] CSTP Version recd , using 1
*Nov 9 20:15:04.029: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] Full Tunnel CONNECT request failed, Sending error
*Nov 9 20:15:04.029: HTTP/1.1 401 Unauthorized
*Nov 9 20:15:04.030: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] User test_user not authorized to access Full tunnel
*Nov 9 20:15:06.089: HTTP/1.1 200 OK
*Nov 9 20:15:06.089: Content-Type: text/html
*Nov 9 20:15:06.089: Content-Length: 0
*Nov 9 20:15:06.089: Cache-Control: no-cache
*Nov 9 20:15:06.090: Connection: Keep-Alive
*Nov 9 20:15:06.090: Date: Sun, 09 Nov 2014 20:15:06 GMT
*Nov 9 20:15:06.090: X-Aggregate-Auth: 1
Checking the config I notice, however, that I have matched the policy and configured an ssl authorization policy:
csr1000v_3-13-3#sh run | sec crypto ssl profile
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list AAA_SSLVPN_LIST
 authentication remote user-credentials
 virtual-template 1
 !Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
csr1000v_3-13-3#
Any tips would be much appreciated!
12-10-2014 06:10 AM
I see, you have virtual template configured under ssl profile. Remove it if your device is CSR1000v. Authorization is missing under ssl profile.
Ex:
aaa authentication login sslvpn local
aaa authorization network sslvpn local
crypto ssl authorization policy DEF_SSL_AUTH_POLICY
 netmask 255.255.255.0
 pool DEF_POOL
 route set access-list SSL_ACL
 timeout idle 2400
 timeout session 6000
 timeout disconnect 6000
crypto ssl profile DEF_SSL_PROF
 match policy DEF_SSL_POLICY
 aaa authentication list sslvpn
 aaa authorization group list sslvpn DEF_SSL_AUTH_POLICY
 authentication remote user-credentials
01-30-2015 01:00 AM
Hi! Thanks for the help, it helps a little: auth is OK, but it can't select the needed context.
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test1"
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTHOR is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTH is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Jan 28 08:52:11.298: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: profile1 vw_gw: policy1 remote_ip: 83.170.200.42 user_name: test1, Authentication successful, user logged in
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: User "test1" has logged in from "83.170.x.x" to gateway "policy1" context "profile1"
*Jan 28 08:52:11.299: AGGR-MSG: complete: Login failed: There is no profile matching the name
CSR2#sh run | s crypto ssl
crypto ssl proposal SSL_Proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy SSL_AUTHOR_POLICY
 client profile profile1
 netmask 255.255.255.0
 include-local-lan
 pool VPN_POOL
 dns 172.30.99.1
 def-domain xxx.local
 route set access-list SPLIT-ROUTE_ACL
crypto ssl policy policy1
 ssl proposal SSL_Proposal
 pki trustpoint VPN_XXX sign
 ip interface GigabitEthernet1 port 443
crypto ssl profile profile1
 match policy policy1
 match url vpn.xxx
 aaa authentication list LOCAL_AUTH
 aaa authorization user list LOCAL_AUTH SSL_AUTHOR_POLICY
 aaa authorization group list LOCAL_AUTHOR SSL_AUTHOR_POLICY
 authentication remote user-credentials
CSR2#sh crypto ssl profile
SSL Profile: profile1
 Status: ACTIVE
 Match Criteria:
  URL:
   vpn.xxx
  Policy: policy1
 AAA accounting List : local
 AAA Authentication List : LOCAL_AUTH
 AAA Authorization User List : LOCAL_AUTH
  User : SSL_AUTHOR_POLICY
  Cached : False
 AAA Authorization Group List : LOCAL_AUTHOR
  Group List: SSL_AUTHOR_POLICY
  Override: False
 Authentication Mode : user credentials
 Interface : SSLVPN-VIF0
  Status: DISABLE
 Max Users : 10000
01-30-2015 10:08 AM
Seems like "no client profile profile1" in "crypto ssl authorization policy SSL_AUTHOR_POLICY" helps.
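The three misconfigurations this thread works through (a virtual-template under the profile on a CSR1000v, a profile with no "aaa authorization group list", and a "client profile" in the authorization policy that names no AnyConnect profile) can be caught from "show run" before a client ever connects. The following is an added Python lint, not code from the thread or from Cisco; the sample configuration is constructed from the replies above, and it assumes AnyConnect client profiles are declared as "crypto vpn anyconnect profile <name> <file>".

```python
# Constructed sample (not from the thread): the suggested profile with the defects
# this thread hits, plus a client profile reference that matches nothing.
SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
aaa authorization network sslvpn local
crypto ssl authorization policy DEF_SSL_AUTH_POLICY
 client profile profile1
 pool DEF_POOL
crypto ssl profile DEF_SSL_PROF
 match policy DEF_SSL_POLICY
 aaa authentication list sslvpn
 authentication remote user-credentials
 virtual-template 1
"""

def parse_blocks(config):
    """Map each top-level config line to the list of its indented child lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def lint_ssl_config(config, platform="CSR1000v"):
    """Return human-readable findings for the crypto ssl parts of an IOS XE config."""
    blocks = parse_blocks(config)
    # Assumption: AnyConnect profiles are declared as 'crypto vpn anyconnect profile <name> <file>'.
    anyconnect_profiles = {k.split()[4] for k in blocks if k.startswith("crypto vpn anyconnect profile ")}
    findings = []
    for name, children in blocks.items():
        tag = name.split()[-1]
        if name.startswith("crypto ssl profile "):
            if not any(c.startswith("match policy ") for c in children):
                findings.append(f"{tag}: no 'match policy' configured (profile incomplete)")
            if not any(c.startswith("aaa authorization group list ") for c in children):
                findings.append(f"{tag}: no 'aaa authorization group list' (profile incomplete)")
            if platform == "CSR1000v" and any(c.startswith("virtual-template") for c in children):
                findings.append(f"{tag}: remove 'virtual-template'; not used on CSR1000v")
        elif name.startswith("crypto ssl authorization policy "):
            for c in children:
                if c.startswith("client profile ") and c.split()[-1] not in anyconnect_profiles:
                    findings.append(f"{tag}: client profile '{c.split()[-1]}' matches no AnyConnect profile")
    return findings
```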
05-26-2015 02:32 PM
Hello,
Why is virtual-template not available for CSR1000v? How does it work with virtual-template/virtual-access cloning?
Thanks
03-28-2019 09:42 AM
Not sure if you finally managed to fix this? I just ran into this same problem. I tried many different combinations, but I just can't get this to work...