
Cisco CSR 1000v Anyconnect SSL VPN setup issues

Hi all,

I'm looking for help on getting Anyconnect SSL VPN setup on a CSR 1000v running IOS XE v3.13.01S. There is an abundance of info on the webvpn style SSL VPN setup but very little on the "crypto ssl" XE SSL VPN style setups.

I have been working mostly from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html

I have configured the router with the commands in the attached file config.txt. When I connect using Anyconnect I see the user authenticate; however, the user is denied access to the tunnel:

csr1000v_3-13-3#debug crypto ssl aaa 
csr1000v_3-13-3#debug crypto ssl tunnel 
Crypto SSL Tunnel debugging is on
csr1000v_3-13-3#                        
csr1000v_3-13-3#
csr1000v_3-13-3#
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: Nas Port ID set to 192.168.100.10.
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test_user"
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Nov  9 20:15:03.693: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn-profile vw_gw: sslvpn-policy remote_ip: 192.168.100.10 user_name: test_user, Authentication successful, user logged in
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: User "test_user" has logged in from "192.168.100.10" to gateway "sslvpn-policy" 
             context "sslvpn-profile"
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-EVT]:[7FD0806E48E0] CSTP Version recd , using 1
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] Full Tunnel CONNECT request failed, Sending error
*Nov  9 20:15:04.029: HTTP/1.1 401 Unauthorized
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] User test_user not authorized to access Full tunnel
*Nov  9 20:15:06.089: HTTP/1.1 200 OK
*Nov  9 20:15:06.089: Content-Type: text/html
*Nov  9 20:15:06.089: Content-Length: 0
*Nov  9 20:15:06.089: Cache-Control: no-cache
*Nov  9 20:15:06.090: Connection: Keep-Alive
*Nov  9 20:15:06.090: Date: Sun, 09 Nov 2014 20:15:06 GMT
*Nov  9 20:15:06.090: X-Aggregate-Auth: 1
*Nov  9 20:15:06.090: 
*Nov  9 20:15:06.090: 

 

Checking the config, I notice, however, that I have matched the policy and configured an ssl authorization policy:

csr1000v_3-13-3#sh run | sec crypto ssl profile
crypto ssl profile sslvpn-profile 
 match policy sslvpn-policy 
 aaa authentication list AAA_SSLVPN_LIST 
 authentication remote user-credentials 
 virtual-template 1
 !Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
csr1000v_3-13-3#

Any tips would be much appreciated!

5 Replies

mawakade
Level 1

I see you have a virtual template configured under the ssl profile. Remove it if your device is a CSR1000v. Authorization is missing under the ssl profile.

Example:

aaa authentication login sslvpn local
aaa authorization network sslvpn local

crypto ssl authorization policy DEF_SSL_AUTH_POLICY
 netmask 255.255.255.0
 pool DEF_POOL
 route set access-list SSL_ACL
 timeout idle 2400
 timeout session 6000
 timeout disconnect 6000

 

crypto ssl profile DEF_SSL_PROF
 match policy DEF_SSL_POLICY
 aaa authentication list sslvpn
 aaa authorization group list sslvpn DEF_SSL_AUTH_POLICY
 authentication remote user-credentials

 

Hi! Thanks for the help, it really helps a little: auth is OK, but it can't select the needed context.

 

*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test1"
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTHOR is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTH is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Jan 28 08:52:11.298: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: profile1 vw_gw: policy1 remote_ip: 83.170.200.42 user_name: test1, Authentication successful, user logged in
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: User "test1" has logged in from "83.170.x.x" to gateway "policy1"
             context "profile1"
*Jan 28 08:52:11.299: AGGR-MSG: complete: Login failed: There is no profile matching the name
 

CSR2#sh run | s crypto ssl
crypto ssl proposal SSL_Proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy SSL_AUTHOR_POLICY
 client profile profile1
 netmask 255.255.255.0
 include-local-lan
 pool VPN_POOL
 dns 172.30.99.1
 def-domain xxx.local
 route set access-list SPLIT-ROUTE_ACL
crypto ssl policy policy1
 ssl proposal SSL_Proposal
 pki trustpoint VPN_XXX sign
 ip interface GigabitEthernet1 port 443
crypto ssl profile profile1
 match policy policy1
 match url vpn.xxx
 aaa authentication list LOCAL_AUTH
 aaa authorization user list LOCAL_AUTH SSL_AUTHOR_POLICY
 aaa authorization group list LOCAL_AUTHOR SSL_AUTHOR_POLICY
 authentication remote user-credentials

 

CSR2#sh crypto ssl profile

 

SSL Profile: profile1
 Status: ACTIVE
 Match Criteria:
   URL:
     vpn.xxx
   Policy: policy1
 AAA accounting List      : local
 AAA Authentication List  : LOCAL_AUTH
 AAA Authorization User List   : LOCAL_AUTH
   User : SSL_AUTHOR_POLICY
   Cached : False
 AAA Authorization Group List  : LOCAL_AUTHOR
   Group List: SSL_AUTHOR_POLICY
   Override: False
 Authentication Mode      : user credentials
 Interface                : SSLVPN-VIF0
   Status: DISABLE
 Max Users                : 10000
 

Seems like "no client profile profile1"  in "crypto ssl authorization policy SSL_AUTHOR_POLICY" helps.

Hello,

Why is virtual-template not available for CSR1000v? How does it work with virtual-template/virtual-access cloning?

Thanks

Lorand
Cisco Employee

Not sure if you finally managed to fix this? I just ran into this same problem, I tried many different combinations, but I just can't get this to work...