09-17-2018 06:30 AM
Hi. I have an ISR 4331 and am trying to set up an IPsec IKEv2 tunnel using AnyConnect.
On Android and iPhone clients it works, but my desktop-version AnyConnect fails to establish a tunnel.
In the logs on my ISR I see that, after the IPsec tunnel is fully set up, the router gets a message with an unexpected error from the Windows AnyConnect client.
I've compared the router logs during the successful connection from Android AnyConnect and from Windows AnyConnect. They are absolutely identical, but after the last successful event in the logs
Sep 11 11:32:58: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Sep 11 11:32:58: IKEv2-INTERNAL:Config request was received. Ignoring to send config set.
Sep 11 11:32:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
...
for Windows AnyConnect I get an error:
Sep 11 11:32:58: IKEv2:(SESSION ID = 133,SA ID = 2):Received Packet [From client_IP_here:50802/To server_IP_here:4500/VRF i0:f0] Initiator SPI : E8F7A447590A6252 - Responder SPI : 2136071B84B8265B Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Sep 11 11:32:58: IKEv2-PAK:(SESSION ID = 133,SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 6, length: 112
Payload contents:
Sep 11 11:32:58: crypto_engine: Generate IKEv2 hash
Sep 11 11:32:58: crypto_engine: Decrypt IKEv2 packet
 DELETE  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0
Sep 11 11:32:58: IKEv2-INTERNAL:Parse Notify Payload: DELETE_REASON
Sep 11 11:32:58: IKEv2-INTERNAL:Delete Reason received with error code:IKEV2_DELETE_GENERAL_ERROR severity:ERROR
 NOTIFY(DELETE_REASON)  Next payload: NONE, reserved: 0x0, length: 16
    Security protocol id: IKE, spi size: 0, type: DELETE_REASON
So from the ISR 4331's point of view it looks like the client sends the "delete tunnel" message.
While looking through the DART logs on the client I see that after the message:
Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 2886 The IPsec connection has been established.
it goes further and does something else, trying to establish some kind of HTTPS connection, and I get this in the client's log:
Function: ConnectMgr::processAuthCompleteRequest File: ConnectMgr.cpp Line: 13463 Invoked Function: ConnectMgr::getProfileConfiguredOnSG Return Code: -29556727 (0xFE3D0009) Description: CONNECTMGR_ERROR_UNEXPECTED
...
Message type information sent to the user: Establishing VPN session...
...
Function: ConnectIfc::TranslateStatusCode File: ConnectIfc.cpp Line: 3157 Invoked Function: ConnectIfc::TranslateStatusCode Return Code: -30015459 (0xFE36001D) Description: CONNECTIFC_ERROR_HTTPS_NOT_ALLOWED:HTTPS access to the gateway is not allowed due to gateway policy. HTTPS access to the gateway is not permitted due to gateway policy.
...
Function: CIPsecTunnelStateMgr::OnTunnelInitiateComplete File: IPsecTunnelStateMgr.cpp Line: 1033 Invoked Function: Initiate tunnel callback status Return Code: -29556721 (0xFE3D000F) Description: CONNECTMGR_ERROR_HTTPS_NOT_ALLOWED:HTTPS access to the gateway not allowed due to gateway policy tunnel state AUTHENTICATING
...
Function: CNetEnvironment::logProbeFailure File: NetEnvironment.cpp Line: 1437 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27000820 (0xFE64000C) Description: HTTP_PROBE_ASYNC_ERROR_BAD_STATUS HTTPS (host: server_IP_here; status code: 403)
...
Function: CNetEnvironment::analyzeHttpResponse File: NetEnvironment.cpp Line: 1541 HTTP 403 received
...
Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
I've tried several different versions of AnyConnect and several PCs with different OSes - the same result.
Is there any chance that:
1. Cisco AnyConnect on desktop behaves differently in general, whatever options I set on the router?
2. I haven't installed a trustpoint to enroll the router's certificate. I did it manually, so my client accepted my certificate. Do I still need some kind of "post-IPsec" HTTPS negotiation?
3. I have problems with licensing, so I can use the apps for Android/iPhone but can't set up the tunnel from the Windows client?
09-20-2018 02:04 AM
Hi!
I have this problem too.
I changed AnyConnectLocalPolicy.xml and checked "Bypass downloader" (if you change it with a text editor, just change false to true):
<BypassDownloader>true</BypassDownloader>
Best Regards
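An added example (not code from the thread or from Cisco) of making that change with a script instead of by hand: it reads an AnyConnectLocalPolicy.xml, reports the current BypassDownloader value, sets it to true, and creates the element when the file does not have one. The sample policy text is constructed; the namespace, the acversion attribute, the element sitting directly under the <AnyConnectLocalPolicy> root, and the Windows path in the comment are assumptions about the real file's layout and location.

```python
"""Set <BypassDownloader> to true in an AnyConnect local policy file.

Added example, not from the thread or from Cisco. SAMPLE_POLICY below is
constructed to resemble AnyConnectLocalPolicy.xml; the namespace, acversion
and element placement are assumptions about the real file's layout.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (assumed layout; a real install may differ in namespace/version).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.6.03049">
<FipsMode>false</FipsMode>
<BypassDownloader>false</BypassDownloader>
<RestrictWebLaunch>false</RestrictWebLaunch>
</AnyConnectLocalPolicy>
"""

TAG = "BypassDownloader"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _namespace(root: ET.Element) -> str:
    """Namespace URI of the root element, or '' if the file has none."""
    m = re.match(r"\{(.*)\}", root.tag)
    return m.group(1) if m else ""


def _qualified(root: ET.Element, tag: str) -> str:
    """Qualify `tag` with the root's namespace so find() matches it."""
    ns = _namespace(root)
    return f"{{{ns}}}{tag}" if ns else tag


def get_bypass_downloader(xml_text: str):
    """Current value of <BypassDownloader> ('true'/'false'), or None if absent."""
    root = ET.fromstring(xml_text)
    el = root.find(_qualified(root, TAG))
    return None if el is None else (el.text or "").strip().lower()


def set_bypass_downloader(xml_text: str, value: bool = True) -> str:
    """Return the policy text with <BypassDownloader> set to `value`.

    The element is appended under the root if missing (some installs ship
    without it).  The root namespace is re-registered as the default so the
    output keeps plain tag names rather than ns0:-prefixed ones.
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    if ns:
        ET.register_namespace("", ns)
    qname = _qualified(root, TAG)
    el = root.find(qname)
    if el is None:
        el = ET.SubElement(root, qname)
        el.tail = "\n"
    el.text = "true" if value else "false"
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def patch_policy_file(path: Path) -> bool:
    """Patch the file in place; return True if it was changed, False if already true."""
    before = path.read_text(encoding="utf-8")
    if get_bypass_downloader(before) == "true":
        return False
    path.write_text(set_bypass_downloader(before, True), encoding="utf-8")
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed default Windows location, writable only from an elevated prompt:
        # C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml
        print("patched" if patch_policy_file(Path(sys.argv[1])) else "already set")
    else:
        print(set_bypass_downloader(SAMPLE_POLICY))
```

The flag tells the client to skip the HTTPS session it opens to the gateway once the tunnel is up (the step that returns 403 in the DART log above and is followed by the DELETE that the ISR logs). It also means the client will not pull profiles or software updates from that gateway, so the profile has to reach the client some other way; the file is a local policy, not something the headend pushes, so the change is per machine.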
09-20-2018 02:55 AM
09-20-2018 03:00 AM
Welcome! =)
Now I am trying to push the AnyConnect profile config to the client via a captive portal on my ISR.
04-22-2020 11:51 AM
Hi KR -
I have been battling the same setup (how I wish the 4K box would just support standard SSL AnyConnect).
I am at the same point you had been in your post (Android connecting but the laptop with AnyConnect does not). My XML profile did not have the BypassDownloader line, so I added it manually, but with the same result :( I get a prompt to enter creds, but after that it fails right away.
Did you use this Cisco doc as a guide? https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html#anc2
Cheers,
~M