11-10-2011 01:57 AM - edited 03-16-2019 07:58 AM
Hello,
I have a strange problem with the SSL VPN for the phones. It is working, but the phone displays "VPN Authentication Failed". To log in I need to press the retry button 2-5 times on the phone.
Setup looks as follows:
CUCM version - 8.0.3a
2801 router as a gateway - IOS 151-4.M2
Phone 7945 - firmware 9-2-1S
Gateway config:
crypto pki trustpoint test
fqdn test.com
subject-name cn=test.com
revocation-check none
rsakeypair test
!
crypto pki certificate chain test
certificate self-signed 02
308205BA 308203A2 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
.....
!
ip local pool sslvpn 192.168.50.2 192.168.50.100
!
webvpn gateway sslvpn
ip address 192.168.21.50 port 443
ssl trustpoint test
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2019-k9.pkg sequence 1
!
webvpn context sslvpn
ssl authenticate verify all
!
!
policy group sslvpn
functions svc-enabled
svc address-pool "sslvpn"
svc default-domain "test.local"
svc keep-client-installed
svc dns-server primary 192.168.20.11
svc dns-server secondary 192.168.20.12
svc dtls
default-group-policy sslvpn
aaa authentication list default
gateway sslvpn
inservice
CUCM configuration according to:
https://supportforums.cisco.com/docs/DOC-12173
I have tried different things without any change to the problem:
- different certificates
- IOS version 151-3.T2
- changing timeouts on CUCM (Fail to Connect) and ssl vpn timeouts on the router
- changed aaa to use local database instead of RADIUS
- turned off Host ID Check on CUCM
- moved gateway to a public ip address (no static NAT)
- also tried ip address as an url instead of domain name
What really bothers me is that it is working, but users need to retry the connection a few times. The AnyConnect client on Windows is working without any problems.
I have enabled logging for the webvpn.
Unsuccessful connection log (VPN authentication failed on the phone):
Nov 10 09:49:34.162: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:52944
Nov 10 09:49:34.386: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 status: HTTP request without login cookie resource: /
Nov 10 09:49:34.414: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:52944
Nov 10 09:49:39.570: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in
Successful connection:
Nov 10 09:51:08.607: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:53168
Nov 10 09:51:08.831: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 status: HTTP request without login cookie resource: /
Nov 10 09:51:08.859: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:53168
Nov 10 09:51:13.815: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in
Logs look exactly the same.
I would appreciate any help or guidance.
Thanks
Lukasz
06-19-2012 03:51 AM
Hi Lukasz,
I am having the same issue, did you ever find a solution to this problem?
06-19-2012 06:10 AM
Yes, I resolved that issue. It is probably related to "svc rekey method new-tunnel". Cisco routers do not support renegotiation (available on ASA), only new-tunnel. Long story short, the phone was getting a wrong default gateway for the VPN tunnel. Sometimes it did work, sometimes it didn't.
Log from Cisco phone:
8416: NOT 13:11:25.896568 VPNC: vpnc_tun_connect: bringing up i/f -> tun0
8417: NOT 13:11:25.897432 VPNC: vpnc_tun_connect: MTU -> 1200
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask -> 255.255.255.255
8420: NOT 13:11:25.899499 VPNC: vpnc_tun_connect: broadcast -> 192.168.50.46
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128
8423: ERR 13:11:25.901832 VPNC: vpnc_tun_connect: failed to add default route, cleaning up
8424: NOT 13:11:25.902443 VPNC: vpnc_tun_disconnect: bringing down i/f -> tun0
Clearly the gateway should have been 50.46 in that case (with mask 255.255.255.255).
Resolution is to manually configure a mask for SVC address pool.
svc address-pool "sslvpn" netmask 255.255.255.0
It has been working without any problems since then, assigning:
4145: NOT 14:11:10.706340 VPNC: vpnc_tun_connect: bringing up i/f -> tun0
4146: NOT 14:11:10.707189 VPNC: vpnc_tun_connect: MTU -> 1290
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask -> 255.255.255.0
4149: NOT 14:11:10.709278 VPNC: vpnc_tun_connect: broadcast -> 192.168.150.255
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok
4152: NOT 14:11:10.711616 VPNC: set_conn_state: CONN : 1 (TRYING) --> 2 (SUCCESS)
4153: NOT 14:11:10.712272 VPNC: set_conn_state: VPNC : 4 (Connecting) --> 5 (Connected)
Although it is using .1 as a gateway (it does not have to be configured on the router) it does work as expected.
Most likely an IOS problem, but I had no time at that time to deal with TAC.
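A small checker over the phone's VPNC log lines, added here as an example and not part of Lukasz's post or of any Cisco tool: it parses the assigned tunnel address, netmask and pushed default gateway and reports whether the gateway is on-link, which is what separates the failing /32 session above from the working /24 one. The sample log lines are constructed from the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample VPNC log lines, modelled on the two sessions quoted
# above: the /32 failure and the /24 success after the netmask fix.
FAILING_SESSION = """\
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask -> 255.255.255.255
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128
"""
WORKING_SESSION = """\
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask -> 255.255.255.0
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
"""

IP_RE = re.compile(r"vpnc_tun_connect: IP addr -> (\S+)")
MASK_RE = re.compile(r"vpnc_tun_connect: netmask -> (\S+)")
GW_RE = re.compile(r"vpnc_set_dflt_route: adding default gw <([^>]+)>")


def parse_session(log):
    """Extract (ip, netmask, gateway) from one tunnel setup; None if a field is missing."""
    found = []
    for pattern in (IP_RE, MASK_RE, GW_RE):
        m = pattern.search(log)
        if m is None:
            return None
        found.append(m.group(1))
    return tuple(found)


def gateway_on_link(ip, netmask, gateway):
    """True if the gateway lies inside the subnet configured on the tunnel interface."""
    # A default route needs a directly reachable next hop; with a host-only
    # /32 address the only on-link address is the tunnel address itself.
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    return ipaddress.ip_address(gateway) in net


def check_session(log):
    """Return (prefixlen, gateway_on_link) for one VPNC session, or None if lines are missing."""
    parsed = parse_session(log)
    if parsed is None:
        return None
    ip, netmask, gateway = parsed
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen
    return prefixlen, gateway_on_link(ip, netmask, gateway)
```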