02-05-2018 12:09 PM
I have deployed ISE 2.3 and everything works fine, except the client is not getting the URL redirect page when they open a web page in the browser.
Is there any way to install it manually that doesn't require the URL redirect? I have copied and pasted the URL from the switch port and it worked and was compliant, but it doesn't work automatically.
Thanks
Ashish
02-05-2018 01:01 PM
It usually means that the URL-redirect ACL is not working or is not correct.
1. Make sure the name of the URL-redirect ACL is the same in ISE and on the switch.
2. On the switch, permits in the ACL allow redirect and denies bypass redirect. On the WLC it is the opposite.
Please tweak these as needed and try again.
-Krishnan
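To make point 2 concrete, here is an added example (not code from the thread or from Cisco) that evaluates a constructed URL-redirect ACL the way a switch and a WLC each would; the ACL lines, the placeholder ISE address 10.0.0.50 and the client/server addresses are all assumptions for the demonstration.

```python
# Added example (not from the thread): models how a Cisco switch and a WLC
# interpret the same URL-redirect ACL. On a switch a "permit" match means the
# flow IS redirected and "deny" bypasses redirect; on a WLC the meaning is
# inverted. ACL text and addresses are constructed (10.0.0.50 = ISE PSN).
REDIRECT_ACL = """
deny udp any any eq 53
deny ip any host 10.0.0.50
permit tcp any any eq 80
permit tcp any any eq 443
"""

def _take_addr(tokens):
    """Consume one address spec ('any' or 'host X') from the token list."""
    if tokens[0] == "host":
        return tokens[:2], tokens[2:]
    return tokens[:1], tokens[1:]

def parse_acl(text):
    """Parse simplified IOS ACEs: <action> <proto> <src> <dst> [eq <port>]."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _addr_matches(spec, addr):
    return spec == ["any"] or (spec[0] == "host" and spec[1] == addr)

def acl_action(entries, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto):
            continue
        if not (_addr_matches(s, src) and _addr_matches(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def is_redirected(platform, proto, src, dst, dport, acl_text=REDIRECT_ACL):
    """True if the flow would be sent to the ISE portal on the given platform."""
    action = acl_action(parse_acl(acl_text), proto, src, dst, dport)
    if platform == "switch":
        return action == "permit"
    if platform == "wlc":
        return action == "deny"
    raise ValueError(f"unknown platform: {platform}")
```

The same ACL copied from a switch to a WLC redirects traffic to ISE itself and lets ordinary HTTP through, which is the inversion Krishnan describes.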
02-05-2018 01:20 PM
Hi Krishnan,
The name of the URL ACL is correct.
I have attached the pics of the ACL. I am not using any WLC config here, just trying a wired client only.
02-05-2018 01:54 PM
Did you enable the http server and http secure-server on the switch?
Those are required on the switch for a working redirect.
02-05-2018 01:59 PM
Yes, those are enabled and I did follow the setup guide and other references.
I am thinking maybe the firewall is blocking the packets.
The client is connected to an access switch, and the access switch is connected to a core layer 3 switch which has the SVI created; that is then connected to the firewall, which has the gateway for that management SVI. So I'm not sure how I can check if it is a firewall issue or not.
When I copy that URL and paste it into the client browser, it opens the page and installs the AnyConnect client without any issues.
02-05-2018 02:09 PM
This could be your problem.
If, for example, you open http://google.com in your browser, the switch spoofs the answer from google.com from its management SVI to redirect you, which will in most cases be blocked by your firewall due to anti-spoofing rules.
If I'm correct, on IOS-XE there was a change in the past to enable redirect without an L3 SVI.
02-05-2018 02:13 PM
AFAIK the L3 SVI needs to be on the switch the client is connected to. Not an upstream switch.
02-05-2018 02:15 PM
The SVI is on the access switch but the VLAN is created on the L3 switch, and it is on the ASA management VLAN.
02-05-2018 03:45 PM
Is there a firewall between that vlan and the client’s vlan? One quick test is to put an SVI on the switch in the same subnet as the client you are testing with. If that works, then it’s most likely a firewall. Check your firewall logs for blocks. As mentioned previously, the switch will spoof the IP address of the server the client is initiating its communication with. Most firewalls will block this. You will probably have to explicitly permit this traffic and bypass state checking for this traffic as well if there’s a firewall involved. The firewall will never see the client’s syn but it will see the server’s syn-ack.
02-05-2018 10:58 PM
The switch SVI for redirects has to be in the same VLAN in your scenario to avoid the firewall blocking the requests, but it doesn't have to be in the same subnet; you can assign any dummy IP to the SVI since the switch is spoofing the server's IP.
02-06-2018 06:41 AM
There is a firewall between the client VLAN and the switch management VLAN, and I have allowed all traffic between these two VLANs, but it is still not able to work. So please let me know if you have any sample configuration for the firewall to bypass the traffic, or any reference document?
02-06-2018 06:45 AM
Can the mgmt IP ping (reach) the clients? If not, then redirect won’t work.
02-06-2018 06:57 AM
Yes, the management IP can ping the client. I can ping the client IP from the switch and it worked fine.
02-06-2018 07:43 AM
Pinging is not enough to validate functionality because the packets will have a spoofed source while ping has the true ip address of the switch. Additionally, the firewall will see only half the traffic when the client is being redirected.
I will repeat my recommendation that you create an SVI on the access switch in the vlan with the endpoint to validate redirect functionality. Then troubleshoot the firewall if that test is successful.
Is your firewall an ASA or FTD appliance?
Thanks
George
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
02-06-2018 08:23 PM
To clarify multiple posts...
Typical config assumes a local SVI as the redirect can occur locally. The redirect packet is sent from the management VLAN (or VRF) and must have an IP route to the destination access VLAN network. That path may require the packet to travel back upstream to the L3 gateway for routing back to the same switch.
It sounds like the network path may be there, but the firewall blocks the one-way traffic from the spoofed IP to the client VLAN. As was noted, the firewall may not have an access rule to permit that flow, or drops it due to an unexpected IP source. Firewall logs can confirm, and if the packet is dropped, then I suggest a different resource/community to review the firewall configuration.
Yes, there was a feature introduced in IOS-XE to support L2 redirect. I know there were some inconsistencies, but it is certainly an option if running a feature set that supports it.
Craig
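To illustrate why a successful ping from the management IP proves nothing here (George's point) and why the firewall drops the one-way spoofed flow (Craig's summary), here is an added example that is not from the thread or from any Cisco product: a minimal model of a stateful firewall between the management VLAN and the client VLAN. All addresses are constructed placeholders, and the "state bypass" rule is modelled as an exemption keyed on ingress network and destination, since the source address of the redirect packet is spoofed.

```python
# Added example (not from the thread): a toy stateful firewall sitting between
# the switch management VLAN and the client VLAN. Addresses are constructed.
from ipaddress import ip_address, ip_network

CLIENT_VLAN = ip_network("10.10.20.0/24")   # access VLAN holding the endpoint
MGMT_VLAN = ip_network("10.10.99.0/24")     # VLAN of the switch management SVI
CLIENT, SWITCH_MGMT = "10.10.20.25", "10.10.99.5"
WEB_SERVER = "203.0.113.10"                 # site the client actually requested

def packet(src, dst, kind, ingress):
    """kind: 'ICMP', 'SYN' or 'SYN-ACK'; ingress: network the packet arrives from."""
    return {"src": src, "dst": dst, "kind": kind, "ingress": ingress}

class StatefulFirewall:
    def __init__(self, bypass=(), antispoof=True):
        self.sessions = set()        # (client, server) pairs whose SYN was seen
        self.bypass = list(bypass)   # (ingress_net, dst_net) exempt from all checks
        self.antispoof = antispoof

    def inspect(self, pkt):
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        if any(pkt["ingress"] == i and dst in d for i, d in self.bypass):
            return "PERMIT (state bypass)"
        # Anti-spoofing: the source must belong to the network it arrives from.
        if self.antispoof and src not in pkt["ingress"]:
            return "DROP: anti-spoofing"
        if pkt["kind"] == "ICMP":
            return "PERMIT"
        if pkt["kind"] == "SYN":
            self.sessions.add((pkt["src"], pkt["dst"]))
            return "PERMIT"
        if pkt["kind"] == "SYN-ACK":
            # A reply is only valid for a connection whose SYN crossed the firewall.
            if (pkt["dst"], pkt["src"]) in self.sessions:
                return "PERMIT"
            return "DROP: no session"
        raise ValueError(pkt["kind"])

def redirect_scenario(fw):
    """Replay the thread's case: the ping passes, the spoofed SYN-ACK may not."""
    ping = fw.inspect(packet(SWITCH_MGMT, CLIENT, "ICMP", MGMT_VLAN))
    # The client's SYN to WEB_SERVER is intercepted by the switch at layer 2,
    # so the firewall never sees it and never builds a session for it. The
    # switch then sends the redirect SYN-ACK from its management VLAN with
    # WEB_SERVER as the (spoofed) source address.
    syn_ack = fw.inspect(packet(WEB_SERVER, CLIENT, "SYN-ACK", MGMT_VLAN))
    return ping, syn_ack
```

Running the scenario against a default firewall, one with anti-spoofing disabled, and one with the bypass rule shows the three outcomes the thread discusses: dropped as spoofed, dropped for lack of state, and permitted.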