Anyconnect on Cisco 886 not working
02-06-2023 01:04 AM
Hello team,
We are experiencing a really odd problem and I would like your help if it is possible.
I configured a Cisco 886VA router as an AnyConnect server with AnyConnect version 4.7.04056.
The router IOS is 157-3.M4a.
The configuration I used is below:
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.7.04056-webdeploy-k9.pkg sequence 1
crypto key generate rsa label MY-KEYS modulus 2048
!
ip http server
ip http secure-server
!
!
crypto pki trustpoint SSL_CERT
 enrollment selfsigned
 serial-number
 subject-name CN=vpn.trinity.gr
 revocation-check crl
 rsakeypair MY-KEYS
!
!
crypto pki enroll SSL_CERT
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
!
aaa authentication login sslvpn local
!
ip access-list extended NAT_LIST
 15 deny 10.5.0.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
ip local pool SSL_POOL 192.168.100.1 192.168.100.50
webvpn gateway SSLVPN-GATEWAY
 ip address xx.xx.xx.xx port 8443
 ssl encryption aes256-sha1
 ssl trustpoint SSL_CERT
 logging enable
 inservice
!
webvpn context SSLVPN-CONTEXT
 title "TESORO SSL VPN"
 !
 acl "SSL_SPLIT-ACL"
   permit ip 10.5.0.0 0.0.0.255 any
 aaa authentication list sslvpn
 gateway SSLVPN-GATEWAY
 logging enable
 !
 ssl authenticate verify all
 !
 url-list "rewite"
 inservice
 !
 policy group WEB-VPN-POLICY
   functions svc-enabled
   svc address-pool "SSL_POOL" netmask 255.255.255.0
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 10.5.0.0 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy WEB-VPN-POLICY
!
I try to connect to the device and I have the debug of webvpn enabled, but I can see no log on the specific debug, although in the stats I can see connections starting and closing immediately.
When I opened debug on SSL I get the below entries.
*Feb 6 08:46:48.946: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0
*Feb 6 08:46:48.966: opssl_SetPKIInfo entry
*Feb 6 08:46:48.966: CRYPTO_OPSSL: Can't find router cert.
I configured the below with no help
ip http tls-version tlsv1.2
Could anyone help?
