I recently set up AnyConnect on a CSR1000v and it worked with local credentials.
All of a sudden, AnyConnect VPN is no longer working.
CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0
CRYPTO_OPSSL: Set cipher specs to mask 0x00002080 for version 16
CRYPTO_OPSSL: Common Criteria is disabled on this session.Disabling Common Criteria mode functionality in CiscoSSL on SSL CTX 0x7F6C7DDB9850
These are the kind of logs I noticed when I ran the SSL debug. I do see logs that the user credentials are validated successfully, but the session got closed automatically.
Cisco IOS XE Software, Version 16.12.01a
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.1a, RELEASE SOFTWARE (fc2)
Could someone tell me how this can be fixed? Thank you.
Hi Marvin, thank you.
AnyConnect version is 4.7.04056.
I had configured everything as stated in the link: https://community.cisco.com/t5/security-documents/configure-sslvpn-on-cisco-cloud-services-router-1000v-csr1000v/ta-p/3156679
It worked well with local credentials. It all started after I executed the following changes:
Working well with the following:
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network anyconnectvpn local
crypto ssl profile anyconnect-profile
 match policy anyconnect-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list anyconnectvpn anyconnect-auth-policy
 authentication remote user-pass
ldap attribute-map ldap-username-map
 map type sAMAccountName username
ldap server <Server1>
 attribute map ldap-username-map
 bind authenticate root-dn CN=Username,OU=XXX,DC=XXX,DC=XXX password
aaa group server ldap <servergroup>
aaa authentication login sslvpn group <servergroup> local --> added group <servergroup> to authenticate using LDAP
As soon as we did this, authentication success logs appeared in the debug messages, but so did the logs reported above, and at times a "No valid certification authentication" error on the AnyConnect client.
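As an added example, not from the original post or the linked document, this is one complete shape of the LDAP-first method list for the profile above, written out with every piece in one place. The server name DC1, address 10.0.0.10, base DN DC=example,DC=com, bind account CN=svc-vpn and group name LDAP-VPN are assumptions; the test and debug commands at the end are the checks I would run on the router before touching the client.

```cisco
! Added example, not the poster's configuration. Assumed values: server DC1 at
! 10.0.0.10, base DN DC=example,DC=com, bind account svc-vpn, group LDAP-VPN.
!
aaa new-model
!
! Map the AD logon name onto the username attribute the router searches for.
ldap attribute-map ldap-username-map
 map type sAMAccountName username
!
! LDAP server definition. The bind (root) DN is used to search for the user's
! entry under base-dn; the user's own DN is then bound with the supplied
! password (bind-first), which is the step that proves the password.
ldap server DC1
 ipv4 10.0.0.10
 transport port 389
 attribute map ldap-username-map
 base-dn DC=example,DC=com
 authentication bind-first
 bind authenticate root-dn CN=svc-vpn,OU=Service,DC=example,DC=com password 0 <bind-password>
!
! The server group must list its member servers; a group with no "server"
! line has nothing to query.
aaa group server ldap LDAP-VPN
 server DC1
!
! LDAP first, local as the fallback. The list names must match the ones
! referenced under the crypto ssl profile, or the profile falls back to the
! default method list.
aaa authentication login sslvpn group LDAP-VPN local
aaa authorization network anyconnectvpn local
!
crypto ssl profile anyconnect-profile
 match policy anyconnect-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list anyconnectvpn anyconnect-auth-policy
 authentication remote user-pass
!
! Checks, run from enable mode (commented here so the block pastes cleanly):
! exercise the server group without a VPN client, then watch the LDAP exchange
! and the AAA method-list decisions while a client connects.
! test aaa group LDAP-VPN jdoe <password> new-code
! show ldap server all
! debug ldap all
! debug aaa authentication
```

If "test aaa group" succeeds but the AnyConnect session still drops after a successful authentication, the method list is doing its job and the remaining problem sits on the SSL/authorization side rather than in LDAP; the "debug aaa authentication" and SSL debug output taken together show which stage closes the session.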
I don't see why those commands would have had that effect. Unless somebody else can offer more insight, you might be best advised to open a TAC case.
Sure, I will see if they can support a lab router, as it's for testing purposes before we go with BYOL.
I did a factory reset and reconfigured it. AnyConnect worked with local credentials, and the same error recurred after we modified the authentication method list to use the LDAP group first.