
one user is able to connect to anyconnect vpn

MSD1001
Level 1

One user is able to connect to AnyConnect VPN, but others are getting "Could not connect to server. Please verify internet connectivity and server address". Is there any change that has to be made to the Cisco router's configuration?


Hello,

If one user is able to connect, this can be a good signal. The configuration is not totally wrong. I would ask you to check the licensing just to make sure you can add more than one user on the VPN and then, if possible, share the router config here so that we can take a look. Maybe somewhere there's a parameter preventing other users from connecting.

Thank you so much for your response.

I'll share the config in a short while. Before that, could you check the licensing part? What command do I have to use on the Cisco 891 IOS router?

crypto key generate rsa label caremotevpn exportable modulus 2048
!
crypto pki server caremotevpn
database level complete
database archive pkcs12 password cisco123
grant auto
auto-rollover 90
no shutdown
!
crypto pki export SSLVPNCERT pem terminal
!
crypto pki trustpoint SSLVPNCERT
enrollment url http://13.1.1.254:80
subject-name CN=customerdomain.com
revocation-check none
rsakeypair caremotevpn
exit

 

conf t
crypto pki auth SSLVPNCERT
!
crypto pki enroll SSLVPNCERT
!

Hi

Can you run the commands:

show version

show license

Please check the attached file. It has the full configuration details

Host-891#sh ver
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 21-Mar-12 01:40 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)

Host-891 uptime is 1 year, 5 weeks, 23 hours, 35 minutes
System returned to ROM by power-on
System restarted at 08:37:04 Summer Tue Apr 5 2022
System image file is "flash:c890-universalk9-mz.151-4.M4.bin"
Last reload type: Normal Reload

Cisco 891 (MPC8300) processor (revision 1.0) with 498688K/25600K bytes of memory.
Processor board ID FTX1704841K

9 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
247464K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO891-K9 FTX1704841K

 

License Information for 'c890'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices


Configuration register is 0x2102

Host-891#sh lice
Host-891#sh license
Index 1 Feature: advipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: ios-ips-update
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 3 Feature: SSL_VPN
Period left: Life time
License Type: RightToUse
License State: Active, In Use
License Count: 25/0 (In-use/Violation)
License Priority: Low
Index 4 Feature: WAAS_Express
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None

Are you using the AnyConnect client? You have 25 licenses for SSL VPN. But I see you have two kinds of client VPN on the router, as per the DHCP config:

ip local pool vpnclient 172.16.1.1 172.16.1.40
ip local pool anyconnect 172.16.3.1 172.16.3.40

 

 Index 3 Feature: SSL_VPN
Period left: Life time
License Type: RightToUse
License State: Active, In Use
License Count: 25/0 (In-use/Violation)

I am wondering if you have a license for the other VPN client.

We have asked the client not to use the Cisco VPN client which was configured earlier. Should I remove it from the config?

But which client should they use?

anyconnect

AnyConnect should work for up to 25 users.

When the second user tries to associate, can you see any log on the router?

By any chance, you don't have users connected and not in use?

Can you run show webvpn session


Host-891#sh webvpn session context all
WebVPN context name: SSLVPN_Context
Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used

Right. Well, you can enable a debug and ask 2 clients to connect, and let's see if something comes up.

debug webvpn aaa, debug webvpn tunnel

MSD1001
Level 1

Sure. I'll do that and share the results. 

Thank you, Flavio.

 

One question: can the self-signed certificate be the cause of the issue?