06-26-2008 03:38 AM - edited 03-09-2019 08:58 PM
I have one 2821 configured as a WebVPN gateway. The router is running IOS release 12.4(15)T5. Then I installed the AnyConnect VPN client release 2.2.0133 on a Mac OS X 10.4 machine. The issue is that when I try to establish the connection with the gateway, it does not work. I'm able to see the messages "%SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED" in the router console, but I was not able to find the exact meaning of this.
06-27-2008 02:59 AM
Why don't you run a webvpn debug and see what's going on exactly?
Regards
Farrukh
06-27-2008 07:33 AM
Without any debugs enabled, this is what I get in the console:
+++++++++++++++++++++
WebVPN-GW#
*Jun 27 15:53:59.343: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: MY_CONTEXT vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 192.168.252.222:49293
WebVPN-GW#
*Jun 27 15:54:05.639: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 192.168.252.222:49295
*Jun 27 15:54:05.643: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: MY_CONTEXT vw_gw: GW_1 remote_ip: 192.168.252.222 status: HTTP request without login cookie resource: /
WebVPN-GW#
+++++++++++++++++++++
With "debug webvpn" enabled:
+++++++++++++++++++++
WebVPN-GW#
*Jun 27 15:55:11.503: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 192.168.252.222:49297
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.511: WV: Entering APPL with Context: 0x481EAD10,
Data buffer(buffer: 0x46D9EAA0, data: 0x3F403D58, len: 149,
offset: 0, domain: 0)
*Jun 27 15:55:11.511: WV: http request: / with no cookie
*Jun 27 15:55:11.511: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: MY_CONTEXT vw_gw: GW_1 remote_ip: 192.168.252.222 status: HTTP request without login cookie resource: /
*Jun 27 15:55:11.511: WV: Client side Chunk data written..
buffer=0x46D9E3E0 total_len=193 bytes=193 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.511: WV: sslvpn process
WebVPN-GW# rcvd context queue event
*Jun 27 15:55:11.511: WV: Entering APPL with Context: 0x481EAD10,
Data buffer(buffer: 0x46D9EAA0, data: 0x3F4029D8, len: 197,
offset: 0, domain: 0)
*Jun 27 15:55:11.511: WV: http request: /webvpn.html with domain cookie
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
buffer=0x46D9E3E0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
buffer=0x46D9EB60 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
buffer=0x46D9EAE0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.515: WV: [Q]Client side Chunk data written..
buffer=0x46D9EAC0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.515: WV: Client side Chunk data written..
buffer=0x46D9EA80 total_len=637 bytes=637 tcb=0x487D6E80
*Jun 27 15:55:11.519: WV: sslvpn process rcvd context queue event
WebVPN-GW#
+++++++++++++++++++++
This is my WebVPN config:
+++++++++++++++++++++
!
webvpn gateway GW_1
 ip address 192.168.252.218 port 443
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint 192.168.252.218
 logging enable
 inservice
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn context MY_CONTEXT
 ssl authenticate verify all
 !
 !
 policy group MY_POLICY
   functions svc-required
   svc address-pool "ssl"
 default-group-policy MY_POLICY
 aaa authentication list WEBVPN
 gateway GW_1
 logging enable
 inservice
!
+++++++++++++++++++++
I noticed that I get the same problem when I use the Windows standalone client. But Weblaunch works fine under Windows.
Thanks.
06-28-2008 12:59 AM
Which Mac version are you running, OS X 10.4.6?
Also what is the browser version?
Regards
Farrukh
06-30-2008 03:09 AM
The Mac OS X version is 10.4.11. On the Mac, I have Firefox 3.0 and Safari 3.0.4. As I said before, I noticed that the WebVPN client in standalone mode does not work in Windows. So the problem does not seem to be Mac specific. So right now I have:
Windows: standalone n/ok, weblaunch ok
Mac: standalone n/ok, weblaunch n/ok
Thanks.
06-30-2008 03:42 AM
Is it possible for you to post the complete sanitized configuration here? (SSL pools, AAA lists etc.)
Regards
Farrukh
06-30-2008 03:56 AM
06-30-2008 12:45 PM
I checked your config; it seems to be OK. Can you also post the output of the following:
show webvpn context MY_CONTEXT
show webvpn gateway
show webvpn stats detail context MY_CONTEXT
show webvpn install package svc
show webvpn install status svc
Also, are you trying to log in using a Windows Admin account?
Regards
Farrukh
07-01-2008 07:04 AM
Hello Farrukh,
First of all, thank you for your efforts with this issue. Your help is much appreciated.
I'm attaching the outputs you asked me for. I don't understand the question related to the Windows account. Do I need to do anything about it? Under Windows, I'm able to connect using the Web interface. I see that the Web page launches the client in the background and it connects without problems. When I use the AnyConnect client directly, I get those errors on the gateway and I see in the client's status bar the message "unable to process response from 192.168.252.218". I'm attaching a print screen for your better understanding.
Thanks.
Regards,
Antonio Soares
07-02-2008 09:11 AM
Hello,
It seems AnyConnect in standalone mode is not supported with IOS:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1053807
This was a big and bad surprise, but it's written so there's nothing to do about it.
I wonder if anybody has a WebVPN IOS gateway simultaneously serving Windows, Linux and Mac clients. I would say it's impossible since IOS only permits one SVC package installed in the flash.
Thanks.
Regards,
Antonio Soares
07-06-2008 03:43 AM
You can just use a group-policy with 'svc-required' and make users open a web page every time.
Regards
Farrukh
07-07-2008 03:24 AM
Yes, but there is also Bug CSCsq43634 that basically says that WebVPN does not work with Mac OS X clients.
Thanks.
Regards,
Antonio Soares
07-07-2008 05:32 AM
Why don't you approach your Cisco Account team and ask them when this will be fixed? Maybe they already have a workaround.
Regards
Farrukh
07-09-2008 05:08 PM
Weird, Cisco seems to have removed or hidden the bug in the Bug Toolkit. I was viewing this bug 2 days ago with no problem.
"The bug ID CSCsq43634 does not exist. Please verify the bug ID and try again. If you feel you reached this message in error, please send us feedback including the bug ID in question. (Click the feedback link in the upper right corner of this page). "
07-09-2008 05:19 PM
Found it. Used search with keywords to view the bug. Hope Cisco fixes this.