11-09-2014 07:38 PM - edited 02-21-2020 07:55 PM
Hi all,
I'm looking for help on getting AnyConnect SSL VPN set up on a CSR 1000v running IOS XE v3.13.01S. There is an abundance of info on the webvpn-style SSL VPN setup but very little on the "crypto ssl" XE SSL VPN-style setups.
I have been working mostly from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html
I have configured the router with the commands in the attached file config.txt. When I connect using AnyConnect I see the user authenticate; however, the user is denied access to the tunnel:
csr1000v_3-13-3#debug crypto ssl aaa
csr1000v_3-13-3#debug crypto ssl tunnel
Crypto SSL Tunnel debugging is on
csr1000v_3-13-3#
csr1000v_3-13-3#
csr1000v_3-13-3#
*Nov 9 20:15:03.692: CRYPTO-SSL-AAA: Nas Port ID set to 192.168.100.10.
*Nov 9 20:15:03.692: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test_user"
*Nov 9 20:15:03.693: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Nov 9 20:15:03.693: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn-profile vw_gw: sslvpn-policy remote_ip: 192.168.100.10 user_name: test_user, Authentication successful, user logged in
*Nov 9 20:15:03.693: CRYPTO-SSL-AAA: User "test_user" has logged in from "192.168.100.10" to gateway "sslvpn-policy" context "sslvpn-profile"
*Nov 9 20:15:04.029:
*Nov 9 20:15:04.029:
*Nov 9 20:15:04.029: [CRYPTO-SSL-TUNL-EVT]:[7FD0806E48E0] CSTP Version recd , using 1
*Nov 9 20:15:04.029: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] Full Tunnel CONNECT request failed, Sending error
*Nov 9 20:15:04.029: HTTP/1.1 401 Unauthorized
*Nov 9 20:15:04.029:
*Nov 9 20:15:04.030:
*Nov 9 20:15:04.030:
*Nov 9 20:15:04.030: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] User test_user not authorized to access Full tunnel
*Nov 9 20:15:06.089: HTTP/1.1 200 OK
*Nov 9 20:15:06.089: Content-Type: text/html
*Nov 9 20:15:06.089: Content-Length: 0
*Nov 9 20:15:06.089: Cache-Control: no-cache
*Nov 9 20:15:06.090: Connection: Keep-Alive
*Nov 9 20:15:06.090: Date: Sun, 09 Nov 2014 20:15:06 GMT
*Nov 9 20:15:06.090: X-Aggregate-Auth: 1
*Nov 9 20:15:06.090:
*Nov 9 20:15:06.090:
Checking the config, I notice, however, that I have matched the policy and configured an ssl authorization policy:
csr1000v_3-13-3#sh run | sec crypto ssl profile
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list AAA_SSLVPN_LIST
 authentication remote user-credentials
 virtual-template 1
 !Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
csr1000v_3-13-3#
Any tips would be much appreciated!
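For comparison, this is the shape a "crypto ssl" profile takes in the XE 3S SSL VPN guide once an ssl authorization policy is bound to it, added here as an example and not part of the original post or its config.txt. The AAA authorization list AAA_SSLVPN_AUTHZ, the policy name sslvpn-authz and the pool SSLVPN_POOL with its address range are assumed names; the profile, policy and authentication list names are the ones from the post.

```cisco
! Assumed: AAA authorization method list consulted for the group policy
aaa authorization network AAA_SSLVPN_AUTHZ local

! Assumed: local address pool handed out to AnyConnect clients
ip local pool SSLVPN_POOL 10.10.10.10 10.10.10.100

! Assumed: the ssl authorization policy itself; this is where the pool
! (and optionally DNS, split routes and similar client attributes) lives
crypto ssl authorization policy sslvpn-authz
 pool SSLVPN_POOL

! The profile from the post, with the missing authorization binding added.
! "aaa authorization group user-pass list <aaa-list> <ssl-authz-policy>"
! is what ties the profile to the authorization policy above; the router's
! own "Profile Incomplete" comment in the post is flagging its absence.
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list AAA_SSLVPN_LIST
 aaa authorization group user-pass list AAA_SSLVPN_AUTHZ sslvpn-authz
 authentication remote user-credentials
 virtual-template 1
```

After applying it, re-run "sh run | sec crypto ssl profile" and confirm the "!Profile Incomplete" comment no longer appears before testing the AnyConnect connection again.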