04-18-2020 05:38 PM
I seem to be running into an issue or two getting AnyConnect to work on this router and my other older Cisco router.
The 2921 says it cannot create a self-signed certificate; I think that is my main problem right now. Do I need to upgrade the version of IOS? There is an issue with older software after Jan 1 2020.
If that's the whole issue, what is my least expensive option, as I am a CCNA student and this is a hobby project?
I cannot seem to figure out how to do option 2 in the link above and make anything work.
Any easy way to solve the problem? I just want to get AnyConnect working for me, not 100 people.
Here is show version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M4b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 07-May-19 16:43 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
AnnexVPN uptime is 6 hours, 9 minutes
System returned to ROM by reload at 18:20:04 UTC Sat Apr 18 2020
System restarted at 18:21:47 UTC Sat Apr 18 2020
System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M4b.bin"
Thank you!
04-19-2020 09:27 AM
According to the show version your router is subject to this problem. The optimum solution would be to upgrade to a newer version of code. But for a CCNA student this might not be a feasible alternative, since it would require a Cisco ID associated with an active service contract. Do you by any chance have a Cisco ID associated with an active service contract?
I have looked at option 2 in that article and am not clear if you are trying to run this on the router for which you want the certificate or on another router. Can you clarify this? And can you tell us what you have tried to do? Perhaps if you could post the commands that you tried and the response to those commands we might have a better understanding of what is going on.
04-19-2020 11:24 AM
Yes sir, I did option 2 on that link this morning.
I put it together and got it closer to working....
Now I can connect from behind my other 2921 over a web browser; it gets me to and into the webvpn.html portal. However, I cannot connect to the 10.0.10.0 network at the other location... not sure why yet.
Also the AnyConnect app on my Android cannot connect. It says "anyconnect cannot confirm it is connected to your secure gateway. the local network may not be trustworthy. please try another network." and that's all it does.
Here is my running config:
Router#show run
Building configuration...
Current configuration : 8162 bytes
!
! Last configuration change at 18:18:02 UTC Sun Apr 19 2020
! NVRAM config last updated at 16:56:49 UTC Sun Apr 19 2020
!
version 15.7
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login webvpn local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 1.0.0.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint local
enrollment url http://172.xx.xxx.99:80
serial-number
revocation-check none
rsakeypair my_key 1024 1024
!
!
crypto pki certificate chain IOS-CA
certificate ca 01
quit
crypto pki certificate chain local
certificate 03
quit
certificate 02
quit
certificate ca 01
quit
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2921/K9 sn FJC****U*200
license boot suite FoundationSuiteK9
license boot suite AdvUCSuiteK9
!
!
username Tony privilege 15 secret 5 $1$qS9g$7********
redundancy
!
!
!
!
!
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
!
!
!
!
!
!
!
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.xx.xxx.99 255.255.254.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
ip local pool webvpn1 192.168.2.5 192.168.2.10
ip default-gateway 172.xx.xxx.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.xx.xxx.1
ip route 10.0.10.0 255.255.255.0 172.xx.xxx.1
!
ip access-list extended webvpn-acl
permit tcp 192.168.2.0 0.0.0.255 10.0.10.0 0.0.0.255
!
ipv6 ioam timestamp
!
!
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
!
webvpn gateway soho
hostname home
ip address 172.xx.xxx.99 port 4443
http-redirect port 80
ssl trustpoint local
inservice
!
webvpn context a*****
title "A******"
login-message "Enter Player credentials"
aaa authentication list webvpn
gateway soho
!
ssl authenticate verify all
inservice
!
policy group a*******
functions svc-enabled
banner "Access Granted"
filter tunnel webvpn-acl
svc address-pool "webvpn1" netmask 255.255.255.0
svc default-domain "a*****.com"
svc keep-client-installed
svc homepage "https://www.a******.com"
svc rekey method new-tunnel
svc split include 10.0.10.0 255.255.255.0
!
end
Router#
04-20-2020 07:57 AM
I am glad that you are making progress with AnyConnect on your router. I wonder if the issue with Android is related to using a self-signed certificate?
I am not clear what is the issue with access to 10.0.10.0. Can you clarify where this network is? Is it connected to your gateway 172.x.x.1? Or is it beyond the gateway somewhere? Can you ping to an address in 10.0.10.0 specifying the source of the ping as your loopback interface?
04-20-2020 08:10 AM - edited 04-20-2020 08:12 AM
Not sure on Android; I think last week I got further on my Android than today. I have built and torn this config down a few times.
No, I cannot ping the 10.0.10.0 subnet with loopback2. Please advise. (I can with g0/0, which is 172.xx.xxx.99.)
So I have (2) 2921 routers; the main one is running my house. I didn't want to mess with that one too much because it is set up with a VPN to my shop network a couple towns over, which is the 10.0.10.0 subnet.
So I was trying to port forward to the second 2921 router running on my house network 172.xx.xxx.x. I am running the second 2921 just for the AnyConnect application. Ideally I was going to have myself and my one other user able to use AnyConnect to go through my house AnyConnect/VPN to get to the shop network... I just really wanted to try AnyConnect.
Thanks!
04-20-2020 09:07 AM
Thank you for the additional information. It is significant that you cannot ping 10.0.10.0 using the loopback as source but can ping using the Ethernet. I believe that if we solve the issue with access to 10.0.10.0 from the loopback that will also solve the problem of access for AnyConnect. So if your other 2921 has a vpn to the shop where 10.0.10.0 is, has that vpn been configured to carry the traffic from your 192.168.2.0 network to 10.0.10.0? And has the router at the shop been configured to accept vpn traffic from 192.168.2.0 and to send traffic from 10.0.10.0 to 192.168.2.0 using the vpn?
04-21-2020 09:25 AM
I haven't configured the shop router....
Now I tried that last night, but I botched that and reloaded to my last saved...
I'm thinking now I would like to set up AnyConnect to get onto the (AnyConnect 2921 router) and then somehow hop onto the outside interface network on g0/0, which is 172.xx.xxx.99. Then everything should already be set up to work correctly, since I can ping the shop network from 172.xx.xxx.99. -- I know I really don't need to hide that address :)
Then I will just need to configure the other router to not allow 172.xx.xxx.99 access to anywhere else on the 172.xx.xxx.0 network other than the gateway to the real OUTSIDE, which is 172.xx.xxx.1 g0/0 on the router connected to the ISP.
That's doable, right? Easiest, so then I don't need to modify much else on the other networks' routers.
Just need help pointing me to do that.
Thanks!
04-21-2020 11:42 AM
There are some things in your additional information that I am not clear about. I think you are suggesting that you would like the AnyConnect vpn to establish a session and then to change the IP address for the client to a different subnet. I don't think that is possible. Perhaps one option might be to establish the AnyConnect session and then RDP to a device in the 172.x.x.0 and from there access the 10.0.10.0 network?
But trying to look at this from a different perspective, am I correct in assuming these things:
- you have a working implementation of AnyConnect, and when you use AnyConnect you establish a session and you get an IP address in 192.168.2.0
- you have a working site to site vpn from your house to the shop that allows 192.168.1.0 (your house) to communicate with 10.0.10.0 (the shop)
If those assumptions are correct it should not be difficult to modify the existing site to site vpn to add communication between 192.168.2.0 and 10.0.10.0. To help guide you through the changes would you post the access lists from both site to site vpn routers used to identify traffic to be encrypted (the acl used in the match statement in the crypto maps)? It might also be helpful if you would post any static routes configured on both of the site to site vpn routers.
I have a couple of other questions:
Does your other home router have a route to the 192.168.2.0 network? If you try to ping from the AnyConnect router to 192.168.1.1 specifying the source as loopback2, does the ping succeed?
I am also wondering about the loopback2 interface on your router. Is there a reason for configuring this loopback interface? Is it used for something? I have seen some issue when the address pool for remote access vpn overlapped the subnet used by the lan interface of the router. What would happen if you remove loopback2?
04-24-2020 12:11 PM
I can do an AnyConnect test on the LAN, yes?
OK, I'm trying over 1 network now.
I have two 2921 routers. Router A is 172.25.252.1 255.255.254.0.
Router B is connected to Router A. Router B is using static 172.25.252.99 from Router A.
AnyConnect is on Router B.
I am trying to connect to AnyConnect on my Windows 10 laptop.
After jumping through a couple of "are you sure you want to do this" hoops and entering correct credentials, I get a window that says "The Certificate on the secure gateway is invalid. A VPN connection will not be established".
I get another window behind that that says "Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again".
I CAN, however, do the web browser way in with my specified port of 4443. So if I go to 172.25.252.99 it gets me to the Cisco AnyConnect window to type in user and password, then on into the web app. That part has some connectivity issues on the inside, but it gets me much closer is the point I'm trying to make.
Here is the running config and the response from webvpn debug when I try to get in using the Windows AnyConnect client.
show run
Building configuration...
Current configuration : 8036 bytes
!
! Last configuration change at 18:49:29 UTC Fri Apr 24 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login webvpn local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 1.0.0.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint local
enrollment url http://172.25.252.99:80
serial-number
revocation-check none
rsakeypair my_key 1024 1024
!
!
crypto pki certificate chain IOS-CA
certificate ca 01
quit
crypto pki certificate chain local
certificate 03
quit
certificate 02
quit
certificate ca 01
quit
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2921/K9 sn FJC2023A200
license boot suite FoundationSuiteK9
license boot suite AdvUCSuiteK9
!
!
username Tony privilege 15 secret 5 $1$sx83$.6yTdltZ5b4w1fBANlVdK.
!
redundancy
!
!
!
!
!
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
!
!
!
!
!
!
!
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.25.252.99 255.255.254.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
no ip address
!
!
ip local pool webvpn1 192.168.2.5 192.168.2.10
ip default-gateway 172.25.252.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.25.252.1
!
ip access-list extended webvpn-acl
permit tcp 192.168.2.0 0.0.0.255 10.0.10.0 0.0.0.255
!
ipv6 ioam timestamp
!
!
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
!
webvpn gateway soho
hostname home
ip address 172.25.252.99 port 4443
http-redirect port 80
ssl trustpoint local
inservice
!
webvpn context TEST
title "TEST Intranet"
login-message "Enter Player credentials"
aaa authentication list webvpn
gateway soho
!
ssl authenticate verify all
inservice
!
policy group TEST
functions svc-enabled
banner "Access Granted"
filter tunnel webvpn-acl
svc address-pool "webvpn1" netmask 255.255.255.0
svc default-domain "TEST"
svc keep-client-installed
svc homepage "TEST"
svc rekey method new-tunnel
svc split include 10.0.10.0 255.255.255.0
!
end
>>>debug response:
Apr 24 19:04:30.121: WV: sslvpn process rcvd context queue event
Apr 24 19:04:57.225: WV: sslvpn process rcvd context queue event
Apr 24 19:04:57.225: WV: Entering APPL with Context: 0x22FBF360,
Data buffer(buffer: 0x22FCA668, data: 0xA122258, len: 1,
offset: 0, domain: 0)
Apr 24 19:04:57.225: WV: Fragmented App data - buffered
Apr 24 19:04:57.225: WV: Entering APPL with Context: 0x22FBF360,
Data buffer(buffer: 0x22FCA308, data: 0xA248458, len: 771,
offset: 0, domain: 0)
Apr 24 19:04:57.229: WV: http request: /test.html with cookie: Cookie: webvpnlang=1; stStarted=0; webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:39019C5EE167D10B424B822EAD2F9B43206E03B8&; tree_bkmkTree_state=1; webvpn=00@2887384187@00012@3796743166@3843909172@TEST
Apr 24 19:04:57.229: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:04:57.229: WV: [Q]Client side Chunk data written..
buffer=0x22FCA788 total_len=1016 bytes=1016 tcb=0x403D090C
Apr 24 19:04:57.229: WV: Client side Chunk data written..
buffer=0x22FCA6A8 total_len=127 bytes=127 tcb=0x403D090C
Apr 24 19:05:05.305: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.313: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.313: WV: Entering APPL with Context: 0x22FBF0D8,
Data buffer(buffer: 0x22FCA308, data: 0xA1340D8, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:05.313: WV: Fragmented App data - buffered
Apr 24 19:05:05.313: WV: Entering APPL with Context: 0x22FBF0D8,
Data buffer(buffer: 0x22FCA668, data: 0xA134258, len: 242,
offset: 0, domain: 0)
Apr 24 19:05:05.313: WV: Fragmented App data - buffered
Apr 24 19:05:05.313: WV: server side not ready to send.
Apr 24 19:05:05.313: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.313: WV: Entering APPL with Context: 0x22FBF0D8,
Data buffer(buffer: 0x22FCA6A8, data: 0xA11A7D8, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:05.313: WV: Fragmented App data - buffered
Apr 24 19:05:05.313: WV: Entering APPL with Context: 0x22FBF0D8,
Data buffer(buffer: 0x22FCA788, data: 0xA12E258, len: 214,
offset: 0, domain: 0)
Apr 24 19:05:05.313: WV: http request: / with no cookie
Apr 24 19:05:05.313: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:05.313: WV: failed to get sslvpn appinfo from opssl
Apr 24 19:05:05.313: WV: Client side Chunk data written..
buffer=0x22FCA9A8 total_len=190 bytes=190 tcb=0xC233CB24
Apr 24 19:05:05.317: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.385: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.389: WV: sslvpn process rcvd context queue event
Apr 24 19:05:05.393: WV: Entering APPL with Context: 0x22FC0008,
Data buffer(buffer: 0x22FCA788, data: 0xA1260D8, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:05.393: WV: Fragmented App data - buffered
Apr 24 19:05:05.393: WV: Entering APPL with Context: 0x22FC0008,
Data buffer(buffer: 0x22FCA6A8, data: 0x91EEBD8, len: 263,
offset: 0, domain: 0)
Apr 24 19:05:05.393: WV: http request: /webvpn.html with domain cookie
Apr 24 19:05:05.393: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:05.393: WV: failed to get sslvpn appinfo from opssl
Apr 24 19:05:05.393: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=734 bytes=734 tcb=0x21227110
Apr 24 19:05:05.397: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.493: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.501: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.501: WV: Entering APPL with Context: 0x22FBE430,
Data buffer(buffer: 0x22FCA6A8, data: 0x91EA458, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:17.501: WV: Fragmented App data - buffered
Apr 24 19:05:17.501: WV: Entering APPL with Context: 0x22FBE430,
Data buffer(buffer: 0x22FCA788, data: 0x91EEBD8, len: 284,
offset: 0, domain: 0)
Apr 24 19:05:17.501: WV: Fragmented App data - buffered
Apr 24 19:05:17.501: WV: server side not ready to send.
Apr 24 19:05:17.501: WV: server side not ready to send.
Apr 24 19:05:17.501: WV: server side not ready to send.
Apr 24 19:05:17.501: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.501: WV: Entering APPL with Context: 0x22FBE430,
Data buffer(buffer: 0x22FCA668, data: 0x91EBC58, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:17.501: WV: Fragmented App data - buffered
Apr 24 19:05:17.501: WV: Entering APPL with Context: 0x22FBE430,
Data buffer(buffer: 0x22FCA308, data: 0x91EC558, len: 34,
offset: 0, domain: 0)
Apr 24 19:05:17.501: WV: http request: /webvpn.html with domain cookie
Apr 24 19:05:17.501: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:17.501: WV: ASYNC req sent
Apr 24 19:05:17.505: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=544 bytes=544 tcb=0x211E0A7C
Apr 24 19:05:17.509: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.585: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.593: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.593: SSLVPN-SOCK: Mark the TCB: 0x4200E400 and CTXT: 0x22FBD788 to point to
SSLVPN_SOCKET APP SOCKET: 0xC2326E60
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=1016 bytes=1016 tcb=0x4200E400
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=1016 bytes=1016 tcb=0x4200E400
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=1016 bytes=1016 tcb=0x4200E400
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=1016 bytes=1016 tcb=0x4200E400
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=1016 bytes=1016 tcb=0x4200E400
Apr 24 19:05:17.593: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=598 bytes=598 tcb=0x4200E400
Apr 24 19:05:17.601: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.669: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.677: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.677: SSLVPN-SOCK: Mark the TCB: 0x3A42148C and CTXT: 0x22FC11C0 to point to
SSLVPN_SOCKET APP SOCKET: 0x41FFBD18
Apr 24 19:05:17.677: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=102 bytes=102 tcb=0x3A42148C
Apr 24 19:05:17.677: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.745: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.749: WV: sslvpn process rcvd context queue event
Apr 24 19:05:17.749: SSLVPN-SOCK: Mark the TCB: 0x3FAB5E2C and CTXT: 0x22FBFD80 to point to
SSLVPN_SOCKET APP SOCKET: 0xC06420B8
Apr 24 19:05:17.749: WV: Client side Chunk data written..
buffer=0x22FCA668 total_len=140 bytes=140 tcb=0x3FAB5E2C
Apr 24 19:05:17.753: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.349: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.357: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.357: SSLVPN-SOCK: Mark the TCB: 0x3A333640 and CTXT: 0x22FC0290 to point to
SSLVPN_SOCKET APP SOCKET: 0x403B02A8
Apr 24 19:05:25.357: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=1016 bytes=1016 tcb=0x3A333640
Apr 24 19:05:25.357: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=821 bytes=821 tcb=0x3A333640
Apr 24 19:05:25.365: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.365: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA308, data: 0xA1320D8, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:25.365: WV: Fragmented App data - buffered
Apr 24 19:05:25.365: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA668, data: 0x91EEF58, len: 284,
offset: 0, domain: 0)
Apr 24 19:05:25.365: WV: http request: /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect with cookie: Cookie: webvpn=00@2887384187@00014@3796743917@1900884351@TEST;
Apr 24 19:05:25.365: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:25.365: WV: Client side Chunk data written..
buffer=0x22FCA788 total_len=135 bytes=135 tcb=0x3A333640
Apr 24 19:05:25.373: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.373: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA668, data: 0x91EB1D8, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:25.373: WV: Fragmented App data - buffered
Apr 24 19:05:25.373: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA308, data: 0x91EF2D8, len: 279,
offset: 0, domain: 0)
Apr 24 19:05:25.373: WV: http request: /+CSCOT+/translation-table?type=mst-manifest&textdomain=AnyConnect with cookie: Cookie: webvpn=00@2887384187@00014@3796743917@1900884351@TEST;
Apr 24 19:05:25.373: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:25.373: WV: Client side Chunk data written..
buffer=0x22FCA788 total_len=135 bytes=135 tcb=0x3A333640
Apr 24 19:05:25.377: WV: sslvpn process rcvd context queue event
Apr 24 19:05:25.377: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA308, data: 0x91EB658, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:25.377: WV: Fragmented App data - buffered
Apr 24 19:05:25.377: WV: Entering APPL with Context: 0x22FC0290,
Data buffer(buffer: 0x22FCA668, data: 0x91ED358, len: 281,
offset: 0, domain: 0)
Apr 24 19:05:25.377: WV: http request: /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=win with cookie: Cookie: webvpn=00@2887384187@00014@3796743917@1900884351@TEST;
Apr 24 19:05:25.377: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:25.377: WV: Client side Chunk data written..
buffer=0x22FCA788 total_len=135 bytes=135 tcb=0x3A333640
Apr 24 19:05:30.145: WV: sslvpn process rcvd context queue event
Apr 24 19:05:30.149: WV: sslvpn process rcvd context queue event
Apr 24 19:05:30.149: WV: Entering APPL with Context: 0x22FC0CB0,
Data buffer(buffer: 0x22FCA668, data: 0xA136258, len: 203,
offset: 0, domain: 0)
Apr 24 19:05:30.149: WV: http request: / with no cookie
Apr 24 19:05:30.149: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:30.149: WV: failed to get sslvpn appinfo from opssl
Apr 24 19:05:30.149: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=190 bytes=190 tcb=0xC057B87C
Apr 24 19:05:34.669: WV: sslvpn process rcvd context queue event
Apr 24 19:05:34.681: WV: sslvpn process rcvd context queue event
Apr 24 19:05:34.681: SSLVPN-SOCK: Mark the TCB: 0x403FF3D4 and CTXT: 0x22FC0290 to point to
SSLVPN_SOCKET APP SOCKET: 0x3F9CBAE4
Apr 24 19:05:34.681: WV: Client side Chunk data written..
buffer=0x22FCA308 total_len=79 bytes=79 tcb=0x403FF3D4
Apr 24 19:05:57.269: WV: sslvpn process rcvd context queue event
Apr 24 19:05:57.269: WV: Entering APPL with Context: 0x22FBF360,
Data buffer(buffer: 0x22FCA308, data: 0xA11A958, len: 1,
offset: 0, domain: 0)
Apr 24 19:05:57.269: WV: Fragmented App data - buffered
Apr 24 19:05:57.269: WV: Entering APPL with Context: 0x22FBF360,
Data buffer(buffer: 0x22FCA668, data: 0xA19E858, len: 771,
offset: 0, domain: 0)
Apr 24 19:05:57.269: WV: http request: /test.html with cookie: Cookie: webvpnlang=1; stStarted=0; webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:39019C5EE167D10B424B822EAD2F9B43206E03B8&; tree_bkmkTree_state=1; webvpn=00@2887384187@00012@3796743166@3843909172@TEST
Apr 24 19:05:57.269: WV: validated_tp : cert_username : matched_ctx :
Apr 24 19:05:57.269: WV: [Q]Client side Chunk data written..
buffer=0x22FCA788 total_len=1016 bytes=1016 tcb=0x403D090C
Apr 24 19:05:57.269: WV: Client side Chunk data written..
buffer=0x22FCA6A8 total_len=127 bytes=127 tcb=0x403D090C
Any thoughts?
Thanks!
04-24-2020 02:31 PM
I am guessing that the error message when you attempt AnyConnect from Windows indicates some issue with the certificate. Would you post the output of this command:
show crypto pki server IOS-CA Certificates
Also in a previous post I asked some questions which you have not yet answered. Please provide answers.
04-24-2020 02:47 PM - edited 04-24-2020 02:48 PM
Here is the output:
Router#show crypto pki server IOS-CA certificates
Serial Issued date Expire date Subject Name
1 16:22:00 UTC Apr 19 2020 16:22:00 UTC Apr 19 2023 cn=IOS-CA
2 16:32:13 UTC Apr 19 2020 16:32:13 UTC Apr 19 2021 serialNumber=FJC2023A200+hostname=Router
3 16:32:30 UTC Apr 19 2020 16:32:30 UTC Apr 19 2021 serialNumber=FJC2023A200+hostname=Router
Loopback2 I configured because it was used in this example configuration:
https://www.networkstraining.com/configuring-anyconnect-webvpn-on-cisco-router/
No "working" AnyConnect, definitely not from the AnyConnect apps on Windows or Android. I can get further in a web browser though.
I shut loopback2 and still get completely the same results.
Thank you
04-25-2020 07:45 AM
04-25-2020 08:06 AM
Thank you for the additional information. I have looked at the link you provide and see that their comment about the loopback interface was that it was provided if you wanted to advertise the address. I am not clear that you want to advertise it, but am less concerned about the loopback interface than I was in my previous post. I do not think it is a problem.
I had wondered if the message from Android was reflecting an invalid certificate. But your output shows that you do have unexpired certificates at this point. I am not sure if Android wants a public certificate rather than a self-signed one, or if it is something else. I suggest that we not worry about Android until we have AnyConnect working at least for your PC.
One of the steps was to copy an AnyConnect file to flash on your router. Can you do a dir of flash and compare the file name found in flash to the name used in your configuration?
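As an added example (not from this thread or from Cisco), here is a small Python checker that parses the `show crypto pki server IOS-CA certificates` table posted above and reports, for a chosen date, which certificates are expired, not yet valid, or close to expiry. The sample input is the three rows quoted in the post; the 30-day warning window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the rows copied from the
# "show crypto pki server IOS-CA certificates" output posted in this thread.
SAMPLE_OUTPUT = """\
Serial Issued date Expire date Subject Name
1 16:22:00 UTC Apr 19 2020 16:22:00 UTC Apr 19 2023 cn=IOS-CA
2 16:32:13 UTC Apr 19 2020 16:32:13 UTC Apr 19 2021 serialNumber=FJC2023A200+hostname=Router
3 16:32:30 UTC Apr 19 2020 16:32:30 UTC Apr 19 2021 serialNumber=FJC2023A200+hostname=Router
"""

# One table row: serial, issued timestamp, expiry timestamp, then the subject name.
ROW_RE = re.compile(
    r"^(?P<serial>[0-9A-Fa-f]+)\s+"
    r"(?P<issued>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})\s+"
    r"(?P<expire>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})\s+"
    r"(?P<subject>.+)$"
)
IOS_TIME_FMT = "%H:%M:%S UTC %b %d %Y"  # matches the IOS timestamp layout in the table


def parse_certificates(text):
    """Return a list of dicts (serial, issued, expire, subject) parsed from the CLI table."""
    certs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or blank line
        certs.append({
            "serial": m.group("serial"),
            "issued": datetime.strptime(m.group("issued"), IOS_TIME_FMT),
            "expire": datetime.strptime(m.group("expire"), IOS_TIME_FMT),
            "subject": m.group("subject"),
        })
    return certs


def check_validity(certs, now, warn_days=30):
    """Map each serial to 'expired', 'not-yet-valid', 'expiring' or 'valid' as of `now`.
    `now` is a datetime or an ISO date string such as '2020-04-25' (assumed UTC)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    status = {}
    for c in certs:
        if c["expire"] <= now:
            status[c["serial"]] = "expired"
        elif c["issued"] > now:
            status[c["serial"]] = "not-yet-valid"
        elif c["expire"] - now <= timedelta(days=warn_days):
            status[c["serial"]] = "expiring"
        else:
            status[c["serial"]] = "valid"
    return status
```

Running `check_validity(parse_certificates(SAMPLE_OUTPUT), "2020-04-25")` on the day of the post reports all three certificates as valid, which is the point made above; re-running it with a date in April 2021 shows the two router certificates approaching their one-year expiry.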
04-25-2020 08:47 AM
Apparently you posted your update while I was typing my response. Glad to know that you now have Android connecting with AnyConnect to the LAN. Good luck with connecting to Outside. Keep us posted on your progress.
04-26-2020 05:43 PM
OK, a couple of things:
I have attached the current config and interface brief.
I can connect over HTTPS in a web browser to the SSL VPN/AnyConnect portal and log in with user and password.
When I click on the Tunnel Connection (AnyConnect) button, AnyConnect begins to download, but when I try to open it in my downloads it says something like the file is corrupt, so I need to look into that later.
I can use the AnyConnect app on my Android and I can connect to the "inside" of the AnyConnect-configured router. I can ping 172.25.252.98, the loopback 172.16.1.1, and whatever the Android IP from the VPN pool is, like 192.168.10.10.
I need to get the connection to let me get out to the outside, out towards the other routerA, which has a gateway address 172.25.252.1, and then use its VPN to the shop router's 10.0.10.0 network.
How is this possible, what do I tweak? I have been trying to find the right document. I'm reading about 3 things: NAT-on-a-stick, U-turn, hairpinning. I need a little help on how to adjust my config and on which topic I should look into.
28#show run
Building configuration...
Current configuration : 6049 bytes
!
! Last configuration change at 00:31:21 UTC Mon Apr 27 2020 by tony
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 28
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
enable secret 4 qvTXvcZa7TkfIgL
aaa new-model
!
!
aaa authentication login TEST_AAA local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip name-server 1.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki server IOS-CA
database level complete
grant auto
crypto pki token default removal timeout 0
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://172.25.252.98:80
serial-number
subject-name CN=TEST
revocation-check none
rsakeypair TEST
!
!
crypto pki certificate chain IOS-CA
certificate ca 01
quit
crypto pki certificate chain TEST
certificate 02
quit
certificate ca 01
quit
!
!
license udi pid CISCO2801 sn FTX0930W2A1
license accept end user agreement
username Tony privilege 15 secret 4 qvTXvcZa7TkUHrjiz0IbTKI
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 172.25.252.98 255.255.254.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
!
interface Serial0/3/0
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
!
ip local pool TEST_POOL 192.168.10.1 192.168.10.10
ip default-gateway 172.25.252.1
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.25.252.1
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway TEST_GATEWAY
ip address 172.25.252.98 port 4443
ssl trustpoint TEST
logging enable
inservice
!
webvpn install svc usbflash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
webvpn context TEST_Context
ssl authenticate verify all
!
!
policy group TEST_Policy
functions svc-enabled
svc address-pool "TEST_POOL" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
virtual-template 1
default-group-policy TEST_Policy
aaa authentication list TEST_AAA
gateway TEST_GATEWAY
inservice
!
end
28#conf t
Enter configuration commands, one per line. End with CNTL/Z.
28(config)#do show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.25.252.98 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Serial0/3/0 unassigned YES unset administratively down down
Loopback0 172.16.1.1 YES manual up up
NVI0 172.25.252.98 YES unset up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 172.16.1.1 YES unset up up
Virtual-Template1 172.16.1.1 YES unset down down