Showing results for 
Search instead for 
Did you mean: 

Configure SSLVPN on Cisco Cloud Services Router 1000V(CSR1000V)


                                                      Table of Contents

  Components Used
  Network Diagram
  Configuration Settings



This document provides step-by-step instructions on how to configure a Cisco CSR1000V Router for terminating Anyconnect client based connections.



This document requires a basic understanding of SSL protocol. Ensure that you meet these requirements before you attempt this configuration:

    Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
    Cisco AnyConnect Secure Mobility Client 3.x or higher
Components Used:

Cisco Cloud Services Router 1000V running IOS XE 3.12
 Cisco AnyConnect Secure Mobility Client 3.1.05160
 Microsoft Windows 7 PC

Network Diagram:

Anyconnect Configuration:

1. Configure SSL Server Self-Signed Certificate

# Generate an Rivest-Shamir-Addleman (RSA) Key with a length of 2048 bytes:
crypto key generate rsa general-keys label anyconnect modulus 2048

# Configure a trustpoint for the self-signed certificate, and apply this RSA Keypair:     
crypto pki trustpoint anyconnectvpn
  enrollment selfsigned
  subject-name CN=
  revocation-check none
  rsakeypair anyconnect

# Once the trustpoint is configured, enroll the self-signed certificate
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created


2. Upload and Apply the Anyconnect client software

copy tftp:// flash

Address or name of remote host []?

Source filename [anyconnect-win-3.1.05160-k9.pkg]?

Destination filename [anyconnect-win-3.1.05160-k9.pkg]?

Accessing tftp://!!!!!!!!!!!!!

Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
2635734 bytes copied in 4.480 secs (658933 bytes/sec)

# Apply this Anyconnect client image to the configuration
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1


3. Configure the User Database

aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123


4. Configure the VPN pool

# Define the local pool that is used in order to assign IP addresses to the clients when they connect

ip local pool SSL_Client


5. Define the supported ciphers under SSL Proposal

crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1


6. Create a split-tunnel access-list to be pushed out as a secure route to the Anyconnect clients

ip access-list standard sslvpn-tunnel


7. Configure an SSL Policy that defines the ciphers to be supported and the trustpoint to be used during SSL negotiation.

crypto ssl policy sslvpn-policy
ssl proposal ssl_proposal
pki trustpoint anyconnectvpn sign
ip address local port 443
no shut


8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients

crypto ssl authorization policy sslvpn-auth-policy
pool SSL_Client
route set access-list sslvpn-tunnel


9. Define the configured authentication and authorization lists under an SSL Profile

crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100


10. Verify your connection
Once a Client connects, you can view the status using:

show crypto ssl session user Anyconnect detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160

Username          : Anyconnect           Num Connection : 1
Public IP         :
Profile           : ssl_profile
Policy            : ssl_policy
Last-Used         : 00:00:06                Created        : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout   : 43200                Idle Timeout   : 1800
DNS primary       :
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : SSL_Client           MTU Size       : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200                Keepalive      : 30
Tunnel IP         :         Netmask        :
Rx IP Packets     : 533                     Tx IP Packets  : 462
Virtual Access    : 1
CSTP Started      : 00:46:50             Last-Received  : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    :
Client Ports      : 49423

Detail Session Statistics for User:: Anyconnect

CSTP Statistics::
Rx CSTP Frames    : 322                Tx CSTP Frames   : 0
Rx CSTP Bytes     : 63453              Tx CSTP Bytes    : 3423
Rx CSTP Data Fr   : 643                 Tx CSTP Data Fr  : 233
Rx CSTP CNTL Fr   : 36                 Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                  Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                  Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                  Tx Address Renew : 0
Rx Dropped Frames : 0                  Tx Dropped Frame : 0
Rx IP Packets     : 167                    Tx IP Packets    : 532
Rx IP Bytes       : 8375                   Tx IP Bytes      : 18573

CEF Statistics::
Rx CSTP Data Fr   : 0                   Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes    : 0



Hi Namita, 


Excellent guide, thank you for posting this! I'm trying to set up this exact scenario on a CSR 1000v in a client's AWS environment, but have been unable to get it working. 

I followed your steps exactly (I think) and my result now is; when I attempt a connection via my Anyconnect client, I get prompted to enter my credentials-->"Establishing VPN session"-->then it fails and I get an error for the Anyconnect client saying: 


"Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again" 


I did quite a bit of research on that error and followed every suggestion I found, which seemed to all point the problem towards my client, but still the same result. NOTE: I've tried connecting from multiple laptops and get the same error.  


I've attached a copy of my running-config. I'd GREATLY appreciate it if you could take a look and see if you notice anything incorrect/missing. 


I've also attached a file showing the output of a "debug crypto ssl" when I attempt to connect. You'll see I'm getting authenticated, but when it fails to connect the reason says "user logged out"


I'm new to the CSR and not an SSL VPN expert, so I feel like I'm missing something simple.


Really hope you can help, thanks again! 





Update, I got it working. The Anyconnect client I was using to connect was a different version that the .pkg version I had on the router. I knew it'd be something obvious. 


My next task is getting remote Radius authentication set up for VPN users....

Community Member

Don't forget this command:

aaa authorization exec default local

if you don't enter it, you won't be able to get to enable mode with the default ec2-user.


Now I'm getting an error "The AnyConnect package on the secure gateway could not be located". Although I did upload the corresponding .pkg and configured it. Any suggestions how to attack it? I'm using version 4.0.02052 on Windows 7.


Edit: works fine with 3.1.08009. What am I missing with 4.0?

Dean Brandt

Thanks for posting this but I also have some issues. When I try and connect I get an error stating no valid certificate available for authentication. config attached




I am looking into more complicated deployment. Here are details

  • 1000v as SSL VPN for multiple projects/network
  • 1000v will have VLAN interface on each network
  • Each network VLAN has its own DHCP server
  • User authentication needs to be done against central database via LDAP/AD
  • Logon screen need to provide three entries - username, password and project (VLAN) number
  • After successful authentication user machine is dropped into target VLAN and needs get IP address from the DHCP server at that VLAN
  • 1000v should act as a transparent L2 bridge between the remote client and the local VLAN/network

All above are required. The above setup works fine with F5 APM. My question is if the same can be done with Cisco's SSL VPN

Recognize Your Peers
Content for Community-Ad