anyconnect vpn uc560

tkavithas87

I have configured SSL VPN on a UC560, and when I connect with AnyConnect VPN on the iPhone it asks for the username and password. After I give the correct username and password it says "error processing data received from secure gateway". What is wrong with the configuration?

webvpn gateway GWa
 ip address 203.169.115.179 port 443
 ssl trustpoint TP-self-signed-1454133144
 inservice
!
webvpn context WAterlier
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "new" netmask 255.255.255.0
 default-group-policy policy_1
 gateway GWa
 max-users 100
 inservice
!

thanks

kavi


tkavithas87

The following is the certificate created on the router. Is there anything wrong with this?

crypto pki trustpoint TP-self-signed-1454133144
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1454133144
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1454133144
 certificate self-signed 01

The following is the certificate created on another UC560, and here the AnyConnect VPN is working. I can see there is a difference between these two certificates: one command is missing on the UC560 which is not working for AnyConnect VPN ("rsakeypair TP-self-signed-560388261"). I couldn't add this command manually.

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-560388261
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-560388261
 revocation-check none
 rsakeypair TP-self-signed-560388261
!
!
crypto pki certificate chain TP-self-signed-560388261
 certificate self-signed 01

Hi Kavithas,

You need to zeroize the RSA keypair and recreate it (use length 1024), then recreate the certificate and add rsakeypair with the new RSA key with length 1024.

HTH,

Alex

*Please rate helpful posts

Hi Alexander,

I haven't created the certificate manually. When I enter the command "ip http secure-server", the certificate and trustpoint are created automatically. When I enter the command "no ip http secure-server", the certificate and trustpoint are not removed, so I manually removed them and then entered the commands

1. crypto key zeroize rsa

2. crypto key generate rsa (key length 1024)

then entered the command "ip http secure-server",

but rsakeypair is not added to the crypto pki trustpoint.

Could you explain how to create this?

thanks

kavi

Hi Kavi,

You may follow the procedure from the "Delete and Rebuild Trustpoint" part of:

https://supportforums.cisco.com/docs/DOC-18980

On step 5 add the length 1024 at the end of the "rsakeypair" command.

Remember to change the RSA key name and the certificate name to the ones you have in your system.

Thank you for the rating!

Please ask if you have further questions.

HTH,

Alex

I have solved the key issue but still couldn't connect. Now when I use the command "debug ssl openssl errors",

the following error occurs.

193705: Dec 18 06:46:39.214: 0:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:1062:SSL alert number 46

193706: Dec 18 06:46:39.214: 0:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:847:

Following is the SSL VPN configuration:

webvpn gateway GWa
 ip address 203.169.115.179 port 443
 http-redirect port 80
 ssl trustpoint TP-Self-Signed-9999999999
 inservice
!
webvpn context WAterlier
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "new1" netmask 255.255.255.0
 default-group-policy policy_1
 gateway GWa
 max-users 10
 inservice

I am able to connect using the browser, but cannot connect using AnyConnect on the iPhone, and also couldn't start the Tunnel Connection (AnyConnect) from the browser.
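The two debug lines in this post show the gateway, while reading the handshake (SSL3_READ_BYTES), receiving TLS alert 46 (certificate_unknown) from the peer: the client refused the router's self-signed certificate, so the problem sits in client-side trust of the gateway certificate rather than in the webvpn policy. The following is an added example, not code from the thread or from Cisco, that parses "debug ssl openssl errors" output into fields and flags that condition; the sample log is the two lines quoted above and the alert names follow RFC 5246.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (subset relevant to
# certificate problems on an SSL VPN gateway)
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Shape of an IOS "debug ssl openssl errors" line:
# <seq>: <timestamp>: <n>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): \d+:error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
    r"(?P<extra>.*)$"
)
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Sample input: the two debug lines quoted in the post above
SAMPLE_LOG = """\
193705: Dec 18 06:46:39.214: 0:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:1062:SSL alert number 46
193706: Dec 18 06:46:39.214: 0:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:847:
"""


def parse_line(line):
    """Return a dict of fields for one debug line, or None if it is not an OpenSSL error."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    a = ALERT_RE.search(rec["extra"])
    rec["alert"] = int(a.group(1)) if a else None
    rec["alert_name"] = TLS_ALERTS.get(rec["alert"], "unknown") if a else None
    return rec


def diagnose(log_text):
    """Summarise received alerts and whether the peer rejected the gateway's certificate."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    alerts = [(r["alert"], r["alert_name"]) for r in records if r["alert"] is not None]
    # An alert surfaced in SSL3_READ_BYTES was sent by the peer (the client), so a
    # certificate-class alert there means the client refused the gateway's certificate.
    cert_alerts = {42, 43, 45, 46, 48}
    peer_rejected = any(r["alert"] in cert_alerts and "READ_BYTES" in r["func"] for r in records)
    return {"errors": len(records), "alerts": alerts, "peer_rejected_cert": peer_rejected}
```

A peer_rejected_cert verdict means the remedy is on the trust side (the client must trust the gateway certificate, or the gateway needs a certificate the client already trusts), not in the address pool or policy group.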

Hi Kavi,

Are you able to connect with the AnyConnect client (or Tunnel connection) on a Windows PC?  The reason I ask is I don't see the AnyConnect package installed in your webvpn configuration.  You should see something like this:

  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1

Can you confirm you have that in your configuration?

Also, AnyConnect on iPhone is not currently supported on IOS.  It is currently on the roadmap, but is not there yet.  Please see the following:

  CSCtx24822 - ENH: IOS SSL support for Anyconnet on  mobile platforms

Thanks,

Brandon

Hi Brandon,

I don't have the following configuration:

webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1

I am able to connect using the browser, but not through the AnyConnect client. To connect through the AnyConnect client I need to configure this

"webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1" command as you mentioned, but my purpose is AnyConnect on the iPhone.

For AnyConnect on the iPhone, without this configuration I have configured some other UC560 (Version 15.1(4)M4b) and it is working fine.

Now I am using Version 15.1(2)T4. I am wondering whether this version is not supported.

thanks

kavi

Hi Kavi,

Clientless webvpn will work without an AnyConnect package, but to have full client connectivity (AnyConnect client), a package needs to be installed.

That's interesting that you have been able to get AnyConnect on iphone to work, especially if you didn't have an AnyConnect package installed.  I just wanted to point out that AnyConnect on iphone is currently not  officially supported in IOS.  My understanding is some people have been able to get it to work, but it's inconsistent and I'm not sure what package they used. 

If you have been able to get it to work in 15.1(4)M4b, then you may want to upgrade the other box to that or 15.1(4)M5 and see if it works. 

Thanks,

Brandon

Thanks Brandon.

Let me try with the 15.1(4)M5 version.

kavi
