[Solved] UC560 and SSL WEBVPN Not working

Hi everyone,

I have recently upgraded the UC560 to the 8.6 software pack, and since then I have started to have issues with SSL VPN from the SPA525G; it does not want to connect.

These are the errors I am getting:

008103: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 882CEA48
008104: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008105: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008106: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 882CEA48 in interrupt path
008107: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 882CEA48 punted
008108: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008109: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008110: Jun 29 15:56:38.138: WV: Tunneled data packet was sent
008111: Jun 29 15:56:38.390: WV: Tunneled data packet was copied!
008112: Jun 29 15:56:38.390: [WV-TUNL-PAK]:[8B43B058] RxClient, CSTP Data, recvd from (jmalone, 172.16.1.4)
008113: Jun 29 15:56:38.390: [WV-TUNL-PAK]:CSTP version: 1, Data Len: 36 bytes
1E601C00:                              535446               STF
1E601C10: 01002400 00450000 24000040 00011143  ..$..E..$..@...C
1E601C20: 64AC1001 04E0A8A8 A8D43117 AD0010AC  d,...`(((T1.-..,
1E601C30: 1B3FA2F0 CB000001 00                 .?"pK....
008114: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 86C0C178
008115: Jun 29 15:56:38.398: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008116: Jun 29 15:56:38.398: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008117: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 86C0C178 in interrupt path
008118: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 86C0C178 punted
008119: Jun 29 15:56:38.398: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008120: Jun 29 15:56:38.398: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008121: Jun 29 15:56:38.398: WV: Tunneled data packet was sent

My config of the VPN:

webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address 192.168.4.250 port 443
 ssl trustpoint TP-self-signed-171782247
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.6005-k9.pkg sequence 1
!
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
   svc dns-server primary 192.168.2.1
   svc dns-server secondary 192.168.2.50
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 20
 inservice

The outside IP address is mapped to 192.168.4.250:443. I can browse to that IP and I can connect to the VPN fine without any problems; it just does not work for the phone, and it does not give me an error either.

Any ideas?

Thank you
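The debug output above is easier to reason about once it is reduced to flows and forwarding events: which client sent what to where, and how many packets left the CEF interrupt path and were punted. The following Python script is an added example written for this thread, not code from the original poster or from Cisco; it parses the "[WV-TUNL-PAK]" and "WV:" line formats exactly as they appear in the post and uses the post's own lines as input. The destination address is flagged only because it is in the multicast range; the script makes no claim about what the phone is trying to reach.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Sample input: the "debug webvpn" lines quoted in the original post (the hex
# dump lines are left out; they match no pattern below and would be skipped).
SAMPLE_DEBUG = """\
008103: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 882CEA48
008104: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008105: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008106: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 882CEA48 in interrupt path
008107: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 882CEA48 punted
008108: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008109: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008110: Jun 29 15:56:38.138: WV: Tunneled data packet was sent
008111: Jun 29 15:56:38.390: WV: Tunneled data packet was copied!
008112: Jun 29 15:56:38.390: [WV-TUNL-PAK]:[8B43B058] RxClient, CSTP Data, recvd from (jmalone, 172.16.1.4)
008113: Jun 29 15:56:38.390: [WV-TUNL-PAK]:CSTP version: 1, Data Len: 36 bytes
"""

# Patterns match the line formats seen in the post; other line types are ignored.
IP4_RE = re.compile(r"IP4 Len =(\d+) Src =(\S+) Dst =(\S+) Prot =(\d+)")
UDP_RE = re.compile(r"UDP sport=(\d+), dport=(\d+)")
FAIL_RE = re.compile(r"Failed to fwd Pak (\w+)")
PUNT_RE = re.compile(r"Pak (\w+) punted")
CLIENT_RE = re.compile(r"RxClient, CSTP Data, recvd from \((\S+), (\S+)\)")


def summarize(debug_text):
    """Aggregate a debug webvpn capture into flows and forwarding events."""
    flows = Counter()          # (src, dst, proto, sport, dport) -> packet count
    failed, punted, clients = set(), set(), set()
    sent = copied = 0
    pending = None             # IP header seen, waiting for its UDP line

    def flush(ports):
        nonlocal pending
        if pending is not None:
            flows[pending + ports] += 1
            pending = None

    for line in debug_text.splitlines():
        if m := IP4_RE.search(line):
            flush((None, None))            # previous header had no L4 line (e.g. ICMP)
            _, src, dst, proto = m.groups()
            pending = (src, dst, int(proto))
        elif m := UDP_RE.search(line):
            flush((int(m.group(1)), int(m.group(2))))
        elif m := FAIL_RE.search(line):
            failed.add(m.group(1))
        elif m := PUNT_RE.search(line):
            punted.add(m.group(1))
        elif m := CLIENT_RE.search(line):
            clients.add((m.group(1), m.group(2)))   # (username, assigned address)
        elif "Tunneled data packet was sent" in line:
            sent += 1
        elif "Tunneled data packet was copied" in line:
            copied += 1
    flush((None, None))
    return {
        "flows": dict(flows),
        "multicast_flows": [k for k in flows if ip_address(k[1]).is_multicast],
        "failed_fwd": sorted(failed),
        "punted": sorted(punted),
        "clients": sorted(clients),
        "sent": sent,
        "copied": copied,
    }


def findings(summary):
    """Turn the summary into notes an operator would want while troubleshooting."""
    notes = []
    for key in summary["multicast_flows"]:
        src, dst, proto, sport, dport = key
        notes.append(f"{src} sent {summary['flows'][key]} packet(s) through the tunnel to "
                     f"multicast address {dst} (proto {proto}, {sport}->{dport}); "
                     "check whether that group is meant to be reachable through the SVC tunnel")
    if summary["punted"]:
        notes.append(f"{len(summary['punted'])} packet(s) could not be forwarded in the interrupt "
                     f"path and were punted: {', '.join(summary['punted'])}")
    if summary["copied"]:
        notes.append(f"{summary['copied']} 'Tunneled data packet was copied!' event(s); "
                     "a later reply in this thread reports these coincided with missing replies")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_DEBUG)):
        print("-", note)
```

Run it against a saved `debug webvpn` capture by replacing `SAMPLE_DEBUG` with the file contents; the per-flow counter makes it obvious when every tunneled packet from the phone is going to one destination and none is coming back.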

7 Replies

Hello,

You may try to disable DTLS on the SSL VPN. In CCA it is under Configure -> Security -> SSL VPN settings; in the CLI it is 'no svc dtls' under the webvpn group policy.

HTH,

Alex

*Please rate helpful posts.

Hello Alexander,

First of all, I would like to confirm that disabling DTLS as you proposed definitely could solve the weird problem with WEBVPN on a 2921 running IOS 15.3(3)M that I met this week.

Strange, because I found this thread on the forum by googling a phrase I saw in the debug webvpn output while pinging an internal host from the VPN client: "WV: Tunneled data packet was copied!", because this message appeared each time I didn't get a reply to an ICMP echo-request.

So, the second thing: could you please explain what the root cause behind the scenes is that your advice solves?

And thank you very very much for your help! It's really priceless.

Best regards,

Ivan

Brandon Turpin
Cisco Employee

Hi,

One thing I noticed is you don't have a virtual-template in your webvpn configuration.  What version of IOS are you using?  The virtual-template will be needed for this to work correctly. 

For example:

interface Virtual-Template1
 ip unnumbered Loopback1
 ip nat inside
 ip virtual-reassembly in

Then your policy group would look like this:

 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
   svc dns-server primary 192.168.2.1
   svc dns-server secondary 192.168.2.50
 virtual-template 1
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 20
 inservice

Also, you mentioned that your outside address is mapped to 192.168.4.250:443.  I just want to confirm that 192.168.4.250 is the ip address of an actual interface (real or virtual). 

Let me know if adding the virtual-template helps.

Thanks,

Brandon

Hi there,

Thank you, but I get this when I try to add the Virtual-Template. The 192.168.4.250 is the VLAN 4 IP of the UC560.

%ERROR: Please make context out of service before applying VT.

Also, here is the version number:

Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(4)M4b, CIBU Special

Many thanks

Message was edited by: Dmitry

Hi Dmitry,

That means that you need to do 'no inservice' in the context before adding the virtual-template.  Just make sure you put it back in service with 'inservice' after adding the virtual-template.

Example:

conf t
 webvpn context SDM_WEBVPN_CONTEXT_1
  no inservice
  virtual-template 1
  inservice
end

Let me know if that helps.

Thanks,

Brandon
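The three fixes proposed in this thread (Alex's 'no svc dtls', Brandon's missing 'virtual-template', and the 'no inservice' ordering forced by the '%ERROR: Please make context out of service before applying VT.' message) can be checked mechanically before touching a box. The following Python script is an added example for this thread, not code from Cisco or from any poster: it parses a 'webvpn context' block in the flattened form the original post shows, reports what is missing, and prints the CLI sequence in the order the router requires. It assumes the Virtual-Template interface itself (Brandon's 'interface Virtual-Template1') already exists, and the template number 1 is just a default.

```python
# Sample input: the webvpn context from the original post (constructed copy,
# with the irregular indentation of the post kept; "!" separators included).
POSTED_CONTEXT = """\
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
   svc dns-server primary 192.168.2.1
   svc  dns-server secondary  192.168.2.50
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 20
 inservice
"""

# The same context with both fixes applied, for comparison (constructed).
FIXED_CONTEXT = POSTED_CONTEXT.replace(
    "   svc  dns-server secondary  192.168.2.50\n",
    "   svc  dns-server secondary  192.168.2.50\n   no svc dtls\n",
).replace("default-group-policy", "virtual-template 1\n default-group-policy")


def parse_context(config_text):
    """Extract the settings this thread cares about from one webvpn context."""
    ctx = {"name": None, "virtual_template": None, "inservice": False,
           "default_group_policy": None, "gateway": None, "policy_groups": {}}
    pg = None                                   # policy group currently being read
    for raw in config_text.splitlines():
        line = " ".join(raw.split())            # normalise the flattened spacing
        if not line or line == "!":
            continue
        words = line.split()
        if line.startswith("webvpn context "):
            ctx["name"] = words[2]
        elif line.startswith("policy group "):
            pg = ctx["policy_groups"].setdefault(
                words[2], {"svc_enabled": False, "dtls_disabled": False})
        elif line.startswith("virtual-template "):
            ctx["virtual_template"] = int(words[1])
        elif line == "inservice":
            ctx["inservice"] = True
        elif line == "no inservice":
            ctx["inservice"] = False
        elif line.startswith("default-group-policy "):
            ctx["default_group_policy"] = words[1]
        elif line.startswith("gateway "):
            ctx["gateway"] = words[1]
        elif pg is not None and line == "functions svc-enabled":
            pg["svc_enabled"] = True
        elif pg is not None and line == "no svc dtls":
            pg["dtls_disabled"] = True
        elif pg is not None and line == "svc dtls":
            pg["dtls_disabled"] = False
    return ctx


def findings(ctx):
    """Gaps relative to the advice given in this thread."""
    notes = []
    if ctx["virtual_template"] is None:
        notes.append("no virtual-template in the context (it must be out of service to add one)")
    if ctx["default_group_policy"] not in ctx["policy_groups"]:
        notes.append(f"default-group-policy {ctx['default_group_policy']} is not defined here")
    for name, pg in ctx["policy_groups"].items():
        if pg["svc_enabled"] and not pg["dtls_disabled"]:
            notes.append(f"policy group {name}: DTLS not explicitly disabled ('no svc dtls')")
    if not ctx["inservice"]:
        notes.append("context is not inservice")
    return notes


def remediation_cli(ctx, vt_number=1, disable_dtls=True):
    """CLI lines in the order the router accepts them; empty if nothing to do."""
    body = []
    if ctx["virtual_template"] is None:
        body += [" no inservice", f" virtual-template {vt_number}"]   # VT needs context down
    if disable_dtls:
        for name, pg in ctx["policy_groups"].items():
            if pg["svc_enabled"] and not pg["dtls_disabled"]:
                body += [f" policy group {name}", "  no svc dtls", " exit"]
    if ctx["virtual_template"] is None:
        body.append(" inservice")                # bring it back up last
    if not body:
        return []
    return ["conf t", f"webvpn context {ctx['name']}"] + body + ["end"]


if __name__ == "__main__":
    ctx = parse_context(POSTED_CONTEXT)
    for note in findings(ctx):
        print("-", note)
    print("\n".join(remediation_cli(ctx)))
```

Paste the output of 'show running-config | section webvpn context' in place of the sample to run it against a real device; the script only reads text and prints commands, so review the printed sequence before applying it.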

Hi Brandon,

All sorted now. The problem was just down to the end user's router; I'm not sure what exactly, but when we added Alternative TFTP it all worked.

Many thanks!

P.S. Please mark this as answered.

Hi,

That's good that it's now working.  Enabling the Alternate TFTP and configuring TFTP Server 1 is needed so the phone knows where to go to get its config.

Regarding marking this as answered, I believe that is something you do.

Thanks,

Brandon