03-07-2013 01:47 PM - edited 02-21-2020 06:45 PM
Hi Guys, I configured AnyConnect SSL VPN on a Cisco 2811 router. It works perfectly when I log in via web and run the Secure Mobility Client. However, when I connect directly from the mobility client, the connection fails. It does not even ask me for a username and password.
----------------------------------------------------------------------------------------------------
Mar 7 21:36:47.613: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: VPN_GATEWAY i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at
Mar 7 21:36:47.617: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.621: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.745: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
Data buffer(buffer: 0x4925DA18, data: 0x3F57ED98, len: 1,
offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Fragmented App data - buffered
Mar 7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
Data buffer(buffer: 0x4925D818, data: 0x3F2033F8, len: 242,
offset: 0, domain: 0)
Mar 7 21:36:47.749: WV: Appl. processing Failed : 2
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.749: WV: server side not ready to send.
Mar 7 21:36:47.753: WV: sslvpn process rcvd context queue event
Mar 7 21:36:47.753: WV: server side not ready to send.
--------------------------------------------------------------------------------------------
====================
Here is the config:
=====================
crypto pki trustpoint VPN_TRUSTPOINT
enrollment selfsigned
serial-number
subject-name CN=academy-certificate
revocation-check crl
rsakeypair RSA_KEY
!
!
crypto pki certificate chain VPN_TRUSTPOINT
!
ip local pool VPN_POOL 192.168.7.100 192.168.7.150
!
webvpn gateway VPN_GATEWAY
ip address <ip>
ssl trustpoint VPN_TRUSTPOINT
logging enable
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg sequence 1
!
webvpn context VPN_CONTEXT
title "<title>"
ssl authenticate verify all
!
login-message "<message>"
!
policy group VPNPOLICY
functions svc-required
svc address-pool "VPN_POOL"
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.1.0 255.255.255.0
default-group-policy VPNPOLICY
aaa authentication list default
gateway VPN_GATEWAY
max-users 10
inservice
--------------------
I have not yet figured out why the mobility client works when launched from the web but does not work directly. Any input or hints would be much appreciated.
03-07-2013 07:37 PM
Looks like you might have been affected by bugID: CSCty90942:
Standalone Anyconnect 3.0.4+ fails to connect on IOS 15.x & 12.4T
Workaround:
[1] Use web-launch
[2] Downgrade it to 3.0.4236 or main release of 2.5.3055
[3] The fix is available on MR10 and later 3.0, 3.0.1xxxx...upgrade the package and client.
NOTE: If upgrading to AC versions of 3.0.10057 or 3.1.01065 or higher does not entirely resolve the issue and the standalone client connection continues failing due to the same "server returned an invalid or unrecognized response" error message, try upgrading IOS code as well to 15.1(4)M5 or higher for compatibility between the AC client & IOS router versions.
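The version thresholds in the workaround note above can be checked mechanically against the package named in the posted config. This is an added example, not code from the thread or from Cisco: the function names are hypothetical, the IOS parser handles only M-train release strings such as 15.1(4)M5, the release 15.1(4)M4 is a constructed sample value, and treating client branches above 3.1 as covered by the note's "or higher" is an assumption.

```python
import re

# Thresholds taken from the workaround note quoted above.
AC_MIN_BUILD = {(3, 0): 10057, (3, 1): 1065}  # minimum build per 3.x branch
IOS_MIN = "15.1(4)M5"

def parse_anyconnect(text):
    """Return (major, minor, build) from a version string or .pkg file name."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no AnyConnect version in {text!r}")
    return tuple(int(g) for g in m.groups())

def parse_ios(text):
    """Parse an M-train release such as 15.1(4)M6 into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)M(\d*)", text.strip())
    if not m:
        raise ValueError(f"not an M-train IOS release: {text!r}")
    major, minor, maint, rebuild = m.groups()
    return (int(major), int(minor), int(maint), int(rebuild or 0))

def next_step(pkg, ios):
    """Apply the note's order: client threshold first, then the IOS threshold."""
    major, minor, build = parse_anyconnect(pkg)
    branch = (major, minor)
    if branch < (3, 0):
        return "client-not-covered"      # the note only gives 3.0/3.1 thresholds
    if branch in AC_MIN_BUILD and build < AC_MIN_BUILD[branch]:
        return "upgrade-client"
    # Assumption: branches above 3.1 fall under the note's "or higher".
    if parse_ios(ios) < parse_ios(IOS_MIN):
        return "upgrade-ios"
    return "meets-both"

if __name__ == "__main__":
    pkg = "flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg"  # from the posted config
    for ios in ("15.1(4)M4", "15.1(4)M6"):  # M4 is a constructed sample value
        print(ios, "->", next_step(pkg, ios))
```

The installed 3.1.02040 package already meets the client threshold, so under the note only the IOS release remains to be checked.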
03-14-2013 11:44 AM
I tried downgrading the AnyConnect client and server down to 2.5, but it didn't help. Tried it in GNS on a 7200 router, but I see the same results there. It seems that generally standalone AnyConnect does not work on IOS routers without web authentication.
03-14-2013 12:08 PM
Hi Giorgi,
This could be related to CSCti89976.
AnyConnect 3.0 doesn't work with existing IOS.
Conditions: Workaround:
Would it be possible to upgrade the IOS version?
HTH.
Portu.
03-23-2013 02:42 PM
I finally managed to upgrade the router to the latest IOS version, 15.1(4)M6. It resolved the issue with the direct connection from the client. Now everything works like a charm.
Thank you all for your time and support! I appreciate it.
03-23-2013 08:34 PM
Great job
Please rate any helpful posts just like I did and mark this post as answered.