
AnyConnect VPN Client on IOS Router

Giorgi Dvali
Level 1

Hi guys, I configured AnyConnect SSL VPN on a Cisco 2811 router. It works perfectly when I log in via the web and run the Secure Mobility Client. However, when I connect directly from the mobility client, the connection fails. It does not even ask me for a username and password.

----------------------------------------------------------------------------------------------------

Mar  7 21:36:47.613: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: VPN_GATEWAY i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at
Mar  7 21:36:47.617: WV: sslvpn process rcvd context queue event
Mar  7 21:36:47.621: WV: sslvpn process rcvd context queue event
Mar  7 21:36:47.745: WV: sslvpn process rcvd context queue event
Mar  7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925DA18, data: 0x3F57ED98, len: 1,
      offset: 0, domain: 0)
Mar  7 21:36:47.749: WV: Fragmented App data - buffered
Mar  7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
      Data buffer(buffer: 0x4925D818, data: 0x3F2033F8, len: 242,
      offset: 0, domain: 0)
Mar  7 21:36:47.749: WV: Appl. processing Failed : 2
Mar  7 21:36:47.749: WV: server side not ready to send.
Mar  7 21:36:47.749: WV: server side not ready to send.
Mar  7 21:36:47.749: WV: server side not ready to send.
Mar  7 21:36:47.753: WV: sslvpn process rcvd context queue event
Mar  7 21:36:47.753: WV: server side not ready to send.

--------------------------------------------------------------------------------------------

====================

Here is the config:

=====================

crypto pki trustpoint VPN_TRUSTPOINT
 enrollment selfsigned
 serial-number
 subject-name CN=academy-certificate
 revocation-check crl
 rsakeypair RSA_KEY
!
!
crypto pki certificate chain VPN_TRUSTPOINT
!
ip local pool VPN_POOL 192.168.7.100 192.168.7.150
!
webvpn gateway VPN_GATEWAY
 ip address <ip>
 ssl trustpoint VPN_TRUSTPOINT
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg sequence 1
!
webvpn context VPN_CONTEXT
 title "<title>"
 ssl authenticate verify all
!
 login-message "<message>"
!
 policy group VPNPOLICY
   functions svc-required
   svc address-pool "VPN_POOL"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.1.0 255.255.255.0
 default-group-policy VPNPOLICY
 aaa authentication list default
 gateway VPN_GATEWAY
 max-users 10
 inservice

--------------------

I have not yet figured out why the mobility client works when launched from the web and why it does not work directly. Any input or hints would be much appreciated.


1 Accepted Solution


Hi Giorgi,

This could be related to CSCti89976.

AnyConnect 3.0 doesn't work with existing IOS.


Symptoms:
Standalone AnyConnect 3.0 client does not work with an existing IOS headend.

Conditions:
AnyConnect 3.0 with an IOS Router as the headend.

Workaround:
Use AnyConnect 2.5 or use weblaunch.
Upgrade IOS

Would it be possible to upgrade the IOS version?

HTH.

Portu.


Jennifer Halim
Cisco Employee

Looks like you might have been affected by bugID: CSCty90942:

Standalone Anyconnect 3.0.4+ fails to connect on IOS 15.x & 12.4T

Workaround:
[1] Use web-launch
[2] Downgrade it to 3.0.4236 or main release of 2.5.3055
[3] The fix is available on MR10 and later 3.0, 3.0.1xxxx... upgrade the package and client.

NOTE: If upgrading to AC versions 3.0.10057 or 3.1.01065 or higher does not entirely resolve the issue and the standalone client connection continues to fail with the same "server returned an invalid or unrecognized response" error message, try upgrading the IOS code as well, to 15.1(4)M5 or higher, for compatibility between the AC client and IOS router versions.
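
The version thresholds in the NOTE above, turned into a small audit check as an added example (not part of the original post and not Cisco's code). The function names and status strings are hypothetical, and treating only the 15.1 M train as directly comparable with 15.1(4)M5 is this example's assumption; other trains are reported for manual review.

```python
import re

# Thresholds quoted in the NOTE above: AnyConnect 3.0.10057 / 3.1.01065, IOS 15.1(4)M5.
# How versions outside those trains compare is an assumption of this example.
AC_MIN_BUILD = {(3, 0): 10057, (3, 1): 1065}
IOS_MIN = (15, 1, 4, "M", 5)


def parse_ac(text):
    """Extract (major, minor, build) from an AnyConnect version or .pkg filename."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no AnyConnect version in {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_ios(text):
    """Parse '15.1(4)M6' into (15, 1, 4, 'M', 6); a missing rebuild number is 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)", text.strip())
    if not m:
        raise ValueError(f"unrecognized IOS version {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return int(major), int(minor), int(maint), train, int(rebuild or 0)


def ac_meets_note(text):
    """True if the client/package build is at or above the NOTE's thresholds."""
    major, minor, build = parse_ac(text)
    if (major, minor) in AC_MIN_BUILD:
        return build >= AC_MIN_BUILD[(major, minor)]
    return (major, minor) > (3, 1)


def ios_status(text):
    """Compare an IOS version with 15.1(4)M5 without guessing across trains."""
    major, minor, maint, train, rebuild = parse_ios(text)
    if (major, minor) < IOS_MIN[:2]:
        return "ios-below-note"
    if (major, minor) == IOS_MIN[:2] and train == IOS_MIN[3]:
        ok = (maint, rebuild) >= (IOS_MIN[2], IOS_MIN[4])
        return "meets-note" if ok else "ios-below-note"
    return "ios-train-not-compared"  # e.g. 15.2(x)M or 15.1(x)T: check release notes


def assess(pkg, ios):
    """Status for one router: AnyConnect package name/version plus IOS version."""
    if not ac_meets_note(pkg):
        return "client-below-note"
    return ios_status(ios)
```

Feed `assess()` the package name from the `webvpn install svc` line and the version string from `show version` for each headend.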

I tried downgrading the AnyConnect client and server down to 2.5, but it didn't help. I tried it in GNS on a 7200 router, but I see the same results there. It seems that generally standalone AnyConnect does not work on IOS routers without web authentication.


I finally managed to upgrade the router to the latest IOS version, 15.1(4)M6. It resolved the issue with the direct connection from the client. Now everything works like a charm.

Thank you all for your time and support! I appreciate it.

Great job

Please rate any helpful posts just like I did and mark this post as answered.
