Cisco Anyconnect 3.1/4.3 on IOS - False Web Authentication Required Problem

Hi guys,

Something I've been wanting to test for a long time has been Anyconnect on IOS. I've had plenty of joy with Anyconnect on ASAs in the past (configuring/deploying) but for some reason the Anyconnect on IOS is giving me no end of grief. The problems I'm having are that the VPN client is reporting Web Authentication required only when connecting to this Anyconnect VPN peer. If I connect to other VPN endpoints using the same client/workstation... no problems whatsoever (i.e. other Anyconnect VPN peers running on ASAs/etc).

I've tried both Anyconnect 3.1 and 4.3 clients. Issue has been replicated on Windows 7, Windows 10 and Windows XP (3.1 client only) from different public connections (i.e. ADSL/Ethernet/3G connected devices). I've upgraded IOS from 15.0M to 15.1(4)M10. Hardware is a Cisco 2921 router. I've ensured that the router has security and SSLVPN licensing. I think it's safe to say I've isolated this to being something on the head end router.

I've tinkered with the DTLS port and SSL encryption settings to test. There are a few devices between the router and the internet... but there should be no firewalls/etc in between the router and the internet (there may be NAT in play but I doubt it).

Config below:

ip local pool VPN_POOL 10.10.10.200 10.10.10.220
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address x.x.x.x port 443
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
 dtls port 8443
 !
webvpn install svc flash0:/webvpn/anyconnect-win-3.1.14018-k9.pkg sequence 1
!
webvpn context Cisco-WebVPN
 ssl authenticate verify all
 !
 url-list "rewrite"
 !
 acl "ssl-acl"
  permit ip 10.10.10.0 0.0.0.255 10.255.255.0 0.0.0.255
 !
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
  functions svc-enabled
  filter tunnel ssl-acl
  svc address-pool "VPN_POOL" netmask 255.255.255.0
  svc rekey method new-tunnel
  svc split include 10.255.255.0 255.255.255.0
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 20
 logging enable
 svc platform mac seq 2
 inservice

The connection experience is as follows:

  • Chuck in IP and connect
  • Warning untrusted server certificate. Click "Continue Anyway".
  • Credential pop-up. Authenticates ok.
  • Connecting, Checking for product updates... Security warning "Untrusted Server Certificate!". Click "Connect Anyway"
  • The Anyconnect updates have been completed...
  • "Use a browser to gain access. Web authentication required."

The Anyconnect logs report the following:

  • 2:10:28 PM Contacting x.x.x.x
  • 2:12:01 PM User credentials entered.
  • 2:12:01 PM Establishing VPN session...
  • 2:12:01 PM The AnyConnect Downloader is performing update checks...
  • 2:12:01 PM Checking for profile updates...
  • 2:12:01 PM Checking for product updates...
  • 2:12:42 PM Checking for customization updates...
  • 2:12:42 PM Performing any required updates...
  • 2:12:42 PM The AnyConnect Downloader updates have been completed.
  • 2:12:46 PM Establishing VPN session...
  • 2:12:46 PM Establishing VPN - Initiating connection...
  • 2:12:46 PM Disconnect in progress, please wait...
  • 2:12:47 PM The VPN client failed to establish a connection.
  • 2:12:47 PM AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

The issue is driving me crazy. I'm curious whether anyone has had a similar issue in the past and might know how to troubleshoot?
