Cisco AnyConnect with iPhone, iPad

faxudu
Level 1

Hi all,

I configured my router the same way as in "FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP".

I have two problems.

1. I cannot access the internal web by browser when I use an iPhone or iPad (I tried other iOS versions, 11 to 12), but I can access the internal web by IP address. I tried with Android and it's OK.

2. With some Wi-Fi networks, Cisco AnyConnect was connected, but I cannot access the internal network with any device. I checked the IP address; it's not a duplicate.

Has anyone seen these problems?

I hope you can help me with this case.

Thanks

Phan

5 Replies

Hi,
Please provide your full configuration of the router for review.
Also, please provide the output of the following command:
- show crypto ikev2 sa detail

Here is my configuration in the attached file, and the command output:

vpn#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.254.1/4500 192.168.1.50/63621 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: RSA, Auth verify: AnyConnect-EAP
Life/Active Time: 86400/33 sec
CE id: 1502, Session-id: 320
Status Description: Negotiation done
Local spi: 9B29687F83E1DA89 Remote spi: C00225B75E37F290
Local id: 192.168.254.1
Remote id: *$AnyConnectClient$*
Remote EAP id: test
Local req msg id: 0 Remote req msg id: 7
Local next msg id: 0 Remote next msg id: 7
Local req queued: 0 Remote req queued: 7
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 172.31.254.97
Initiator of SA : No

IPv6 Crypto IKEv2 SA

Thanks

Phan

Hi,

Is the configuration you uploaded the latest and accurate?

In your IKEv2 Profile configuration, you have defined vanphong as the authorization profile, which does not exist. The name of your authorization policy is ikev2-auth-policy. You should change this IKEv2 Profile; then you should receive the DNS configuration, the remote route, etc., as defined.

crypto ikev2 profile vanphong
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong

crypto ikev2 authorization policy ikev2-auth-policy
 pool quantri
 dns 192.168.254.1
 netmask 255.255.255.224
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.253.0 255.255.255.0

HTH
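
The name check described in the reply above, as an added example that is not part of the original thread and is not Cisco tooling: a Python lint that flags an IKEv2 profile whose `aaa authorization group` line names an authorization policy that is not defined, and a policy whose pool has no matching `ip local pool`. It assumes indented `show running-config` text and a local AAA method list (so the last argument is a policy name); `SAMPLE_CONFIG` is constructed from the lines quoted in the reply, and `lint_ikev2_references` is a hypothetical helper name.

```python
import re

# Constructed sample: only the lines quoted in the reply, not the full router config.
SAMPLE_CONFIG = """\
crypto ikev2 authorization policy ikev2-auth-policy
 pool quantri
!
crypto ikev2 profile vanphong
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong
!
ip local pool vanphong 172.31.254.65 172.31.254.127
"""

def lint_ikev2_references(config):
    """Return findings for IKEv2 profile/policy names that point at nothing."""
    policies = {}      # authorization policy name -> pool name (or None)
    profile_refs = []  # (profile name, authorization policy it references)
    pools = set()      # names defined with 'ip local pool'
    section = None     # (kind, name) of the block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new block
            section = None
            if m := re.match(r"crypto ikev2 authorization policy (\S+)", line):
                section = ("policy", m.group(1))
                policies[m.group(1)] = None
            elif m := re.match(r"crypto ikev2 profile (\S+)", line):
                section = ("profile", m.group(1))
            elif m := re.match(r"ip local pool (\S+)", line):
                pools.add(m.group(1))
        elif section and section[0] == "policy":
            if m := re.match(r"pool (\S+)", line):
                policies[section[1]] = m.group(1)
        elif section and section[0] == "profile":
            # Form seen in the thread: ... list <aaa-list> <policy-name>
            m = re.match(r"aaa authorization group .*\blist \S+ (\S+)", line)
            if m and m.group(1) != "name-mangler":  # a mangler derives the name at run time
                profile_refs.append((section[1], m.group(1)))
    findings = []
    for profile, policy in profile_refs:
        if policy not in policies:
            findings.append(f"profile {profile}: authorization policy {policy} is not defined")
    for policy, pool in policies.items():
        if pool and pool not in pools:
            findings.append(f"policy {policy}: pool {pool} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ikev2_references(SAMPLE_CONFIG)))
```

Run it against the complete running configuration: on a partial paste, as in the constructed sample, a pool or policy defined elsewhere is reported as missing.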

Thanks RJI,

I deleted some profiles and kept the profile for mobile in my configuration, so it already has this profile. I have uploaded my configuration again.

crypto ikev2 profile vanphong
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 300

crypto ikev2 authorization policy vanphong
 pool vanphong
 dns 192.168.254.1
 netmask 255.255.255.224
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.253.0 255.255.255.0

ip local pool vanphong 172.31.254.65 172.31.254.127

Note: the VPN connected and assigned an IP address, the same as in the command I showed above: show crypto ikev2 sa detail

Thanks

Phan

Hi RJI,

Do you have any comment?

Thanks,

Phan