Issue WebVPN AnyConnect client to site

geoffroy2708
Level 1

Hello, as part of my training for the CCNA Security cert, I'm trying to set up a client-to-site VPN. But I'm failing to connect remotely. My redacted config follows:


version 15.7

aaa new-model
!
!
aaa authentication login local_access local
aaa authentication login SSLVPN local
!
aaa session-id common
clock timezone LAUSANN 1 0
!
crypto pki trustpoint mytrustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair RSAVPN
!
!
crypto pki certificate chain mytrustpoint
 certificate self-signed 01
  3082038C 30820274 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  5F311F30 1D060355 04031316 66697265 77616C6C 63782D63 65727469 66696361 
  quit
!
username bob privilege 15 secret 9 $9$m0khQs19TuR2Kk$oByHQdYyNNgXFJJLAwNGCIPwaCb/lE0ABpBVfFJcKoE
username bobvpn secret 9 $9$84m1uDxNJ5IS7n$vG8YPz3N1OC9aZdw//ftPJNyO6pnJ2dfJ8oBcGU7IoM
!
redundancy
!
controller VDSL 0
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 description PrimaryWANDesc_
 ip dhcp client class-id 100008,0001
 ip ddns update OVH
 ip address dhcp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp helper-address 1.1.1.1
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 no ip address
!
ip local pool VPNpool 10.0.10.1 10.0.10.254
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list MAIN interface Ethernet0 overload
!
ip ssh version 2
!
ip access-list standard MAIN
 permit 10.0.222.2
 permit 10.0.1.0 0.0.0.255
 permit 10.0.2.0 0.0.0.255
!
ipv6 ioam timestamp
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
control-plane
!
 vstack
!
webvpn gateway Cisco-WebVPN-Gateway
 ip interface Ethernet0 port 443
 ssl encryption rc4-md5 rsa-dhe-aes256-sha1
 ssl trustpoint mytrustpoint
 inservice
 !
webvpn context Cisco-WebVPN
 title "La Maison"
 !
 acl "SSLACL"
   permit ip 10.0.10.0 255.255.255.0 any
 login-message "Login VPN"
 aaa authentication list SSLVPN
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   functions svc-required
   filter tunnel SSLACL
   svc address-pool "VPNpool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include acl 1
   svc dns-server primary 8.8.8.8
 default-group-policy webvpnpolicy
!
end

Would you have an idea, knowing that I can log in but get this message:

AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

And a show webvpn gives this output:

Cisco#show webvpn session user bobvpn context Cisco-WebVPN detail
Session Type      : Clientless
Client User-Agent : AnyConnect Darwin_i386 4.6.02074                            

Username          : bobvpn             Num Connection : 0                   
Public IP         : 46.14.227.54         VRF Name       : None                
Context           : Cisco-WebVPN         Policy Group   : webvpnpolicy        
Last-Used         : 00:00:41             Created        : 11:56:11.950 LAUSANN Mon May 6 2019
Session Timeout   : Disabled             Idle Timeout   : 2100                
DNS primary serve : 8.8.8.8             
Citrix            : Disabled             Citrix Filter  : None                
Capabilites       : svc-required        
                    svc-enabled  

It seems no IP has been assigned to the VPN user?

Thanks

5 Replies

Hi,

Looks like you are missing a VTI (virtual-template interface), reference here. The VTI would be then referenced under the policy group.

HTH

Thanks !

I can now connect through the iPhone AnyConnect client, but still not from my computer:

Session Type      : Full Tunnel
Client User-Agent : AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.7.02025        

Username          : bob             Num Connection : 1                   
Public IP         : 46.xxx.xxx.53         VRF Name       : None                
Context           : Cisco-WebVPN         Policy Group   : webvpnpolicy        
Last-Used         : 00:00:01             Created        : 09:10:00.264 LAUSANN Tue May 7 2019
Session Timeout   : Disabled             Idle Timeout   : 2100                
DNS primary serve : 8.8.8.8             
DPD GW Timeout    : 300                  DPD CL Timeout : 300                 
Address Pool      : VPNpool              MTU Size       : 1406                
Rekey Time        : 3600                 Rekey Method   : new-tunnel          
Lease Duration    : 43200               
Tunnel IP         : 10.0.10.1            Netmask        : 255.255.255.0       
Tunnel-mode filte : SSLACL              
Rx IP Packets     : 96                   Tx IP Packets  : 177                 
CSTP Started      : 00:00:04             Last-Received  : 00:00:01            
CSTP DPD-Req sent : 0                    Virtual Access : 1                   
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled            
Msie-Exception    : 
Split Include     : ACL 1               
Client Ports      : 53639 
Session Type      : Clientless
Client User-Agent : AnyConnect Darwin_i386 4.6.02074                            

Username          : bob             Num Connection : 1                   
Public IP         : 46.xxx.xxx.54         VRF Name       : None                
Context           : Cisco-WebVPN         Policy Group   : webvpnpolicy        
Last-Used         : 00:00:11             Created        : 09:15:35.697 LAUSANN Tue May 7 2019
Session Timeout   : Disabled             Idle Timeout   : 2100                
DNS primary serve : 8.8.8.8             
Citrix            : Disabled             Citrix Filter  : None                
Url List          : rewrite
Capabilites       : svc-required        
                    svc-enabled         
Client Ports      : 62296 

Is there anything to set up on the computer itself? Maybe through an XML file?

Have you uploaded the AnyConnect client for Windows? You will need the pkg file for each OS you wish to connect from.

HTH

Actually, as I had already installed the client on the computer, I switched this part; would that be the reason it doesn't work?

When I try to connect from a computer, the logs state "No valide certificates available for authentication".

Maybe something to change in the profile of the client?

Yes you need the AnyConnect client uploaded to the router, only operating systems which have AnyConnect images present on the AnyConnect headend will be permitted to connect.

HTH
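Both fixes from this thread, the missing virtual-template interface and the missing AnyConnect image on the headend, as one added IOS configuration example (not the original poster's config or any reply's). It assumes the pool and Vlan1 from the posted config, and the package file names are placeholders for whatever versions are actually copied to flash; in IOS SSL VPN the virtual-template is bound under the webvpn context rather than the policy group.

```cisco
! Added example, not from the original post. Package names are placeholders.
!
! 1. Virtual-template interface. The SSL VPN headend clones a Virtual-Access
!    interface from it for every full-tunnel (svc) client; without it the
!    session stays "Clientless" and no Tunnel IP from VPNpool is assigned,
!    exactly as the first "show webvpn session" output above shows.
interface Virtual-Template1
 ip unnumbered Vlan1
!
! 2. AnyConnect client images, one per client OS. The headend only lets an
!    OS connect when a matching image is installed, so a Windows or macOS
!    client with no image here never gets past the clientless portal.
!    Replace the placeholder file names with the .pkg files on flash.
crypto vpn anyconnect flash:/anyconnect-win-PLACEHOLDER-webdeploy-k9.pkg sequence 1
crypto vpn anyconnect flash:/anyconnect-macos-PLACEHOLDER-webdeploy-k9.pkg sequence 2
!
! 3. Bind the virtual-template to the existing context (context level,
!    not under "policy group webvpnpolicy").
webvpn context Cisco-WebVPN
 virtual-template 1
!
! Checks after the change:
!   show webvpn install status svc        -> lists the installed images
!   show webvpn session context Cisco-WebVPN
!     Session Type should read "Full Tunnel" and "Tunnel IP" should be
!     an address from VPNpool, as in the working iPhone session above.
```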