SSL WebVPN 404 error

DOUGLAS DRURY
Level 1

I'm a bit stuck with my WebVPN weekend project. I've configured a WebVPN on my Cisco 1841 router using the command line, but for some reason when I try to access the web portal I keep getting the 404 error. I tried reconfiguring it with Cisco CP but still no luck. Could someone point me in the right direction as to where the failure is in my configuration? I have used the CCNA Security book as a guide.

Vauxhall_Cross#sh run

Building configuration...

Current configuration : 3674 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Vauxhall_Cross

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$ZIm.$daY/Jq7JsIZrjcyYSyxiK0

!

aaa new-model

!

!

aaa authentication login sslvpn local

!

!

aaa session-id common

dot11 syslog

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-4132939895

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4132939895

revocation-check none

rsakeypair TP-self-signed-4132939895

!

!

crypto pki certificate chain TP-self-signed-4132939895

certificate self-signed 01

        quit

!

!

username drury secret 5 $1$Egaq$sjGRXhPMNduHUkuMXaXjC/

username webtest secret 5 $1$IEAw$HD7BkLEPnv4qVdUwJeML8/

archive

log config

  hidekeys

!

!

!

!

!

!

!

interface FastEthernet0/0

description $OUTSIDE$

ip address 192.168.99.2 255.255.255.0

speed 100

full-duplex

!

interface FastEthernet0/1

description $INSIDE$

ip address 192.168.2.1 255.255.255.0

speed 100

full-duplex

!

router rip

network 192.168.2.0

network 192.168.99.0

!

ip local pool webvpn-pool 192.168.99.10 192.168.99.15

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.99.1

!

!

ip http server

ip http secure-server

!

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

transport input ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 130.88.203.12 source FastEthernet0/0

!

webvpn gateway Cisco-WebVPN-Gateway

ip address <removed> port 443

ssl encryption rc4-md5

ssl trustpoint my-trustpoint

inservice

!

webvpn install svc flash:/webvpn/svc.pkg

!

webvpn context Cisco-WebVPN

title "idrury WebVPN - Powered By Cisco"

ssl authenticate verify all

!

url-list "rewrite"

!

acl "ssl-acl"

   permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0

!

login-message "Cisco Secure WebVPN"

!

policy group webvpnpolicy

   functions svc-enabled

   filter tunnel ssl-acl

   svc address-pool "webvpn-pool"

   svc rekey method new-tunnel

   svc split include 192.168.99.0 255.255.255.0

default-group-policy webvpnpolicy

aaa authentication list sslvpn

gateway Cisco-WebVPN-Gateway

max-users 2

inservice

!

end

25 Replies

Yes, it lets me login. When I enter my username and password through IE or Chrome I get the 404 error, so I can login of a sort. It should be the web portal where I log in, but I seem to be getting login boxes.

https://supportforums.cisco.com/thread/2083698

Please check this thread.

I think you need to update IOS.

Regards,
Gurpreet S Puri

*******************************
Keep Smiling, Peace
*******************************

(Please Rate Helpful Post)


Do you know where on cisco.com I can get the update from? I guess I'll have to pay for it?

Thanks

Douglas

Please follow the link:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_bulletin0900aecd806571a6.html

Regards,
Gurpreet S Puri

********************
Keep Smiling, Peace
********************

(Please Rate Helpful Post)


Hi Douglas,

Please mark the correct answer and close the thread if you got what you are looking for.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace :)
****************************

(Please Rate Helpful Post)


Hi Gurpreet

I'm going to reconfigure the WebVPN from scratch and see what happens. If it still doesn't work I'll have to give up, as I don't have a service contract with Cisco and can't afford to pay for it to get the latest IOS.

Thank you very much for your help.

You are welcome Douglas.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace :)
****************************

(Please Rate Helpful Post)


HWIC-3G-HSPA-G supported with 15.1(1)T or later

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/ps7272/product_data_sheet0900aecd80600f41.html

It seems to be an IOS issue. You need to update it.

Regards,
Gurpreet S Puri

********************
Keep Smiling, Peace
********************

(Please Rate Helpful Post)


sashkan16
Level 1

Hi,

Try to generate RSA keys, a trustpoint and a certificate which includes the IP address of the GW and whose CN is the FQDN (or the IP address if you are accessing the portal by IP), instead of using the automatically generated certificate.

Example for certificates:

crypto pki trustpoint SSL

enrollment selfsigned

ip-address x.x.x.x

subject-name CN=x.x.x.x

revocation-check none

rsakeypair SSL

BR
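
A lint for the trustpoint advice above, as an added example in Python that is not part of the original thread: it checks that each `webvpn gateway` block references a trustpoint that is actually defined with a subject-name CN, and flags the `rc4-md5` cipher setting. `audit_webvpn`, `WEAK_SSL` and the sample excerpt (modelled on the router configuration posted earlier, with a documentation address in place of the removed one) are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the router configuration posted in this thread.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-4132939895
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4132939895
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 192.0.2.1 port 443
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
!
"""

WEAK_SSL = {"rc4-md5"}  # assumption of this example: RC4 and MD5 are both deprecated


def audit_webvpn(config):
    """Return findings for every 'webvpn gateway' block in an IOS running-config."""
    trustpoints, gateways, block = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            # blank lines (double-spaced forum pastes) are skipped; '!' closes a block
            block = None if line == "!" else block
            continue
        tp = re.fullmatch(r"crypto pki trustpoint (\S+)", line)
        gw = re.fullmatch(r"webvpn gateway (\S+)", line)
        if tp:
            block = trustpoints.setdefault(tp.group(1), [])
        elif gw:
            block = gateways.setdefault(gw.group(1), [])
        elif block is not None:
            block.append(line)
    findings = []
    for name, cmds in gateways.items():
        for cmd in cmds:
            if cmd.startswith("ssl trustpoint "):
                ref = cmd.split()[2]
                if ref not in trustpoints:
                    findings.append(f"{name}: trustpoint '{ref}' is not defined")
                elif not any(c.lower().startswith("subject-name cn=") for c in trustpoints[ref]):
                    findings.append(f"{name}: trustpoint '{ref}' has no subject-name CN")
            elif cmd.startswith("ssl encryption "):
                for weak in sorted(set(cmd.split()[2:]) & WEAK_SSL):
                    findings.append(f"{name}: weak cipher suite {weak}")
    return findings
```

Run against the sample, the function reports the weak cipher suite and the reference to `my-trustpoint`, which has no matching `crypto pki trustpoint` definition in the excerpt.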

Hi there, I have the same issue here too, but for me it works on the inside interface but on the outside interface it doesn't work; it loads the webpage and a 404 error appears.

intranet# sh run

: Saved

:

ASA Version 8.4(5)

!

hostname intranet

domain-name sincronet.es

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan2

nameif outside

security-level 0

ip address 172.30.1.2 255.255.255.0

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.128.50 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.128.1

name-server 192.168.128.5

name-server 192.168.128.6

domain-name sincronet.es

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access extended permit tcp any any

access-list inside_access_in remark snmp leo

access-list inside_access_in extended permit ip any any log notifications

access-list inside_access_in remark snmp leo

access-list AccesoExt standard permit any

access-list outside_access_in extended permit ip any any log notifications

pager lines 24

logging enable

logging trap notifications

logging asdm informational

logging host inside 192.168.128.6

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 172.30.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable 444

http 192.168.128.0 255.255.255.0 inside

snmp-server host inside 192.168.128.106 community ***** version 2c

snmp-server host inside 192.168.128.6 community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

no sysopt connection permit-vpn

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

telnet timeout 5

ssh 192.168.128.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.128.1 source inside

webvpn

enable outside

enable inside

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]

group-policy Grp_Clientes internal

group-policy Grp_Clientes attributes

vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

webvpn

  customization value Portal_Cliente

group-policy GroupPolicy2 internal

group-policy GroupPolicy2 attributes

vpn-tunnel-protocol ssl-clientless

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol l2tp-ipsec

username sincronet password JkNymEFJ8fxnTI8W encrypted privilege 15

vpn-group-policy Grp_Clientes

service-type remote-access

tunnel-group Tunnel_Clientes type remote-access

tunnel-group Tunnel_Clientes general-attributes

default-group-policy Grp_Clientes

webvpn_db.c:webvpn_get_server_db_first[161]

tunnel-group Tunnel_Clientes webvpn-attributes

customization Portal_Cliente

nbns-server 192.168.128.1 master timeout 2 retry 2

group-alias intranet enable

group-url https://192.168.128.50/intranet enable

group-url https://81.43.96.53/intranet enable

group-url https://intranet.sincronet.es/intranet/ enable

tunnel-group Tunnel_Sincronet type remote-access

tunnel-group Tunnel_Sincronet webvpn-attributes

group-alias sincronet enable

group-url https://172.30.1.2/sincronet enable

group-url https://intranet.sincronet.es/sincronet enable

!

!

webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]

webvpn_db.c:webvpn_get_port_forward_db_first[817]

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d1626b68067c0800ccbbdea24a247a0f

: end

intranet#

Someone to help?
