aaa authentication anyconnect-eap is not recognised

tanyatamir53355
Level 1

For some reason the router does not recognise the “AnyConnect-eap” command at all?

It’s a 2921 running 15.2 IOS and has securityk9 and base?

I can only use “eap query-identity”?

Does this only work on IOS-XE?

I’m in the process of setting up FlexVPN remote access.

10 Replies

@tanyatamir53355 

Certainly on my ISR G2 (1921) running 15.7 that command is available. Therefore I imagine it's more than likely available on your ISR G2 2921, so you'll probably need to upgrade the IOS. 

 

Just double checked, it's 15.2 and it's definitely not there.

I tried to download 15.7 to upgrade; do I need a services account?

Yes, or get your Cisco partner to get it for you.

tanyatamir53355
Level 1

@Rob Ingram 

Upgraded to 15.7, all commands now available.

A quick question about the cryptography used in the profile of the tunnel policy (e.g. mine is aes-cbc 256 and uses sha256 for the hash):

does the certificate crypto and hash have to be the same as the profile?

No, but the stronger the better

Getting a crypto mismatch error on the client-side AnyConnect when I attempt to connect.

Using a self-signed RSA 256 certificate created in OpenSSL and converted to a pk12 file. Uploaded to flash.

Will attempt to troubleshoot further tonight.

@Rob Ingram 

 

Hi, quick question please.

I obviously needed to port forward 4500 and 500 on my ISP router.

Do I also need an ACL on the outside interface of the Cisco router permitting those ports? Or is that not necessary?

Traffic is being blocked because it keeps retransmitting.

 

tanyatamir53355
Level 1

@Rob Ingram 

 

I am now getting the exact same error message on both AnyConnect mobile and the AnyConnect (ver 4.9) Windows client.

 

 


crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 10.0.1.1
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 15
!
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
!
!
!
!
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
!
!
!
!
!
!
interface Loopback100
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.10.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool ACPOOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

tanyatamir53355
Level 1
Level 1

Here is the crypto debug:

 

*May 14 14:57:34.251: IKEv2:Received Packet [From 192.168.0.1:51114/To 192.168.0.254:500/VRF i0:f0]
Initiator SPI : DB9FDDC626B324BF - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)

*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
*May 14 14:57:34.251: IKEv2:Searching Policy with fvrf 0, local address 192.168.0.254
*May 14 14:57:34.251: IKEv2:Using the Default Policy for Proposal
*May 14 14:57:34.251: IKEv2:Found Policy 'default'
*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
*May 14 14:57:34.255: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-GCM-256 AES-GCM-192 AES-GCM-128 SHA384 SHA512 SHA256 SHA1 None DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.263:
*May 14 14:57:34.263: Proposal 2: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA384 SHA512 SHA256 SHA1 SHA256 SHA384 SHA96 SHA512 DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.271:
*May 14 14:57:34.271:
*May 14 14:57:34.271: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
*May 14 14:57:34.279:
*May 14 14:57:34.279:
*May 14 14:57:34.283: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):: Failed to find a matching policy
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Sending no proposal chosen notify

*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 192.168.0.1:51114/From 192.168.0.254:500/VRF i0:f0]
Initiator SPI : DB9FDDC626B324BF - Responder SPI : 8CCAD671C557673E Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)

*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Failed SA init exchange
*May 14 14:57:34.283: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Initial exchange failed: Initial exchange failed
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Abort exchange
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Deleting SA
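
An added example, not from the thread or from Cisco: a small Python parser that reads the "Received Policies" / "Expected Policies" lines of the debug posted above and reports, per proposal pair, which algorithm category has no overlap. On the posted output it shows that the client's AES-CBC proposal fails only on the DH group (the router is offering groups 2 and 5, consistent with the "Using the Default Policy for Proposal" line, not the group 15 configured in IKEv2-prop1); the sample input is a constructed copy of the debug lines from the post.

```python
import re

# Constructed sample: the "Received/Expected Policies" debug lines from the post above.
DEBUG = """\
*May 14 14:57:34.255: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-GCM-256 AES-GCM-192 AES-GCM-128 SHA384 SHA512 SHA256 SHA1 None DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.263: Proposal 2: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA384 SHA512 SHA256 SHA1 SHA256 SHA384 SHA96 SHA512 DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.271: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

TOKEN = re.compile(r"DH_GROUP_\w+/Group \d+|\S+")  # DH tokens contain a space, match them first
PROPOSAL = re.compile(r"Proposal (\d+):\s*(.*)$")
CATEGORIES = ("encryption", "integrity/prf", "dh")

def classify(token):
    if token.startswith("DH_GROUP"):
        return "dh"
    if token.startswith(("AES", "3DES", "DES", "NULL")):
        return "encryption"
    return "integrity/prf"  # SHA*, MD5*, None: PRF and integrity share one list in the debug

def parse_proposals(debug):
    """Return {'received': [algs per proposal], 'expected': [...]} from IKEv2 debug text."""
    side, out = None, {"received": [], "expected": []}
    for line in debug.splitlines():
        if "Received Policies" in line:
            side = "received"
        elif "Expected Policies" in line:
            side = "expected"
        m = PROPOSAL.search(line)
        if m and side:
            algs = {cat: set() for cat in CATEGORIES}
            for tok in TOKEN.findall(m.group(2)):
                algs[classify(tok)].add(tok)
            out[side].append(algs)
    return out

def diagnose(debug):
    """Name the algorithm categories with no overlap between each received and expected proposal."""
    props = parse_proposals(debug)
    findings = []
    for i, recv in enumerate(props["received"], 1):
        for j, exp in enumerate(props["expected"], 1):
            empty = [cat for cat in CATEGORIES if not recv[cat] & exp[cat]]
            verdict = "match" if not empty else "no common " + ", ".join(empty)
            findings.append(f"received proposal {i} vs expected proposal {j}: {verdict}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(DEBUG)))
```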

tanyatamir53355
Level 1

I managed to resolve the policy mismatch!

Quick question: what does the following mean?

SA KE N NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Verify SA init message
*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Insert SA
*May 14 15:17:05.067: IKEv2:Searching Policy with fvrf 0, local address 192.168.0.254
*May 14 15:17:05.067: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 192.168.0.254
*May 14 15:17:05.067: IKEv2-ERROR:(SESSION ID = 42,SA ID = 1):: Failed to locate an item in the database
*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Failed SA init exchange
*May 14 15:17:05.067: IKEv2-ERROR:(SESSION ID = 42,SA ID = 1):Initial exchange failed: Initial exchange failed
*May 14 15:17:05.071: IKEv2:(SESSION ID = 42,SA ID = 1):Abort exchange
*May 14 15:17:05.071: IKEv2:(SESSION ID = 42,SA ID = 1):Deleting SA

Is this a NAT issue?