Solved: Re: anyconnect client profile configuration - Page 3

DAK007 · ‎09-25-2018

I All,

i have a problem to configure my any-connect vpn remote access. there is my router when i try it show connection attempt has timed out please verify internet connectivity. I'm able to ping my outside interface from outside

Cisco router 1001-X show run is in the attached file

URGENT please !

Rob Ingram · ‎10-08-2018

Also, send me the output of "show crypto pki certificates" from the router.

DAK007 · ‎10-08-2018

i will send the wireshark output in 5 minutes

CEPICI-ORANGE#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=CEPICICca.local
Subject:
Name: CEPICI-ORANGE.cepici.local
hostname=CEPICI-ORANGE.cepici.local
cn=cepici
ou=cepici
Validity Date:
start date: 23:25:04 UTC Oct 4 2018
end date: 23:25:04 UTC Oct 29 2018
Associated Trustpoints: IKEv2-TP
Storage: nvram:CEPICICcaloc#3.cer

CA Certificate (Rollover)
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=CEPICICca.local
Subject:
Name: CEPICICca.local
cn=CEPICICca.local
Validity Date:
start date: 23:22:56 UTC Nov 3 2018
end date: 23:22:56 UTC Dec 3 2018
Associated Trustpoints: CEPICI-ORANGE-PKI-SERVER
Storage: nvram:CEPICICcaloc#2.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=CEPICICca.local
Subject:
cn=CEPICICca.local
Validity Date:
start date: 23:22:56 UTC Oct 4 2018
end date: 23:22:56 UTC Nov 3 2018
Associated Trustpoints: IKEv2-TP CEPICI-ORANGE-PKI-SERVER
Storage: nvram:CEPICICcaloc#1CA.cer

Certificate
Status: Available
Certificate Serial Number (hex): 022EBEA5
Certificate Usage: General Purpose
Issuer:
cn=ACT2 SUDI CA
o=Cisco
Subject:
Name: ASR1001-X
Serial Number: PID:ASR1001-X SN:JAE220102KX
cn=ASR1001-X
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:ASR1001-X SN:JAE220102KX
Validity Date:
start date: 14:18:43 UTC Jan 6 2018
end date: 20:25:41 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 61096E7D00000000000C
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=ACT2 SUDI CA
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 17:56:57 UTC Jun 30 2011
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 20:17:12 UTC May 14 2004
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2621794648
Subject:
Name: IOS-Self-Signed-Certificate-2621794648
cn=IOS-Self-Signed-Certificate-2621794648
Validity Date:
start date: 13:39:10 UTC Oct 4 2012
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: TP-self-signed-2621794648
Storage: nvram:IOS-Self-Sig#1.cer

DAK007 · ‎10-08-2018

this is the wireshark output

Rob Ingram · ‎10-08-2018

Can you take another capture when plugged into the inside of the network and upload

When you connect to the outside of the network do you connect on the IP or FQDN?
When you connect to the inside of the network (and it works) do you connect using the same IP or FQDN when it doesn't work?
Do you get any certificate errors?

DAK007 · ‎10-08-2018

i connect using the public IP

all screnshot are joined

Rob Ingram · ‎10-08-2018

This capture did not provide anything in regard to the vpn, make sure you selected the correct interface when doing the capture.

DAK007 · ‎10-08-2018

this is the right interface

DAK007 · ‎10-09-2018

Hi Rji,

Any news for the troubleshooting?

Rob Ingram · ‎10-09-2018

Well the last packet capture confirms what I'd expect normally see, the packet SRC port is 500 not 512 (as per the non-working packet capture), I don't know why that is. I think you should raise a TAC call with Cisco..

DAK007 · ‎10-09-2018

I have open a case waiting for them m to reply.
Yoi did the same configuration right? Can I know which anyconnec client you use?
Your profile.xml file is différents from mine?
What should i add to my configuration ?
Compared to yours

DAK007 · ‎10-09-2018

hi RJI,
this is the msg tac sent me just now :

Dear Abdoul ,
Thank you for contacting Cisco

Please also be aware that ASA5516-FPWR-,ASR1001-X devices doesn't provide access to Anyconnect 4x.

As mentioned at the top of the AnyConnect 4.x e is only available to customers who have purchased Plus/Apex licenses.
PLUS license comes with a contract, which needs to be associated with the user's profile

which client are you using?

Rob Ingram · ‎10-09-2018

I use AnyConnect 4.6 with a Cisco 1921 router IOS version 15.7. The only other difference I see is, I don't have any certificate errors when I establish a connection...but that doesn't explain why you can connect on the inside interface.

DAK007 · ‎10-09-2018

can you show the show run and you profile.xml ?
il may help me

DAK007 · ‎10-09-2018

hi RJI,

no it is working fine.

access-list any any is not recommended by cisco for vpn so i have added a deny statement on the nat inside and it works fine .

thank you for all

DAK007 · ‎10-16-2018

Hi Rji,

Sorry if i ask toi much.

Vpn il working fine, I can only access the production network (10.10.0.0/24) and i want to access the management management network (172.23.0.0/24) also i really don't know how to add it to my vpn tunel