Anyconnect fails on Cisco 3945 router

alexpara72
Level 1

Hi.

I have not been successful implementing IOS SSL VPN on a 3945 router using AnyConnect (the thin-client solution works instead).

Debugging on the router (webvpn AAA/webservice; ssl) when I try to connect with AnyConnect (I have the 2.5.60005 pkg installed on the router), I can see:

- the AAA completing successfully

*Nov  8 09:09:51.922: SSL_accept:SSLv3 read finished A
*Nov  8 09:09:51.926: Handshake done: SSL negotiation finished successfully
*Nov  8 09:09:51.926: WV-WEBSERVICE: remapped file /webvpn.html to /auth.html
*Nov  8 09:09:51.926: WV-WEBSERVICE: Found file: /auth.html, length: 473, data: 0x1020C44
*Nov  8 09:09:51.926: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:09:51 GMT, Expires: Thu, 08 Nov 2012 08:09:51 GMT
*Nov  8 09:09:51.926: Downgrading x_transcend_version to 1 from 1
*Nov  8 09:09:51.926: WV-WEBSERVICE: Created HTTP reply header dump
*Nov  8 09:09:51.926: HTTP/1.1 200 OK
*Nov  8 09:09:51.926: Cache-Control: max-age=0
*Nov  8 09:09:51.926: Content-Type: text/html
*Nov  8 09:09:51.926: Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
*Nov  8 09:09:51.926: Set-Cookie: webvpncontext=00@JACK-VPN-CTX; path=/
*Nov  8 09:09:51.926: X-Transcend-Version: 1
*Nov  8 09:09:51.926: Content-Length: 473
*Nov  8 09:09:51.926: Connection: close
*Nov  8 09:09:51.926:
*Nov  8 09:09:51.926:
*Nov  8 09:09:51.926:
*Nov  8 09:09:51.926: WV-WEBSERVICE: Created 473 byte content data to send to external client for requested file: /auth.html
*Nov  8 09:09:51.926: <?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
        <title>Default Customization</title>
        <message>Please enter your username and password.</message>
        <form method=?
*Nov  8 09:09:51.926:
...
...
*Nov  8 09:10:33.882: SSL_accept:SSLv3 read finished A
*Nov  8 09:10:33.882: Handshake done: SSL negotiation finished successfully
*Nov  8 09:10:33.882: WV-AAA: Nas Port ID set to 80.x.x.x.
*Nov  8 09:10:33.882: WV-AAA: AAA authentication request sent for user: "testuser"
*Nov  8 09:10:33.886: WV-AAA: username: Processing AV
*Nov  8 09:10:33.886: WV-AAA: clid: Processing AV
*Nov  8 09:10:33.886: WV-AAA: AAA Authentication Passed!
*Nov  8 09:10:33.886: WV-AAA: User "testuser" has logged in from "80.x.x.x" to gateway "JACK-VPN-GW"
             context "JACK-VPN-CTX"
*Nov  8 09:10:33.886: WV-WEBSERVICE: remapped file /logon.html to /success.html
*Nov  8 09:10:33.886: WV-WEBSERVICE: Found file: /success.html, length: 222, data: 0x256B0F0
*Nov  8 09:10:33.886: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:10:33 GMT, Expires: Thu, 08 Nov 2012 08:10:33 GMT
*Nov  8 09:10:33.886:  SHA1 hash is:C7B30C7C41BCF0CC00888EAC4832733B9A3716AC
*Nov  8 09:10:33.886: Downgrading x_transcend_version to 1 from 1
*Nov  8 09:10:33.886: WV-WEBSERVICE: Created HTTP reply header dump
*Nov  8 09:10:33.886: HTTP/1.1 200 OK
*Nov  8 09:10:33.886: Cache-Control: max-age=0
*Nov  8 09:10:33.890: Content-Type: text/html
*Nov  8 09:10:33.890: Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
*Nov  8 09:10:33.890: Set-Cookie: webvpn=00@1353313019@00124@3561354633@1685504030@JACK-VPN-CTX; path=/
*Nov  8 09:10:33.890: Set-Cookie: webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:C7B30C7C41BCF0CC00888EAC4832733B9A3716AC&; path=/
*Nov  8 09:10:33.890: X-Transcend-Version: 1
*Nov  8 09:10:33.890: Content-Length: 147
*Nov  8 09:10:33.890: Connection: close
*Nov  8 09:10:33.890:
*Nov  8 09:10:33.890:
*Nov  8 09:10:33.890:
*Nov  8 09:10:33.890: WV-WEBSERVICE: Created 147 byte content data to send to external client for requested file: /success.html
*Nov  8 09:10:33.890: <?xml version="1.0" encoding="UTF-8"?><auth id="success"><title>SSL VPN Service</title><banner></banner><message>Success</message><success/></auth>

- But just after clicking to accept the cert, I can see some 404 HTTP errors and an SSL decode error, and the AnyConnect popup window says "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again" and then "The VPN client failed to establish a connection"

...
...
*Nov  8 09:13:06.391: SSL_accept:SSLv3 read finished A
*Nov  8 09:13:06.391: Handshake done: SSL negotiation finished successfully
*Nov  8 09:13:06.395: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
*Nov  8 09:13:06.395: WV-WEBSERVICE: remapped file /+CSCOT+/translation-table?type=combined-manifes to /+CSCOT+/translation-table?type=combined-manifes
*Nov  8 09:13:06.395: WV-WEBSERVICE: Could not find requested file: /+CSCOT+/translation-table?type=combined-manifes
*Nov  8 09:13:06.395: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:13:06 GMT, Expires: Thu, 08 Nov 2012 08:13:06 GMT
*Nov  8 09:13:06.395: WV-WEBSERVICE: Created HTTP reply for not found message
*Nov  8 09:13:06.395: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.395: Date: Thu, 08 Nov 2012 09:13:06 GMT
*Nov  8 09:13:06.395: Content-Length:  0
*Nov  8 09:13:06.395: Content-Type: text/html
*Nov  8 09:13:06.395: Connection: Keep-Alive
*Nov  8 09:13:06.395:
*Nov  8 09:13:06.395:
*Nov  8 09:13:06.395:
*Nov  8 09:13:06.431: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
*Nov  8 09:13:06.431: WV-WEBSERVICE: remapped file /+CSCOT+/translation-table?type=combined-manifes to /+CSCOT+/translation-table?type=combined-manifes
*Nov  8 09:13:06.431: WV-WEBSERVICE: Could not find requested file: /+CSCOT+/translation-table?type=combined-manifes
*Nov  8 09:13:06.431: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:13:06 GMT, Expires: Thu, 08 Nov 2012 08:13:06 GMT
*Nov  8 09:13:06.431: WV-WEBSERVICE: Created HTTP reply for not found message
*Nov  8 09:13:06.431: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.431: Date: Thu, 08 Nov 2012 09:13:06 GMT
*Nov  8 09:13:06.431: Content-Length:  0
*Nov  8 09:13:06.431: Content-Type: text/html
*Nov  8 09:13:06.431: Connection: Keep-Alive
*Nov  8 09:13:06.431:
*Nov  8 09:13:06.431:
*Nov  8 09:13:06.431:
*Nov  8 09:13:06.527: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=win
*Nov  8 09:13:06.527: WV-WEBSERVICE: remapped file /+CSCOT+/oem-customization?app=AnyConnect&type=m to /+CSCOT+/oem-customization?app=AnyConnect&type=m
*Nov  8 09:13:06.527: WV-WEBSERVICE: Could not find requested file: /+CSCOT+/oem-customization?app=AnyConnect&type=m
*Nov  8 09:13:06.527: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:13:06 GMT, Expires: Thu, 08 Nov 2012 08:13:06 GMT
*Nov  8 09:13:06.527: WV-WEBSERVICE: Created HTTP reply for not found message
*Nov  8 09:13:06.527: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.527: Date: Thu, 08 Nov 2012 09:13:06 GMT
*Nov  8 09:13:06.527: Content-Length:  0
*Nov  8 09:13:06.527: Content-Type: text/html
*Nov  8 09:13:06.527: Connection: Keep-Alive
*Nov  8 09:13:06.527:
*Nov  8 09:13:06.527:
*Nov  8 09:13:06.527:
*Nov  8 09:13:06.563: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=win
*Nov  8 09:13:06.563: WV-WEBSERVICE: remapped file /+CSCOT+/oem-customization?app=AnyConnect&type=m to /+CSCOT+/oem-customization?app=AnyConnect&type=m
*Nov  8 09:13:06.563: WV-WEBSERVICE: Could not find requested file: /+CSCOT+/oem-customization?app=AnyConnect&type=m
*Nov  8 09:13:06.563: WV-WEBSERVICE: Date: Thu, 08 Nov 2012 09:13:06 GMT, Expires: Thu, 08 Nov 2012 08:13:06 GMT
*Nov  8 09:13:06.563: WV-WEBSERVICE: Created HTTP reply for not found message
*Nov  8 09:13:06.563: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.563: Date: Thu, 08 Nov 2012 09:13:06 GMT
*Nov  8 09:13:06.563: Content-Length:  0
*Nov  8 09:13:06.563: Content-Type: text/html
*Nov  8 09:13:06.563: Connection: Keep-Alive
*Nov  8 09:13:06.563:
...
...
*Nov  8 09:13:06.831: SSL_accept:SSLv3 write certificate A
*Nov  8 09:13:06.831: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
*Nov  8 09:13:06.831:     0E 00 00 00
*Nov  8 09:13:06.831:
*Nov  8 09:13:06.831: SSL_accept:SSLv3 write server done A
*Nov  8 09:13:06.831: SSL_accept:SSLv3 flush data
*Nov  8 09:13:06.831: SSL_accept:would block on read in SSLv3 read client certificate A
*Nov  8 09:13:06.831: SSL_accept:would block on read in SSLv3 read client certificate A
*Nov  8 09:13:07.107: <<< TLS 1.0 Alert [length 0002], fatal decode_error
*Nov  8 09:13:07.107:     02 32
*Nov  8 09:13:07.107:
*Nov  8 09:13:07.107: SSL3 alert read:fatal:decode error
*Nov  8 09:13:07.107: SSL_accept:failed in SSLv3 read client certificate A
*Nov  8 09:13:07.107: 0:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:1111:SSL alert number 50
*Nov  8 09:13:07.107: 0:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:863:

And then AnyConnect "rests in peace", unconnected...

But (there's always a "but") the router shows that I'm connected...(??)

JK-ROUTER-01#sh webvpn session context JACK-VPN-CTX
WebVPN context name: JACK-VPN-CTX
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
cogetech           80.x.x.x             0         00:12:32  00:11:04
cogetech           80.x.x.x             2         00:00:08  00:00:03
JK-ROUTER-01#

The following is the config I used:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-dart-win-2.5.6005-k9.pkg sequence 1
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-2.5.3055-k9.pkg sequence 2
!
ip local pool SSL_VPN 10.2.0.230 10.2.0.240
!
webvpn gateway JACK-VPN-GW
 ip address 10.4.0.240 port 443
 ssl encryption rc4-md5
 ssl trustpoint Jack-trustpoint-ca
 inservice
!
webvpn context JACK-VPN-CTX
 title "Jack - Portal-1"
 login-message "Jack - Portal-1"
 !
 port-forward "Port Forwarding"
   local-port 223 remote-server "10.2.0.253" remote-port 23 description "JK-TW-1"
   local-port 222 remote-server "10.2.0.41" remote-port 22 description "Grabber"
   local-port 33389 remote-server "10.2.0.34" remote-port 3389 description "Backup Server"
 !
 policy group JACK-VPN-PLCY
   port-forward "Port Forwarding"
   svc address-pool "VPN-SSL-POOL" netmask 255.255.255.0
   svc keep-client-installed
   svc split include 10.2.0.0 255.255.255.0
   url-list "Links"
 default-group-policy JACK-VPN-PLCY
 gateway JACK-VPN-GW
 max-users 10
 !
 ssl authenticate verify all
 !
 url-list "Links"
   heading "Links"
   url-text "Portal Web 1" url-value "http://10.2.0.31"
 inservice
!

I repeat that the port forwarding on the WebVPN portal (thin client) is working well. The only thing not working is AnyConnect (even when downloading it from the portal).

What could be the problem??

I already read many posts regarding issues similar to this.

I already downgraded to RC4 encryption, because it was suggested, without any result.

Likewise, I uninstalled the KB2585542 update from Windows, without any result; I don't think this could be the problem, because I get the same behaviour using AnyConnect on Linux.

I already uninstalled the AnyConnect pkg from the router and reinstalled it.

I didn't try installing the latest AnyConnect version, but I'm almost sure that it wouldn't solve the problem.

Please help!

Regards.
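Added example (not part of the original post, and not a Cisco tool): a small Python triage script for exactly this kind of debug dump. It pulls out the facts a reviewer looks for first: whether WV-AAA reported success, which client resource requests got a 404, which TLS alert was read and in which SSL_accept state the handshake died; and it cross-references the config for names that are referenced but never defined (the `svc address-pool` name against `ip local pool`, the context's `gateway` against `webvpn gateway`). The regexes assume the line formats visible in the post above; the sample debug lines and config excerpt are constructed from it, and the name cross-check is a generic consistency heuristic added here, not a statement of the root cause.

```python
import re

# Constructed sample lines, modelled on the "debug webvpn" / "debug ssl openssl" output in the post.
SAMPLE_DEBUG = """\
*Nov  8 09:10:33.886: WV-AAA: AAA Authentication Passed!
*Nov  8 09:13:06.395: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
*Nov  8 09:13:06.395: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.527: WV-WEBSERVICE: HTTP request: 0, path: /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=win
*Nov  8 09:13:06.527: HTTP/1.1 404 Not Found
*Nov  8 09:13:06.831: SSL_accept:would block on read in SSLv3 read client certificate A
*Nov  8 09:13:07.107: <<< TLS 1.0 Alert [length 0002], fatal decode_error
*Nov  8 09:13:07.107: SSL_accept:failed in SSLv3 read client certificate A
"""

# Constructed excerpt of the posted configuration (object names kept as in the post).
SAMPLE_CONFIG = """\
ip local pool SSL_VPN 10.2.0.230 10.2.0.240
webvpn gateway JACK-VPN-GW
 inservice
webvpn context JACK-VPN-CTX
 policy group JACK-VPN-PLCY
   svc address-pool "VPN-SSL-POOL" netmask 255.255.255.0
 default-group-policy JACK-VPN-PLCY
 gateway JACK-VPN-GW
"""

TIMESTAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s?(.*)$")
REQUEST = re.compile(r"WV-WEBSERVICE: HTTP request: \d+, path: (\S+)")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")
TLS_ALERT = re.compile(r"(<<<|>>>) TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)")
SSL_FAIL = re.compile(r"SSL_accept:failed in (.+)$")
POOL_DEF = re.compile(r"^\s*ip local pool (\S+)")
POOL_REF = re.compile(r'^\s*svc address-pool "?([^"\s]+)"?')
GATEWAY_DEF = re.compile(r"^\s*webvpn gateway (\S+)")
GATEWAY_REF = re.compile(r"^\s*gateway (\S+)")  # the reference inside a webvpn context


def strip_timestamp(line):
    """Return the message part of an IOS debug line (the line itself if it has no timestamp)."""
    m = TIMESTAMP.match(line)
    return m.group(1) if m else line.strip()


def triage_debug(text):
    """Summarise one AnyConnect attempt: AAA result, 404'd paths, TLS alerts, failing SSL state."""
    result = {"aaa_passed": False, "not_found": [], "tls_alerts": [], "handshake_failed_at": None}
    pending_path = None  # path of the last HTTP request, paired with the next status line
    for raw in text.splitlines():
        msg = strip_timestamp(raw)
        if "WV-AAA: AAA Authentication Passed!" in msg:
            result["aaa_passed"] = True
            continue
        req = REQUEST.search(msg)
        if req:
            pending_path = req.group(1)
            continue
        st = STATUS.match(msg)
        if st:
            if st.group(1) == "404" and pending_path:
                result["not_found"].append(pending_path)
            pending_path = None
            continue
        alert = TLS_ALERT.search(msg)
        if alert:
            result["tls_alerts"].append(alert.groups())  # (direction, level, description)
            continue
        fail = SSL_FAIL.search(msg)
        if fail:
            result["handshake_failed_at"] = fail.group(1)
    return result


def check_config(text):
    """Every pool / gateway a context references must be defined somewhere in the config."""
    defined = {"pool": set(), "gateway": set()}
    referenced = {"pool": set(), "gateway": set()}
    for line in text.splitlines():
        for kind, pat in (("pool", POOL_DEF), ("gateway", GATEWAY_DEF)):
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pat in (("pool", POOL_REF), ("gateway", GATEWAY_REF)):
            m = pat.match(line)
            if m:
                referenced[kind].add(m.group(1))
    return {"undefined_pools": sorted(referenced["pool"] - defined["pool"]),
            "undefined_gateways": sorted(referenced["gateway"] - defined["gateway"])}


def findings(debug_text, config_text):
    """Human-readable triage lines: what to check before opening a case."""
    t, c, out = triage_debug(debug_text), check_config(config_text), []
    out.append("AAA: " + ("passed" if t["aaa_passed"] else "no success seen"))
    for p in t["not_found"]:
        out.append(f"404 for client resource request: {p}")
    for direction, level, desc in t["tls_alerts"]:
        out.append(f"TLS alert {'read from client' if direction == '<<<' else 'sent by router'}: {level} {desc}")
    if t["handshake_failed_at"]:
        out.append(f"SSL_accept failed in state: {t['handshake_failed_at']}")
    for name in c["undefined_pools"]:
        out.append(f"config: svc address-pool '{name}' referenced but no 'ip local pool {name}' defined")
    for name in c["undefined_gateways"]:
        out.append(f"config: gateway '{name}' referenced but not defined")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(line)
```

Run it against a saved `debug` capture and `show running-config | section webvpn|ip local pool` output instead of the constructed samples; the `<<<` / `>>>` direction markers follow the OpenSSL-style convention the router's debug uses (`<<<` is data read from the client, as the "SSL3 alert read" line in the post confirms).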
