09-26-2013 12:18 PM - last edited on 02-21-2020 11:54 PM by cc_security_adm
I am working on configuring the Anyconnect Phone VPN for a client. I have created a separate tunnel group and group policy for the phones as well. For the CM part, I worked with one of our voice engineers to get that part configured. However, when we try to connect a phone to the VPN, the authentication fails. I did a debug and can see the following:
webvpn_allocate_auth_struct: net_handle = 0x00007ffecba268a0
webvpn_portal.c:webvpn_determine_primary_username[6136]
webvpn_portal.c:webvpn_determine_secondary_username[6204]
webvpn_portal.c:ewaFormServe_webvpn_login[2258]
webvpn_portal.c:http_webvpn_kill_cookie[1053]
webvpn_free_auth_struct: net_handle = 0x00007ffecba268a0
webvpn_allocate_auth_struct: net_handle = 0x00007ffecba268a0
webvpn_free_auth_struct: net_handle = 0x00007ffecba268a0
webvpn_allocate_auth_struct: net_handle = 0x00007ffecf386600
webvpn_portal.c:ewaFormSubmit_webvpn_login[3600]
webvpn_portal.c:webvpn_login_validate_net_handle[2514]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2534]
webvpn_portal.c:webvpn_login_assign_app_next[2552]
webvpn_portal.c:webvpn_login_cookie_check[2569]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2626]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2660]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = 0CISCO-PHONES, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2722]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2774]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2847]
webvpn_login_resolve_tunnel_group: tgCookie = 0CISCO-PHONES
webvpn_login_resolve_tunnel_group: tunnel group name from url
webvpn_login_resolve_tunnel_group: TG_BUFFER = CISCO-PHONES
webvpn_portal.c:webvpn_login_negotiate_client_cert[2937]
webvpn_portal.c:webvpn_login_check_cert_status[3035]
webvpn_portal.c:webvpn_login_cert_only[3083]
webvpn_portal.c:webvpn_login_primary_username[3105]
webvpn_portal.c:webvpn_determine_primary_username[6136]
webvpn_portal.c:webvpn_determine_secondary_username[6204]
webvpn_portal.c:ewaFormServe_webvpn_login[2258]
webvpn_portal.c:http_webvpn_kill_cookie[1053]
webvpn_free_auth_struct: net_handle = 0x00007ffecf386600
webvpn_allocate_auth_struct: net_handle = 0x00007ffecf386600
webvpn_free_auth_struct: net_handle = 0x00007ffecf386600
I can see the phone trying to connect via the real time log view in ASDM, so it's trying to connect. I am not sure why it's failing though.
TIA for any help. If you need more information, just let me know.
Dan
09-26-2013 02:03 PM
Hi deyster94
Are you licensed for "Anyconnect for Cisco VPN Phone"?
Did you load the certificate into Call Manager?
Did you load the certificate on the ASA?
Did you let the phone register once on the inside corporate network before you tried connecting to the VPN?
Do you have the tunnel group/group policy set for certificate authentication?
09-26-2013 07:04 PM
Erick,
Thanks for the reply and here are the answers:
Are you licensed for "Anyconnect for Cisco VPN Phone"? - Yes
Did you load the certificate into Call Manager? - Yes
Did you load the certificate on the ASA? - Yes
Did you let the phone register once on the inside corporate network before you tried connecting to the VPN? - Yes
Do you have the tunnel group/group policy set for certificate authentication? - No, crap.
I changed the authentication to certificate and will have the client try tomorrow.
I will let you know if that worked.
Dan
09-26-2013 10:32 PM
Hi
Apart from the link naresh gave you, you can also try the following:
https://supportforums.cisco.com/docs/DOC-9124
https://supportforums.cisco.com/docs/DOC-21469
And one important thing: certificates are very crucial when connecting VPN phones to an ASA. If you are using a self-signed certificate, then make sure you have the same on the Call Manager and you have the Call Manager certificate on the ASA.
If you are using a third-party certificate, maybe from a public or an internal CA, it should be bound to the outside interface.
Thanks
Jeet Kumar
09-26-2013 04:12 PM
Hi Dan,
You can go through the link below as well:
Regards,
Naresh
09-27-2013 05:45 AM
Erick, it worked this morning. Thanks for the help.
09-27-2013 07:47 AM
You're welcome!
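The fix that resolved this thread, sketched as an ASA configuration fragment. This is an added example, not a configuration posted by anyone in the thread. The tunnel group name CISCO-PHONES comes from the debug output in the question; the group policy name, trustpoint name, and group URL are placeholders.

```text
! Added illustration; not taken from any poster's running config.
! CISCO-PHONES is the tunnel group seen in the debug output in the question.
! PHONE-GP, ASA-IDENTITY-TP and asa.example.com are placeholders.

! Before: no authentication method is set under webvpn-attributes,
! so the ASA default (aaa, i.e. username/password) applies.
tunnel-group CISCO-PHONES type remote-access
tunnel-group CISCO-PHONES general-attributes
 default-group-policy PHONE-GP
tunnel-group CISCO-PHONES webvpn-attributes
 group-url https://asa.example.com/phones enable

! After: require the phone's client certificate for this tunnel group.
tunnel-group CISCO-PHONES webvpn-attributes
 authentication certificate

! The ASA identity certificate that was exported to Call Manager must be
! the one presented on the interface the phones connect to.
ssl trust-point ASA-IDENTITY-TP outside

! Checks: confirm the authentication method, then look for the phone session.
show running-config all tunnel-group CISCO-PHONES
show vpn-sessiondb anyconnect
```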