09-06-2015 08:25 PM - edited 02-21-2020 08:27 PM
Hi all,
I have configured Anyconnect VPN for one of my clients on a Cisco IOS router. I have configured it to use RADIUS authentication as it has a domain controller onsite.
I have tested it from within the office and it works fine. I can log into the WebVPN webpage, login using AD user details and it lets me in. However, if I try to access the webpage from outside the office, the webpage doesn't even load up. It gets timed out. :(
The client is on an ADSL connection and the maximum upload speed is 0.7Mbps. Could this be the factor?
Anyway, here is the config. Any help would be greatly appreciated.
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-gw1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 group radius
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4180871535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4180871535
revocation-check none
rsakeypair TP-self-signed-4180871535
!
!
crypto pki certificate chain TP-self-signed-4180871535
certificate self-signed 01
quit
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license feature MEM-8XX-512U1GB
license udi pid C887VAM-K9 sn FGL193320G3
license accept end user agreement
!
!
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
controller VDSL 0
!
!
interface Loopback0
ip address 172.20.23.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Vlan1
description ***INTERNAL_INTERFACE***
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ***iiNET***
ip address x.x.x.145 255.255.255.252
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xx
ppp chap password 0 xx
ppp pap sent-username xx
!
ip local pool WebVPN_Pool 172.20.23.1 172.20.23.20
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 172.20.23.254 443 interface Dialer0 443
ip nat inside source static tcp 172.20.23.254 80 interface Dialer0 80
ip nat inside source route-map IINET_NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map IINET_NAT permit 10
match ip address 100
set interface Dialer0
!
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
radius-server host 192.168.30.200 key xxxx
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
ip address 172.20.23.254 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-4180871535
inservice
!
webvpn context WebVPN
secondary-color white
title-color #669999
text-color black
virtual-template 1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "WebVPN_Pool" netmask 255.255.255.255
svc keep-client-installed
svc split include 192.168.30.0 255.255.255.0
svc dns-server primary 192.168.30.200
svc dns-server secondary 203.0.178.191
default-group-policy policy_1
!
end
09-06-2015 09:25 PM
There is no NAT exemption configured for the traffic:
access-list 100 deny ip 192.168.30.0 0.0.0.255 172.20.23.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
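How the suggested deny entry changes what `route-map IINET_NAT` selects for translation, as an added example that is not part of the original posts: a small first-match evaluator for ACL 100 using IOS wildcard-mask semantics. The sample flows are constructed for illustration.

```python
import ipaddress

# ACL 100 as proposed in the reply above (IOS wildcard masks).
ACL_100 = [
    ("deny",   "192.168.30.0", "0.0.0.255", "172.20.23.0", "0.0.0.255"),
    ("permit", "192.168.30.0", "0.0.0.255", "any", None),
]
# ACL 100 as it stands in the originally posted config (no exemption entry).
ACL_100_ORIGINAL = ACL_100[1:]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


def is_natted(acl, src, dst):
    """route-map IINET_NAT permit 10 / match ip address 100: a permit result
    selects the packet for PAT on Dialer0; a deny leaves it untranslated."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("192.168.30.200", "172.20.23.5"),  # LAN server replying to a VPN pool client
        ("192.168.30.50", "8.8.8.8"),       # LAN host to the internet
        ("172.20.23.5", "192.168.30.200"),  # pool client to LAN: source not in ACL
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: "
              f"original NAT={is_natted(ACL_100_ORIGINAL, src, dst)}, "
              f"with exemption NAT={is_natted(ACL_100, src, dst)}")
```

With the original ACL, replies from the LAN to the VPN pool are selected for PAT; with the deny entry first they are left untranslated, while internet-bound traffic is still translated.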
09-06-2015 10:09 PM
Hi PJain,
I configured the access-list. Still no joy. :(
router-gw1#show ip access-lists
Extended IP access list 100
5 deny ip 192.168.30.0 0.0.0.255 172.20.23.0 0.0.0.255
10 permit ip 192.168.30.0 0.0.0.255 any (16433 matches)
09-06-2015 10:48 PM
are you able to ping 192.168.30.254 from the anyconnect client?
09-07-2015 04:11 AM
Hi,
Nope. The webpage doesn't even load up.
I have Anyconnect client installed on my computer. When I try to connect to it from my PC, I see the below message:
[7/09/2015 7:02:00 PM] Ready to connect.
[7/09/2015 7:02:15 PM] Contacting x.x.x.145.
[7/09/2015 7:02:49 PM] Connection attempt has failed.
[7/09/2015 7:03:09 PM] Connection attempt has failed.
[7/09/2015 7:03:09 PM] No valid certificates available for authentication.
[7/09/2015 7:03:29 PM] Connection attempt has failed.
When I try connecting to the VPN from work PC, I get the below:
[7/09/2015 7:08:02 PM] Contacting x.x.x.145.
[7/09/2015 7:08:28 PM] Please enter your username and password.
[7/09/2015 7:08:38 PM] User credentials entered.
[7/09/2015 7:08:49 PM] Establishing VPN session...
[7/09/2015 7:09:21 PM] Checking for profile updates...
[7/09/2015 7:09:21 PM] Checking for product updates...
[7/09/2015 7:10:25 PM] Connection attempt has failed.
Any ideas? I am currently using the router's self-signed certificate.
09-07-2015 08:08 PM
try generating a self signed cert for the webvpn again and use a 2048 bit RSA key to generate the cert
09-08-2015 07:07 PM
Hi,
I generated a 2048 bit self-signed rsa certificate. Reconfigured the webvpn interface to use the new certificate.
Now, when I try to connect to WebVPN, I get the following message.
[9/09/2015 9:51:40 AM] Contacting x.x.x.145.
[9/09/2015 9:52:10 AM] Please enter your username and password.
[9/09/2015 9:52:19 AM] User credentials entered.
[9/09/2015 9:52:30 AM] Establishing VPN session...
[9/09/2015 9:53:03 AM] Checking for profile updates...
[9/09/2015 9:53:03 AM] Checking for product updates...
[9/09/2015 9:53:27 AM] Checking for customization updates...
[9/09/2015 9:54:38 AM] Performing any required updates...
[9/09/2015 9:54:38 AM] Establishing VPN session...
[9/09/2015 9:54:38 AM] Establishing VPN - Initiating connection...
[9/09/2015 9:57:45 AM] Connection attempt has failed.
[9/09/2015 9:57:56 AM] VPN session ended.
[9/09/2015 9:57:56 AM] Disconnect in progress, please wait...
I created a DNS record called "vpn.xxx.com.au" and pointed it to the WAN IP of the router. Tried using "vpn.xxx.com.au" to initiate the connection. Still no joy. :(
Also, when I browse to https://x.x.x.145 or https://vpn.xxx.com.au, it doesn't load the webpage to login and download the Cisco Anyconnect software.
Any ideas?
Regards,
Vignesh.
09-09-2015 11:21 PM
Hey Vignesh,
Can you share the webvpn debugs during the time of the connection from the router? Also enable pki debugging.
Regards
09-12-2015 06:38 AM
Hi Pjain,
Just a quick update. I got an SSL cert from GoDaddy and installed it on the router.
Changed the webvpn address to the dialer 0 interface. The latest config is:
router-gw1#show run
Building configuration...
Current configuration : 11244 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router-gw1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group radius
aaa authentication login ciscocp_vpn_xauth_ml_2 group radius
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint sslvpn.trustpoint
enrollment terminal
fqdn vpn.thefmagroup.com.au
subject-name CN=vpn.thefmagroup.com.au,OU=SSLVPN,O=FMAGroup,C=AU,ST=WA
revocation-check crl
rsakeypair sslvpn-2015-2016
!
crypto pki trustpoint my-selfsigned-cert
enrollment selfsigned
revocation-check crl
rsakeypair self-signed
!
!
crypto pki certificate chain sslvpn.trustpoint
certificate 7D3AC33BB8409622
quit
certificate ca 07
quit
crypto pki certificate chain my-selfsigned-cert
certificate self-signed 02
quit
!
!
!
!
!
!
!
!
ip name-server 192.168.30.200
ip name-server 203.0.178.191
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license udi pid C887VAM-K9 sn FGL193320G3
license accept end user agreement
!
!
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
!
!
!
!
controller VDSL 0
!
no ip ftp passive
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.20.23.254 255.255.255.0
ip virtual-reassembly in
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered Loopback0
!
interface Vlan1
description ***INTERNAL_INTERFACE***
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ***iiNET***
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxx
ppp chap password 7 xxxx
ppp pap sent-username xxxx password 7 xxxx
!
!
ip local pool WebVPN_Pool 172.20.23.1 172.20.23.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp x.x.x.145 443 interface Dialer0 443
ip nat inside source route-map IINET_NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map IINET_NAT permit 10
match ip address 100
set interface Dialer0
!
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
ip interface Dialer0 port 443
http-redirect port 80
ssl trustpoint sslvpn.trustpoint
inservice
!
webvpn context WebVPN
secondary-color white
title-color #669999
text-color black
virtual-template 2
aaa authentication list ciscocp_vpn_xauth_ml_3
gateway gateway_1
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "WebVPN_Pool" netmask 255.255.255.255
svc keep-client-installed
svc split include 192.168.30.0 255.255.255.0
svc dns-server primary 192.168.30.200
svc dns-server secondary 203.0.178.191
default-group-policy policy_1
!
end
I can load the webvpn page from inside the office. But, when I try to access the WebVPN page from outside, it keeps timing out.
Tried searching for answers in various forums. Still no joy. :(
Any ideas?
Note: The address x.x.x.145 is the static WAN IP for the company. Same IP as the Dialer 0 interface.
09-13-2015 10:47 PM
Hi PJain,
I contacted cisco TAC regarding this issue and got it fixed.
Apparently, there is a bug with IOS versions 15.3(3)M3 and 15.5(2)T. Webvpn cef needs to be turned off for it to be working from outside.
https://tools.cisco.com/bugsearch/bug/CSCuv58654/?reffering_site=dumpcr
All good now.
Thanks for your help. :)