Cisco 3825 Router SSL VPN suddenly stop working after few years of no issue

malakipaa
Level 1

Hello,

This is a home setup and I have burned 2 days of troubleshooting on and off. I am an intermediate Cisco technician with a CCNA and a few years of practice. I believe I reformatted the flash on the 3825 router just to clean it up, since I thought the flash was acting weird in that it didn't boot up a few times. It eventually booted up after a few tries. I can't exactly remember whether I actually formatted the flash, since I was working on a few things at the same time. Anyway, I have a feeling that I deleted the license for it as well? And this is the reason why SSL VPN stopped working? I thought this router doesn't need a license anyway. The only change I made was adding HSRP on the inside interface, since I added a redundant 3845 router just in case, which is offline when not needed. I don't know if it happened before this, since I didn't test before making this change. I thought it was just a straightforward change that nothing could go wrong with. I also didn't change any setting at all on the public-facing interface. By the way, I have used VDSL2 for home internet for like 10 yrs without issue. Internet works fine and the other services on the router work, except this SSL VPN. Thanks for any help!

Below is some basic info:

 

I tried Android AnyConnect 4.6, 4.6 and Windows 10 AnyConnect 4.6 with an error like

"Unable to contact XXX.XXX.XXX.XXX" (public IP)

- The IP NAT translation is there on the public-facing IP when I try to connect, but it's like the SSL VPN on this router refuses to provide service.

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 12-Sep-14 11:36 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

Cisco 3825 (revision 1.1) with 480256K/44032K bytes of memory.
Processor board ID 
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
4 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
507024K bytes of ATA System CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO3825             FHK************

R1#show license

Index 1 Feature: ios-ips-update

R1#show license all

License Store: Primary License Storage

5 Replies

Cristian Matei
VIP Alumni

Hi,

Follow up on this guide, see what possible errors you could have made, test it out, and if it doesn't work, post the config here and explain what happens and where the VPN connection breaks. There is no license needed for the 3825.

Regards,

Cristian Matei.

Hi Cristian,

Thanks for your help and quick reply, and for verifying to me that the 3825 doesn't need a license for SSL VPN. I can breathe after that. I knew I needed help from experts. I have been pulling my hair out with this issue. I have gone over my config many times and couldn't find anything suspicious. I'll check the link and see what I can find. Thanks and have a good day!

Hi,

Also post the DART logs from AnyConnect on Windows, and the logs from the mobile clients as they're trying to connect. Post debugs from the router while trying to connect: "debug WebVPN", "debug crypto pki transactions", "debug crypto pki messages".

Regards,

Cristian Matei.


Hi Cristian,

I have solved the issue. The main issue is that all of the private keys on this router have expired or been corrupted. So I deleted all the trustpoint certificates and recreated them.

By using the command "debug crypto pki messages" I saw the error below, which gave me a clue, while trying to connect an SSL VPN session on the router.

"Mar 19 23:27:58.411: CRYPTO_PKI: Can not select private key (TP-self-signed-1520288292)"

From the link below, I have chosen Workaround 2.

https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

Thanks for your help!
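
As an added illustration (not the poster's own commands and not text from the field notice), here is the IOS CLI sequence for confirming that the self-signed trustpoint named in the debug line above has no usable certificate or key pair, recreating it, and re-binding the SSL VPN gateway to it. The trustpoint name comes from the debug message on this page; the WebVPN gateway name `SSLVPN-GW` and the 2048-bit modulus are assumptions. The one check that matters before re-enabling the gateway is the certificate end date in `show crypto pki certificates`: on a release affected by the linked field notice a freshly generated self-signed certificate may not get an end date in the future, in which case the selfsigned enrollment has to be replaced by a CA-issued certificate (terminal enrollment, then authenticate/enroll/import).

```ios
! 1. Confirm the symptom: check the Validity Date block of the current
!    self-signed certificate and which RSA key pairs actually exist.
show crypto pki certificates TP-self-signed-1520288292
show crypto key mypubkey rsa

! 2. Reproduce the PKI error while a client connects (the line the
!    poster quoted comes from this debug). Turn it off afterwards.
debug crypto pki messages
undebug all

! 3. Remove the old trustpoint and the key pair that no longer matches it.
configure terminal
 no crypto pki trustpoint TP-self-signed-1520288292
 ! IOS prompts that the trustpoint's certificates will be destroyed; answer yes.
 crypto key zeroize rsa TP-self-signed-1520288292

! 4. Recreate the key pair and the trustpoint, then enroll to get a new
!    certificate. (Modulus size is an assumption, not from the thread.)
 crypto key generate rsa label TP-self-signed-1520288292 modulus 2048
 crypto pki trustpoint TP-self-signed-1520288292
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1520288292
  revocation-check none
  rsakeypair TP-self-signed-1520288292
 exit
 crypto pki enroll TP-self-signed-1520288292

! 5. Point the SSL VPN gateway (name assumed) and the HTTPS server at the
!    recreated trustpoint; bounce the gateway so it reloads the certificate.
 webvpn gateway SSLVPN-GW
  ssl trustpoint TP-self-signed-1520288292
  no inservice
  inservice
 exit
 ip http secure-trustpoint TP-self-signed-1520288292
end

! 6. Verify before declaring it fixed: the certificate's "end date" must be
!    in the future, and the gateway must show as in service.
show crypto pki certificates TP-self-signed-1520288292
show webvpn gateway SSLVPN-GW
write memory
```

If step 6 shows an end date that has already passed, the certificate is unusable regardless of how cleanly the trustpoint was recreated, and clients will keep failing with the same "Unable to contact" error; that is the case the field notice exists for, and the fix is then a CA-issued certificate rather than another selfsigned enrollment.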
Hi,

I'm glad it worked.

Regards,

Cristian Matei.