Cisco C1111 Router FlexVPN issue with Anyconnect

Remon.BA
Level 1

Dears,

I am facing the error below when configuring FlexVPN on a Cisco C1111 router for Cisco AnyConnect.

From the logs, I see this error:
"Failed to receive the AUTH msg before the timer expired"
I have attached files of:

1- running config
2- Debugs
Crypto IPSEC debugging is on
IKEv2 error debugging is on
IKEv2 default debugging is on
IKEv2 packet debugging is on
IKEv2 internal debugging is on

3- output of
* sh version
* show crypto pki certificates verbose

4- XML profile which was downloaded on the Windows PC in the AnyConnect path

9 Replies

balaji.bandi
Hall of Fame
Cisco router C1111 try to connect through win11 vpn client

Windows 11 VPN client - I take this to be Cisco AnyConnect - what version?

Can you post the output below:

#show crypto pki certificates verbose

#show version

 

I would cross-check the configuration again.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hey,
I use Cisco AnyConnect.

Attached is the output of

#show crypto pki certificates verbose

#show version

Remon.BA
Level 1

I have downloaded the XML profile to the Cisco AnyConnect Profiles path.

Remon.BA
Level 1

Dears,

Now I received this error (all logs attached):
"IPSEC(ipsec_process_proposal): transform not supported:"

Running config regarding this part:

crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 19
!

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP


crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
match identity remote address 0.0.0.0
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IOSCA
aaa authentication anyconnect-eap AUTHC
aaa authorization group anyconnect-eap list AUTHZ ikev2-auth-policy
virtual-template 100
anyconnect profile acvpn





As per the attached config, you have the below:

crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac

That may be because of that error:

an 16 14:13:02.841: IPSEC(ipsec_process_proposal): transform not supported:
{esp-gcm 256 }

Can you post the latest show run? I have not had a chance to replicate this issue; I will try later tonight and let you know the outcome.

 

BB
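
An added example (not written by any poster in this thread, and not Cisco tooling): a Python check that lists the transform-sets in a saved running-config and reports whether each transform named in a `transform not supported` debug line appears in any of them. The sample text is constructed from the lines quoted in this thread, the function names are hypothetical, and it assumes the braces in the debug line hold the transform the peer proposed.

```python
import re

# Constructed sample input, assembled from lines quoted in this thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac
 mode tunnel
"""
SAMPLE_DEBUG = """\
IPSEC(ipsec_process_proposal): transform not supported:
{esp-gcm 256 }
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
# The debug output wraps, so the braces may sit on the following line.
REJECT_RE = re.compile(r"transform not supported:\s*\{([^}]*)\}")
# One transform keyword plus an optional key size, e.g. "esp-aes 256".
KEYWORD_RE = re.compile(r"(?:esp|ah|comp)-\S+(?: \d+)?")


def split_transforms(spec):
    """'esp-aes 256 esp-sha256-hmac' -> ['esp-aes 256', 'esp-sha256-hmac']."""
    return KEYWORD_RE.findall(" ".join(spec.split()))


def configured_sets(config):
    """Map each transform-set name to the transforms it contains."""
    return {name: split_transforms(spec) for name, spec in TS_RE.findall(config)}


def rejected_transforms(debug):
    """Unique transforms reported as not supported, in order of appearance."""
    seen = []
    for body in REJECT_RE.findall(debug):
        for transform in split_transforms(body):
            if transform not in seen:
                seen.append(transform)
    return seen


def report(config, debug):
    """For each rejected transform, list the configured sets that contain it."""
    sets = configured_sets(config)
    return {t: sorted(n for n, ts in sets.items() if t in ts)
            for t in rejected_transforms(debug)}


if __name__ == "__main__":
    for transform, names in report(SAMPLE_CONFIG, SAMPLE_DEBUG).items():
        print(f"{transform!r}: in transform-sets {names or 'none configured'}")
```

An empty list for a transform means no configured transform-set contains it, which is the situation the reply above points at.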


Hey,
This is the last run.
Please note that I use AnyConnect for Windows v 4.10.8025.

Hi friend, sorry for the late reply.
I was successful in helping another engineer solve AnyConnect IKEv2, so I come this time with more knowledge; I hope we can solve this issue also.

crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 19
!

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP


crypto ikev2 profile acvpn
match identity remote key-id *$AnyConnectClient$*
match identity remote address 0.0.0.0
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IOSCA
aaa authentication anyconnect-eap AUTHC
aaa authorization group anyconnect-eap list AUTHZ ikev2-auth-policy
virtual-template 100
anyconnect profile acvpn <<- if the router does not push the profile, you need to add it manually to the client PC; the profile will be acvpn.xml

Also, can I see the profile after you edit it?
Thanks,
MHM