Hi,
I have been trying to get SSL VPN to work for multiple VRFs on a single router. I have created different contexts and mapped them to different virtual-template interfaces, but AnyConnect keeps failing when trying to connect. Below is the SSL VPN related configuration:
aaa authentication login SSLVPN-DC1 local
aaa authentication login SSLVPN-DC2 local
ip vrf DC1
ip vrf DC2
interface GigabitEthernet0/0.6
 encapsulation dot1Q 6
 ip vrf forwarding DC1
 ip address ****
 ip nat outside
 ip virtual-reassembly in
interface GigabitEthernet0/0.7
 encapsulation dot1Q 7
 ip vrf forwarding DC2
 ip address ****
 ip nat outside
 ip virtual-reassembly in
interface Virtual-Template1
 ip vrf forwarding DC1
 ip address 196.1.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
interface Virtual-Template2
 ip vrf forwarding DC2
 ip address 196.1.200.254
 ip nat inside
 ip virtual-reassembly in
ip local pool SSLVPN-DC1 196.1.200.1 196.1.200.20
ip local pool SSLVPN-DC1 196.2.200.1 196.2.200.20
webvpn gateway SSLVPN-DC1
 vrfname DC1
 ip interface GigabitEthernet0/0.6 port 443
 ssl trustpoint SSLVPN-DC1
 inservice
!
webvpn gateway SSLVPN-DC2
 vrfname DC2
 ip interface GigabitEthernet0/0.7 port 443
 ssl trustpoint SSLVPN-DC2
 inservice
!
webvpn context SSLVPN-DC1
 virtual-template 1
 aaa authentication list SSLVPN-DC1
 gateway SSLVPN-DC1
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN-DC1
   functions svc-enabled
   svc address-pool "SSLVPN-DC1" netmask 255.255.255.0
   svc dns-server primary 10.1.41.1
   svc dns-server secondary 10.2.41.1
 default-group-policy SSLVPN-DC1
!
webvpn context SSLVPN-DC2
 virtual-template 2
 aaa authentication list SSLVPN-DC2
 gateway SSLVPN-DC2
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN-DC2
   functions svc-enabled
   svc address-pool "SSLVPN-DC2" netmask 255.255.255.0
   svc dns-server primary 10.2.41.1
   svc dns-server secondary 10.1.41.1
 default-group-policy SSLVPN-DC2
!
I am being prompted for the credentials, so it gets to that point, but then the debugs show the following output:
Aug 23 16:34:29.732 UTC: [WV-TUNL-ERR]:[0] Vaccess 2 failed to read from backend server in process paterm no
Aug 23 16:34:32.480 UTC: [WV-TUNL-PAK]:[0] RxServer, Could not identify session for this pak
Aug 23 16:34:32.480 UTC: [WV-TUNL-ERR]:[0] Session owning the pak 3DC89FD0 not found
Aug 23 16:34:32.480 UTC: [WV-TUNL-PAK]: IP4 Len =76 src=196.2.200.254 Dst =224.0.0.5 Prot =89
I have found a bug related to that:
CSCuv43257
However, I am not trying to route the traffic between VRFs so I am not sure if that is applicable. Has anyone experienced that issue before?
Thank you,
Mikolaj
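Before chasing a bug ID, it is worth cross-checking the posted configuration mechanically: as transcribed, the second address pool reuses the name SSLVPN-DC1 (so the pool "SSLVPN-DC2" that the DC2 policy group references is never defined), and Virtual-Template2 carries an address with no mask. The script below is an added example, not part of the original post and not Cisco tooling. It parses an IOS running-config excerpt and checks the pool, virtual-template and webvpn-context cross-references that an SVC/AnyConnect session depends on. The sample input is the SSL VPN fragment from the post, re-indented the way "show running-config" prints it and constructed here for the example; the "corrected" variant (a separate SSLVPN-DC2 pool, and 196.2.200.254/24 on Virtual-Template2, which is the source address the debug shows on Vaccess 2) is an assumption about the intended configuration, not something the poster confirmed. Treating a pool range that falls outside the virtual-template subnet as a finding is also this script's assumption; function and constant names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the SSL VPN fragment of the posted configuration, re-indented as
# "show running-config" prints it, with the posted inconsistencies left in place (the
# duplicate "ip local pool SSLVPN-DC1" and the mask-less address on Virtual-Template2).
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ip vrf forwarding DC1
 ip address 196.1.200.254 255.255.255.0
interface Virtual-Template2
 ip vrf forwarding DC2
 ip address 196.1.200.254
ip local pool SSLVPN-DC1 196.1.200.1 196.1.200.20
ip local pool SSLVPN-DC1 196.2.200.1 196.2.200.20
webvpn context SSLVPN-DC1
 virtual-template 1
 gateway SSLVPN-DC1
 policy group SSLVPN-DC1
   svc address-pool "SSLVPN-DC1" netmask 255.255.255.0
webvpn context SSLVPN-DC2
 virtual-template 2
 gateway SSLVPN-DC2
 policy group SSLVPN-DC2
   svc address-pool "SSLVPN-DC2" netmask 255.255.255.0
"""

# Assumed corrected version: DC2 gets its own pool name, and Virtual-Template2 gets a
# /24 on 196.2.200.254 (the src address the debug shows on Vaccess 2). Assumption only.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("ip address 196.1.200.254\n", "ip address 196.2.200.254 255.255.255.0\n")
    .replace("ip local pool SSLVPN-DC1 196.2.200.1", "ip local pool SSLVPN-DC2 196.2.200.1")
)


def parse_config(text):
    """Pull address pools, virtual-templates and webvpn contexts out of an IOS config excerpt."""
    pools = defaultdict(list)   # pool name -> [(first, last), ...]; more than one = duplicate
    vtemplates = {}             # template number -> {"vrf", "address", "mask"}
    contexts = {}               # context name -> {"vtemplate", "pools": {pool name: svc netmask}}
    current = None              # ("vt", number) or ("ctx", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # un-indented line: a new top-level command
            current = None
            if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                pools[m.group(1)].append((m.group(2), m.group(3)))
            elif m := re.match(r"interface Virtual-Template(\d+)$", line):
                current = ("vt", int(m.group(1)))
                vtemplates[current[1]] = {"vrf": None, "address": None, "mask": None}
            elif m := re.match(r"webvpn context (\S+)$", line):
                current = ("ctx", m.group(1))
                contexts[current[1]] = {"vtemplate": None, "pools": {}}
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "vt":
            if m := re.match(r"ip vrf forwarding (\S+)$", line):
                vtemplates[key]["vrf"] = m.group(1)
            elif m := re.match(r"ip address (\S+)(?: (\S+))?$", line):
                vtemplates[key]["address"], vtemplates[key]["mask"] = m.group(1), m.group(2)
        elif kind == "ctx":
            if m := re.match(r"virtual-template (\d+)$", line):
                contexts[key]["vtemplate"] = int(m.group(1))
            elif m := re.match(r'svc address-pool "?([^"\s]+)"? netmask (\S+)$', line):
                contexts[key]["pools"][m.group(1)] = m.group(2)
    return pools, vtemplates, contexts


def check_config(text):
    """Return a list of findings; an empty list means the cross-references are consistent."""
    pools, vtemplates, contexts = parse_config(text)
    findings = []
    for name, ranges in pools.items():
        if len(ranges) > 1:
            findings.append(f"ip local pool {name} is defined {len(ranges)} times: {ranges}")
    for num, vt in vtemplates.items():
        if vt["address"] and not vt["mask"]:
            findings.append(f"Virtual-Template{num}: 'ip address {vt['address']}' has no mask")
    for name, ctx in contexts.items():
        vt = vtemplates.get(ctx["vtemplate"])
        if vt is None:
            findings.append(f"context {name}: virtual-template {ctx['vtemplate']} is not defined")
            continue
        for pool_name, netmask in ctx["pools"].items():
            if pool_name not in pools:
                findings.append(f"context {name}: svc address-pool {pool_name} is not defined")
                continue
            if not vt["address"] or not vt["mask"]:
                continue                      # already reported above; cannot compare subnets
            if netmask != vt["mask"]:
                findings.append(f"context {name}: svc netmask {netmask} differs from "
                                f"Virtual-Template{ctx['vtemplate']} mask {vt['mask']}")
            vt_net = ipaddress.ip_interface(f"{vt['address']}/{vt['mask']}").network
            for first, last in pools[pool_name]:
                if (ipaddress.ip_address(first) not in vt_net
                        or ipaddress.ip_address(last) not in vt_net):
                    findings.append(f"context {name}: pool {pool_name} range {first}-{last} is "
                                    f"outside Virtual-Template{ctx['vtemplate']} subnet {vt_net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        result = check_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the fragment as posted it reports four findings (the duplicate pool, the mask-less Virtual-Template2 address, the 196.2.200.x range sitting outside Virtual-Template1's /24, and the undefined SSLVPN-DC2 pool); against the assumed corrected fragment it reports none. Pasting the real "show running-config | section webvpn|Virtual-Template|ip local pool" output into SAMPLE_CONFIG is the intended use.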