Cisco IOS SSLVPN - 2901 - multi VRF

Mikolaj Moryto
Level 1

Hi,

I have been trying to get SSL VPN to work for multiple VRFs on a single router. I have created different contexts, mapped them with different virtual-template interfaces but AnyConnect keeps failing when trying to connect. Below is the SSL VPN related configuration:

aaa authentication login SSLVPN-DC1 local
aaa authentication login SSLVPN-DC2 local

ip vrf DC1
ip vrf DC2

interface GigabitEthernet0/0.6
 encapsulation dot1Q 6
 ip vrf forwarding DC1
 ip address ****
 ip nat outside
 ip virtual-reassembly in
interface GigabitEthernet0/0.7
 encapsulation dot1Q 7
 ip vrf forwarding DC2
 ip address ****
 ip nat outside
 ip virtual-reassembly in

interface Virtual-Template1
 ip vrf forwarding DC1
 ip address 196.1.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
interface Virtual-Template2
 ip vrf forwarding DC2
 ! mask was missing in the post; address inferred from the DC2 pool range and the debug source 196.2.200.254
 ip address 196.2.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

ip local pool SSLVPN-DC1 196.1.200.1 196.1.200.20
! second pool was also named SSLVPN-DC1 in the post; policy group SSLVPN-DC2 references pool "SSLVPN-DC2"
ip local pool SSLVPN-DC2 196.2.200.1 196.2.200.20

webvpn gateway SSLVPN-DC1
 vrfname DC1
 ip interface GigabitEthernet0/0.6 port 443
 ssl trustpoint SSLVPN-DC1
 inservice
 !
webvpn gateway SSLVPN-DC2
 vrfname DC2
 ip interface GigabitEthernet0/0.7 port 443
 ssl trustpoint SSLVPN-DC2
 inservice
 !
webvpn context SSLVPN-DC1
 virtual-template 1
 aaa authentication list SSLVPN-DC1
 gateway SSLVPN-DC1
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN-DC1
   functions svc-enabled
   svc address-pool "SSLVPN-DC1" netmask 255.255.255.0
   svc dns-server primary 10.1.41.1
   svc dns-server secondary 10.2.41.1
 default-group-policy SSLVPN-DC1
!
webvpn context SSLVPN-DC2
 virtual-template 2
 aaa authentication list SSLVPN-DC2
 gateway SSLVPN-DC2
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN-DC2
   functions svc-enabled
   svc address-pool "SSLVPN-DC2" netmask 255.255.255.0
   svc dns-server primary 10.2.41.1
   svc dns-server secondary 10.1.41.1
 default-group-policy SSLVPN-DC2
!

I am being prompted for the credentials, so it gets to that point, but then the debugs show the following output:

Aug 23 16:34:29.732 UTC: [WV-TUNL-ERR]:[0] Vaccess 2 failed to read from backend server in process paterm no
Aug 23 16:34:32.480 UTC: [WV-TUNL-PAK]:[0] RxServer, Could not identify session for this pak
Aug 23 16:34:32.480 UTC: [WV-TUNL-ERR]:[0] Session owning the pak 3DC89FD0 not found
Aug 23 16:34:32.480 UTC: [WV-TUNL-PAK]: IP4 Len =76 src=196.2.200.254 Dst =224.0.0.5 Prot =89 

I have found a bug related to that:

CSCuv43257 

However, I am not trying to route the traffic between VRFs, so I am not sure if that is applicable. Has anyone experienced that issue before?

Thank you,

Mikolaj

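A multi-VRF SSL VPN setup like the one above fails silently when the pieces do not line up: the gateway's vrfname must match the VRF of its ip interface, the context's virtual-template must sit in the same VRF as its gateway, and the pool handed to AnyConnect must exist and fall inside the virtual-template subnet. The following is an added example (not part of the post and not Cisco code) that lints an IOS configuration text for exactly those cross-references. The SAMPLE_CONFIG is a constructed excerpt modelled on the post, kept with a duplicated pool name and a Virtual-Template2 address without a netmask so the checks have something to find; all parsing is regex-based and covers only the keywords used here.

```python
"""Cross-reference checks for an IOS WebVPN multi-VRF configuration (added example)."""
import ipaddress
import re

# Constructed sample modelled on the post (redacted "****" addresses kept as posted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.6
 ip vrf forwarding DC1
 ip address ****
interface GigabitEthernet0/0.7
 ip vrf forwarding DC2
 ip address ****
interface Virtual-Template1
 ip vrf forwarding DC1
 ip address 196.1.200.254 255.255.255.0
interface Virtual-Template2
 ip vrf forwarding DC2
 ip address 196.1.200.254
ip local pool SSLVPN-DC1 196.1.200.1 196.1.200.20
ip local pool SSLVPN-DC1 196.2.200.1 196.2.200.20
webvpn gateway SSLVPN-DC1
 vrfname DC1
 ip interface GigabitEthernet0/0.6 port 443
webvpn gateway SSLVPN-DC2
 vrfname DC2
 ip interface GigabitEthernet0/0.7 port 443
webvpn context SSLVPN-DC1
 virtual-template 1
 gateway SSLVPN-DC1
 policy group SSLVPN-DC1
   svc address-pool "SSLVPN-DC1" netmask 255.255.255.0
webvpn context SSLVPN-DC2
 virtual-template 2
 gateway SSLVPN-DC2
 policy group SSLVPN-DC2
   svc address-pool "SSLVPN-DC2" netmask 255.255.255.0
"""

# Same excerpt with the two defects corrected (constructed, for comparison).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip local pool SSLVPN-DC1 196.2", "ip local pool SSLVPN-DC2 196.2"
).replace(" ip address 196.1.200.254\n", " ip address 196.2.200.254 255.255.255.0\n")

# (regex, key) pairs applied to indented lines inside interface/gateway/context blocks
_SUB_PATTERNS = [
    (re.compile(r"ip vrf forwarding (\S+)$"), "vrf"),
    (re.compile(r"vrfname (\S+)$"), "vrf"),
    (re.compile(r"ip interface (\S+)"), "interface"),
    (re.compile(r"virtual-template (\d+)$"), "vtemplate"),
    (re.compile(r"gateway (\S+)$"), "gateway"),
    (re.compile(r'svc address-pool "?([^" ]+)"?'), "pool"),
]


def parse(config):
    """Return (interfaces, pools, gateways, contexts), each a dict keyed by name."""
    interfaces, pools, gateways, contexts = {}, {}, {}, {}
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # top-level command: ends the current block
            block = None
            if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                pools.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif m := re.match(r"interface (\S+)$", line):
                block = interfaces.setdefault(m.group(1), {})
            elif m := re.match(r"webvpn (gateway|context) (\S+)$", line):
                block = (gateways if m.group(1) == "gateway" else contexts).setdefault(m.group(2), {})
            continue
        if block is None:
            continue
        if m := re.match(r"ip address (\S+)(?: (\S+))?$", line):
            block["address"], block["mask"] = m.group(1), m.group(2)
        for pattern, key in _SUB_PATTERNS:
            if m := pattern.match(line):
                block[key] = "Virtual-Template" + m.group(1) if key == "vtemplate" else m.group(1)
    return interfaces, pools, gateways, contexts


def check(config):
    """Run the cross-reference checks and return a list of human-readable findings."""
    interfaces, pools, gateways, contexts = parse(config)
    findings = []
    for name, ranges in pools.items():
        if len(ranges) > 1:  # a later definition with the same name replaces the earlier one
            findings.append(f"pool {name} defined {len(ranges)} times; only the last definition is used")
    for gname, gw in gateways.items():
        iface = interfaces.get(gw.get("interface"), {})
        if iface.get("vrf") != gw.get("vrf"):
            findings.append(f"gateway {gname}: vrfname {gw.get('vrf')} but {gw.get('interface')} is in VRF {iface.get('vrf')}")
    for cname, ctx in contexts.items():
        gw = gateways.get(ctx.get("gateway"), {})
        vt = interfaces.get(ctx.get("vtemplate"), {})
        if vt.get("vrf") != gw.get("vrf"):
            findings.append(f"context {cname}: {ctx.get('vtemplate')} is in VRF {vt.get('vrf')} but gateway uses VRF {gw.get('vrf')}")
        pool = ctx.get("pool")
        if pool not in pools:
            findings.append(f"context {cname}: address-pool {pool} is not defined")
            continue
        if not vt.get("mask"):
            findings.append(f"context {cname}: {ctx.get('vtemplate')} has no netmask on its ip address")
            continue
        subnet = ipaddress.ip_network(f"{vt['address']}/{vt['mask']}", strict=False)
        first, last = pools[pool][-1]  # the definition IOS would actually keep
        if ipaddress.ip_address(first) not in subnet or ipaddress.ip_address(last) not in subnet:
            findings.append(f"context {cname}: pool {pool} ({first}-{last}) is outside {ctx.get('vtemplate')} subnet {subnet}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the lint reports three things: the duplicated pool name, the fact that the surviving SSLVPN-DC1 range (196.2.200.x) no longer lies inside Virtual-Template1's 196.1.200.0/24, and that context SSLVPN-DC2 references a pool that was never defined; the corrected copy produces no findings. Running such a check against `show running-config` output before troubleshooting tunnel debugs avoids chasing platform bugs for what is a cross-reference mistake.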