660 Views, 0 Helpful, 0 Replies

FlexVPN AnyConnect client unable to SSH to headend

cschwartz (Level 1)

Cisco 4351 configured as a FlexVPN headend and as a DMVPN spoke. Hub and spoke seems to be working just fine.

AnyConnect clients authenticate locally and seem to work fine, with one problem: from the AnyConnect client we cannot SSH to the FlexVPN headend's internal interface G0/0/1.319 at 192.168.19.254 (needed for mgmt). Some details:

Client receives 192.168.1.1 and can ping 192.168.19.254.

Client can SSH to other hosts on 192.168.19.0/24 network.

Client can SSH to a loopback address if one is configured on the router and a route to it is given to the client.

DMVPN Hub router can SSH to 192.168.19.254.


Some debug output:


000686: *Apr  2 13:12:56.622 EDT: TCPADJMSS: process_enqueue_feature
000687: *Apr  2 13:12:56.622 EDT: IP: s=192.168.1.1 (Virtual-Access1), d=192.168.19.254, len 52, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwE
000688: *Apr  2 13:12:56.623 EDT: PAKDBG: COND_DEB_OFF: Direction 0   CBUG ID: 0  Packet: 0
000689: *Apr  2 13:12:56.623 EDT: Setting New Reno as congestion control algorithm
000690: *Apr  2 13:12:56.623 EDT: VTYMGT: tableid = 0, laddr = 192.168.19.254, faddr = 192.168.1.1, lport = 22
000691: *Apr  2 13:12:56.624 EDT: vrfmgr: Tableid 0xFFF returned for ivrf id 0x0
000692: *Apr  2 13:12:56.624 EDT: VTYMGT: Connection table id (0) does not match LIIN table id (4095)
000693: *Apr  2 13:12:56.624 EDT: AN: INFRA_EVENT -  SSH connection detetced, failed to get vrf id
000694: *Apr  2 13:12:56.625 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1, len 44, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IOS-RP-CMAN: Rcv msg handler: msg_len 2243
000695: *Apr  2 13:12:56.625 EDT: IP: tableid=0, s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), routed via FIB
000696: *Apr  2 13:12:56.625 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, sending
000697: *Apr  2 13:12:56.626 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendsE
000698: *Apr  2 13:12:56.627 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, TCP Adjust MSS(58), rtype 1, forus FALSE, E
000699: *Apr  2 13:12:56.627 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, debug packet(100), rtype 1, forus FALSE, sE


Here are the relevant parts of our config:

!
version 16.6
!
vrf definition Mgmt-intf
!
aaa new-model
!
aaa group server radius ISE-RADIUS
 server name ISE01-RADIUS
!
aaa group server tacacs+ ISE-TACACS
 server name ISE01-TACACS
!
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authentication login a-eap-authen-local local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network a-eap-author-grp local
!
aaa attribute list AAA-attr
 attribute type interface-config "ip mtu 1300"
!
no ip bootp server
ip name-server x.x.x.x
ip domain name [domain.com]
!        
crypto pki trustpoint TRUST_POINT
 enrollment terminal pem
 usage ike
 subject-name [blah blah]
 revocation-check none
 rsakeypair KEYPAIR
 hash sha256
!
crypto pki certificate chain TRUST_POINT
 certificate [blah blah]
 certificate ca [blah blah]
!
crypto ikev2 authorization policy ANYCONNECT-IKEV2-AUTH-POLICY
 pool ANYCONNECTPOOL-1
 netmask 255.255.255.0
 include-local-lan
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.19.0 255.255.255.0
 route set remote ipv4 192.168.1.0  255.255.255.0
!
crypto ikev2 proposal SPOKE-IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 profile ANYCONNECT-IKEV2-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TRUST_POINT
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ANYCONNECT-IKEV2-AUTH-POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
crypto ikev2 profile SPOKE-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TRUST_POINT
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS4 esp-aes 256 esp-sha512-hmac
 mode transport
!
crypto ipsec profile ANYCONNECT-IPSEC-PROFILE
 set transform-set TS4
 set ikev2-profile ANYCONNECT-IKEV2-PROFILE
!
crypto ipsec profile SPOKE-IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile SPOKE-IKEV2-PROFILE
!
interface Loopback0
 no ip address
!
interface Tunnel1
 description IKEv2-Tunnel
 bandwidth 1000
 ip address 10.x.x.x 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.x.x.x  x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 20
 ip nhrp holdtime 360
 ip nhrp nhs 10.x.x.x
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile SPOKE-IPSEC-PROFILE
!
interface GigabitEthernet0/0/0
 description ---OUTSIDE---
 ip address x.x.x.x
 ip nat outside
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/1.319
 description --- INSIDE---
 encapsulation dot1Q 319
 ip address 192.168.19.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ANYCONNECT-IPSEC-PROFILE
!
ip local pool ANYCONNECTPOOL-19 192.168.19.10 192.168.19.20
ip local pool ANYCONNECTPOOL-1  192.168.1.1 192.168.1.9
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0/1.319
ip ssh version 2
!
access-list 198 permit tcp 192.168.1.0  0.0.0.255 any
access-list 198 permit tcp 192.168.19.0 0.0.0.255 any
access-list 198 deny   ip any any log
!
line vty 0 4
 session-timeout 30
 access-class 198 in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 session-timeout 30
 access-class 198 in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input ssh
!
end

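Two checks the post invites but does not show, written here as an added example (not the original poster's code and not Cisco's): first, whether the vty access-class ACL 198 admits the client's source address 192.168.1.1 under IOS wildcard-mask semantics; second, a small parser that pulls the VTYMGT connection 4-tuple and the "Connection table id ... does not match LIIN table id" pair out of the posted debug. The ACL and debug lines are copied from the post; the function names and the parsing code are this example's own.

```python
"""Triage helpers for the FlexVPN / SSH-to-headend question above (added example).

1. Evaluate the vty `access-class` ACL the way IOS does: first match wins,
   wildcard-mask bit 0 = must equal the configured address, bit 1 = don't care,
   implicit deny at the end.
2. Extract the VTYMGT 4-tuple and the table-id mismatch from the debug output.
ACL_198 and DEBUG_LINES are copied from the post; everything else is ours.
"""
import ipaddress
import re

ACL_198 = """\
access-list 198 permit tcp 192.168.1.0  0.0.0.255 any
access-list 198 permit tcp 192.168.19.0 0.0.0.255 any
access-list 198 deny   ip any any log
"""

DEBUG_LINES = """\
000690: *Apr  2 13:12:56.623 EDT: VTYMGT: tableid = 0, laddr = 192.168.19.254, faddr = 192.168.1.1, lport = 22
000691: *Apr  2 13:12:56.624 EDT: vrfmgr: Tableid 0xFFF returned for ivrf id 0x0
000692: *Apr  2 13:12:56.624 EDT: VTYMGT: Connection table id (0) does not match LIIN table id (4095)
000693: *Apr  2 13:12:56.624 EDT: AN: INFRA_EVENT -  SSH connection detetced, failed to get vrf id
"""

# One address field of an extended ACE: "any", "host A.B.C.D" or "A.B.C.D W.W.W.W".
_ADDR = r"(?:any|host\s+\d+(?:\.\d+){3}|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})"
_ACE_RE = re.compile(
    rf"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})(?P<rest>(?:\s+\S+)*)\s*$"
)
_VTY_CONN_RE = re.compile(r"VTYMGT: tableid = (\d+), laddr = (\S+), faddr = (\S+), lport = (\d+)")
_MISMATCH_RE = re.compile(r"Connection table id \((\d+)\) does not match LIIN table id \((\d+)\)")


def _parse_addr(field):
    """Return (address, wildcard) as 32-bit ints for one ACE address field."""
    parts = field.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def _wild_match(addr, net, wild):
    mask = ~wild & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def parse_acl(text):
    """Parse numbered extended ACEs without port qualifiers into tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        rest = m["rest"].split()
        if rest and rest != ["log"]:  # eq/range/established etc. are not evaluated here
            raise ValueError(f"qualifiers not handled: {rest!r}")
        entries.append((m["action"], m["proto"], *_parse_addr(m["src"]), *_parse_addr(m["dst"])))
    return entries


def acl_decision(entries, proto, src, dst):
    """First-match evaluation; falls through to the implicit deny."""
    for action, p, src_net, src_wild, dst_net, dst_wild in entries:
        if p != "ip" and p != proto:
            continue
        if _wild_match(src, src_net, src_wild) and _wild_match(dst, dst_net, dst_wild):
            return action
    return "deny"


def triage_vty_debug(text):
    """Collect VTYMGT connection 4-tuples and any table-id mismatch from debug output."""
    result = {"connections": [], "table_id_mismatch": None}
    for line in text.splitlines():
        m = _VTY_CONN_RE.search(line)
        if m:
            result["connections"].append(
                {"tableid": int(m[1]), "laddr": m[2], "faddr": m[3], "lport": int(m[4])}
            )
        m = _MISMATCH_RE.search(line)
        if m:
            result["table_id_mismatch"] = (int(m[1]), int(m[2]))
    return result


if __name__ == "__main__":
    acl = parse_acl(ACL_198)
    # access-class checks the session's source address; the client got 192.168.1.1.
    print("access-class 198 for 192.168.1.1:", acl_decision(acl, "tcp", "192.168.1.1", "192.168.19.254"))
    t = triage_vty_debug(DEBUG_LINES)
    for c in t["connections"]:
        print(f"VTY session {c['faddr']} -> {c['laddr']}:{c['lport']} in table id {c['tableid']}")
    if t["table_id_mismatch"]:
        conn, liin = t["table_id_mismatch"]
        print(f"table-id mismatch: connection {conn} vs LIIN {liin} (0x{liin:X})")
```

The ACL check rules the access-class in or out as a cause before anything else is touched. In the debug, the 4095 in the mismatch line is 0xFFF, the same table id that vrfmgr returned on the line immediately before it, so the two messages describe one event rather than two separate problems.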