ā11-22-2023 12:30 PM
Hello community,
I am trying to implement IPSEC remote access VPN between Anyconnect on Windows and Cisco IOS router.
For some reason, i get the following error during the IKE_AUTH phase:
IKEv2-ERROR:AnyConnect EAP - failed to get author list
On the client side, the error is the following:
The VPN client failed to establish the connection.
The ikev2 configuration and the aaa are listed below :
crypto ikev2 authorization policy VPNPOL
pool SAKAS
netmask 255.255.255.0
route set interface
route set access-list split-tunnel
crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2
crypto ikev2 policy POLICY
proposal PROPOSAL
crypto ikev2 profile acvpn
match identity remote key-id *$AnyConnectClient$*
identity local address 209.165.202.130
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint VPN
aaa authentication anyconnect-eap AUTH
aaa authorization group anyconnect-eap list AUTHZ VPNPOL
virtual-template 1
aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local
I also named the profile that the client uses with the name of acvpn.xml
I do not know what I am missing to make it work.
Any help would be appreciated.
Thanks in advance.
ā11-22-2023 11:06 PM - edited ā11-22-2023 11:10 PM
@sakatzidisgiwrgos your IKEv2 profile is called "acvpn" (which it doesn't need to be) it should reference an anyconnect profile which must be called "acvpn", but you aren't referencing the anyconnect profile in your IKEv2 Profile. Amend as below and try again.
crypto vpn anyconnect profile acvpn bootflash:acvpn.xml
crypto ikev2 profile acvpn
anyconnect profile acvpn
What IOS image version are you running? Older versions did not support profile download, so if the above does not work disable profile download on the client and try again. You can disable the profile download using the AnyConnect VPN Profile Editor or manually change the XML profile configuration.
Note: In order to upload the XML profile to the router, Cisco IOSĀ® XE 16.9.1 version or later is required. If older version of Cisco IOSĀ® XE software is used, the profile download capability needs to be disabled on the client. Please refer to the section "Disable the AnyConnect downloader capability" for more information.
This step is only necessary if Cisco IOSĀ® XE software version older than 16.9.1 is used. Prior to Cisco IOSĀ® XE 16.9.1 the capability to upload the XML profile to the router was not available. The AnyConnect client tries to perform download of the XML profile after successful login by default. If the profile is not available, the connection fails. As a workaround, it is possible to disable the AnyConnect profile download capability on the client itself. In order to do that, this file can be modified:
For Windows:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml
For MAC OS:
/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml
The "BypassDownloader" option is set to "true", for example:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.6.03049">
<BypassDownloader>true</BypassDownloader>
After the modification, the AnyConnect client needs to be restarted.
ā11-23-2023 03:09 AM
Hey Rob,
The router i am using probably does not support pushing the profile to the clients, as in the ikev2 profile i do not the option to issue the anyconnect profile acvpn command.
And thats is why i imported the .xml profile manually to the client
ā11-27-2023 02:13 AM
Which version of AnyConnect do you use?
Could you please provide all debugs in one file?
show version
undebug all
debug crypto condition peer ipv4 <IP_of_the_peer> // can be checked with showip.net or any similar site if the client is behind NAT
debug crypto ikev2
debug crypto ikev2 error
debug crypto ikev2 internal
debug crypto ikev2 packet
debug crypto ipsec
debug crypto ipsec error
debug crypto ipsec message
debug crypto ipsec states
debug crypto ipsec hw-request
debug crypto kmi
debug vtemplate cloning
debug vtemplate error
debug vtemplate event
debug aaa authentication
debug aaa authorization
debug aaa per-user
debug ldap all // only if LDAP is used
debug radius //only if remote radius authentication is used
debug radius verbose //only if remote radius authentication is used
terminal monitor
ā11-27-2023 04:45 AM
ā11-27-2023 08:45 AM
Thanks. Based on the debugs everything goes fine, but in the end clients deletes the tunnel:
PQR-Rtr# 27 12:40:38.130: IKEv2:(SESSION ID = 3,SA ID = 1):Received Packet [From 192.0.2.2:4503/To 209.165.202.130:4500/VRF i0:f0]
Initiator SPI : 916C7D8461EEF3E2 - Responder SPI : 57AADFF4E7450014 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
*Nov 27 12:40:38.130: IKEv2-PAK:(SESSION ID = 3,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 6, length: 96
Payload contents:
DELETE Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol
PQR-Rtr# id: IKE, spi size: 0, num of spi: 0
NOTIFY(DELETE_REASON) Next payload: NONE, reserved: 0x0, length: 16
Security protocol id: IKE, spi size: 0, type: DELETE_REASON
We should check on the client why that happens. Could you please share:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml
Please also collect DART bundle and from that DART bundle get Cisco AnyConnect Secure Mobility Client\AnyConnect.txt
https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#ID-1427-0000001e
Alternatively you can run cmd.exe as Administrator, run powershell and execute:
Get-WinEvent -path "$env:SystemRoot\System32\Winevt\Logs\Cisco AnyConnect Secure Mobility Client.evtx" | select RecordId,TimeCreated,LevelDisplayName,Message | Format-List > ~/Desktop/AnyConnectLogs.txt
In the AnyConnect logs we should see more information why tunnel was deleted.
By the way 03.16.06.S is already EoL and affected by multiple security vulnerabilities. I would suggest an upgrade to a newer release.
https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/eos-eol-notice-c51-738519.html
https://software.cisco.com/download/home/286323714/type/282046477/release/Amsterdam-17.3.8a
AnyConnect 4.8 is also not supported anymore.
ā11-27-2023 11:07 AM
Sorry but I see in debug eap auth is timeout.
@sakatzidisgiwrgos do you add username and password to router for client ?
Do you check cert.?
Did you add aaa authz user cached ?
ā11-28-2023 06:37 AM
Yes i have a username with a password configured.
Also certificates are there.
And i added also this extra command.
ā11-28-2023 06:39 AM
ā11-28-2023 06:56 AM - edited ā11-28-2023 06:57 AM
Without data from AnyConnect client it will be impossible to provide exact root cause. We can start only guessing what is going on.
Anyway BypassDownloader option is still not set to true as suggested by @Rob Ingram . That means that AnyConnect will fail to verify profile/software updates on the VPN headend and connection will fail.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
After modifying AnyConnectLocalPolicy.xml you will need to restart PC or restart AnyConnect service (closing GUI is not enough). You might face additional problems as it's a new deployment, but as said before without AnyConnect logs it will be just guessing what is going on.
ā11-30-2023 10:17 AM
Hi friend
Change proposal to use sha1 and check again' I find bug that not using sha1 make client reject cert. Of router.
integrity sha1
ā11-30-2023 12:09 PM
Unfortunately it did not work.
ā11-30-2023 12:22 PM
Clear crypto isakmp sa
And check again
ā11-30-2023 12:56 PM
It did not work
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide