Re: IKEv2-ERROR:AnyConnect EAP - failed to get author list - Page 2

sakatzidisgiwrgos · ‎11-22-2023

Hello community,

I am trying to implement IPSEC remote access VPN between Anyconnect on Windows and Cisco IOS router.

For some reason, i get the following error during the IKE_AUTH phase:

IKEv2-ERROR:AnyConnect EAP - failed to get author list

On the client side, the error is the following:

The VPN client failed to establish the connection.

The ikev2 configuration and the aaa are listed below :

crypto ikev2 authorization policy VPNPOL
pool SAKAS
netmask 255.255.255.0
route set interface
route set access-list split-tunnel

crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2

crypto ikev2 policy POLICY
proposal PROPOSAL

crypto ikev2 profile acvpn
match identity remote key-id *$AnyConnectClient$*
identity local address 209.165.202.130
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint VPN
aaa authentication anyconnect-eap AUTH
aaa authorization group anyconnect-eap list AUTHZ VPNPOL
virtual-template 1

aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local

I also named the profile that the client uses with the name of acvpn.xml

I do not know what I am missing to make it work.

Any help would be appreciated.

Thanks in advance.

Rob Ingram · ‎11-22-2023

@sakatzidisgiwrgos your IKEv2 profile is called "acvpn" (which it doesn't need to be) it should reference an anyconnect profile which must be called "acvpn", but you aren't referencing the anyconnect profile in your IKEv2 Profile. Amend as below and try again.

crypto vpn anyconnect profile acvpn bootflash:acvpn.xml

crypto ikev2 profile acvpn
anyconnect profile acvpn

What IOS image version are you running? Older versions did not support profile download, so if the above does not work disable profile download on the client and try again. You can disable the profile download using the AnyConnect VPN Profile Editor or manually change the XML profile configuration.

Reference:- https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

Note: In order to upload the XML profile to the router, Cisco IOS® XE 16.9.1 version or later is required. If older version of Cisco IOS® XE software is used, the profile download capability needs to be disabled on the client. Please refer to the section "Disable the AnyConnect downloader capability" for more information.

Disable the AnyConnect downloader capability (optional).

This step is only necessary if Cisco IOS® XE software version older than 16.9.1 is used. Prior to Cisco IOS® XE 16.9.1 the capability to upload the XML profile to the router was not available. The AnyConnect client tries to perform download of the XML profile after successful login by default. If the profile is not available, the connection fails. As a workaround, it is possible to disable the AnyConnect profile download capability on the client itself. In order to do that, this file can be modified:

For Windows:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

For MAC OS:
/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml

The "BypassDownloader" option is set to "true", for example:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.6.03049">
<BypassDownloader>true</BypassDownloader>

After the modification, the AnyConnect client needs to be restarted.

sakatzidisgiwrgos · ‎11-23-2023

Hey Rob,

The router i am using probably does not support pushing the profile to the clients, as in the ikev2 profile i do not the option to issue the anyconnect profile acvpn command.

And thats is why i imported the .xml profile manually to the client

gajownik · ‎11-27-2023

Which version of AnyConnect do you use?

Could you please provide all debugs in one file?

show version
undebug all
debug crypto condition peer ipv4 <IP_of_the_peer> // can be checked with showip.net or any similar site if the client is behind NAT
debug crypto ikev2
debug crypto ikev2 error
debug crypto ikev2 internal
debug crypto ikev2 packet
debug crypto ipsec
debug crypto ipsec error
debug crypto ipsec message
debug crypto ipsec states
debug crypto ipsec hw-request
debug crypto kmi
debug vtemplate cloning
debug vtemplate error
debug vtemplate event
debug aaa authentication
debug aaa authorization
debug aaa per-user
debug ldap all // only if LDAP is used
debug radius //only if remote radius authentication is used
debug radius verbose //only if remote radius authentication is used
terminal monitor

sakatzidisgiwrgos · ‎11-27-2023

Hello gajownik,

I uploded the txt files.

The version of the Anyconnect is 4.8.01090

gajownik · ‎11-27-2023

Thanks. Based on the debugs everything goes fine, but in the end clients deletes the tunnel:

PQR-Rtr# 27 12:40:38.130: IKEv2:(SESSION ID = 3,SA ID = 1):Received Packet [From 192.0.2.2:4503/To 209.165.202.130:4500/VRF i0:f0]
Initiator SPI : 916C7D8461EEF3E2 - Responder SPI : 57AADFF4E7450014 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
*Nov 27 12:40:38.130: IKEv2-PAK:(SESSION ID = 3,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 6, length: 96
Payload contents:
DELETE Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol
PQR-Rtr# id: IKE, spi size: 0, num of spi: 0
NOTIFY(DELETE_REASON) Next payload: NONE, reserved: 0x0, length: 16
Security protocol id: IKE, spi size: 0, type: DELETE_REASON

We should check on the client why that happens. Could you please share:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

Please also collect DART bundle and from that DART bundle get Cisco AnyConnect Secure Mobility Client\AnyConnect.txt
https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#ID-1427-0000001e

Alternatively you can run cmd.exe as Administrator, run powershell and execute:
Get-WinEvent -path "$env:SystemRoot\System32\Winevt\Logs\Cisco AnyConnect Secure Mobility Client.evtx" | select RecordId,TimeCreated,LevelDisplayName,Message | Format-List > ~/Desktop/AnyConnectLogs.txt

In the AnyConnect logs we should see more information why tunnel was deleted.

By the way 03.16.06.S is already EoL and affected by multiple security vulnerabilities. I would suggest an upgrade to a newer release.
https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/eos-eol-notice-c51-738519.html

https://sec.cloudapps.cisco.com/security/center/softwarechecker.x?productSelected=ios_xe&selectedMethod=A&captchaPage=true&platformCode=NA&versionNamesSelected=3.16.6S&allAdvisoriesSelectedByTree=N&advisoryType=0&iosBundleId=cisco-sa-20230927-bundle&...

https://software.cisco.com/download/home/286323714/type/282046477/release/Amsterdam-17.3.8a

AnyConnect 4.8 is also not supported anymore.

MHM Cisco World · ‎11-27-2023

Sorry but I see in debug eap auth is timeout.

@sakatzidisgiwrgos do you add username and password to router for client ?

Do you check cert.?

Did you add aaa authz user cached ?

sakatzidisgiwrgos · ‎11-28-2023

Yes i have a username with a password configured.

Also certificates are there.

And i added also this extra command.

sakatzidisgiwrgos · ‎11-28-2023

Hello gajownik,

I uploaded the AnyConnectLocalPolicy.xml as an image.

Unfortunately, i can't upload the output of the powershell command, as i cant copy or transfer the file from the virtual lab environment that i have.

gajownik · ‎11-28-2023

Without data from AnyConnect client it will be impossible to provide exact root cause. We can start only guessing what is going on.

Anyway BypassDownloader option is still not set to true as suggested by @Rob Ingram . That means that AnyConnect will fail to verify profile/software updates on the VPN headend and connection will fail.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

After modifying AnyConnectLocalPolicy.xml you will need to restart PC or restart AnyConnect service (closing GUI is not enough). You might face additional problems as it's a new deployment, but as said before without AnyConnect logs it will be just guessing what is going on.

MHM Cisco World · ‎11-30-2023

Hi friend

Change proposal to use sha1 and check again' I find bug that not using sha1 make client reject cert. Of router.

integrity sha1

sakatzidisgiwrgos · ‎11-30-2023

Unfortunately it did not work.

MHM Cisco World · ‎11-30-2023

Clear crypto isakmp sa

And check again

sakatzidisgiwrgos · ‎11-30-2023

It did not work