02-18-2012 07:10 PM - edited 02-21-2020 05:53 PM
Hey guys, I need help with the full tunnel feature of the IOS SSL VPN using a Cisco 1841. Here is what I see...
-I login to the portal page and click the "Start" button for "Tunnel Connection (SVC)"
-Security Alert message "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?" I click yes.
-Anyconnect says "Please wait while VPN connection is established"
-Anyconnect error "The certificate on the secure gateway is invalid. The VPN connect will not establish"
I'm using a self signed certificate on the router. What am I missing?
Thanks!
Nick
02-20-2012 10:33 AM
Post a screen shot of the cert
02-21-2012 07:01 AM
I agree with Andrew - seeing the cert (or the base 64 representation of it from your router config) would help. Typically though, if the cert is generated by the router it should have the correct key usage. Try taking the ssl trustpoint command out from under the webvpn gateway and taking the gateway in and out of service (I believe it will regenerate a self-signed cert at that point; if not, generate your own self-signed cert and put the ssl trustpoint command back in).
--Jason
02-23-2012 10:29 PM
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nickster
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-24.T.bin
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name www.nickster.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint Nickster
enrollment selfsigned
serial-number none
fqdn www.nickster.com
ip-address 192.168.0.180
subject-name cn=www.nickster.com
revocation-check none
rsakeypair Nickster 1024 1024
!
!
crypto pki certificate chain Nickster
certificate self-signed 01
3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
58311930 17060355 04031310 7777772E 6E69636B 73746572 2E636F6D 313B301A
06092A86 4886F70D 01090813 0D313932 2E313638 2E302E31 3830301D 06092A86
4886F70D 01090216 10777777 2E6E6963 6B737465 722E636F 6D301E17 0D313230
32323430 35333130 345A170D 32303031 30313030 30303030 5A305831 19301706
03550403 13107777 772E6E69 636B7374 65722E63 6F6D313B 301A0609 2A864886
F70D0109 08130D31 39322E31 36382E30 2E313830 301D0609 2A864886 F70D0109
02161077 77772E6E 69636B73 7465722E 636F6D30 819F300D 06092A86 4886F70D
01010105 0003818D 00308189 02818100 9FA337CE 8E00E6BA 4E899495 A7F768B8
BAF5E80D BA99D19F 04676505 FEA0D59E DDFF6DC1 28601AAF EAB464A3 EA6E0BB6
20D9444C 58C20A5E 3316A7D1 E0EBAD6E FD230232 A51A9D11 FB03A1DA 8B278AB0
2E205146 1790B878 5E721126 D9D8F5F2 E8DA3FAA 90E0B45D 7256597F 5B93C00D
2CAA81AE 38EA2024 44A24778 83FC63ED 02030100 01A37930 77300F06 03551D13
0101FF04 05300301 01FF3024 0603551D 11041D30 1B82196E 69636B73 7465722E
7777772E 6E69636B 73746572 2E636F6D 301F0603 551D2304 18301680 14FA06A3
09F7F8F0 599E7AA2 F98D6DE9 30B56103 00301D06 03551D0E 04160414 FA06A309
F7F8F059 9E7AA2F9 8D6DE930 B5610300 300D0609 2A864886 F70D0101 04050003
81810055 9DEA3412 2D4E3193 3288AC6A 5AD07EE8 A3F40B1E 548F948C A4954695
2972B551 8FD0C9AD A9184F45 279DF582 5FB1BD15 63836FA9 B20C8C29 7CA01D67
A624B909 AC83A5D9 462B63B8 D4F046E6 BBC8A24E BA3D9D70 28C3DA0A 69AF469C
64EF3402 1D46DBAE D806158F AD6026D6 4E2EEDAA FA3A5BB9 E73A1D99 5E5A0FE3 FDE4D0
quit
!
!
username cisco1 privilege 15 secret 5 $1$9AyN$TgwBVTuAsl1p4/12NJSqO0
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.180 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
ip local pool webvpn_pool 192.168.5.1 192.168.5.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
ip http authentication local
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
speed 115200
line aux 0
line vty 5 15
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 192.168.0.180 port 443
http-redirect port 80
ssl trustpoint Nickster
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context WWW
secondary-color white
title-color #FFFF00
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "webvpn_pool"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list default
gateway gateway_1
inservice
!
end
!
!
!
% Key pair was generated at: 05:30:57 UTC Feb 24 2012
Key name: Nickster
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 009FA337
CE8E00E6 BA4E8994 95A7F768 B8BAF5E8 0DBA99D1 9F046765 05FEA0D5 9EDDFF6D
C128601A AFEAB464 A3EA6E0B B620D944 4C58C20A 5E3316A7 D1E0EBAD 6EFD2302
32A51A9D 11FB03A1 DA8B278A B02E2051 461790B8 785E7211 26D9D8F5 F2E8DA3F
AA90E0B4 5D725659 7F5B93C0 0D2CAA81 AE38EA20 2444A247 7883FC63 ED020301 0001
% Key pair was generated at: 05:31:01 UTC Feb 24 2012
Key name: Nickster
Storage Device: private-config
Usage: Encryption Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B85771
2EFB4C76 9B32C2A1 7993DA18 6509B7BD 1B0F4BF5 70F0E458 12772632 E30F3959
852E92EC 6956BC88 5D08399E 9D081565 6A74C6D7 12296220 AAEA7F3C 3BECA851
6B3E6F8D 07252BFD 2CFB2D7F DD5BBF1D 786E459F E8190C66 A018D9AD 01F373C7
E4ACB925 5D81F89B 098FDFF8 C9B930B1 1554B4D7 24BD4B48 A152D97B ED020301 0001
% Key pair was generated at: 05:31:04 UTC Feb 24 2012
Key name: Nickster.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AA0DC0 6867C8CC
9E07B3AE B946AD50 9FCB815C BB58B271 5F2EAD60 87AE4B80 E6DC3960 EA556B95
AF6B445E 93E0EB4D D50DD70D 3CD8A169 32D40A0F 83005F8F 72BCD038 E4620E44
9D9F0B13 00B6948F 5F9615F2 41B9BFCC 7E71123F 895C24ED A1020301 0001
!
!
!
02-24-2012 10:53 AM
Nick,
Not sure what the order of operations was here, but this is what I would do to correct it (this is the 'overly safe' method, you could probably get away without bringing the gateway down but I like to make sure nothing is held in memory).
You need to generate general usage keys for use with SSL. Try the following:
! shutdown gateway and remove trustpoint from gateway
conf t
webvpn gateway gateway_1
no inservice
no ssl trustpoint Nickster
! remove certificate referencing bad key
no crypto pki trustpoint Nickster
! generate new general usage key
crypto key generate rsa modulus 2048 general-keys
! put back trustpoint config and reference the keyname only with no modulus defined
crypto pki trustpoint Nickster
enrollment selfsigned
serial-number none
fqdn www.nickster.com
ip-address 192.168.0.180
subject-name cn=www.nickster.com
revocation-check none
rsakeypair Nickster
! recreate certificate
crypto pki enroll Nickster
! put trustpoint back in gateway config and restart gateway
webvpn gateway gateway_1
ssl trustpoint Nickster
inservice
02-24-2012 11:55 PM
Jason,
Thanks for your fast response. I gave it a try, but no love. Is it a problem that I'm not really Nickster.com? I don't think it would be, but you never know. Here is a paste of the config pieces you had me tweak. Let me know if you think of anything else to try. Oh, by the way, I'm getting the same error no matter which browser I use or whose computer I use.
!
crypto pki trustpoint Nickster
enrollment selfsigned
serial-number none
fqdn www.nickster.com
ip-address 192.168.0.180
subject-name cn=www.nickster.com
revocation-check none
rsakeypair Nickster
!
!
crypto pki certificate chain Nickster
certificate self-signed 01
3082021A 308201C4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
58311930 17060355 04031310 7777772E 6E69636B 73746572 2E636F6D 313B301A
06092A86 4886F70D 01090813 0D313932 2E313638 2E302E31 3830301D 06092A86
4886F70D 01090216 10777777 2E6E6963 6B737465 722E636F 6D301E17 0D313230
32323530 37343535 385A170D 32303031 30313030 30303030 5A305831 19301706
03550403 13107777 772E6E69 636B7374 65722E63 6F6D313B 301A0609 2A864886
F70D0109 08130D31 39322E31 36382E30 2E313830 301D0609 2A864886 F70D0109
02161077 77772E6E 69636B73 7465722E 636F6D30 5C300D06 092A8648 86F70D01
01010500 034B0030 48024100 9A6270F6 C69107C8 D11A69FD DD62D703 27458BA8
014D8F0B 5F81A689 AB5EC994 2927DBE7 D1FB365C C3D10C49 1D8BC273 E6FE27F4
3C100D56 F3C2325B 2DD45353 02030100 01A37930 77300F06 03551D13 0101FF04
05300301 01FF3024 0603551D 11041D30 1B82196E 69636B73 7465722E 7777772E
6E69636B 73746572 2E636F6D 301F0603 551D2304 18301680 14DF4305 15B0E905
F8A930EF EC3FAE5F 0F9F6C0A 61301D06 03551D0E 04160414 DF430515 B0E905F8
A930EFEC 3FAE5F0F 9F6C0A61 300D0609 2A864886 F70D0101 04050003 41007691
34C3CFD7 A5517700 D85914C5 39AE5BC3 F9F53302 94597F93 7EF44558 3CABE8BB
5178D8B5 AA3F5348 527C2523 30E1D609 0F043506 2EDC1DC2 695887C4 E4FB
quit
!
!
webvpn gateway gateway_1
ip address 192.168.0.180 port 443
http-redirect port 80
ssl trustpoint Nickster
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context WWW
secondary-color white
title-color #FFFF00
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "webvpn_pool"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list default
gateway gateway_1
inservice
!
nickster#show cry key my rsa
% Key pair was generated at: 07:44:17 UTC Feb 25 2012
Key name: nickster.www.nickster.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C40735 327A32B0 E1070118 C1D6B719 644EC1D1 B3A30538 9D8FD2BE 33255E89
96F973D5 FBDF7582 E4075C40 E7AE2B8F DC6C5C23 DF0643B8 C9B5D41F E9C7E093
C41A6E8A EA87D4B2 52A2EA31 AA363D55 51450CF2 C8D40C0D 2B4C6398 CF035947
99B68B65 CE7EBA4F AE1FEEF2 6343946C 3046E92A 6DF06C96 67A92430 76EA4732
C26353A8 66438407 A952D07E 74797383 915DA295 6BA2CD7D B576F484 86C41134
8719CC4D 28A6702E E5D80AA7 169F0759 C28A25D6 72DC2927 C6C5EC56 4565560A
FD1FAF63 0FC60ABE 936D99C9 DA271129 169FA97A 7F42DBEF 456C751B D6EFD574
1D35D458 62772B55 560F1C75 4B3C49AB 4D563707 DE0D333D DDCFBBFB 2B9097F6
B9020301 0001
% Key pair was generated at: 07:44:20 UTC Feb 25 2012
Key name: nickster.www.nickster.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 008E753C C5B9C9D0
A29EB19B E104B4ED 83107AB6 7FC646DA 85FC71BC 64EFE4DA 644376C3 D2FFB7BE
8190CE28 03E55E6C B9467E2B 9EB0EDEB DB47B78F 9DF17DA1 F998A250 B6BA713E
F6CA1F92 3B9084CA DDC40060 64005D3B DBCD2EDD 932F28D0 BB020301 0001
% Key pair was generated at: 07:45:55 UTC Feb 25 2012
Key name: Nickster
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 009A6270 F6C69107
C8D11A69 FDDD62D7 0327458B A8014D8F 0B5F81A6 89AB5EC9 942927DB E7D1FB36
5CC3D10C 491D8BC2 73E6FE27 F43C100D 56F3C232 5B2DD453 53020301 0001
!
02-25-2012 06:37 AM
Nick,
Get a 'debug crypto pki transactions' and 'debug crypto pki validation' from the router when you try to connect. Also, assuming that you are running anyconnect on Windows, there should be a log with anyconnect messages in them - that might yield some information as well.
03-01-2012 10:06 PM
Jason,
I started the debugs as you asked. I log in and accept the cert, and all I see are these.
!
*Mar 2 06:04:00.303: CRYPTO_PKI: Identity selected (Nickster) for session 10001
*Mar 2 06:04:00.307: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:00.311: CRYPTO_PKI: Identity selected (Nickster) for session 10002
*Mar 2 06:04:00.311: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:00.315: CRYPTO_PKI: Identity selected (Nickster) for session 10003
*Mar 2 06:04:00.319: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:00.319: CRYPTO_PKI: Identity selected (Nickster) for session 10004
*Mar 2 06:04:00.323: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:00.323: CRYPTO_PKI: Identity selected (Nickster) for session 10005
*Mar 2 06:04:00.327: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:00.331: CRYPTO_PKI: Identity selected (Nickster) for session 10006
*Mar 2 06:04:00.331: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.087: CRYPTO_PKI: Identity selected (Nickster) for session 10007
*Mar 2 06:04:07.091: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.151: CRYPTO_PKI: Identity selected (Nickster) for session 10008
*Mar 2 06:04:07.155: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.175: CRYPTO_PKI: Identity selected (Nickster) for session 10009
*Mar 2 06:04:07.175: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.179: CRYPTO_PKI: Identity selected (Nickster) for session 1000A
*Mar 2 06:04:07.179: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.183: CRYPTO_PKI: Identity selected (Nickster) for session 1000B
*Mar 2 06:04:07.187: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.447: CRYPTO_PKI: Identity selected (Nickster) for session 1000C
*Mar 2 06:04:07.451: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.451: CRYPTO_PKI: Identity selected (Nickster) for session 1000D
*Mar 2 06:04:07.455: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.503: CRYPTO_PKI: Identity selected (Nickster) for session 1000E
*Mar 2 06:04:07.507: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:07.507: CRYPTO_PKI: Identity selected (Nickster) for session 1000F
*Mar 2 06:04:07.511: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.571: CRYPTO_PKI: Identity selected (Nickster) for session 10010
*Mar 2 06:04:19.571: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.639: CRYPTO_PKI: Identity selected (Nickster) for session 10011
*Mar 2 06:04:19.643: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.775: CRYPTO_PKI: Identity selected (Nickster) for session 10012
*Mar 2 06:04:19.779: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.831: CRYPTO_PKI: Identity selected (Nickster) for session 10013
*Mar 2 06:04:19.835: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.871: CRYPTO_PKI: Identity selected (Nickster) for session 10014
*Mar 2 06:04:19.871: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.975: CRYPTO_PKI: Identity selected (Nickster) for session 10015
*Mar 2 06:04:19.979: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.983: CRYPTO_PKI: Identity selected (Nickster) for session 10016
*Mar 2 06:04:19.983: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:19.987: CRYPTO_PKI: Identity selected (Nickster) for session 10017
*Mar 2 06:04:19.987: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:20.039: CRYPTO_PKI: Identity selected (Nickster) for session 10018
*Mar 2 06:04:20.043: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:20.059: CRYPTO_PKI: Identity selected (Nickster) for session 10019
*Mar 2 06:04:20.063: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:20.063: CRYPTO_PKI: Identity selected (Nickster) for session 1001A
*Mar 2 06:04:20.067: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:20.067: CRYPTO_PKI: Identity selected (Nickster) for session 1001B
*Mar 2 06:04:20.071: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
nickster#
nickster#
*Mar 2 06:04:43.135: CRYPTO_PKI: Identity selected (Nickster) for session 1001C
*Mar 2 06:04:43.139: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:46.835: CRYPTO_PKI: Identity selected (Nickster) for session 1001D
*Mar 2 06:04:46.839: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:49.175: CRYPTO_PKI: Identity selected (Nickster) for session 1001E
*Mar 2 06:04:49.179: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:04:57.363: CRYPTO_PKI: Identity selected (Nickster) for session 1001F
*Mar 2 06:04:57.363: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:03.503: CRYPTO_PKI: Identity selected (Nickster) for session 10020
*Mar 2 06:05:03.507: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:20.563: CRYPTO_PKI: Identity selected (Nickster) for session 10021
*Mar 2 06:05:20.563: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:22.991: CRYPTO_PKI: Identity selected (Nickster) for session 10022
*Mar 2 06:05:22.991: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:25.471: CRYPTO_PKI: Identity selected (Nickster) for session 10023
*Mar 2 06:05:25.475: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:26.959: CRYPTO_PKI: Identity selected (Nickster) for session 10024
*Mar 2 06:05:26.959: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
*Mar 2 06:05:29.011: CRYPTO_PKI: Identity selected (Nickster) for session 10025
*Mar 2 06:05:29.015: CRYPTO_PKI: unlocked trustpoint Nickster, refcount is 0
!
Does this mean anything?
Nick
03-01-2012 10:28 PM
Jason,
Here is what I see with a 'debug webvpn'. All I do is initiate using the Anyconnect client.
!
nickster#
*Mar 2 06:27:08.365: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:08.369: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:10.205: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:10.205: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:10.213: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:10.213: WV: Entering APPL with Context: 0x66B856A0,
Data buffer(buffer: 0x66BBDC38, data: 0xF612F818, len: 1,
offset: 0, domain: 0)
*Mar 2 06:27:10.213: WV: Fragmented App data - buffered
*Mar 2 06:27:10.213: WV: Entering APPL with Context: 0x66B856A0,
Data buffer(buffer: 0x66BBD758, data: 0xF5C0D438, len: 236,
offset: 0, domain: 0)
*Mar 2 06:27:10.213: WV: Appl. processing Failed : 2
*Mar 2 06:27:10.213: WV: server side not ready to send.
*Mar 2 06:27:18.253: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:18.257: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:19.373: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:19.377: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:19.381: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:19.381: WV: Entering APPL with Context: 0x66B85028,
Data buffer(buffer: 0x66BBDC38, data: 0xF61305D8, len: 1,
offset: 0, domain: 0)
*Mar 2 06:27:19.381: WV: Fragmented App data - buffered
*Mar 2 06:27:19.381: WV: Entering APPL with Context: 0x66B85028,
Data buffer(buffer: 0x66BBD758, data: 0xF5C0FB38, len: 236,
offset: 0, domain: 0)
*Mar 2 06:27:19.381: WV: Appl. processing Failed : 2
*Mar 2 06:27:19.385: WV: server side not ready to send.
*Mar 2 06:27:21.437: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:21.441: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:21.913: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:21.913: WV: Entering APPL with Context: 0x66B849B0,
Data buffer(buffer: 0x66BBDC38, data: 0xF61F2298, len: 589,
offset: 0, domain: 0)
*Mar 2 06:27:21.913: WV: http request: /test.html with cookie: Cookie: webvpn=00@3232235717@00000@3539657059@0040591968@WWW; webvpnc="p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:11F614436F9A65CAAB10254978E0FA62593B2F5A&"; webvpnlang=1
*Mar 2 06:27:21.913: WV: [Q]Client side Chunk data written..
buffer=0x66BBD758 total_len=1009 bytes=1009 tcb=0x67ACA844
*Mar 2 06:27:21.913: WV: Client side Chunk data written..
buffer=0x66BBD738 total_len=134 bytes=134 tcb=0x67ACA844
*Mar 2 06:27:21.917: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:21.985: WV: sslvpn process rcvd context queue event
*Mar 2 06:27:21.985: WV: Entering APPL with Context: 0x66B849B0,
Data buffer(buffer: 0x66BBDC38, data: 0xF6132758, len: 489,
offset: 0, domain: 0)
*Mar 2 06:27:21.989: WV: http request: /favicon.ico with cookie: Cookie: webvpn=00@3232235717@00000@3539657059@0040591968@WWW; webvpnc="p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:11F614436F9A65CAAB10254978E0FA62593B2F5A&"; webvpnlang=1
*Mar 2 06:27:21.989: WV: Client side Chunk data written..
buffer=0x66BBD738 total_len=135 bytes=135 tcb=0x67ACA844
*Mar 2 06:27:21.989: WV: sslvpn process rcvd context queue event
nickster#
!
03-01-2012 11:18 PM
Jason,
I got it to work, but I had to do 2 specific things: (1) I had to modify my hosts file and (2) I had to manually install the cert into the trusted folder. I arrived at this solution by analyzing the cert details in Windows 7. I noticed that no matter how I generated the cert on the router, it had a "Subject Alternative Name" field set to "DNS=X.X" where X.X was the "hostname.domain". So, I generated a cert where my host and domain name were both "nick". Then I modified my hosts file to have an entry "192.168.0.180 nick.nick". The moment I did this, my browser (Chrome) saw my router as a trusted site (green lock next to the URL), because the DNS lookup matched what the cert claimed. However, it STILL didn't work at this point, so I manually installed the cert into the trusted folder. Please note that I went back and tried both of these steps independently and it did not work. I have to do BOTH to make it work.
Can anyone explain this to me? Is this because AnyConnect has such strict rules on cert checking that you must have a verifiable domain?
Nick
03-02-2012 08:22 AM
Nicholas,
This is starting to sound familiar - what version of anyconnect are you using?
A. This error occurs due to an issue documented in Cisco bug ID CSCtb73337 (registered customers only). AnyConnect Client version 2.4 does not work with a Cisco IOS headend when a certificate is used that is not trusted, or when there is a mismatch between the host name entered in the URL and the CN (common name) or SAN (subject alternative name) in the Cisco IOS router certificate.
AnyConnect 2.4 fails to connect with Cisco IOS headend due to certificate verify fail error.
This issue can be resolved through one of these workarounds:
- Make sure that the router certificate is trusted (import into certificate store) and then match the CN/SAN on the certificate to that of the URL. If there is no DNS entry, then you can use a local DNS entry by updating the host file for the host name in certificate.
- Downgrade AnyConnect to a previous version: 2.3.
Also, I'm not sure Chrome can install certs - you might need to browse your ASA with Internet Explorer, which can install certs in the Windows store on the fly so you don't have to manually install it.
However, the easiest way would be to get a valid cert (from Godaddy, for example) and put the entry in DNS and this issue should go away.
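To make the two checks in this thread concrete, here is an added example (not code from Nick, Jason, or Cisco) that parses the second self-signed certificate Nick pasted from his router config and runs a name check against the three hosts a user might type into the browser. It uses only the Python standard library; the matching rules follow RFC 6125 (IP literals need an iPAddress SAN, DNS names are compared with dNSName SANs first and with the CN only when the cert has no dNSName) and are an assumption about typical client behaviour, not a description of AnyConnect's internal logic.

```python
"""Added example (stdlib only): parse the self-signed cert pasted in the thread and
apply RFC 6125-style name matching. Matching rules are an assumption, not AnyConnect's."""
import ipaddress

# Second self-signed certificate from the thread (router config hex, as pasted).
ROUTER_CERT_HEX = """
3082021A 308201C4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
58311930 17060355 04031310 7777772E 6E69636B 73746572 2E636F6D 313B301A
06092A86 4886F70D 01090813 0D313932 2E313638 2E302E31 3830301D 06092A86
4886F70D 01090216 10777777 2E6E6963 6B737465 722E636F 6D301E17 0D313230
32323530 37343535 385A170D 32303031 30313030 30303030 5A305831 19301706
03550403 13107777 772E6E69 636B7374 65722E63 6F6D313B 301A0609 2A864886
F70D0109 08130D31 39322E31 36382E30 2E313830 301D0609 2A864886 F70D0109
02161077 77772E6E 69636B73 7465722E 636F6D30 5C300D06 092A8648 86F70D01
01010500 034B0030 48024100 9A6270F6 C69107C8 D11A69FD DD62D703 27458BA8
014D8F0B 5F81A689 AB5EC994 2927DBE7 D1FB365C C3D10C49 1D8BC273 E6FE27F4
3C100D56 F3C2325B 2DD45353 02030100 01A37930 77300F06 03551D13 0101FF04
05300301 01FF3024 0603551D 11041D30 1B82196E 69636B73 7465722E 7777772E
6E69636B 73746572 2E636F6D 301F0603 551D2304 18301680 14DF4305 15B0E905
F8A930EF EC3FAE5F 0F9F6C0A 61301D06 03551D0E 04160414 DF430515 B0E905F8
A930EFEC 3FAE5F0F 9F6C0A61 300D0609 2A864886 F70D0101 04050003 41007691
34C3CFD7 A5517700 D85914C5 39AE5BC3 F9F53302 94597F93 7EF44558 3CABE8BB
5178D8B5 AA3F5348 527C2523 30E1D609 0F043506 2EDC1DC2 695887C4 E4FB
"""
OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName
OID_SUBJECT_ALT = bytes.fromhex("551D11")   # id-ce-subjectAltName

def read_tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlv(buf):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def name_cn(name):
    """commonName from an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in iter_tlv(name):
        for _, atv in iter_tlv(rdn):
            (_, oid), (_, value) = list(iter_tlv(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("ascii")
    return None

def san_names(ext_seq):
    """(dNSName list, iPAddress list) from subjectAltName; empty lists if absent."""
    dns, ips = [], []
    for _, ext in iter_tlv(ext_seq):
        parts = list(iter_tlv(ext))          # OID, optional critical BOOLEAN, OCTET STRING
        if parts[0][1] != OID_SUBJECT_ALT:
            continue
        for tag, gn in iter_tlv(read_tlv(parts[-1][1])[1]):   # unwrap GeneralNames SEQUENCE
            if tag == 0x82:                  # [2] dNSName
                dns.append(gn.decode("ascii"))
            elif tag == 0x87:                # [7] iPAddress, packed bytes
                ips.append(str(ipaddress.ip_address(gn)))
    return dns, ips

def parse_cert(der):
    """Subject CN, SAN entries and self-signed flag from a DER certificate."""
    _, tbs, _ = read_tlv(read_tlv(der)[1])
    tag, _, pos = read_tlv(tbs)
    pos = pos if tag == 0xA0 else 0          # explicit [0] version tag is optional (v1 certs)
    fields = []
    for _ in range(6):                       # serial, sigAlg, issuer, validity, subject, SPKI
        _, value, pos = read_tlv(tbs, pos)
        fields.append(value)
    issuer, subject = fields[2], fields[4]
    dns, ips = [], []
    while pos < len(tbs):                    # optional UIDs, then [3] extensions
        tag, value, pos = read_tlv(tbs, pos)
        if tag == 0xA3:
            dns, ips = san_names(read_tlv(value)[1])
    return {"subject_cn": name_cn(subject), "san_dns": dns, "san_ip": ips,
            "self_signed": issuer == subject}

def _dns_match(pattern, host):
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):             # wildcard stands for exactly one left-most label
        return host.split(".")[1:] == pattern.split(".")[1:]
    return pattern == host

def hostname_matches(info, url_host):
    """RFC 6125 style: an IP literal needs an iPAddress SAN; a DNS name must match a
    dNSName SAN, and the CN is consulted only if the cert has no dNSName at all."""
    try:
        return str(ipaddress.ip_address(url_host)) in info["san_ip"]
    except ValueError:
        pass                                 # not an IP literal: treat as a DNS name
    if info["san_dns"]:
        return any(_dns_match(p, url_host) for p in info["san_dns"])
    return info["subject_cn"] is not None and _dns_match(info["subject_cn"], url_host)

ROUTER_CERT = parse_cert(bytes.fromhex("".join(ROUTER_CERT_HEX.split())))

if __name__ == "__main__":
    print(ROUTER_CERT)
    for host in ("192.168.0.180", "www.nickster.com", "nickster.www.nickster.com"):
        print(f"{host:26} name match: {hostname_matches(ROUTER_CERT, host)}")
```

Running it shows what Nick saw in the Windows certificate viewer: the subject CN is www.nickster.com, the only SAN entry is the dNSName nickster.www.nickster.com (the router's hostname followed by its ip domain name), there is no iPAddress entry, and the certificate is self-signed. So https://192.168.0.180 can never pass the name check, www.nickster.com fails because a dNSName SAN is present and takes precedence over the CN, and only nickster.www.nickster.com matches, which is exactly what the hosts-file entry for hostname.domain fixed. The name check and the trust check are independent: with self_signed true there is no chain to a root the client already trusts, so the certificate still has to be imported into the trusted store (or replaced by a CA-issued one) before the second step in the workaround is satisfied.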