cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1705
Views
0
Helpful
8
Replies

New Cisco 2800 WebVPN - Context inactive

chrisrostie
Level 1
Level 1

ALL -

I am experiencing a very weird issue with a fresh install of a Cisco 2800 at a client

site. I have configured the router as a zone-based firewall and then moved forward with setting up a Anyconnect WebVPN.

The issue I am having is I cannot in anyway get the WebVPN context to go into the "Up" state. In reviewing the config I can see that under the context "no inservice" is entered. Entering config mode I change it to "inservice" however it does not change in the config and will not remain even on a write mem.

The gateway that the context is associated with is "up".  When I navigate to the WebVPN website I receive the following error on the page:

"The requested WebVPN domain is not in service"

I was up very late last night searching this and every forum but was unable to solve the above issue. I must be missing something very straightforward here and would greatly appreciated any help with this issue.

I am running (C2801-ADVSECURITYK9-M), Version 15.1(1)XB

My current config is attached.

8 Replies 8

chrisrostie
Level 1
Level 1

Bump - Still unresolved. Any ideas why my WebVPN won't come up?

Any help on this one would be greatly appreciated!

Chris

Hi,

I am running the same IOS version as you on a Cisco 2811 and I have the same problem.   I also have my Router configured as a Firewall.  I looked the past 12 hours at this problem and i'm getting crazy now...!!

I am using functions like:  ip inspect (CBAC),  ip ips  (Intrusion Prevention), some extended ACL's and some other things.

I don't have a lot of possibilities to test because this is not a test router so I couldn't do a fresh install and then later add all my firewall components (because then we know WHAT is causing this).

I tried several things:

- Disabling IPS

- Disabling IP Inspect (CBAC)

- Disabling "no ip virtual-reassembly" on the interface to which the WebVPN is bound. (so actually it is "ip virtual-reassembly" then).

Beside the fact that i always see: "no inservice"  under the webvpn context, i also see something strange with the 'virtual-template X'.

Look at:  "show ip int brief",  are they all up  (the virtual template and the virtual access ?)

Unfortunatelly i have no possibility to reboot the router next for the next few weeks.. so i can't clear the virtual-access and virtual-template  interfaces completely....

Maybe you can do a step-by-step install.. then add all components/functionality step-by-step  and see what is causing this.. ?

Kind regards,

Roel Broersma

Roel - Unfortunatly I am in the same boat! My router is in production and I can only reboot during a brief window each night. I still have not resolved this issue as well. The description you provided of your symptoms is the same as I see. I have been hoping that someone that has experience with this issue will respond soon. I am running out of time with my customer to get a fix. My router is unfortunately not under support or I would contact TAC on this one.

The interesting think is when you search all the boards for info on how to resolve the issue, the first thing multiple posters ask is " What does a show webvpn context... show" Then the reply is " the context is up" by the individual with the issue. So, if this is the first question that potential helpers ask, then you would think someone would know what to do when it is not up. Alas, this is frustrating...

Roel if I get any headway on this issue I will surely post here my results!

Hi ChrisRostie,

I'm sorry, but i am leaving in 20 hours to Austria (by car) to ski.  And because of this stupid problem I didn't slept last night...before i knew it was 07:00 o'clock again.. otherwise i would have gone further this night...

I have a spare 2621XM to play with, but i prefer to get it working on the 2811 at the beginning.   I think to strip my config (drop IP IPS,  IP INSPECT, ACL's and NAT and then try it again..).  I can start with that 2 March at the earliest.

BTW. I don't have a support contract myselft but i 'maintain' routers for some customers which have it.  You don't have anything about it, except the downloading of software.  I think we're on our own here, but that is not a problem because we get to know the cause...

Can you please say all the functions your are using or give a summary of your config  (please strip the long ACL's, routes and NAT entries to 1 or 2 rules).

I just want to compare functional things. (packet inspect, virtual reassembly.. etc.. BTW. Can you reboot tonight?)

I'll be here for another 4 before going to sleep...finally..

Kind regards,

Roel Broersma

chrisrostie, did you already find a solution ?  I walked through your config and saw you are using different functions than I am using... actually.. we are using a totally different config. I am using autoqos, ip inspect, acl and some other. You are using zones, policy maps  (i am using that too) and other things.

You are using an 2801,  i am using an 2811 with 768MB memory.  We both have the last IOS.

Send me a mail at roel -a-t- gigaweb -d-o-t- nl and we discuss further.

Kind regards,

Roel

This is a known bug in 15.1(1)XB:
CSCtc72615    SSLVPN: Inservice command is not working for webvpn context

Is there any particular reason why you are running that version? You should never be running X or Y versions unless there is a specific need (usually, if you are using new hardware that is not yet supported in an M or T release).

So I suspect that if you go to 15.0(1)M2 you should be fine.

Edit: 15.0(1)M1 is available now, 15.0(1)M2 is expected soon.

hth

Herbert

Herbert,  thanks.

Problems with 15.0(1)M1:

I had some problems with 15.0(1)M1 release too (when scanning for signatures (ip ips), I had some packet loss or something like that (our webservers, email servers and voip conversations were not working good anymore, something I didn't had with the 12.4T release).

Why did we upgraded to 15.x ?

We upgraded to 15.x because the speed (and use of resources) of the IOS is much better.  Before we had some problems with "auto qos" / voip: When the router was doing check_heaps (every x seconds / minute), it used quite some %CPU and our voip conversations were uggly.. until the check_heaps was finished .. a few seconds later..    When we start using 15.x that was not a problem anymore.

When does 15.0(1)M2 arrive ?

I won't pin you on this one.. but i am just making a global planning.  Do you have any idea if it will arrive this week.. next week...next month.. ?

Just some informal estimate.. ?

Kind regards,

Roel Broersma

Roel,

sorry to hear you've been having all these problems. I can't really give a recommendation then without checking those issues in more detail, but that would lead me outside my domain I'm afraid.

When does 15.0(1)M2 arrive ?

I won't pin you on this one.. but i am just making a global planning.  Do you have any idea if it will arrive this week.. next week...next month.. ?

Just some informal estimate.. ?

Sorry, I don't know. Anything is possible... much depends on the QA testing that is done on the release candidate(s), if any catastrophic bugs are found then the release can be delayed by a few days or weeks.

You could also keep an eye out for 15.1(1)T which is also expected soon (sorry, same remark applies here). If 15.1(1)XB was working fine for you (apart from the webvpn issue) then that might be the way to go...

hth

Herbert