No SSL VPN tunnel from AnyConnect to IOS

grischast (Level 1)

Dear all

Due to the annoying WWAN issues with the old Cisco VPN client (IPsec), I am trying to establish remote access to a LAN behind a Cisco 1803 using AnyConnect and SSL VPN.

But I simply cannot make it work.

I have a Cisco 1803 running IOS Version 12.4(15)T15, and I have tried AnyConnect 3.0 and 2.4 on Windows XP and Mac OS 10.5; none of them established a VPN connection to the router, saying nothing more than "Connection attempt has failed".

Here is my configuration on the router:

crypto pki trustpoint TP-self-signed-595019360
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-595019360
 revocation-check none
 rsakeypair TP-self-signed-595019360
!
!
crypto pki certificate chain TP-self-signed-595019360
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  [......skipped....]
!
interface Loopback123
 ip address 192.168.123.254 255.255.255.0
!
ip local pool GS-POOL 192.168.123.1 192.168.123.10
!
webvpn gateway GS-GW
 hostname GS-VPN-test
 ip address x.x.x.x port 443
 ssl trustpoint TP-self-signed-595019360
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context GS-CONTEXT
 ssl authenticate verify all
 !
 policy group GS-POLICY
   functions svc-required
   svc address-pool "GS-POOL"
 default-group-policy GS-POLICY
 gateway GS-GW
 inservice

These are my debug settings:

#sh debug
WebVPN Subsystem:
  WebVPN (verbose) debugging is on
  debug webvpn entry GS-CONTEXT
  WebVPN HTTP (verbose) debugging is on
  WebVPN AAA debugging is on
  WebVPN tunnel (verbose) debugging is on
  WebVPN Single Sign On debugging is on

And these are all debug messages I get upon incoming connection:

Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event

At this point I have to accept the self-signed certificate in the AnyConnect client. Doing so repeats these messages another five times. Then I have to accept the certificate in the client a second time (WHY?). Then the router gives these messages:

Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
        buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
        buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
        buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
        buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
        buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
        buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event

At this point the Anyconnect client says "Connection attempt failed" and that's all.

So please, any advice how to solve this?

And do I have to install any particular svc.pkg in the flash? As far as I have found out, you can install only one client package (how do you serve different clients then?). But if I use a permanently installed AnyConnect on my client system, the installed svc.pkg on the router doesn't matter at all, right?

Thanks a lot for any suggestions,

Grischa

2 Replies

Herbert Baerten (Cisco Employee)

Grischa

You do need to install a pkg on the router. It does not necessarily have to be the same version the client is running.

You can install multiple pkgs by adding a sequence number on the CLI.

Now, AC 3.x will not work with your IOS version; you'll need at least 15.0(1)M6 I believe, not sure off the top of my head.

If you're still having problems, the first thing to do is check the AnyConnect event log.

hth

Herbert

Some more restrictions:

12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.

In addition, with an untrusted certificate you will run into this bug, which is not resolved in 12.4(15)T:

CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch

In short, if it's possible to upgrade, go to 15.0(1)M7 (or the latest 12.4(24)Tx if 15.0 is out of the question).

If you're stuck with 12.4(15)T, only use AC 2.x with weblaunch, and make sure the host trusts the router's certificate (create a trustpoint, enroll it, and import the certificate on the client into the trusted root store).

hth

Herbert
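Putting Herbert's two pieces of advice together (several client packages installed with sequence numbers, and a router certificate whose name the client can check and trust), here is an added example configuration; it is not from the original post or from Cisco. The trustpoint name GS-VPN-TP, the key label GS-VPN-KEY, the hostname vpn.example.net and the package file names and versions are assumptions chosen for illustration; the commands themselves are standard IOS PKI and WebVPN syntax. The `x.x.x.x` placeholder is kept from the original post.

```ios
! Added example, not from the thread. Trustpoint/key names, the
! hostname and the package file names are assumed; adapt them.
!
! 1. Dedicated RSA key and a self-signed trustpoint whose subject CN is
!    the DNS name the AnyConnect client will connect to. A matching name
!    avoids the "name mismatch" half of CSCtb73337; the import in step 2
!    avoids the "not trusted" half.
crypto key generate rsa label GS-VPN-KEY modulus 2048
!
crypto pki trustpoint GS-VPN-TP
 enrollment selfsigned
 subject-name CN=vpn.example.net
 rsakeypair GS-VPN-KEY
 revocation-check none
!
crypto pki enroll GS-VPN-TP
!
! 2. Print the certificate in PEM form so it can be copied into the
!    client's trusted root store. Only the certificate leaves the
!    router, never the private key.
crypto pki export GS-VPN-TP pem terminal
!
! 3. Bind the trustpoint to the gateway. The gateway hostname must be
!    the same name the user types into AnyConnect.
webvpn gateway GS-GW
 hostname vpn.example.net
 ip address x.x.x.x port 443
 ssl trustpoint GS-VPN-TP
 inservice
!
! 4. One client package per platform, distinguished by sequence number,
!    so each connecting OS is offered a package built for it.
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.2014-k9.pkg sequence 2
```

Save the PEM printed in step 2 to a file on the client and add it to the trusted root store: on Mac OS X `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain router.pem`, on Windows `certutil -addstore Root router.pem`. Then connect to vpn.example.net (not to the raw IP, or the CN check fails again). On the router, `show webvpn install status svc` lists the installed packages and their sequence numbers. Note that this only removes the certificate obstacle; the IOS version limits in Herbert's replies (AC 3.x needs 15.0(1)M, standalone mode needs 12.4(20)T or later) still apply.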