SSL-VPN Anyconnect fails after rebooting 2811

Peter Miller
Level 1

Hello all,

I have set up an AnyConnect SSL-VPN on my 2811 and it works just great, but after a reboot it fails. I think it has something to do with the SSL cert being erased. Here is my configuration, please let me know if you need anything else:

! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
aaa new-model
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
 revocation-check none
!
crypto pki certificate chain TP-self-signed-XXXXXXXXXX
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363535 34343437 3534301E 170D3132 30393237 30373033
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353534
  34343735 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E 78713B48
  E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC
  5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875
  7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E
  BE090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301D06
  03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300D0609
  2A864886 F70D0101 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A
  A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43
  9A637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416
  10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8
  23191E2E E4BF390B D62DAA2B 351C09
        quit
username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
ip local pool SSL-VPN 192.168.11.5 192.168.11.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
webvpn gateway gateway_1
 ip interface Dialer1 port 443
 ssl trustpoint SSL-VPN
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
!
webvpn context SSL-VPN
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "SSL-VPN"
   svc default-domain "DOMAIN"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary DNS-SERVER
 default-group-policy policy_1
 gateway gateway_1
 inservice


6 Replies

Peter Miller
Level 1

I also made a backup of the config when it was working, and I think I nailed the problem, but I don't know why it is doing this. Backup config:

crypto pki trustpoint SSL-VPN
 enrollment selfsigned
 serial-number
 subject-name cn=SSL-VPN
 revocation-check crl
 rsakeypair SSL-VPN
!
!
crypto pki certificate chain SSL-VPN
 certificate self-signed 05 nvram:XXXXXXXXXXXXXX.cer

If you look at the previous version it removed this and added garbage code, WHY?
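The two configs above show the failure mode side by side: the working backup has a named trustpoint `SSL-VPN` with its own `rsakeypair` and a persisted certificate, while the post-reboot config has lost that trustpoint and gained an auto-named `TP-self-signed-*` one, yet the gateway still says `ssl trustpoint SSL-VPN`. The script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config with a small indentation-based block parser (assuming the indentation `show running-config` emits) and reports exactly that mismatch, so the check can be run against a config export before and after a reload. Both sample configs are constructed from the thread, with the certificate hex body shortened to a placeholder.

```python
from __future__ import annotations

import re

# Constructed sample (not copied verbatim from the thread): the post-reboot
# running-config from the original post, hex certificate body replaced by a
# placeholder line and unrelated commands dropped.
BROKEN_CONFIG = """\
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
 revocation-check none
!
crypto pki certificate chain TP-self-signed-XXXXXXXXXX
 certificate self-signed 01
  3082022B 30820194 (hex body omitted in this sample)
        quit
ip http secure-server
webvpn gateway gateway_1
 ip interface Dialer1 port 443
 ssl trustpoint SSL-VPN
 inservice
!
webvpn context SSL-VPN
 gateway gateway_1
 inservice
"""

# Constructed sample: the trustpoint and chain from the working backup in the
# follow-up post, combined with the same gateway block as above.
WORKING_CONFIG = """\
crypto pki trustpoint SSL-VPN
 enrollment selfsigned
 serial-number
 subject-name cn=SSL-VPN
 revocation-check crl
 rsakeypair SSL-VPN
!
crypto pki certificate chain SSL-VPN
 certificate self-signed 05 nvram:XXXXXXXXXXXXXX.cer
ip http secure-server
webvpn gateway gateway_1
 ip interface Dialer1 port 443
 ssl trustpoint SSL-VPN
 inservice
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands]).

    Relies on the indentation that `show running-config` emits; '!' separator
    lines and blank lines are skipped.
    """
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":            # new top-level command
            blocks.append((raw.strip(), []))
        elif blocks:                        # indented child of the current block
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_sslvpn_trust(config: str) -> list[str]:
    """Return findings about whether each webvpn gateway's trustpoint is usable."""
    trustpoints: dict[str, list[str]] = {}
    chains: dict[str, list[str]] = {}
    gateways: dict[str, list[str]] = {}
    for head, children in parse_blocks(config):
        for pattern, bucket in ((r"crypto pki trustpoint (\S+)", trustpoints),
                                (r"crypto pki certificate chain (\S+)", chains),
                                (r"webvpn gateway (\S+)", gateways)):
            m = re.fullmatch(pattern, head)
            if m:
                bucket[m.group(1)] = children

    findings: list[str] = []
    for gw, children in gateways.items():
        ref = next((c.split()[2] for c in children
                    if c.startswith("ssl trustpoint ") and len(c.split()) >= 3), None)
        if ref is None:
            findings.append(f"gateway {gw}: no 'ssl trustpoint' configured")
        elif ref not in trustpoints:
            findings.append(f"gateway {gw}: 'ssl trustpoint {ref}' names a trustpoint "
                            "that is not defined; TLS clients will be rejected")
        elif ref not in chains:
            findings.append(f"gateway {gw}: trustpoint {ref} has no certificate chain")
        elif ("enrollment selfsigned" in trustpoints[ref]
              and not any(c.startswith("rsakeypair ") for c in trustpoints[ref])):
            findings.append(f"gateway {gw}: self-signed trustpoint {ref} has no 'rsakeypair'")

    # TP-self-signed-* is the trustpoint 'ip http secure-server' creates on its
    # own; with the bug discussed in this thread it reappears after a reload.
    for name in trustpoints:
        if name.startswith("TP-self-signed-"):
            findings.append(f"trustpoint {name}: auto-generated by the HTTPS server; "
                            "check whether it was recreated on the last reload")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post-reboot", BROKEN_CONFIG), ("backup", WORKING_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_sslvpn_trust(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the post-reboot config it reports the dangling `ssl trustpoint SSL-VPN` reference and the auto-generated `TP-self-signed-*` trustpoint; against the backup it reports nothing. Diffing the two reports after every reload is a cheap way to catch the regeneration described in the bug before users start seeing certificate errors in the AnyConnect client.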

Looks like you are hitting bugID: CSCto52409 (HTTPS generates a new self-signed cert on reboot even if one exists):

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto52409

To resolve the issue, please upgrade to version 15.1(3)S or higher.

I have version 15.1(3)T. Is this higher or lower than that version?

Yes, that version is also affected.

Here is the bug that has been fixed in the higher version: CSCtj17637

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj17637

Fixed version: 15.2(1)T or higher.

Alright, I am actually a student and bought this router off eBay, and I don't have access to see the bug links you have attached. I also cannot get CCO access to upgrade to that version. Is there any way to get CCO access?

Here is the bug description that matches your explanation of the issue:

MF: HTTPS generates a new self-signed cert on reboot even if one exists

Symptom:
With the secure HTTP server enabled, the IOS device generates a new self-signed certificate when it reloads, even if a valid self-signed certificate already exists.

Conditions:
When there is no CA (Certificate Authority) provided certificate on the device.

Workaround:
Use a CA-provided certificate.

The resolution is to upgrade it to version 15.2(1)T or higher.

Unfortunately, you would need to have a SmartNet contract to be able to download the software from CCO.