5160 Views, 0 Helpful, 4 Replies

SSL VPN (WebVPN) issues with IOS 15.0(1)M1

Atle Hardarson (Level 1)

Hello everyone... I need your help!

I am having some weird issues with webvpn/anyconnect; please find the relevant information below:

Symptoms:

- AnyConnect Client prompts users with the following error:

"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."

Debug:


Mar  5 13:09:45:
Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
Mar  5 13:09:45: WV-TUNL: Allocating stc_config
Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL:      Severity ERROR Type USER_LOGOUT
WV-TUNL:      Text: HTTP response contained an HTTP error code.
Mar  5 13:09:45: WV-TUNL: Call user logout function
Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)

When the error occurs, the "SVCIP install TCP failed" counter increments:

VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
[snip]

IOS Version Details:

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)

System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"

The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.

Config:

webvpn context CUSTOMER-VPN
 title "SSL VPN for Customer"
 ssl authenticate verify all
 !
 login-message "Enter username and passcode"
 !
 policy group CUSTOMER-VPN
   functions svc-required
   svc keep-client-installed
   svc split include 10.1.16.0 255.255.240.0
   svc split include 10.1.2.0 255.255.254.0
 vrf-name CUSTOMER-VPN
 default-group-policy CUSTOMER-VPN
 aaa authentication list AAA-LIST
 aaa authentication auto
 aaa accounting list AAA-LIST
 gateway vpn virtual-host customer.xx.com
 logging enable
 inservice

The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!
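The failure in the post has a fixed signature in the WV-TUNL debug output (tunnel entry create failed, a 401 back to the client, then "Failed to install ... to TCP") and a matching counter in "show webvpn stats detail". The script below is an added example, not code from the original post or from Cisco: it parses both artefacts, emits one structured event per failed install, and reports how much the "SVCIP install TCP failed" counter moved between two polls of the stats output. The sample debug lines and the "before" stats snapshot are constructed from the post; the exact debug command that produced the WV-TUNL lines is not named in the post and is not assumed here.

```python
"""Flag failed AnyConnect (SVC) tunnel installs on an IOS WebVPN gateway.

Added example, not code from the original post or from Cisco. It parses the
WV-TUNL debug lines and the Tunnel Statistics block of
'show webvpn stats detail context <ctx>' as shown in the post. Sample text is
constructed from the post's own lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
TUNNEL_FAIL_RE = re.compile(
    r"WV-TUNL: Tunnel entry create failed:IP= " + IPV4
    + r" vrf=(?P<vrf>\d+) session=(?P<session>0x[0-9A-Fa-f]+)")
TCP_INSTALL_FAIL_RE = re.compile(
    r"WV-TUNL: Failed to install \(addr " + IPV4 + r", table_id (?P<vrf>\d+)\) to TCP")
HTTP_STATUS_RE = re.compile(r"HTTP/1\.\d (?P<code>\d{3}) ")
CLEANUP_RE = re.compile(r"WV-TUNL: Clean-up tunnel session \((?P<user>[^)]+)\)")
# 'Name : value' pairs, two per line in the stats block; values may be times.
COUNTER_RE = re.compile(r"(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\S+)")


@dataclass
class FailedInstall:
    ip: str
    vrf: str
    session: str
    http_status: Optional[int] = None
    tcp_install_failed: bool = False
    user: Optional[str] = None

    def is_svcip_tcp_failure(self) -> bool:
        """The signature from the post: create failed, 401 sent, TCP install failed."""
        return self.tcp_install_failed and self.http_status == 401


def parse_debug(lines: List[str]) -> List[FailedInstall]:
    """Walk WV-TUNL debug lines and build one event per failed tunnel install."""
    events: List[FailedInstall] = []
    current: Optional[FailedInstall] = None
    for line in lines:
        m = TUNNEL_FAIL_RE.search(line)
        if m:
            current = FailedInstall(ip=m["ip"], vrf=m["vrf"], session=m["session"])
            events.append(current)
            continue
        if current is None:
            continue  # lines before any failure are not attributed to an event
        m = HTTP_STATUS_RE.search(line)
        if m:
            current.http_status = int(m["code"])
            continue
        m = TCP_INSTALL_FAIL_RE.search(line)
        if m and m["ip"] == current.ip:
            current.tcp_install_failed = True
            continue
        m = CLEANUP_RE.search(line)
        if m:
            current.user = m["user"]
            current = None  # session torn down; later lines belong to nobody
    return events


def parse_stats(text: str) -> Dict[str, Union[int, str]]:
    """Turn the Tunnel Statistics block into a dict; numeric counters become ints."""
    counters: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        for m in COUNTER_RE.finditer(line):
            value = m["value"]
            counters[m["name"].strip()] = int(value) if value.isdigit() else value
    return counters


def tcp_install_failures(before: Dict[str, Union[int, str]],
                         after: Dict[str, Union[int, str]]) -> int:
    """How many times 'SVCIP install TCP failed' incremented between two polls."""
    key = "SVCIP install TCP failed"
    return int(after.get(key, 0)) - int(before.get(key, 0))


def connect_failures_explained_by_tcp_install(stats: Dict[str, Union[int, str]]) -> bool:
    """True when every failed connect is accounted for by a TCP install failure."""
    return stats["Connect failed"] == stats["SVCIP install TCP failed"]


# Constructed from the debug excerpt in the post.
DEBUG_LINES = [
    "Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)",
    "Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340",
    "Mar  5 13:09:45: HTTP/1.1 401 Unauthorized",
    "Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP",
    "Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)",
    "Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)",
]

# 'After' is the stats block from the post; 'before' is a constructed earlier poll.
STATS_AFTER = """Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
"""
STATS_BEFORE = """Tunnel Statistics:
    Active connections       : 1
    Connect succeed          : 9          Connect failed           : 4
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 4
"""

if __name__ == "__main__":
    for ev in parse_debug(DEBUG_LINES):
        print(f"user={ev.user} ip={ev.ip} vrf={ev.vrf} http={ev.http_status} "
              f"tcp_install_failed={ev.tcp_install_failed} signature={ev.is_svcip_tcp_failure()}")
    after = parse_stats(STATS_AFTER)
    print("new TCP install failures since last poll:",
          tcp_install_failures(parse_stats(STATS_BEFORE), after))
    print("all connect failures are TCP install failures:",
          connect_failures_explained_by_tcp_install(after))
```

Run it against a saved debug capture and two successive copies of the stats output for the affected context; a non-zero delta from `tcp_install_failures` together with an event whose `is_svcip_tcp_failure()` is true is the condition worth alerting on. The counter comparison is deliberately per context, because the post reports the problem appearing on different contexts.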

4 Replies

Andreas Reimann (Level 1)

We encountered the same issue very sporadically running IOS 12.4(24)T3 (ADV-IP-SERV) on a 3825.

It matches your configuration quite closely. Have you already opened a Cisco TAC case?

Hi

Do you allocate the AnyConnect clients' IP addresses via IP pools on your ACS server? If so, you could consider switching to a local IP pool on the router. This seems to have solved the problem for us.

/Atle

Yes, we allocate addresses through ACS. I consider local IP address assignment a workaround only.

Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?

At that point in time we were running with local pool definition.

As the HTTP 401 rc happens very sporadically, we are still gathering incident reports internally.

I will open a case if you have not done so yet.

cheers, Andy
