SSL VPN (WebVPN) issues with IOS 15.0(1)M1

Atle Hardarson
Level 1

Hello everyone... I need your help!

I am having some weird issues with webvpn/anyconnect; please find the relevant information below:

Symptoms:

- AnyConnect Client prompts users with the following error:

"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."

Debug:


Mar  5 13:09:45:
Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
Mar  5 13:09:45: WV-TUNL: Allocating stc_config
Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL:      Severity ERROR Type USER_LOGOUT
WV-TUNL:      Text: HTTP response contained an HTTP error code.
Mar  5 13:09:45: WV-TUNL: Call user logout function
Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)

When the error occurs, the "SVCIP install TCP failed" counter increments:

VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
[snip]

IOS Version Details:

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"

The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.

Config:

webvpn context CUSTOMER-VPN
 title "SSL VPN for Customer"
 ssl authenticate verify all
 !
 login-message "Enter username and passcode"
 !
 policy group CUSTOMER-VPN
   functions svc-required
   svc keep-client-installed
   svc split include 10.1.16.0 255.255.240.0
   svc split include 10.1.2.0 255.255.254.0
 vrf-name CUSTOMER-VPN
 default-group-policy CUSTOMER-VPN
 aaa authentication list AAA-LIST
 aaa authentication auto
 aaa accounting list AAA-LIST
 gateway vpn virtual-host customer.xx.com
 logging enable
 inservice

The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!
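The debug excerpt and the Tunnel Statistics block above are all a defender has to go on when this fault is sporadic, so the following added example (not part of the original post, and not Cisco tooling) turns them into something that can be polled and alerted on. It parses the WV-TUNL lines into one failure record per client (IP, VRF, session, user, HTTP code, whether the TCP install failed) and reads the counters from `show webvpn stats detail`, so two successive polls can be compared on the "SVCIP install TCP failed" counter the post ties to the error. The sample debug lines and counter block are constructed from the excerpt in the post; the line formats the regexes expect are an assumption based on that excerpt only.

```python
"""Parse IOS WebVPN debug output and Tunnel Statistics counters to detect the
'SVCIP install TCP failed' condition described in the post.

Added example; the sample inputs below are constructed from the post's excerpt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: trimmed copy of the WV-TUNL debug shown in the post.
SAMPLE_DEBUG = """\
Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL:      Severity ERROR Type USER_LOGOUT
WV-TUNL:      Text: HTTP response contained an HTTP error code.
Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
"""

# Constructed sample: the Tunnel Statistics block as shown in the post.
SAMPLE_STATS = """\
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
"""

# Line formats are assumed from the post's excerpt (not a documented Cisco schema).
TUNNEL_FAIL_RE = re.compile(
    r"WV-TUNL: Tunnel entry create failed:IP=\s*(?P<ip>[\d.]+)\s+vrf=(?P<vrf>\d+)\s+session=(?P<session>0x[0-9A-Fa-f]+)"
)
TCP_FAIL_RE = re.compile(r"WV-TUNL: Failed to install \(addr (?P<ip>[\d.]+), table_id (?P<vrf>\d+)\) to TCP")
USER_RE = re.compile(r"CSTP Message frame received from user (?P<user>\S+) \((?P<ip>[\d.]+)\)")
HTTP_RE = re.compile(r"HTTP/1\.1 (?P<code>\d{3}) ")
# Each counter line carries up to two "name : value" pairs separated by runs of spaces.
COUNTER_RE = re.compile(r"(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\S+)")


@dataclass
class TunnelFailure:
    ip: str
    vrf: str
    session: Optional[str] = None
    user: Optional[str] = None
    http_code: Optional[str] = None
    tcp_install_failed: bool = False


def parse_debug(text: str) -> List[TunnelFailure]:
    """Group WV-TUNL lines into one failure record per client IP."""
    failures: Dict[str, TunnelFailure] = {}
    pending_http: Optional[str] = None
    for line in text.splitlines():
        m = TUNNEL_FAIL_RE.search(line)
        if m:
            failures[m["ip"]] = TunnelFailure(ip=m["ip"], vrf=m["vrf"], session=m["session"])
            continue
        m = HTTP_RE.search(line)
        if m:
            pending_http = m["code"]  # the 401 precedes the TCP install failure in the excerpt
            continue
        m = TCP_FAIL_RE.search(line)
        if m and m["ip"] in failures:
            failures[m["ip"]].tcp_install_failed = True
            failures[m["ip"]].http_code = pending_http
            continue
        m = USER_RE.search(line)
        if m and m["ip"] in failures:
            failures[m["ip"]].user = m["user"]
    return list(failures.values())


def parse_tunnel_stats(text: str) -> Dict[str, int]:
    """Return numeric Tunnel Statistics counters as {name: value}; 'Peak time' is skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for m in COUNTER_RE.finditer(line):
            if m["value"].isdigit():
                counters[m["name"].strip()] = int(m["value"])
    return counters


def tcp_install_failures_delta(previous: Dict[str, int], current: Dict[str, int]) -> int:
    """Increment of 'SVCIP install TCP failed' between two polls; alert when positive."""
    key = "SVCIP install TCP failed"
    return current.get(key, 0) - previous.get(key, 0)


if __name__ == "__main__":
    for f in parse_debug(SAMPLE_DEBUG):
        print(f"user={f.user} ip={f.ip} vrf={f.vrf} session={f.session} "
              f"http={f.http_code} tcp_install_failed={f.tcp_install_failed}")
    stats = parse_tunnel_stats(SAMPLE_STATS)
    print("SVCIP install TCP failed:", stats["SVCIP install TCP failed"])
```

Run it against saved `debug webvpn` output and a periodic `show webvpn stats detail context <name>` capture; a positive delta between polls, paired with a failure record whose `http_code` is 401, is the signature the post describes and is worth attaching to a TAC case alongside the IOS version.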

4 Replies

Andreas Reimann
Level 1

We encountered the same issue very sporadically running IOS 12.4(24)T3 (ADV-IP-SERV) on a 3825.

It matches your configuration quite closely. Did you already open a Cisco TAC case?

Hi

Do you allocate the AnyConnect clients' IP addresses via IP pools on your ACS server? If so, you can consider switching to a local IP pool on the router. This seemed to have solved the problem for us.

/Atle

Yes, we allocate addresses through ACS. Local IP address assignment I consider a workaround only.

Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?

At that point in time we were running with local pool definition.

As the HTTP 401 rc happens very sporadically, we are still gathering incident reports internally.

Will open a case if you did not yet.

cheers, Andy