
SSL-VPN with AnyConnect to Cisco IOS 17.6.4

hannes1967
Level 1

I start AnyConnect with the default configuration and can enter the username and password.

Authentication works, but I am not authorized to open the full tunnel.

Please check the debug messages below.

Now I try SSL-VPN with AnyConnect to a Cisco 1111!

I am getting the following debug messages:

077275: Nov 3 09:51:14.694 MESZ: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hannes2] [Source: 213.142.97.2] [localport: 55443] at 09:51:14 MESZ Thu Nov 3 2022
C1111#
077276: Nov 3 09:51:15.214 MESZ:
077277: Nov 3 09:51:15.214 MESZ:
077278: Nov 3 09:51:15.214 MESZ: [CRYPTO-SSL-TUNL-EVT]:[FFFF4AFB0800] CSTP Version recd , using 1
077279: Nov 3 09:51:15.214 MESZ: [CRYPTO-SSL-TUNL-ERR]:[FFFF4AFB0800] Full Tunnel CONNECT request failed, Sending error
077280: Nov 3 09:51:15.214 MESZ: HTTP/1.1 401 Unauthorized
077281: Nov 3 09:51:15.215 MESZ:
077282: Nov 3 09:51:15.216 MESZ:
077283: Nov 3 09:51:15.216 MESZ:
077284: Nov 3 09:51:15.216 MESZ: [CRYPTO-SSL-TUNL-ERR]:[FFFF4AFB0800] User hannes2 not authorized to access Full tunnel

SSL Profile:

C1111#sh cry ssl prof

SSL Profile: SSL_PROFILE
Status: ACTIVE
Match Criteria:
URL: none
Policy: SSL_POLICY
AAA accounting List : local
AAA Authentication List : ANYCONNECT-USERS
AAA Authorization User List : ANYCONNECT-USERS
User : hannes2
Cached : True
AAA Authorization Group List : ANYCONNECT-USERS
Group List: hannes2
Override: True
Authentication Mode : user credentials
Interface : SSLVPN-VIF0
Status: DISABLE
Max Users : 10000

Hope that information is enough!

cheers, Hannes


balaji.bandi
Hall of Fame

Can you post the configuration from the router so we can take a look?

Or refer to the reference document:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

BB


Thanks!

The document describes the way with webvpn!

I use "crypto ssl" commands.

I will provide the config etc. tomorrow!

cheers, Hannes

michal-miac
Level 1

Hi @hannes1967,
the solution for me was this config:

aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123

The game changer was: aaa authorization network sslvpn local
Cheers!
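
A check based on the last reply, as an added example that is not part of any post in this thread: it reads the AAA list names from "show crypto ssl profile" output and reports which of the two aaa commands quoted above are absent from a running-config. The running-config fragment is constructed, and the "local" method in the suggested lines is assumed from the reply.

```python
import re

# 'show crypto ssl profile' lines as posted in the thread (trimmed to the AAA fields).
SHOW_PROFILE = """\
SSL Profile: SSL_PROFILE
Status: ACTIVE
AAA accounting List : local
AAA Authentication List : ANYCONNECT-USERS
AAA Authorization User List : ANYCONNECT-USERS
AAA Authorization Group List : ANYCONNECT-USERS
"""

# Constructed running-config fragment; assumption: the authorization line is missing.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login ANYCONNECT-USERS local
"""

def profile_lists(show_output):
    """Return (authentication lists, authorization lists) named in the profile."""
    authn, authz = set(), set()
    for line in show_output.splitlines():
        m = re.match(r"\s*AAA (Authentication|Authorization \w+) List\s*:\s*(\S+)", line)
        if m:
            (authn if m.group(1) == "Authentication" else authz).add(m.group(2))
    return authn, authz

def defined_lists(running_config):
    """Collect method-list names defined by the two aaa commands from the thread."""
    login, network = set(), set()
    for line in running_config.splitlines():
        m = re.match(r"\s*aaa (authentication login|authorization network) (\S+)", line)
        if m:
            (login if m.group(1).startswith("authentication") else network).add(m.group(2))
    return login, network

def missing_aaa(show_output, running_config):
    """List the aaa lines the profile depends on but the config lacks."""
    authn, authz = profile_lists(show_output)
    login, network = defined_lists(running_config)
    # 'local' as the method is an assumption taken from the reply's config.
    missing = [f"aaa authentication login {n} local" for n in sorted(authn - login)]
    missing += [f"aaa authorization network {n} local" for n in sorted(authz - network)]
    return missing

if __name__ == "__main__":
    for cmd in missing_aaa(SHOW_PROFILE, RUNNING_CONFIG):
        print("missing:", cmd)
```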