SSL WebVPN 404 error

DOUGLAS DRURY

I'm a bit stuck with my WebVPN weekend project. I've configured a WebVPN on my Cisco 1841 router using the command line, but for some reason when I try to access the web portal I keep getting the 404 error. I tried reconfiguring it with Cisco CP but still no luck. Could someone point me in the right direction as to where the failure is in my configuration? I have used the CCNA Security book as a guide.

Vauxhall_Cross#sh run

Building configuration...

Current configuration : 3674 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Vauxhall_Cross

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$ZIm.$daY/Jq7JsIZrjcyYSyxiK0

!

aaa new-model

!

!

aaa authentication login sslvpn local

!

!

aaa session-id common

dot11 syslog

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-4132939895

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4132939895

revocation-check none

rsakeypair TP-self-signed-4132939895

!

!

crypto pki certificate chain TP-self-signed-4132939895

certificate self-signed 01

        quit

!

!

username drury secret 5 $1$Egaq$sjGRXhPMNduHUkuMXaXjC/

username webtest secret 5 $1$IEAw$HD7BkLEPnv4qVdUwJeML8/

archive

log config

  hidekeys

!

!

!

!

!

!

!

interface FastEthernet0/0

description $OUTSIDE$

ip address 192.168.99.2 255.255.255.0

speed 100

full-duplex

!

interface FastEthernet0/1

description $INSIDE$

ip address 192.168.2.1 255.255.255.0

speed 100

full-duplex

!

router rip

network 192.168.2.0

network 192.168.99.0

!

ip local pool webvpn-pool 192.168.99.10 192.168.99.15

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.99.1

!

!

ip http server

ip http secure-server

!

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

transport input ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 130.88.203.12 source FastEthernet0/0

!

webvpn gateway Cisco-WebVPN-Gateway

ip address <removed> port 443

ssl encryption rc4-md5

ssl trustpoint my-trustpoint

inservice

!

webvpn install svc flash:/webvpn/svc.pkg

!

webvpn context Cisco-WebVPN

title "idrury WebVPN - Powered By Cisco"

ssl authenticate verify all

!

url-list "rewrite"

!

acl "ssl-acl"

   permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0

!

login-message "Cisco Secure WebVPN"

!

policy group webvpnpolicy

   functions svc-enabled

   filter tunnel ssl-acl

   svc address-pool "webvpn-pool"

   svc rekey method new-tunnel

   svc split include 192.168.99.0 255.255.255.0

default-group-policy webvpnpolicy

aaa authentication list sslvpn

gateway Cisco-WebVPN-Gateway

max-users 2

inservice

!

end
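A consistency check over the configuration posted above, as an added example that is not part of the original thread: it flags WebVPN references to names that are never defined (trustpoint, address pool, gateway, ACL, policy group) and RC4/MD5 `ssl encryption` settings, which are cryptographically weak. The function name `audit_webvpn`, the rule table and the trimmed `SAMPLE_CONFIG` are this example's own.

```python
import re

# Trimmed copy of the configuration posted above (sample input for this example).
SAMPLE_CONFIG = '''
crypto pki trustpoint TP-self-signed-4132939895
 enrollment selfsigned
ip local pool webvpn-pool 192.168.99.10 192.168.99.15
webvpn gateway Cisco-WebVPN-Gateway
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
webvpn context Cisco-WebVPN
 acl "ssl-acl"
 policy group webvpnpolicy
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool"
 default-group-policy webvpnpolicy
 gateway Cisco-WebVPN-Gateway
 inservice
'''

# (kind, regex that defines a name, regex that references a name)
RULES = [
    ("trustpoint", r"^crypto pki trustpoint (\S+)", r"^ssl trustpoint (\S+)"),
    ("address pool", r"^ip local pool (\S+)", r'^svc address-pool "?([^"\s]+)'),
    ("gateway", r"^webvpn gateway (\S+)", r"^gateway (\S+)"),
    ("acl", r'^acl "?([^"\s]+)', r"^filter tunnel (\S+)"),
    ("policy group", r"^policy group (\S+)", r"^default-group-policy (\S+)"),
]
WEAK = re.compile(r"^ssl encryption\b.*\b(rc4|md5)", re.I)

def audit_webvpn(config: str) -> list[str]:
    """Return findings for dangling references and weak SSL cipher settings."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and l.strip() != "!"]
    findings = []
    for kind, define, refer in RULES:
        defined = {m.group(1) for l in lines if (m := re.match(define, l))}
        for l in lines:
            m = re.match(refer, l)
            if m and m.group(1) not in defined:
                findings.append(f"undefined {kind}: {m.group(1)}")
    findings += [f"weak cipher suite: {l}" for l in lines if WEAK.match(l)]
    return findings

if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG):
        print(finding)
```

On the posted configuration this reports the `my-trustpoint` reference, which has no `crypto pki trustpoint` definition in the output shown, and the `rc4-md5` setting; the thread does not settle whether either relates to the 404.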


DOUGLAS DRURY

Anyone know?


Hi Douglas,

Can you please send me the output of the "show version" command?

Thanks.


Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Hi

Thanks for replying

Vauxhall_Cross#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Vauxhall_Cross uptime is 57 minutes

System returned to ROM by reload at 12:35:51 UTC Tue Dec 4 2012

System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco 1841 (revision 6.0) with 117760K/13312K bytes of memory.

Processor board ID FCZ110116JS

2 FastEthernet interfaces

1 ATM interface

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Hi,

In here,

webvpn gateway Cisco-WebVPN-Gateway

ip address port 443

http-redirect port 80

ssl encryption rc4-md5

ssl trustpoint my-trustpoint

inservice


Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Hi

I've added in that extra line http-redirect port 80 but I'm still getting the 404 error.

and

policy group webvpnpolicy

functions svc-required

functions svc-enabled

filter tunnel ssl-acl

svc address-pool "webvpn-pool" netmask 255.255.255.0

svc rekey method new-tunnel

svc split include 192.168.99.0 255.255.255.0

default-group-policy webvpnpolicy

aaa authentication list sslvpn

gateway Cisco-WebVPN-Gateway

max-users 2

inservice


Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Hi

I've added the functions svc-required but it will not let me enter svc address-pool "webvpn-pool" netmask 255.255.255.0. Any ideas why?

Vauxhall_Cross(config-webvpn-group)#svc address-pool "webvpn-pool" netmask 255.255.255.0

% Invalid input detected at '^' marker.


Thanks

Douglas

Please send me output of show license all


Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

show license all isn't working. The marker points to the failure at the c in license.

Vauxhall_Cross#sh license all

% Invalid input detected at '^' marker.

Hi Douglas,

Kindly have a look at the link mentioned below:

https://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_qas0900aecd80323cba.html

Regards

Anim saxena

(Kindly rate helpful post)

Does that mean my 404 error is down to a licensing issue?

Thanks for the link by the way


Hi,

There is a big bug that causes the Windows client's browser to report errors such as "The page isn't redirecting properly" when trying to connect to the SSL WebVPN Gateway. According to Cisco, this bug surfaces as a Windows machine gets updated with security update KB2585542. Cisco's workaround solution is to use the rc4-md5 encryption instead, as shown above.

Cisco has assigned bug ID: CSCtx38806 with the description "IOS SSL VPN fails to connect after microsoft security update KB258554".

Check if that security update is installed. If so, then kindly uninstall it:

Control Panel > All Control Panel Items > Programs and Features > View installed updates > Right clicked security update KB2585542 > Uninstall > Rebooted the machine


Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Hi

I've done what you suggested and uninstalled the KB updates but still I keep getting the 404 error. I've tried IE and Chrome, where I'm prompted to log in, but it's not the portal. When I log in, that's when I get the 404 error. I've tested this on a Windows XP and Linux PC.

Hi,

Are you able to log in when it prompts you for a username and password after the site security certificate not trusted error?

Regards,
Gurpreet S Puri
