SSL WebVPN 404 error

12-02-2012 09:36 AM
I'm a bit stuck with my WebVPN weekend project. I've configured a WebVPN on my Cisco 1841 router using the command line, but for some reason when I try to access the web portal I keep getting the 404 error. I tried reconfiguring it with Cisco CP but still no luck. Could someone point me in the right direction as to where the failure is in my configuration? I have used the CCNA Security book as a guide.
Vauxhall_Cross#sh run
Building configuration...
Current configuration : 3674 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Vauxhall_Cross
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ZIm.$daY/Jq7JsIZrjcyYSyxiK0
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
aaa session-id common
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4132939895
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4132939895
revocation-check none
rsakeypair TP-self-signed-4132939895
!
!
crypto pki certificate chain TP-self-signed-4132939895
certificate self-signed 01
quit
!
!
username drury secret 5 $1$Egaq$sjGRXhPMNduHUkuMXaXjC/
username webtest secret 5 $1$IEAw$HD7BkLEPnv4qVdUwJeML8/
archive
log config
hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
description $OUTSIDE$
ip address 192.168.99.2 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
description $INSIDE$
ip address 192.168.2.1 255.255.255.0
speed 100
full-duplex
!
router rip
network 192.168.2.0
network 192.168.99.0
!
ip local pool webvpn-pool 192.168.99.10 192.168.99.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.99.1
!
!
ip http server
ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 130.88.203.12 source FastEthernet0/0
!
webvpn gateway Cisco-WebVPN-Gateway
ip address <removed> port 443
ssl encryption rc4-md5
ssl trustpoint my-trustpoint
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Cisco-WebVPN
title "idrury WebVPN - Powered By Cisco"
ssl authenticate verify all
!
url-list "rewrite"
!
acl "ssl-acl"
permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
!
login-message "Cisco Secure WebVPN"
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool"
svc rekey method new-tunnel
svc split include 192.168.99.0 255.255.255.0
default-group-policy webvpnpolicy
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
max-users 2
inservice
!
end
12-05-2012 02:19 AM
Yes, it lets me log in; when I enter my username and password through IE or Chrome I get the 404 error, so I can log in of a sort. It should be the web portal where I log in, but I seem to be getting login boxes.
12-05-2012 02:39 AM
https://supportforums.cisco.com/thread/2083698
Please check this thread.
I think you need to update IOS.
Regards,
Gurpreet S Puri
*******************************
Keep Smiling, Peace
*******************************
(Please Rate Helpful Post)
12-05-2012 03:03 AM
Do you know where on cisco.com I can get the update from? I guess I'll have to pay for it?
Thanks
Douglas
12-05-2012 03:43 AM
Please follow the link:
http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_bulletin0900aecd806571a6.html
Regards,
Gurpreet S Puri
********************
Keep Smiling, Peace
********************
(Please Rate Helpful Post)
12-06-2012 12:49 AM
Hi Douglas,
Please mark the correct answer and close the thread if you got what you are looking for.
Regards,
Gurpreet S Puri
****************************
Keep Smiling, Peace :)
****************************
(Please Rate Helpful Post)
12-06-2012 01:44 AM
Hi Gurpreet
I'm going to reconfigure the WebVPN from scratch and see what happens. If it still doesn't work I'll have to give up, as I don't have a service contract with Cisco and can't afford to pay for it to get the latest IOS.
Thank you very much for your help.
12-06-2012 02:19 AM
You are welcome Douglas.
Regards,
Gurpreet S Puri
****************************
Keep Smiling, Peace :)
****************************
(Please Rate Helpful Post)
12-05-2012 02:47 AM
HWIC-3G-HSPA-G supported with 15.1(1)T or later
It seems to be an IOS issue. You need to update it.
Regards,
Gurpreet S Puri
********************
Keep Smiling, Peace
********************
(Please Rate Helpful Post)
12-22-2012 10:05 AM
Hi,
Try to generate RSA keys, a trustpoint and a certificate which includes the IP address of the GW and whose CN is the FQDN (or the IP address if you are accessing the portal by IP), instead of using the automatically generated certificate.
Example for certificates:
crypto pki trustpoint SSL
enrollment selfsigned
ip-address x.x.x.x
subject-name CN=x.x.x.x
revocation-check none
rsakeypair SSL
BR
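Added example, not part of any post in this thread: the gateway in the first post references `ssl trustpoint my-trustpoint` while the only trustpoint defined there is `TP-self-signed-4132939895`, and the reply above recommends a certificate whose CN is the address used to reach the portal. This sketch checks both points, plus the `rc4-md5` cipher setting, on a saved running config. Assumptions: the names `sections`, `audit` and `WEAK_CIPHERS` are hypothetical, the input keeps the one-space indentation of real `show running-config` output, and the sample address 192.0.2.10 is constructed.

```python
import re

# Constructed sample, trimmed from the router config in the first post; the
# documentation address 192.0.2.10 stands in for the removed gateway IP.
SAMPLE = """\
crypto pki trustpoint TP-self-signed-4132939895
 subject-name cn=IOS-Self-Signed-Certificate-4132939895
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address 192.0.2.10 port 443
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
"""
WEAK_CIPHERS = {"rc4-md5"}  # RC4 and MD5 are both deprecated for TLS

def sections(config, header):
    """Map block name -> indented sub-commands for every '<header> <name>' block."""
    out, current = {}, None
    for line in config.splitlines():
        m = re.match(re.escape(header) + r"\s+(\S+)\s*$", line)
        if m:
            current = out.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return out

def audit(config, portal_host):
    """Return findings; portal_host is the name or IP users browse to."""
    tps = sections(config, "crypto pki trustpoint")
    gws = sections(config, "webvpn gateway")
    findings = []
    for gw, cmds in gws.items():
        for cmd in cmds:
            words = cmd.split()
            if words[:2] == ["ssl", "encryption"]:
                findings += [f"{gw}: weak cipher {c}" for c in words[2:] if c in WEAK_CIPHERS]
            elif words[:2] == ["ssl", "trustpoint"] and len(words) == 3:
                cns = [c.split("=", 1)[1] for c in tps.get(words[2], [])
                       if c.lower().startswith("subject-name cn=")]
                if words[2] not in tps:
                    findings.append(f"{gw}: trustpoint '{words[2]}' is not defined")
                elif portal_host not in cns:
                    findings.append(f"{gw}: CN of '{words[2]}' is not {portal_host}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "192.0.2.10")))
```

The findings describe configuration inconsistencies only; the thread does not establish which of them, if any, produces the 404.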
01-09-2013 04:40 AM
Hi there, I have the same issue here too, but for me it works on the inside interface; on the outside interface it doesn't work: it loads the web page and a 404 error appears.
intranet# sh run
: Saved
:
ASA Version 8.4(5)
!
hostname intranet
domain-name sincronet.es
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan2
nameif outside
security-level 0
ip address 172.30.1.2 255.255.255.0
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.128.50 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.128.1
name-server 192.168.128.5
name-server 192.168.128.6
domain-name sincronet.es
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access extended permit tcp any any
access-list inside_access_in remark snmp leo
access-list inside_access_in extended permit ip any any log notifications
access-list inside_access_in remark snmp leo
access-list AccesoExt standard permit any
access-list outside_access_in extended permit ip any any log notifications
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging host inside 192.168.128.6
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.30.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.128.0 255.255.255.0 inside
snmp-server host inside 192.168.128.106 community ***** version 2c
snmp-server host inside 192.168.128.6 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.128.1 source inside
webvpn
enable outside
enable inside
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
group-policy Grp_Clientes internal
group-policy Grp_Clientes attributes
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
webvpn
customization value Portal_Cliente
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol l2tp-ipsec
username sincronet password JkNymEFJ8fxnTI8W encrypted privilege 15
vpn-group-policy Grp_Clientes
service-type remote-access
tunnel-group Tunnel_Clientes type remote-access
tunnel-group Tunnel_Clientes general-attributes
default-group-policy Grp_Clientes
webvpn_db.c:webvpn_get_server_db_first[161]
tunnel-group Tunnel_Clientes webvpn-attributes
customization Portal_Cliente
nbns-server 192.168.128.1 master timeout 2 retry 2
group-alias intranet enable
group-url https://192.168.128.50/intranet enable
group-url https://81.43.96.53/intranet enable
group-url https://intranet.sincronet.es/intranet/ enable
tunnel-group Tunnel_Sincronet type remote-access
tunnel-group Tunnel_Sincronet webvpn-attributes
group-alias sincronet enable
group-url https://172.30.1.2/sincronet enable
group-url https://intranet.sincronet.es/sincronet enable
!
!
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
webvpn_db.c:webvpn_get_port_forward_db_first[817]
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d1626b68067c0800ccbbdea24a247a0f
: end
intranet#
01-09-2013 08:05 AM
Can someone help?
