SSLVPN Text: Configuration received from secure gateway was invalid.

Hey guys, 

I really need your help as I'm stuck at this moment.

I'm trying to configure WebVPN on a C881G-4G-GA-K9 router with IOS 15.4(3r)M1.

I'm able to download the package update from the router, but on the next step it's failing with the error in the subject.

Here is full error:

*Sep 29 16:02:57.826: WV-AAA: Nas Port ID set to 188.194.169.59.
*Sep 29 16:02:57.826: WV-AAA: AAA authentication request sent for user: "user-vpn"AAA returned status: 2 for session 2570
*Sep 29 16:02:57.826: WV-AAA: AAA Authentication Passed!
*Sep 29 16:02:57.826: WV-AAA: User "user-vpn" has logged in from "188.194.169.59" to gateway "SSLVPN_GATEWAY"
context "SSLVPN_CONTEXT"
*Sep 29 16:03:01.342:
*Sep 29 16:03:01.342:
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] CSTP Version recd , using 1
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] Allocating IP 192.168.22.112 from address-pool VPNPOOL
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] Using new allocated IP 192.168.22.112 255.255.255.0
*Sep 29 16:03:01.342: Inserting static route: 192.168.22.112 255.255.255.255 Virtual-Access2 to routing table
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] Full Tunnel CONNECT request processed, HTTP reply created
*Sep 29 16:03:01.342: HTTP/1.1 200 OK
*Sep 29 16:03:01.342: Server: Cisco IOS SSLVPN
*Sep 29 16:03:01.342: X-CSTP-Version: 1
*Sep 29 16:03:01.346: X-CSTP-Address: 192.168.22.112
*Sep 29 16:03:01.346: X-CSTP-Netmask: 255.255.255.0
*Sep 29 16:03:01.346: X-CSTP-Keep: false
*Sep 29 16:03:01.346: X-CSTP-DNS: 8.8.8.8
*Sep 29 16:03:01.346: X-CSTP-Lease-Duration: 43200
*Sep 29 16:03:01.346: X-CSTP-MTU: 1399
*Sep 29 16:03:01.346: X-CSTP-Split-Include: 0.0.0.0/0.0.0.0
*Sep 29 16:03:01.346: X-CSTP-DPD: 300
*Sep 29 16:03:01.346: X-CSTP-Disconnected-Timeout: 2100
*Sep 29 16:03:01.346: X-CSTP-Idle-Timeout: 2100
*Sep 29 16:03:01.346: X-CSTP-Session-Timeout: 0
*Sep 29 16:03:01.346: X-CSTP-Keepalive: 30
*Sep 29 16:03:01.346:
*Sep 29 16:03:01.346:
*Sep 29 16:03:01.346:
*Sep 29 16:03:01.346: [WV-TUNL-EVT]:[2266CF30] For User user-vpn, DPD timer started for 300 seconds
*Sep 29 16:03:01.458: [WV-TUNL-EVT]:[2266CF30] CSTP Control, Recvd a Req Cntl Frame (User user-vpn, IP 192.168.22.112)
Severity ERROR, Type USER_LOGOUT
Text: Configuration received from secure gateway was invalid.
*Sep 29 16:03:01.458: [WV-TUNL-EVT]:[2266CF30] CSTP Control, Recvd User Logout Frame
*Sep 29 16:03:01.458: [WV-TUNL-EVT]:[2266CF30] For User user-vpn, Closing the Tunnel Session
*Sep 29 16:03:31.634: Deleting static route: 192.168.22.112 255.255.255.255 Virtual-Access2 from routing table
*Sep 29 16:03:31.634: [WV-TUNL-EVT]:[2266CF30] Tunnel context 0x2266CF30 is removed from session 0x2268A510
*Sep 29 16:03:31.634: [WV-TUNL-EVT]:[0] Returning address 192.168.22.112 to pool

Here is my configuration:

aaa new-model
!
aaa authentication login VPNGROUP local
aaa authorization network VPNGROUP local
!
aaa session-id common
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 serial-number
 subject-name CN=router.dyndns.org
 subject-alt-name router.dyndns.org
 revocation-check none
 rsakeypair SSLVPN_KEYPAIR
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-arm64-4.10.03104-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macos-4.10.03104-webdeploy-k9.pkg sequence 2
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.10.03104-webdeploy-k9.pkg sequence 3
!
crypto vpn anyconnect profile SSLVPN_PROFILE flash:customer.xml
!
ip local pool VPNPOOL 192.168.22.100 192.168.22.200
!
interface Virtual-Template1
 ip unnumbered Loopback100
 no peer default ip address
!
interface Loopback100
 ip address 192.168.169.1 255.255.255.255
!
webvpn gateway SSLVPN_GATEWAY
 hostname router.dyndns.org
 ip interface Cellular0 port 443
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context SSLVPN_CONTEXT
 virtual-template 1
 aaa authentication list VPNGROUP
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN_POLICY
   functions svc-enabled
   svc address-pool "VPNPOOL" netmask 255.255.255.0
   svc profile SSLVPN_PROFILE
   svc split include acl 1
   svc dns-server primary 8.8.8.8
 default-group-policy SSLVPN_POLICY
!
end

Please help as I'm not sure why the security gateway configuration is invalid.

Many thanks
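Reading the debug output in the post, the gateway side finishes cleanly: AAA passes, an address is allocated from VPNPOOL, and the HTTP 200 CONNECT reply with the X-CSTP-* headers goes out. The disconnect then comes from the client, which sends a USER_LOGOUT control frame with the "Configuration received from secure gateway was invalid" text. The Python script below is an added example (not code from this thread or from Cisco) that parses debug lines of exactly that shape and separates the two halves so the failing side is obvious at a glance. It also flags one thing worth checking in the posted configuration: the gateway pushed X-CSTP-Split-Include: 0.0.0.0/0.0.0.0 while the policy group references `svc split include acl 1`, and no access-list 1 appears in the pasted config. The script reports that as a mismatch to verify, not as the diagnosed cause. The line formats are assumed from the post, and the embedded sample log is constructed from the lines quoted there.

```python
"""Triage helper for Cisco IOS SSLVPN (WebVPN) tunnel debug output.

Added example; not code from the thread or from Cisco. It parses debug lines of
the shape shown in the post: an optional "*Mon DD hh:mm:ss.mmm:" timestamp,
[WV-TUNL-EVT] tunnel events, the X-CSTP-* headers the gateway pushes in its
CONNECT reply, and the client's control frame (a "Severity X, Type Y" line
followed by a "Text:" line). It then summarises what the client was told and
why the tunnel closed, so gateway-side and client-side failures can be told apart.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, assembled from the lines quoted in the post.
SAMPLE_LOG = """\
*Sep 29 16:03:01.342:
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] CSTP Version recd , using 1
*Sep 29 16:03:01.342: [WV-TUNL-EVT]:[2266CF30] Allocating IP 192.168.22.112 from address-pool VPNPOOL
*Sep 29 16:03:01.342: HTTP/1.1 200 OK
*Sep 29 16:03:01.342: X-CSTP-Version: 1
*Sep 29 16:03:01.346: X-CSTP-Address: 192.168.22.112
*Sep 29 16:03:01.346: X-CSTP-Netmask: 255.255.255.0
*Sep 29 16:03:01.346: X-CSTP-DNS: 8.8.8.8
*Sep 29 16:03:01.346: X-CSTP-MTU: 1399
*Sep 29 16:03:01.346: X-CSTP-Split-Include: 0.0.0.0/0.0.0.0
*Sep 29 16:03:01.346: X-CSTP-DPD: 300
*Sep 29 16:03:01.458: [WV-TUNL-EVT]:[2266CF30] CSTP Control, Recvd a Req Cntl Frame (User user-vpn, IP 192.168.22.112)
Severity ERROR, Type USER_LOGOUT
Text: Configuration received from secure gateway was invalid.
*Sep 29 16:03:01.458: [WV-TUNL-EVT]:[2266CF30] For User user-vpn, Closing the Tunnel Session
"""

TS_RE = re.compile(r"^\*?([A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+):\s?(.*)$")
HDR_RE = re.compile(r"^X-CSTP-([\w-]+):\s*(.*)$")
EVT_RE = re.compile(r"^\[WV-TUNL-EVT\]:\[([0-9A-Fa-f]+)\]\s+(.*)$")
SEV_RE = re.compile(r"^Severity (\w+), Type (\w+)$")
TEXT_RE = re.compile(r"^Text:\s*(.*)$")


@dataclass
class TunnelSession:
    tunnel_id: Optional[str] = None
    pushed: Dict[str, str] = field(default_factory=dict)         # X-CSTP-* name -> value
    events: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, event text)
    control: Dict[str, str] = field(default_factory=dict)        # Severity / Type / Text


def parse_debug(text: str) -> TunnelSession:
    """Walk the debug output once and fill a TunnelSession."""
    s = TunnelSession()
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        ts, body = (m.group(1), m.group(2).strip()) if m else ("", line)
        if not body:                      # bare timestamp lines carry nothing
            continue
        if (h := HDR_RE.match(body)):
            s.pushed[h.group(1)] = h.group(2)
        elif (e := EVT_RE.match(body)):
            s.tunnel_id = s.tunnel_id or e.group(1)
            s.events.append((ts, e.group(2)))
        elif (c := SEV_RE.match(body)):
            s.control["Severity"], s.control["Type"] = c.group(1), c.group(2)
        elif (t := TEXT_RE.match(body)):
            s.control["Text"] = t.group(1)
    return s


def findings(s: TunnelSession) -> List[str]:
    """Turn the parsed session into short, checkable observations."""
    out: List[str] = []
    if any("Allocating IP" in ev for _, ev in s.events) and "Address" in s.pushed:
        out.append(f"gateway side completed: address {s.pushed['Address']} allocated "
                   "and CONNECT reply sent")
    if s.control.get("Type") == "USER_LOGOUT":
        out.append(f"client ended the session ({s.control.get('Severity', '?')}): "
                   f"{s.control.get('Text', 'no text')}")
    if s.pushed.get("Split-Include") == "0.0.0.0/0.0.0.0":
        out.append("client received a full-tunnel split-include (0.0.0.0/0.0.0.0); if the "
                   "policy group uses 'svc split include acl N', confirm that ACL exists")
    if any("Closing the Tunnel" in ev for _, ev in s.events):
        out.append(f"tunnel {s.tunnel_id} closed")
    return out


if __name__ == "__main__":
    session = parse_debug(SAMPLE_LOG)
    for name, value in sorted(session.pushed.items()):
        print(f"pushed {name} = {value}")
    for line in findings(session):
        print("-", line)
```

Feed it the output of `debug webvpn tunnel` (or a pasted excerpt like the one above) and compare the pushed values against the policy group line by line; an address, netmask, DNS server or split-include that does not match what the policy group says points at the gateway configuration, while a USER_LOGOUT with the gateway side complete points at what the client does with that configuration.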

5 Replies

Milos_Jovanovic
VIP Alumni

Hi @kiro.mihajlovski,

Try without profile push:

no svc profile SSLVPN_PROFILE

I know this functionality causes issues for me. It came fairly recently, and it comes with some limitations. Also check your AnyConnectLocalPolicy.xml file (located under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client) for the BypassDownloader option.

BR,

Milos

Hi @Milos_Jovanovic , 

Thanks a lot. I tried that earlier; unfortunately it is not working, same error again.

Regarding the AnyConnectLocalPolicy.xml, what should be the correct configuration for macOS?

Thanks

Hi @kiro.mihajlovski,

There is no right or wrong configuration, there is only what suits you or not.

I configured VRF-aware AnyConnect (over IKEv2, not SSL) earlier, and I know there are some limitations when using a router as compared to an ASA. For this purpose, the certificate on the router needs to be trusted by the client, and, at that time, profile push was not supported. For this, BypassDownloader needed to be set to True, which later causes issues with other VPNs. Later, profile push capability came, but again with some limitations (I believe they were related to profile naming).

Try going through these config guides, if you haven't already:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-16-9/sec-conn-sslvpn-xe-16-9-book/sec-conn-sslvpn-ssl-vpn.html

BR,

Milos
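The replies above point at the BypassDownloader setting in AnyConnectLocalPolicy.xml as a workaround that was once needed when an IOS headend could not push a profile, with the caveat that it later interferes with other VPNs. The Python helper below is an added example (not code from the thread or from Cisco) for reviewing and, if needed, toggling that one setting without hand-editing the file. The Windows location is quoted in the thread; the macOS location is assumed here to be under /opt/cisco/anyconnect/, so verify it on your install. The embedded sample file is constructed, and its default XML namespace and FipsMode element are assumptions used only to exercise the parser; the point of the code is that it finds the element whether or not the root carries a namespace, which is what defeats a naive ElementTree `find("BypassDownloader")`.

```python
"""Read and adjust BypassDownloader in an AnyConnect local policy file.

Added example; not code from the thread or from Cisco. AnyConnectLocalPolicy.xml
is the per-machine client policy whose BypassDownloader setting the replies
discuss (Windows path quoted in the thread; on macOS the file is assumed to
live under /opt/cisco/anyconnect/). The helpers tolerate a default XML
namespace on the root element and write the element back without turning
that namespace into an ns0: prefix.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample in the shape of an AnyConnectLocalPolicy.xml; the namespace
# URI and the FipsMode element are assumptions used only to exercise the parser.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <FipsMode>false</FipsMode>
  <BypassDownloader>true</BypassDownloader>
</AnyConnectLocalPolicy>
"""


def _local(tag: str) -> str:
    """Strip a '{uri}' namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _namespace(root: ET.Element) -> str:
    """Namespace URI of the root element, or '' when it has none."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def read_local_policy(xml_text: str) -> Dict[str, str]:
    """Top-level settings as {name: text}, ignoring any namespace."""
    root = ET.fromstring(xml_text)
    return {_local(el.tag): (el.text or "").strip() for el in root}


def bypass_downloader_enabled(xml_text: str) -> bool:
    return read_local_policy(xml_text).get("BypassDownloader", "false").lower() == "true"


def assess(xml_text: str) -> Tuple[bool, str]:
    """(enabled, note) for an operator reviewing a client's policy file."""
    if bypass_downloader_enabled(xml_text):
        return True, ("BypassDownloader is true: the client will not fetch profile or "
                      "software updates from the headend; the thread reports this "
                      "interferes with other VPNs, so revert it once it is no longer needed")
    return False, "BypassDownloader is false or unset: the client accepts headend downloads"


def set_bypass_downloader(xml_text: str, enabled: bool) -> str:
    """Return the policy text with BypassDownloader set; the caller writes it back.

    The XML declaration is not reproduced by ET.tostring; add it back if the
    original file had one.
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    if ns:
        ET.register_namespace("", ns)   # keep xmlns="..." rather than an ns0: prefix
    el = next((e for e in root if _local(e.tag) == "BypassDownloader"), None)
    if el is None:
        el = ET.SubElement(root, f"{{{ns}}}BypassDownloader" if ns else "BypassDownloader")
    el.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    enabled, note = assess(SAMPLE_POLICY)
    print(note)
    print(set_bypass_downloader(SAMPLE_POLICY, False))
```

Because the file is global to the machine, a change made to get one IOS headend working stays in force for every other AnyConnect connection that client makes, which is the side effect the replies describe; keeping the toggle in a script makes it easy to review and revert.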

Hi @Milos_Jovanovic ,

Many thanks for your reply.

I tried the BypassDownloader without any success. I went through the second link and also tried a few things, without success.

I used the first link as a reference for this configuration, so every step is done.

Still on same error. 

Thanks 

Hi @kiro.mihajlovski,

If you followed these guidelines, you did everything you should have done. The next step is to open a TAC case; they should be able to tell you what is wrong with the configuration.

BR,

Milos