Unable to VPN using Anyconnect client to new 1941

mintecinc
Level 1

I replaced the 1811 router with a 1941. SSLVPN was working fine on the 1811, but ever since I moved to the 1941, no luck. Got the Security, SSLVPN license pack installed and radius servers in AAA set for domain user authentication. Below, I have included configs from the 1941; let me know what you think.

VANC-1941#sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)
Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX161083A7
1 FastEthernet interface
2 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1941/K9          FTX161083A7

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None

Configuration register is 0x2102

-----------------------------------------------------------------------------------

sh running-config


no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER-1941
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 warnings
no logging console
enable secret 5 $1$74UD$vsB6b3ddY.Lq2u1wfZTPpsJ/
!
aaa new-model
!
!
aaa group server radius IAS-Servers
server 20.2.20.1.
server 20.1.20.1.
!
aaa authentication login userauthen group radius
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication login CiscoAdmins local group radius
aaa authorization console
aaa authorization exec CiscoAdmins local group radius
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone UTC -7 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
no ip dhcp use vrf connected

!
!
no ip bootp server
no ip domain lookup
ip domain name contoso.local
ip name-server 20.2.20.1.
ip inspect alert-off
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
!
appfw policy-name SDM_LOW
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint SSL_Trust
enrollment selfsigned
serial-number
revocation-check none
hash sha512
!
!
crypto pki certificate chain SSL_Trust
certificate self-signed 01

        quit
license udi pid CISCO1941/K9 sn FTX161083A7
!
!
archive
log config
  hidekeys
vtp domain ROUTER
vtp mode transparent
username Ugene privilege 15 secret 5 $1$uNxT$seQjWUAlmLnisadfdsa

!
redundancy
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1

!
crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key contosogbl0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key contosogbl0 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 periodic
crypto isakmp client configuration address-pool local VPNClientPool
!
crypto isakmp client configuration group vpnCanouver
key contosovpn1
dns 20.2.20.1. 20.2.20.1.
wins 20.2.20.1. 20.2.20.1.
domain contoso.local
pool VPNClientPool
acl 191
max-users 10
max-logins 1
netmask 255.255.255.0
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
   keepalive 30 retry 2
crypto isakmp profile sdm-ike-profile-1
   match identity group vpnCanouver
   client authentication list userauthen
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   keepalive 30 retry 2
   virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile DMVPN
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface Loopback0
description Remote user VPN virtual interface$FW_INSIDE$
ip address 20.2.99.1 255.255.255.0
ip access-group lb0i in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Tunnel1
description DMVPN3 spoke tunnel
bandwidth 10000
ip address 20.1.0.100.12 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication CONTOSO01
ip nhrp map 20.1.0.100.11 119.234.180.16
ip nhrp map multicast 119.234.180.16
ip nhrp network-id 5555
ip nhrp holdtime 360
ip nhrp nhs 20.1.0.100.11
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 50
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 111222
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description 10mb Internet$ETH-WAN$$FW_OUTSIDE$
bandwidth 10000
ip address 123.22.33.22 255.255.255.248
ip access-group ei0i in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
ip verify unicast reverse-path
ip route-cache same-interface
load-interval 60
duplex full
speed 10
rj45-auto-detect-polarity disable
service-policy input AppfwP2pPm
service-policy output ParentQosPm
!
interface GigabitEthernet0/1
description Trunk to Core1
no ip address
duplex auto
speed auto
!

!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 190
!
!
snmp-server community public RO
snmp-server ifindex persist
radius-server host 20.2.20.1. key 7 0337530A140A257F4B0A0B0003
radius-server host 20.1.20.1. key 7 00371B07165E0F350A225E4B1D
!
!
!
control-plane
!
!
banner exec ^C AUTHORIZED ACCESS ONLY ^C
banner login ^C AUTHORIZED ACCESS ONLY ^C
!
line con 0
password 7 130712061F5F16031F
transport output telnet
line aux 0
modem InOut
transport output telnet
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class Vty0iAcl in
privilege level 15
authorization exec CiscoAdmins
login authentication CiscoAdmins
transport input telnet ssh
line vty 5 15
access-class Vty0iAcl in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 20.1.0.1
!
webvpn gateway gateway_1
ip address 123.22.33.22 port 443
ssl trustpoint SSL_Trust
inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-2.4.20.2.k9.pkg sequence 1
!
webvpn context ROUTERSSLVPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "SSLVPNClientPool" netmask 255.255.255.0
   svc default-domain "contoso.local"
   svc keep-client-installed
   svc split include 20.0.0.0 255.0.0.0
   svc dns-server primary 20.2.20.1.
   svc dns-server secondary 20.2.20.2.
   svc wins-server primary 20.2.20.1.
default-group-policy policy_1
gateway gateway_1
max-users 20
inservice
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
