cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
543
Views
0
Helpful
1
Replies

VPN Phones Fail to Connect via IOS 15.3 SSL VPN (webvpn) Gateway - Solution

jcp408ADP
Level 1
Level 1

If you have deployed or are deploying VPN phones using IOS Router SSL VPN and the router is or being upgraded to IOS 15.3(x), and IOS-XE 3.3, then you will most likely run into the problem described below which causes the the phone to start the negotiate the VPN but fail during the DTLS phase.

If the phone debug log shows this error:

VPNC: -process_login: login failed, 'webvpn=' not found in cookie

Then it's most likely you have this same problem.

The fix is contrary to the configuration procedures here and elsewhere::

AnyConnect VPN Phone Connection to a Cisco IOS Router Configuration Example

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/authentication-authorization-accounting-aaa/116313-configure-anyconnect-00.html

The change to the standard configuration to work-around the failure is:

webvpn context<context_name>
 policy group <policy_name>
  functions svc-enabled
  no functions svc-required
  no svc dtls

The following excerpt from TAC SR 638209465 is essentially saying DTLS as of IOS 15.3 was updated to current security standards and phone firmware has not yet been updated to match.

Action Taken

============

** AnyConnect from desktop was working as expected

** From the debugs we notice that tunnel is failing during DTLS connection

** We had below defect which mandate 4 bytes field in DTLS packet coming from SSL VPN Client:

CSCup56792    Supporting 4 byte DTLS header

** Due to which only any connect 3.1.x can work with DTLS connection, in our case phone had SSLVPN client 1.0

** So the workaround is not to use DTLS connection, which we did and fixed the issue

** Below are the enhancement request to enable new DTLS attribute on phone SSL VPN Client:

CSCuv83594    AnyConnect VPN phones issues after an IOS upgrade

CSCuv83608    AnyConnect VPN phones issues after an IOS upgrade 

NOTE: Above bug are not visible on cisco.com.

1 Reply 1

infrateam
Level 4
Level 4

OP I raised a TAC for this issue back in April 2015. 

You must use DTLS for phones, else they fall back to using TCP. The result is extremely poorly working phones. Have you tested this?