cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5061
Views
0
Helpful
14
Replies

Continuing problems with security certificate warnings (both with browser and the AnyConnect client) when establishing a VPN connection to a 1941ISR using SSLVPN

rtoomey
Level 1
Level 1

I have a follow-up question re: an issue that I received help to resolve (via this discussion forum) back in early March. (See original discussion at https://supportforums.cisco.com/message/3309140#3309140)

The customer just called me with a question I haven't been able to answer...

Back in March, when I followed the suggestions offered by a forum contributor and generated a new self signed certificate with the correct name, from that point on, the customer could browse to the outside interface of the 1941 ISR (74.4.29.86) and not get a certificate error warning. However, early this month he had his domain name hosting service (Yahoo Domains) create a domain name entry for 74.4.29.86: remote.tsfhs.org. He informed me that he had done this, and I updated the TP-SSLVPN trustpoint to reflect the new CN= value, like so:

crypto pki trustpoint TP-SSLVPN

enrollment selfsigned

subject-name cn=remote.tsfhs.org (This had been set to 74.4.29.86)

revocation-check crl

rsakeypair sslkey

Assuming that I would have to regenerate the self-signed certificate with the updated CN value for the trustpoint, I ran the crypto pki enroll TP-SSLVPN command sequence.

However, now when the customer browses to remote.tsfhs.org (on a new PC that has never been connected to the SSL web vpn gateway), the certificate error doesn't occur. But when the AnyConnect client is subsequently downloaded for the first time, instead of "remote.tsfhs.org" appearing in the "Connect to:" box, it's "74.4.29.86". Supplying a username & password at this point connects successfully with no errors. However, what the IT manager WANTS to see in the "Connect to:" box is "remote.tsfhs.org".

Moreover, keying remote.tsfhs.org (instead of 74.4.29.86) and supplying a correct username & password does generate a certificate error. The connection attempt is successful, but the customer wants to be able to direct his users to always enter the DNS name (rather than the IP address) in the AnyConnect "Connect to:" box, and he wants that to be the default, i.e., after a first-time connection is successfully made via Internet Explorer and the AnyConnect client is downloaded for the first time, he wants to see "remote.tsfhs.org" appear in the AnyConnect client "Connect to:" box rather than the IP address. Should I have deleted the TP-SSLVPN trustpoint entirely, recreated it with the new "CN=" value, and reran crypto pki enroll TP-SSLVPN? I would appreciate any suggestions for the procedure to correct this.

14 Replies 14

Jennifer Halim
Cisco Employee
Cisco Employee

Hi Again

I just did a quick test from my browser to: https://remote.tsfhs.org, however I was presented with the old certificate, ie: the one that has CN=74.4.29.86 with the certificate created on 07/03/2011.

It seems to me that the router is still using the OLD certificate, instead of the new one created.

You might want to create a new TrustPoint name alltogether, and created certificate with CN=remote.tsfhs.org

Then, on the WebVPN configuration, remove the old trustpoint, and add the new trustpoint in.

Hope this helps.

Hello, Jennifer...

Thanks for the reply. I took your advice... I created a new trustpoint name (TSFHS-SSLVPN) with CN=remote.tsfhs.org , removed the old trustpoint from the webvpn config, then added the new trustpoint. I then ran crypto pki enroll TSFHS-SSLVPN, and then deleted the old trustpoint from the config. I then launched Internet Explorer, ran Tools, Internet Options, and clicked the "Content" tab. From there, I clicked the Certificates button and removed the certificate that I'd installed for 74.4.29.86 several weeks ago. Interestingly, when I installed the new certificate associated with remote.tsfhs.org last week (after changing the CN= value in the old trustpoint from 74.4.29.86 to remote.tsfhs.org), I never thought to remove the 74.4.29.86 certificate from my browser at that time. I didn't see remote.tsfhs.org in my browser certificate store today before I made the router config change by adding the new trustpoint.

Anyway, when I browsed to remote.tsfhs.org for the first time after the changes to the router config and after deleting the 74.4.29.86 certificate from my browser certificate store, I (as expected) got the standard "there is a problem with this web site's certificate" message. I clicked continue, and on the Cisco SSL VPN login screen, I clicked on the certificate error button to the right of the URL entry area, and chose the "View Certificates" option. I then installed remote.tsfhs.org as a trusted root authority certificate. However, I'm continuing to get the certificate error each time I browse to remote.tsfhs.org, except that now clicking on the Certificate W\Error button returns a "Mismatched Address" error. I'm still trying to figure this out. Any additional suggestions welcome. Please let me know if you'd like me to post a copy of the 1941 ISR config.

I think I just found the problem... In the webvpn gateway context, there is a "hostname" option. I entered "hostname remote.tsfhs.org" under webvpn gateway and voila! that appears to have resolved the issue. Now when I browse to remote.tsfhs.org, I donon't get the certificate error, and when I get to the Cisco SSL VPN login page, I no longer see https://74.4.29.86/webvpn.html in the URL box, but I instead see https://remote.tsfhs.org/webvpn.html as I'd expect to.

Here's how the webvpn gateway is now configured:

webvpn gateway gateway_1
hostname remote.tsfhs.org
ip address 74.4.29.86 port 443
http-redirect port 80
ssl trustpoint TSFHS-SSLVPN
inservice

Spot on...

I've just tested the same, and the certificate looks correct now.

Hi rtoomey and Jennifer.

rtoomey, im having huge problems with configuring the exact same thing on my Cisco 1941 router. Would you be so kind to paste your config for the SSL VPN configuration and such? It would be very much apriciated.

Thank you very much in advance.

Regards Tommy Svensson

Tommy,

Here are the items I added to make SSL VPN work. I've substituted "< >" for actual config elements due to my customer's security policy.

- Create a trustpoint for the 1941's self-signed certificate:

crypto pki trustpoint enrollment selfsigned
subject-name cn= revocation-check crl
rsakeypair sslkey

- Generate a self-signed certificate for the trustpoint that was created:

crypto pki enroll

- Create a Loopback interface with the IP address you'll be assigning your Web VPN gateway:

interface Loopback0
ip address

- Here are the webvpn commands in my config:

webvpn gateway

hostname

ip address [port nnn; optional]
http-redirect port 80
ssl trustpoint

inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-2.5.2017-k9.pkg sequence 1
!
webvpn context tsfhs
ssl authenticate verify all
!
!
policy group remote-users
   functions svc-enabled
   mask-urls
   svc address-pool ""
   svc default-domain ""
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include
   svc dns-server primary

default-group-policy remote-users
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway
(i.e., the name you gave your webvpn gateway with "webvpn gateway" command, above)

inservice
!
end

Also, check out this link for a good config example: http://www.networkstraining.com/configuring-anyconnect-webvpn-on-cisco-router/

Thank you very much good sir. Just one more question.
Where can i get hold of the anyconnect-win-2.5.2017-k9.pkg and is that free? I already have a SSL licesence for 10 users.


Ive already got "sslclient-win-1.1.4.176.pkg" and i thought that was for the clients to install for accessing the SSL VPN. But as i access the webbsite and choose:

"Application AccessTunnel Connection  (AnyConnect)"It all fails and it wont install any client on the computer.


Regards Tommy Svensson

It is downloadable from the Cisco download center if you have a CCO account. I'm unsure of the cost. The routers we provided for our customer have 25-user SSL licenses. I can't recall offhand if the anyconnect client was already in flash when we unboxed the equipment or if I downloaded it from CCO. In any case, I would think that if you have a 10-user SSL license, that would entitle you to the anyconnect client at no additional cost, but I'm not sure. Have you done a show flash and confirmed that the client is NOT already in the router's flash? Keep in mind that the config details I posted should download the client to the PC from the router at the first SSL VPN connection attempt.

I already have the sslclient-win-1.1.4.176.pkg installed on the router but i cant get it to install on my computer. Is there support for IE 8 and Windows 7 ?


Regards Tommy Svensson

scanlaser-router-2>en
Password:
scanlaser-router-2#show flash
-#- --length-- -----date/time------ path
1     48516696 Dec 14 2010 03:46:26 c1900-universalk9-mz.SPA.151-2.T2.bin
2         2903 Dec 14 2010 04:03:10 cpconfig-19xx.cfg
3      2941440 Dec 14 2010 04:03:36 cpexpress.tar
4         1038 Dec 14 2010 04:03:44 home.shtml
5       115712 Dec 14 2010 04:03:56 home.tar
6      1697952 Dec 14 2010 04:04:18 securedesktop-ios-3.1.1.45-k9.pkg
7       415956 Dec 14 2010 04:04:32 sslclient-win-1.1.4.176.pkg
8          660 Mar 15 2011 16:36:34 vlan.dat
10           0 Apr 01 2011 09:56:56 webvpn
11      415956 Apr 12 2011 11:48:04 webvpn/sslclient-win-1.1.4.176.pkg
12           0 Apr 01 2011 10:01:30 webvpn/SSL_VPN
13         137 Apr 01 2011 10:01:32 webvpn/SSL_VPN/iosoft.xml
14        3274 Apr 05 2011 06:03:22 FHK145170X5_20110404105349509.lic
15           0 Apr 12 2011 11:51:24 webvpn/vpn
16         136 Apr 12 2011 11:51:26 webvpn/vpn/tommy.xml
17     1697952 Apr 12 2011 12:42:48 webvpn/sdesktop.pkg
18         137 Apr 12 2011 12:52:16 webvpn/vpn/iosoft.xml

200626176 bytes available (55861248 bytes used)

Tommy,

Yes, IE 8 and Windows 7 are supported. What precisely is happening after you login for the first time via IE 8, i.e., what messages/notifications are you receiving? If you don't already have what I think is the lastest version of the AnyConnect Admin Guide (Release 2.4), it's at the following link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/acadmin24.pdf

I have not the annyconnect installed. Ive used the sslclient-win-1.1.4.176.pkg as it came with the router. I go to the website https://192.168.96.20/webvpn.html and accept certificate. Then i login and get the option of star "Tunnel Connection (AnyConnect)". When i try to do that i get the message:

The installer was not able to start the Cisco SSL VPN  Client.
Please contact your IT administrator for more information.
Click here to logout.


Regards Tommy Svensson


R1#show run

webvpn gateway gateway_2
ip address 192.168.96.20 port 443
ssl trustpoint TP-self-signed-2148026383
inservice
!
webvpn install svc flash0:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn install csd flash0:/webvpn/sdesktop.pkg
!
webvpn context vpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "10.0.1.0_POOL"
svc default-domain "scanlaserrouter.local"
svc keep-client-installed
svc rekey method new-tunnel
svc dns-server primary 8.8.8.8
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_2 domain vpn
inservice
!
end

Tommy,

I've attached several screen snapshots of what a normal sequence looks like on a PC that doesn't have the AnuConnect client installed yet.

- Screen1.png is what I get when I browse to the 1941.

- Screen2.png is what I get after successfully logging in.

- Clicking the "Start" button for "Tunnel Connection" gets me to "Screen3.png". I suspect that the downloader appearing here never starts for you, correct? Is the error message you're getting being displayed in the "WebLaunch" window that I captured behind the downloader window in Screen3.png? If so, please confirm that you have installed/enabled the necessary IE component to support AnyConnect (ActiveX or Sun JRE 1.4+).

Hello again.

Im having problems with the certificate and i wonder what you did on this matter.
Im having problems making my router a certificate authority, im guessing thats needed for SSL VPN to work from company employees at home to external address of my router.

Cisco CP tells me the following when i try to start the task create certificate authority

"Cisco CP could not authenticate your credentials. Please try again."

Is it something with my licensing so that im not allowed to use this function?
What do you have activaded in form of licenses and such? Or do i even need to set up an CA?

When i used the self-signed certificate worked for a minute and then it crashed with some error about the certificate.

Hoping you might have some ideas regarding this issue.

Regards Tommy Svensson

Tommy- the authentication error is likely because you are connecting via http and Cisco CP is looking to https to run those tasks.  I was able to get past that error by enabling http secure-server and rediscovering the router with the secure options checked.

Rgds,

Andrew