
WebVPN - no connectivity from outside interface

mateid1234
Level 1

Hello,

I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, the 443 port appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.

Thanks!

Accepted Solution

This is your main route:

ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123

This is your backup route:

ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124

If you try to access Dialer0 from outside, your return traffic goes out through FastEthernet0.

You need to do "local PBR" to correct this.
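
As an added illustration (not part of the accepted answer or of anything else posted in the thread), this is what "local PBR" looks like on IOS for this case: a route-map applied with ip local policy, so that packets the router itself originates from its Dialer0 (ISP2) address are sent out Dialer0 instead of following the primary default route out FastEthernet0. It goes slightly beyond the WebVPN case by matching everything sourced from the ISP2 address, not only port 443. The address 203.0.113.10 and the names ISP2-SOURCED and LOCAL-PBR are placeholders chosen here; they do not appear in the thread.

```text
! Added example, not from the thread. Assumptions:
!   203.0.113.10 = the address ISP2 has assigned to Dialer0 (placeholder)
!   the WebVPN gateway listens on that address, port 443
!
! Match anything the router sends with the ISP2 address as source
! (narrow to "permit tcp host 203.0.113.10 eq 443 any" to cover only WebVPN)
ip access-list extended ISP2-SOURCED
 permit ip host 203.0.113.10 any
!
! Router-originated packets that match are forced out Dialer0;
! Dialer0 is point-to-point, so "set interface" is enough and no next-hop
! address is needed
route-map LOCAL-PBR permit 10
 match ip address ISP2-SOURCED
 set interface Dialer0
!
! Applies only to traffic generated by the router itself (replies from the
! WebVPN gateway, ICMP, etc.); transit traffic from the inside hosts keeps
! using the routing table or the "ip policy route-map" applied on BVI1
ip local policy route-map LOCAL-PBR
```

To check it, open a connection to the ISP2 address from the Internet and watch the "Policy routing matches" counter in show route-map LOCAL-PBR increase, or run debug ip policy briefly. Two caveats: the ACL matches an address, not an interface, so if the ISP2 address is negotiated and changes, the host entry has to be changed with it; and packets not matched by the route-map are still routed normally, so the FastEthernet0 primary path is unaffected.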


25 Replies

Jason Gervia
Cisco Employee

do a

'show tcp brief all num'

And that will show you what ports the router is listening on. If you see an IPADDRESS:443 vs *:443, then it's listening on that IP address.

Please post your configuration for more assistance.

mateid1234
Level 1

The command returned the IP address assigned by the ISP followed by ".443" and (state) as "LISTEN". I have attached my current config for reference.

Does the 'show webvpn context' show the context as up?

Yes, the context is up (AS/up, OS/up) and I can access the portal from the inside interface by using the public ip address. It's only when I try to connect from the Internet that the router fails to respond.

It's like the router is blocking all connections to itself from the outside interfaces based on some default rule/policy/ACL/etc., but I have no idea what that may be or how it can be altered.

The only way I was able to open port 443 was by forwarding it to some computer behind the router, which obviously is of no help.

mateid1234
Level 1

After analyzing the problem in more detail I came to the conclusion that the port is indeed open on the outside interface, but the tcp connections are dropped during the initial handshake. Here is what actually happens:

TCB84E12BD4 created
Reserved port 443 in Transport Port Agent for TCP IP type 1
TCP0: state was LISTEN -> SYNRCVD [443 -> y.y.y.y(4718)]
TCP: tcb 84E12BD4 connection to y.y.y.y:4718, peer MSS 1460, MSS is 516
TCP: sending SYN, seq 2578099390, ack 3152674293
TCP0: Connection to y.y.y.y:4718, advertising MSS 536
x.x.x.x:3 <---> y.y.y.y:4718 congestion window changes
cwnd from 536 to 536, ssthresh from 65535 to 1072
TCP0: timeout #1 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
TCP0: timeout #2 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
connection attempt to port 36109
TCP: sending RST, seq 0, ack 2677520110
TCP: sent RST to 92.84.106.222:2777 from x.x.x.x:36109
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
Released port 443 in Transport Port Agent for TCP IP type 1 delay 240000
TCP0: state was SYNRCVD -> CLOSED [443 -> y.y.y.y(4718)]
TCB 0x84E12BD4 destroyed

where x.x.x.x is the address of the router and y.y.y.y is the address of the remote client (a 2003 server machine)

I would very much appreciate any ideas on how to solve this problem!

I am having the same issues. How was this condition resolved?

Unfortunately, I am still trying to find a solution for this problem. Maybe you could post your configuration, so we can try to at least rule out what is not causing this behavior.

Exclude ip address of the local interface from the NAT.

[Pls RATE if HELPS]

Please elaborate a bit more on your solution, because I'm not sure that I understand what I'm supposed to do. The IP address of the virtual interface (BVI1) is not being NATed directly, but several computers behind the router (sharing the same IP class) are. Is this the problem?

ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ASYNCnat permit 10
 match ip address NAT
 match interface Dialer2
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!

Yes, this works, but now I cannot use different ISPs for different computers. If I create two access lists like

ip access-list ext THRUISP1
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.1 any

or

 permit ip 172.16.0.0 0.0.0.7 any

and

ip access-list ext THRUISP2
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.9 any

or

 permit ip 172.16.0.8 0.0.0.7 any

the problem reappears! I think I'm missing the logic behind this.

Is there an alternative way of using concurrent NAT translations without having this problem?

My ultimate goal is to allow

access list 1 -> ISP1 -> ISP2 -> ASYNC

access list 2 -> ISP2 -> ISP1 -> ASYNC

while using ISP2 for incoming webvpn connections.

Is this possible? Thanks!

Use policy-based routing and leave NAT as it is.

[Pls RATE if HELPS]

This is what I'm using right now (leaving the ASYNC interface aside):

interface BVI1
 ip policy route-map RMAP
!
ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
!
ip access-list standard THRUISP1
 permit 172.16.0.1
 permit 172.16.0.2
!
ip access-list standard THRUISP2
 permit 172.16.0.3
 permit 172.16.0.4
!
route-map RMAP permit 10
 match ip address THRUISP1
 set ip next-hop verify-availability x.x.x.x 10 track 123
 set ip next-hop verify-availability y.y.y.y 20 track 124
!
route-map RMAP permit 20
 match ip address THRUISP2
 set ip next-hop verify-availability y.y.y.y 10 track 124
 set ip next-hop verify-availability x.x.x.x 20 track 123
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!
ip nat inside source route-map ISP1nat interface FastEthernet0 overload
ip nat inside source route-map ISP2nat interface Dialer0 overload

In this configuration the problem remains the same. As soon as I try to add a specific host to either THRUISP1 or THRUISP2 the router stops responding to incoming connections! The only way it works is if I replace both access lists with the NAT list. Am I doing something wrong?

Show the configuration and describe your problem again.
