06-05-2008 07:01 AM - edited 02-21-2020 03:45 PM
I am implementing an SSL VPN with IOS version 12.4(13r)T5 on a 2801, but when I try to connect in tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) to https://1.2.3.4/tunnel, the SSL VPN client can't connect.
The error on the router is:
Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
Jun 5 16:07:55.755: WV: server side not ready to send.
The following is the configuration:
!
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
!
!
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context vpn1
ssl authenticate verify all
!
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
!
!
policy group vpn1
url-list "eng"
default-group-policy vpn1
gateway ISR2801-RM domain clientless
inservice
!
!
webvpn context vpn2
ssl authenticate verify all
!
!
policy group vpn2tunnel
functions svc-enabled
svc address-pool "WEBVPN"
svc split include 10.0.0.2 255.255.255.255
default-group-policy vpn2tunnel
gateway ISR2801-RM domain tunnel
inservice
!
06-05-2008 12:52 PM
Is your pool in the same subnet as the inside interface?
Try to compare your configuration from the following link , maybe you are missing something?
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml
Regards
Farrukh
06-05-2008 01:07 PM
Also, I think you need to be running at least 12.4(15)Tx, to support the AnyConnect client, have a look at:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1393624
Regards
Farrukh
06-06-2008 01:12 AM
Thanks for the reply !!!!
The configuration is the following:
!
!
interface Ethernet 0
ip address 10.0.0.128 255.255.255.0
!
!
ip http secure-server
!
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
!
webvpn gateway ISR2801-RM
hostname ISR2801-RM
ip address 1.2.3.4 port 443
ssl trustpoint TP-self-signed-50153718
ssl encryption aes-sha1
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context context-sslvpn1
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn1/
!
url-list "eng"
url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
!
!
nbns-list cifs-servers
nbns-server 172.16.1.1 master
nbns-server 172.16.2.2 timeout 10 retries 5
nbns-server 172.16.3.3 timeout 10 retries 5
login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
this device are logged and violations of this policy may result in disciplinary action."
!
!
port-forward "portlist"
local-port 30019 remote-server ssh-server remote-port 22 description SSH
local-port 30020 remote-server mailserver remote-port 143 description IMAP
local-port 30021 remote-server mailserver remote-port 110 description POP3
local-port 30022 remote-server mailserver remote-port 25 description SMTP
!
!
policy group policy-sslvpn1
url-list "eng"
port-forward "portlist"
nbns-list "cifs-servers"
functions file-access
functions file-browse
functions file-entry
citrix enabled
default-group-policy policy-sslvpn1
gateway ISR2801-RM domain clientless
inservice
!
!
webvpn context context-sslvpn2
ssl authenticate verify all
user-profile location flash:webvpn/sslvpn/context-sslvpn2/
!
!
policy group policy-sslvpn2
functions svc-enabled
svc address-pool "WEBVPN"
svc keep-client-installed
svc dpd-interval gateway 30
svc dpd-interval client 300
svc rekey method new-tunnel
svc rekey time 3600
svc split include 10.0.0.0 255.255.255.0
svc default-domain cisco.com
svc dns-server primary 192.168.3.1
svc dns-server secondary 192.168.4.1
default-group-policy policy-sslvpn2
gateway ISR2801-RM domain tunnel
inservice
!
!
ISR2801-RM#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+
2,2,0133
Mon 05/19/2008 12:58:52.34 v
ISR2801-RM#
WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client:
* the SSL client installed on the PC tells me it can't connect.
* on the router the log shows:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
offset: 0, domain: 0)
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Jun 6 10:28:08.287:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
SSLVPN sock pid 182 sid 161: closing
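The debug output above is the kind of thing Farrukh asks for later in the thread, but note that "debug webvpn tunnel" prints the client's X-DTLS-Master-Secret and the webvpn session cookie in clear text. The following Python script is an added example (not from the original post or from Cisco): it parses the CSTP CONNECT block out of that debug output, pulls the request, headers and the context name from the cookie, flags the "Appl. processing Failed" line, and redacts the secret and cookie values so the log can be shared safely. The sample log is a constructed, trimmed copy of the one in the post with made-up placeholder values.

```python
import re

# Constructed sample: trimmed from the thread's 'debug webvpn tunnel' output,
# with the master secret and cookie replaced by made-up placeholder values.
SAMPLE_LOG = """\
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: vpn.example.net
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1@2@3@4@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 00112233445566778899AABBCCDDEEFF
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
"""

# IOS timestamp prefix, e.g. "Jun 6 10:28:08.283: "; group 1 is the message body.
TS = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+:\s?(.*)$")
# Header names whose values must never leave the router in a shared log.
SENSITIVE = ("x-dtls-master-secret", "cookie")


def parse_cstp_debug(text):
    """Return (summary dict, redacted log lines) for one CSTP CONNECT attempt."""
    summary = {"request": None, "headers": {}, "context": None, "failed": False}
    redacted = []
    for line in text.splitlines():
        m = TS.match(line)
        body = m.group(1) if m else line
        if body.startswith("CONNECT "):
            summary["request"] = body
        elif ": " in body and not body.startswith("WV:"):
            name, value = body.split(": ", 1)
            summary["headers"][name] = value
            if name.lower() == "cookie":
                # The webvpn cookie ends with the context the session belongs to.
                summary["context"] = value.rsplit("@", 1)[-1]
            if name.lower() in SENSITIVE:
                line = line.replace(value, "<redacted>")
        elif body.startswith("WV: Appl. processing Failed"):
            summary["failed"] = True
        redacted.append(line)
    return summary, redacted


if __name__ == "__main__":
    info, safe_lines = parse_cstp_debug(SAMPLE_LOG)
    print(info["request"], info["context"], "FAILED" if info["failed"] else "ok")
    print("\n".join(safe_lines))
```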
06-06-2008 02:36 AM
Hello, the config seems OK. Since your IP pool is on the same subnet as the LAN, that's also OK. Otherwise you would have to create a loopback.
Anyway, did you upgrade your IOS from 12.4(13r)T5 to 12.4(15)Tx? (As mentioned in my last post.) This is required for the 'new' AnyConnect client to work. You can only run the Cisco SSL VPN Client (SVC) on your IOS version.
Please re-read my last post.
Regards
Farrukh
06-06-2008 02:38 AM
Also, for your clientless context, I don't think the following will work: SSH needs special handling (the ASA firewall, for example, has a separate plugin for this). I don't think the IOS SSL VPN supports this to date? If you get it working, please let me know too :). I need it for one customer.
local-port 30019 remote-server ssh-server remote-port 22 description SSH
Regards
Farrukh
06-06-2008 10:23 AM
Hi,
The IOS version on the Cisco 2801 is the latest: c2801-advipservicesk9-mz.124-15.T5.bin
and I need to deploy only (for now) the context context-sslvpn2 (the one with Tunnel Mode / full tunnel client mode)... but the error in the log remains.
Just a question:
if the SSL VPN client needs to do a split tunnel (connect the pool over the SSL tunnel only to the network 10.0.0.0/24), is the following correct?
svc split include 10.0.0.0 255.255.255.0
Thanks again for your time.
RT
06-06-2008 12:12 PM
Yes, this syntax seems correct; more details can be found here:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1354672
Why don't you enable detailed debugging on the ROUTER and attach the output here?
debug webvpn tunnel
debug webvpn authentication
debug webvpn aaa
debug webvpn cookie
debug webvpn package
debug webvpn entry
Also one important thing, in Internet Explorer:
Tools >> Internet Options >> Advanced
Check "Use SSL 3.0" and "Use SSL 2.0"
Clear Browse Cache/Cookies
Regards
Farrukh
11-08-2011 07:51 AM
Hello,
You could try to remove the "domain clientless" extension defined in your webvpn context:
#gateway ISR2801-RM domain tunnel
I had the same issue and I believe that the domain is somehow linked to the trustpoint, so as long as the declared domain is not part of the self-signed certificate defined in the trustpoint, there is no need for the "domain tunnel" option.