6982 Views | 0 Helpful | 8 Replies
IOS SSL VPN problem

ROBERTO TACCON
Level 4

I am implementing an SSL VPN with IOS version 12.4(13r)T5 on a 2801, but when I try to connect in tunnel mode with the latest SVC (anyconnect-win-2.2.0133-web-deploy-k9.exe) via https://1.2.3.4/tunnel, the SSL VPN client can't connect.

The error on the router is:

Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
Jun 5 16:07:55.755: WV: server side not ready to send.

The following is the configuration:

!
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
!
!
webvpn gateway ISR2801-RM
 hostname ISR2801-RM
 ip address 1.2.3.4 port 443
 ssl trustpoint TP-self-signed-50153718
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context vpn1
 ssl authenticate verify all
 !
 url-list "eng"
   url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
 !
 !
 policy group vpn1
   url-list "eng"
 default-group-policy vpn1
 gateway ISR2801-RM domain clientless
 inservice
!
!
webvpn context vpn2
 ssl authenticate verify all
 !
 !
 policy group vpn2tunnel
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc split include 10.0.0.2 255.255.255.255
 default-group-policy vpn2tunnel
 gateway ISR2801-RM domain tunnel
 inservice
!
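As an added example (not code from this thread, and not a Cisco tool), the following Python script parses the configuration posted above, whose indentation was lost in the paste, and checks the cross-references that must resolve before a context can serve clients: the default-group-policy names a policy group in the same context, an svc-enabled group's address-pool names an existing ip local pool, the context's gateway exists and is inservice, the context itself is inservice, and no two contexts claim the same gateway/domain pair. The BROKEN_CONFIG variant is constructed with made-up names to show what a dangling reference looks like; the posted configuration passes every check, which points the troubleshooting away from these references.

```python
# Added example, not the thread's own config or any Cisco tool: cross-reference check
# for IOS WebVPN config pasted without indentation, as in the question above.

# Configuration as posted in the question, trimmed to the lines this check reads.
SAMPLE_CONFIG = """\
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
!
webvpn gateway ISR2801-RM
inservice
!
webvpn context vpn1
policy group vpn1
default-group-policy vpn1
gateway ISR2801-RM domain clientless
inservice
!
webvpn context vpn2
policy group vpn2tunnel
functions svc-enabled
svc address-pool "WEBVPN"
default-group-policy vpn2tunnel
gateway ISR2801-RM domain tunnel
inservice
"""
# Constructed variant (made-up names) with three references that do not resolve.
BROKEN_CONFIG = """\
ip local pool WEBVPN 10.0.0.140 10.0.0.150
webvpn gateway GW-EXAMPLE
webvpn context vpn-broken
policy group tun
functions svc-enabled
svc address-pool "WEBVPN-POOL"
default-group-policy tunnel
gateway GW-EXAMPLE domain tunnel
inservice
"""

def parse_webvpn(config):  # -> {"pools": ..., "gateways": ..., "contexts": ...}
    model = {"pools": {}, "gateways": {}, "contexts": {}}
    gw = ctx = grp = None  # section currently being filled; tracked by keyword, not indentation
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            group = tok[tok.index("group") + 1] if "group" in tok else None
            model["pools"][tok[3]] = {"start": tok[4], "end": tok[5], "group": group}
            gw = ctx = grp = None
        elif tok[:2] == ["webvpn", "gateway"]:
            gw = model["gateways"][tok[2]] = {"inservice": False}
            ctx = grp = None
        elif tok[:2] == ["webvpn", "context"]:
            ctx = model["contexts"][tok[2]] = {"policy_groups": {}, "default_policy": None,
                                               "gateway": None, "domain": None, "inservice": False}
            gw = grp = None
        elif tok[0] == "webvpn":  # other top-level lines such as "webvpn install ..."
            gw = ctx = grp = None
        elif gw is not None and tok[0] == "inservice":  # inside "webvpn gateway"
            gw["inservice"] = True
        elif ctx is not None:  # inside "webvpn context"
            if tok[:2] == ["policy", "group"]:
                grp = ctx["policy_groups"][tok[2]] = {"svc_enabled": False, "address_pool": None}
            elif tok[0] == "default-group-policy":
                ctx["default_policy"], grp = tok[1], None
            elif tok[0] == "gateway":
                ctx["gateway"] = tok[1]
                ctx["domain"] = tok[tok.index("domain") + 1] if "domain" in tok else None
                grp = None
            elif tok[0] == "inservice":
                ctx["inservice"], grp = True, None
            elif grp is not None and tok[:2] == ["functions", "svc-enabled"]:
                grp["svc_enabled"] = True
            elif grp is not None and tok[:2] == ["svc", "address-pool"]:
                grp["address_pool"] = tok[2].strip('"')
    return model

def lint(model):  # -> list of human-readable findings; empty when everything resolves
    out, attached = [], {}
    for name, ctx in model["contexts"].items():
        gw = model["gateways"].get(ctx["gateway"])
        if ctx["default_policy"] not in ctx["policy_groups"]:
            out.append(f"context {name}: default-group-policy {ctx['default_policy']} is not a policy group here")
        if gw is None:
            out.append(f"context {name}: gateway {ctx['gateway']} is not defined")
        elif not gw["inservice"]:
            out.append(f"context {name}: gateway {ctx['gateway']} is not inservice")
        if not ctx["inservice"]:
            out.append(f"context {name}: context is not inservice")
        key = (ctx["gateway"], ctx["domain"])  # one context per gateway/domain pair
        if key in attached:
            out.append(f"context {name}: gateway/domain {key} already used by context {attached[key]}")
        attached[key] = name
        for gname, grp in ctx["policy_groups"].items():
            if grp["svc_enabled"] and grp["address_pool"] not in model["pools"]:
                out.append(f"context {name} policy group {gname}: svc address-pool "
                           f"{grp['address_pool']!r} has no ip local pool")
    return out
```

Run `lint(parse_webvpn(open("running-config").read()))` against a saved `show running-config`; the parser keys on the section keywords rather than on leading spaces, so it works on pasted configs as well as on real IOS output.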

8 Replies

Farrukh Haroon
VIP Alumni

Is your pool in the same subnet as the inside interface?

Try comparing your configuration with the one at the following link; maybe you are missing something:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml

Regards

Farrukh

Also, I think you need to be running at least 12.4(15)Tx to support the AnyConnect client; have a look at:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1393624

Regards

Farrukh

Thanks for the reply!!!!

The configuration is the following:

!
!
interface Ethernet 0
 ip address 10.0.0.128 255.255.255.0
!
!
ip http secure-server
!
ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
!
webvpn gateway ISR2801-RM
 hostname ISR2801-RM
 ip address 1.2.3.4 port 443
 ssl trustpoint TP-self-signed-50153718
 ssl encryption aes-sha1
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context context-sslvpn1
 ssl authenticate verify all
 user-profile location flash:webvpn/sslvpn/context-sslvpn1/
 !
 url-list "eng"
   url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
 !
 !
 nbns-list cifs-servers
   nbns-server 172.16.1.1 master
   nbns-server 172.16.2.2 timeout 10 retries 5
   nbns-server 172.16.3.3 timeout 10 retries 5
 login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action."
 !
 !
 port-forward "portlist"
   local-port 30019 remote-server ssh-server remote-port 22 description SSH
   local-port 30020 remote-server mailserver remote-port 143 description IMAP
   local-port 30021 remote-server mailserver remote-port 110 description POP3
   local-port 30022 remote-server mailserver remote-port 25 description SMTP
 !
 !
 policy group policy-sslvpn1
   url-list "eng"
   port-forward "portlist"
   nbns-list "cifs-servers"
   functions file-access
   functions file-browse
   functions file-entry
   citrix enabled
 default-group-policy policy-sslvpn1
 gateway ISR2801-RM domain clientless
 inservice
!
!
webvpn context context-sslvpn2
 ssl authenticate verify all
 user-profile location flash:webvpn/sslvpn/context-sslvpn2/
 !
 !
 policy group policy-sslvpn2
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc dpd-interval client 300
   svc rekey method new-tunnel
   svc rekey time 3600
   svc split include 10.0.0.0 255.255.255.0
   svc default-domain cisco.com
   svc dns-server primary 192.168.3.1
   svc dns-server secondary 192.168.4.1
 default-group-policy policy-sslvpn2
 gateway ISR2801-RM domain tunnel
 inservice
!
!

ISR2801-RM#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+
2,2,0133
Mon 05/19/2008 12:58:52.34 v
ISR2801-RM#

WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client: https://1.2.3.4/tunnel

* the SSL client installed on the PC tells me it can't connect.

* on the router, the log:

Jun 6 10:28:08.283:
Jun 6 10:28:08.283:
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
offset: 0, domain: 0)
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Jun 6 10:28:08.287:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291:
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
SSLVPN sock pid 182 sid 161: closing
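The debug output above includes the client's live webvpn session cookie and the X-DTLS-Master-Secret of the failing session, both pasted in the clear. As an added example (not from this thread or from Cisco), the following Python script parses such a trace into the CSTP CONNECT request and the router-side WV: events, replaces the secret-bearing header values before the trace is shared, lists the 56-bit DES and 3DES suites in the client's DTLS offer, and pulls out the failure events (the "Appl. processing Failed : 2" and "server side not ready to send" lines). The header names and timestamp format are taken from the lines in this post; the choice of which headers count as sensitive is an assumption of the example.

```python
"""Parse a 'debug webvpn' trace of an AnyConnect CSTP CONNECT and scrub it for sharing.

Added example, not from the thread. The sensitive-header list is this example's own
choice: the session cookie and the DTLS master secret identify and key a live session.
"""
import re

# Debug output copied from the post above (one line per router log message).
SAMPLE_TRACE = """\
Jun 6 10:28:08.283:
Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
offset: 0, domain: 0)
Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
Jun 6 10:28:08.287: X-CSTP-Version: 1
Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
Jun 6 10:28:08.287: X-CSTP-MTU: 1406
Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
Jun 6 10:28:08.291: WV: server side not ready to send.
SSLVPN sock pid 182 sid 161: closing
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+:\s*")  # "Jun 6 10:28:08.283: "
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
SENSITIVE_HEADERS = {"cookie", "x-dtls-master-secret"}  # session token and DTLS keying material
WEAK_CIPHERS = {"DES-CBC-SHA", "DES-CBC3-SHA"}          # 56-bit DES and 64-bit-block 3DES


def parse_trace(text):
    """Split the trace into the client's request (method, path, headers) and router events."""
    req = {"method": None, "path": None, "headers": {}, "events": []}
    for raw in text.splitlines():
        msg = TIMESTAMP.sub("", raw.strip())
        if not msg:
            continue  # a timestamp with no message
        m = REQUEST_LINE.match(msg)
        h = HEADER_LINE.match(msg)
        if m:
            req["method"], req["path"] = m.group(1), m.group(2)
        elif h and req["method"] and not msg.startswith("WV:"):
            req["headers"][h.group(1)] = h.group(2)  # header lines follow the request line
        else:
            req["events"].append(msg)  # WebVPN ("WV:") events, buffer dumps, socket close
    return req


def scrub(req):
    """Copy of the parsed request with secret-bearing header values replaced."""
    headers = {k: f"<redacted {len(v)} chars>" if k.lower() in SENSITIVE_HEADERS else v
               for k, v in req["headers"].items()}
    return {**req, "headers": headers}


def weak_dtls_ciphers(req):
    """Suites in the client's X-DTLS-CipherSuite offer that a gateway should not accept."""
    return [c for c in req["headers"].get("X-DTLS-CipherSuite", "").split(":") if c in WEAK_CIPHERS]


def failures(req):
    """Router-side events that explain why the tunnel did not come up."""
    return [e for e in req["events"] if "Failed" in e or "not ready" in e]


def render(req):
    """Reassemble the request as text, e.g. to paste a scrubbed copy into a forum post."""
    return "\n".join([f"{req['method']} {req['path']}",
                      *(f"{k}: {v}" for k, v in req["headers"].items())])


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print(render(scrub(parsed)))
    print("weak DTLS ciphers offered:", weak_dtls_ciphers(parsed))
    print("failure events:", failures(parsed))
```

The scrubbed copy keeps everything needed to discuss the failure (request path, CSTP headers, MTU, the WV: events) while removing what would let a third party resume or decrypt the session.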

Hello, the config seems OK. Since your IP pool is on the same subnet as the LAN, that's also OK. Otherwise you have to create a loopback.

Anyway, did you upgrade your IOS from 12.4(13r)T5 to 12.4(15)Tx (as mentioned in my last post)? This is required for the 'new' AnyConnect client to work. You can only run the Cisco SSL VPN Client (SVC) on your IOS version.

Please re-read my last post. Regards

Farrukh

Also, for your clientless context, I don't think the following will work; SSH needs special handling (the ASA firewall, for example, has a separate plugin for this). I don't think the IOS SSL VPN supports this to date? If you get it working, please let me know too :). I need it for one customer.

local-port 30019 remote-server ssh-server remote-port 22 description SSH

Regards

Farrukh

Hi,

The IOS version on the Cisco 2801 is the latest: c2801-advipservicesk9-mz.124-15.T5.bin

and I need to deploy only (for now) the context context-sslvpn2 (the one with tunnel mode, full tunnel client mode)... but the error in the log remains.

Just a question:

if the SSL VPN client needs to do a split tunnel (connecting the pool over the SSL tunnel only to the network 10.0.0.0/24), is the following correct?

svc split include 10.0.0.0 255.255.255.0

Thanks again for your time.

RT

Yes, this syntax seems correct; more details can be found here:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1354672

Why don't you enable detailed debugging on the ROUTER and attach the output here?

debug webvpn tunnel
debug webvpn authentication
debug webvpn aaa
debug webvpn cookie
debug webvpn package
debug webvpn entry

Also, one important thing, in Internet Explorer:

Tools >> Internet Options >> Advanced
Check "Use SSL 3.0" and "Use SSL 2.0"
Clear the browser cache/cookies

Regards

Farrukh

Hello,

You could try to remove the "domain clientless" extension defined in your webvpn context:

#gateway ISR2801-RM domain tunnel

I had the same issue, and I believe that the domain is somehow linked to the trustpoint, so while the declared domain is not part of the self-signed certificate defined in the trustpoint, there is no need for the "domain tunnel" option.
