Anyconnect issue with MacOSX client

Jun 26th, 2008

I have one 2821 configured as a WebVPN gateway. The router is running IOS release 12.4(15)T5. Then I installed the AnyConnect VPN client release 2.2.0133 on a Mac OS X 10.4 machine. The issue is that when I try to establish the connection with the gateway, it does not work. I'm able to see the message "%SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED" in the router console, but I was not able to find the exact meaning of this.

antonio-soares Fri, 06/27/2008 - 07:33

Without any debugs enabled, this is what I get in the console:

+++++++++++++++++++++

WebVPN-GW#
*Jun 27 15:53:59.343: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: MY_CONTEXT vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 192.168.252.222:49293
WebVPN-GW#
*Jun 27 15:54:05.639: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 192.168.252.222:49295
*Jun 27 15:54:05.643: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: MY_CONTEXT vw_gw: GW_1 remote_ip: 192.168.252.222 status: HTTP request without login cookie resource: /
WebVPN-GW#

+++++++++++++++++++++

With "debug webvpn" enabled:

+++++++++++++++++++++

WebVPN-GW#
*Jun 27 15:55:11.503: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 192.168.252.222:49297
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.507: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.511: WV: Entering APPL with Context: 0x481EAD10,
      Data buffer(buffer: 0x46D9EAA0, data: 0x3F403D58, len: 149,
      offset: 0, domain: 0)
*Jun 27 15:55:11.511: WV: http request: / with no cookie
*Jun 27 15:55:11.511: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: MY_CONTEXT vw_gw: GW_1 remote_ip: 192.168.252.222 status: HTTP request without login cookie resource: /
*Jun 27 15:55:11.511: WV: Client side Chunk data written..
      buffer=0x46D9E3E0 total_len=193 bytes=193 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: sslvpn process rcvd context queue event
*Jun 27 15:55:11.511: WV: sslvpn process
WebVPN-GW# rcvd context queue event
*Jun 27 15:55:11.511: WV: Entering APPL with Context: 0x481EAD10,
      Data buffer(buffer: 0x46D9EAA0, data: 0x3F4029D8, len: 197,
      offset: 0, domain: 0)
*Jun 27 15:55:11.511: WV: http request: /webvpn.html with domain cookie
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
      buffer=0x46D9E3E0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
      buffer=0x46D9EB60 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.511: WV: [Q]Client side Chunk data written..
      buffer=0x46D9EAE0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.515: WV: [Q]Client side Chunk data written..
      buffer=0x46D9EAC0 total_len=1009 bytes=1009 tcb=0x487D6E80
*Jun 27 15:55:11.515: WV: Client side Chunk data written..
      buffer=0x46D9EA80 total_len=637 bytes=637 tcb=0x487D6E80
*Jun 27 15:55:11.519: WV: sslvpn process rcvd context queue event
WebVPN-GW#

+++++++++++++++++++++

This is my Webvpn config:

+++++++++++++++++++++

!
webvpn gateway GW_1
 ip address 192.168.252.218 port 443
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint 192.168.252.218
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context MY_CONTEXT
 ssl authenticate verify all
 !
 !
 policy group MY_POLICY
   functions svc-required
   svc address-pool "ssl"
 default-group-policy MY_POLICY
 aaa authentication list WEBVPN
 gateway GW_1
 logging enable
 inservice
!

+++++++++++++++++++++

I noticed that I get the same problem when I use the Windows standalone client. But Weblaunch works fine under Windows.

Thanks.
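
Added example, not part of the original post and not Cisco tooling: a small Python parser for the %SSLVPN console messages shown above, which groups events by client address and lists the requests the gateway rejected for lacking a login cookie. The field names come from the log lines in the post; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Console lines copied from the post above. The "WV:" debug line carries no
# %SSLVPN mnemonic and must be skipped by the parser.
SAMPLE = """\
*Jun 27 15:53:59.343: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: MY_CONTEXT vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 192.168.252.222:49293
*Jun 27 15:54:05.639: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: GW_1 i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 192.168.252.222:49295
*Jun 27 15:55:11.511: WV: http request: / with no cookie
*Jun 27 15:54:05.643: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: MY_CONTEXT vw_gw: GW_1 remote_ip: 192.168.252.222 status: HTTP request without login cookie resource: /
""".splitlines()

HEADER = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
                    r"%SSLVPN-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<body>.*)$")
# Field names as they appear in the messages quoted in the post.
KEYS = re.compile(r"\b(vw_ctx|vw_gw|i_vrf|f_vrf|remote_ip|status|resource): ?")
REMOTE_AT = re.compile(r"remote at (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_line(line):
    """Return a dict for one %SSLVPN message, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "severity": int(m["sev"]), "mnemonic": m["mnemonic"]}
    parts = KEYS.split(m["body"])  # ['', key, value, key, value, ...]
    for key, value in zip(parts[1::2], parts[2::2]):
        event[key] = value.strip()
    if "remote_ip" not in event:
        # TLS messages carry the peer inside the free-text status field.
        at = REMOTE_AT.search(event.get("status", ""))
        if at:
            event["remote_ip"], event["remote_port"] = at[1], int(at[2])
    return event

def summarise(lines):
    """Count message mnemonics per client address."""
    per_client = defaultdict(Counter)
    for event in filter(None, map(parse_line, lines)):
        per_client[event.get("remote_ip", "unknown")][event["mnemonic"]] += 1
    return per_client

def cookieless_requests(lines):
    """HTTP_REQUEST_NOT_AUTHORIZED events as (timestamp, client, context, resource)."""
    return [(e["ts"], e.get("remote_ip", "unknown"), e.get("vw_ctx", ""), e.get("resource", ""))
            for e in filter(None, map(parse_line, lines))
            if e["mnemonic"] == "HTTP_REQUEST_NOT_AUTHORIZED"]

if __name__ == "__main__":
    print(dict(summarise(SAMPLE)), cookieless_requests(SAMPLE))
```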

Farrukh Haroon Sat, 06/28/2008 - 00:59

Which MAC version are you running, OS X 10.4.6?

Also what is the browser version?

Regards

Farrukh

antonio-soares Mon, 06/30/2008 - 03:09

The Mac OS X version is 10.4.11. On the Mac, I have Firefox 3.0 and Safari 3.0.4. As I said before, I noticed that the WebVPN client in standalone mode does not work in Windows. So the problem does not seem to be Mac specific. So right now I have:

Windows: standalone n/ok, weblaunch ok

MAC: standalone n/ok, weblaunch n/ok

Thanks.

Farrukh Haroon Mon, 06/30/2008 - 03:42

Is it possible for you to post the complete sanitized configuration here? (SSL pools, AAA lists etc.)

Regards

Farrukh

Farrukh Haroon Mon, 06/30/2008 - 12:45

I checked your config, it seems to be OK. Can you also post the configuration of the following:

show webvpn context MY_CONTEXT

show webvpn gateway

show webvpn stats detail context MY_CONTEXT

show webvpn install package svc

show webvpn install status svc

Also, are you trying to log in using a Windows Admin account?

Regards

Farrukh

antonio-soares Tue, 07/01/2008 - 07:04

Hello Farrukh,

First of all, thank you for your efforts with this issue. Your help is much appreciated.

I'm attaching the outputs you asked me for. I don't understand the question related to the Windows account. Do I need to do anything about it? Under Windows, I'm able to connect using the Web interface. I see that the Web page launches the client in the background and it connects without problems. When I use the AnyConnect client directly, I get those errors in the Gateway and I see in the Client's status bar the message "unable to process response from 192.168.252.218". I'm attaching a printscreen for your better understanding.

Thanks.

Regards,

Antonio Soares

antonio-soares Wed, 07/02/2008 - 09:11

Hello,

It seems AnyConnect in standalone mode is not supported with IOS:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1053807

This was a big and bad surprise, but it's written so there's nothing to do about it.

I wonder if anybody has a WebVPN IOS gateway serving Windows, Linux and Mac clients simultaneously. I would say it's impossible since IOS only permits one SVC package installed in the flash.

Thanks.

Regards,

Antonio Soares

Farrukh Haroon Sun, 07/06/2008 - 03:43

You can just use a group-policy with 'svc-required' and make users open a web page every time.

Regards

Farrukh

antonio-soares Mon, 07/07/2008 - 03:24

Yes, but there is also Bug CSCsq43634 that basically says that WebVPN does not work with Mac OSX Clients.

Thanks.

Regards,

Antonio Soares

Farrukh Haroon Mon, 07/07/2008 - 05:32

Why don't you approach your Cisco Account team and ask them when this will be fixed? Maybe they already have a workaround.

Regards

Farrukh

jechoi Wed, 07/09/2008 - 17:08

Weird, Cisco seems to have removed or hidden the bug in the Bug Toolkit. I was viewing this bug 2 days ago with no problem.

"The bug ID CSCsq43634 does not exist. Please verify the bug ID and try again. If you feel you reached this message in error, please send us feedback including the bug ID in question. (Click the feedback link in the upper right corner of this page). "

jechoi Wed, 07/09/2008 - 17:19

Found it. Used search with keywords to view the bug. Hope Cisco fixes this.
