My Problem: Cisco Anyconnect Client with IOS SSL

Unanswered Question
Apr 1st, 2009

Hi Team,

I am trying to setup the Cisco IOS SSL to support Anyconnect client.

Much as I have entered all the required commands, the configuration doesn't work. My IOS is (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T.

I would appreciate it if anyone in this team with experience setting up AnyConnect with IOS could draw my attention to any caveats.

I have selected the necessary portion of my router config for your review, if necessary.

Many thanks.

aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
!
crypto pki trustpoint TP-self-signed-2613188008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2613188008
 revocation-check none
 rsakeypair TP-self-signed-2613188008
!
username remote secret 5 $1$86qN$CJ2uc1l7PYy7a5sNMrPK2/
!
ip local pool WEBVPN
!
webvpn gateway SSL
 hostname CIS-EDGE1
 ip address port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-2613188008
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
webvpn install svc flash:/webvpn/svc_3.pkg sequence 3
!
webvpn context SSL
 ssl authenticate verify all
 !
 policy group SSL
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc default-domain ""
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc keepalive 300
   svc split dns ""
   svc split include
   svc split include
   svc split include
   svc split include
   svc dns-server primary
   svc dns-server secondary
 default-group-policy SSL
 aaa authentication list VPN
 aaa authorization list VPN
 gateway SSL domain
 logging enable
!
interface Loopback1
 description For SSL VPN Use
 ip address
!
interface GigabitEthernet0/0.80
 encapsulation dot1Q 80
 ip address
 ! this ACL permits ports 80 and 443 to the interface
 ip access-group OUTSIDE in
 no ip unreachables
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
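An added sanity check for configurations shaped like the one above (example code written for this page, not from the thread or from Cisco): it parses the IOS webvpn blocks by their leading-space indentation and reports a gateway or context that is not placed `inservice`, a trustpoint or gateway that is referenced but never defined, and the 3DES cipher suite. The sample config, its address and its domain are constructed placeholders.

```python
# Constructed sample shaped like the configuration posted above; the address and
# domain are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-EXAMPLE
 enrollment selfsigned
webvpn gateway SSL
 ip address 192.0.2.1 port 443
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-EXAMPLE
webvpn context SSL
 policy group SSL
  functions svc-enabled
 gateway SSL domain vpn
"""

def parse_blocks(text):
    """Map each unindented line to the indented lines beneath it (nesting flattened)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def check_webvpn(text):
    """Return findings for the webvpn gateway and context blocks of an IOS config."""
    blocks = parse_blocks(text)
    findings = []
    for name, body in blocks.items():
        if not name.startswith("webvpn "):
            continue
        # Neither the gateway nor the context answers clients until it is 'inservice'.
        if "inservice" not in body:
            findings.append(f"{name}: missing 'inservice'")
        for line in body:
            words = line.split()
            if line.startswith("ssl trustpoint ") and f"crypto pki trustpoint {words[-1]}" not in blocks:
                findings.append(f"{name}: trustpoint {words[-1]} is not defined")
            if line.startswith("ssl encryption ") and "3des-sha1" in words:
                findings.append(f"{name}: 3des-sha1 is a weak cipher suite; keep AES only")
            if line.startswith("gateway ") and f"webvpn gateway {words[1]}" not in blocks:
                findings.append(f"{name}: gateway {words[1]} is not defined")
    return findings
```

Running `check_webvpn(SAMPLE_CONFIG)` returns three findings (both blocks lack `inservice`, and the gateway offers 3des-sha1); a config with `inservice` under both blocks and an AES-only cipher list returns an empty list.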

pedrulesall Wed, 04/01/2009 - 13:49

What does not work, specifically? What errors are you seeing? What client are you testing: Win, Mac or Linux?

Did you try without the ACL and the NAT?

felixnkansah Wed, 04/01/2009 - 18:22

Thanks Pedrulesall,

I am testing the Win client.

When I direct my browser to the outside interface of my router (, it only warns me of an unknown certificate, and when I agree to proceed, nothing appears in my browser or I get 'the webpage cannot be found' error depending on the browser in use.

If I access using http, the redirect to https works fine but nothing appears in my browser.

I receive no errors besides the certificate warnings, for which I always proceed affirmatively.

I have also manually installed the AnyConnect client on my Vista laptop for testing. When I connect using this client, it only warns me of an unknown certificate. After accepting to continue, nothing more happens; it remains at 'Contacting' forever.

I get a similar outcome even when the ACL is removed.

I hope the information provided above is sufficient. Thanks in advance.


This Discussion