SSL VPN Error on Cisco 871

Jun 25th, 2009

I tried several methods (SDM, CCP, CLI) to configure an SSL VPN on a Cisco 871 router for a small office to use the full tunnel client. The office has static IP on AT&T DSL. Currently, after some cert errors, the client finally seems to install but when trying to establish the tunnel an error msg is displayed "The SSL VPN HTTP response code received from the gateway indicates an error." and the connection is ended. Please help! Config attached.

auraza Thu, 06/25/2009 - 09:36

Configure a loopback interface with the IP in the same network as the pool. If your pool is 192.168.1.0/24, then I would change the pool to 192.168.1.2-254, and create a loopback interface with the 192.168.1.1 IP.

int lo0
ip add 192.168.1.1 255.255.255.0

Once you've done that, please try again.

PS. If you think this post was helpful, please do rate it.

mhdacegan Thu, 06/25/2009 - 10:02

Thanks for your reply. Currently in the config the loopback interface is set like this:

interface Loopback0
description Do not delete - SDM WebVPN generated interface
ip address 192.168.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly

And the IP local pool for the VPN configured like this:

!
ip local pool VPN 192.168.5.50 192.168.5.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!

Is that the problem? Should the VPN local pool be 192.168.2.xx instead of 192.168.5.xx??

auraza Thu, 06/25/2009 - 10:05

Either change the pool or change the IP address of the loopback interface. The idea is to have both in the same subnet.

mhdacegan Fri, 06/26/2009 - 08:25

I'm going to try and re-config this today...another question: I noticed the SDM configured the loopback IP 192.168.2.1 with a mask of 255.255.255.252, effectively limiting this subnet to 3 IPs. Does that mean my local pool needs to be configured with addresses 192.168.2.2 - 192.168.2.4 with mask 255.255.255.252 or can I put them both with the .0 class C mask and take advantage of the whole range? Is it this way because this device is limited to 3 VPN connections?

auraza Fri, 06/26/2009 - 08:37

I would recommend changing the loopback address network to 255.255.255.0, and then you have the option to use the whole range.
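As an added check, not from the thread or from Cisco, here is a small Python routine that tests whether an SSL VPN address pool fits the loopback subnet the way auraza describes, run against the values posted in this thread (the SDM /30 loopback, the mismatched 192.168.5.x pool, and the proposed /24 fix). It also shows why a /30 leaves almost no room for clients once the network, broadcast and loopback addresses are taken.

```python
import ipaddress

# Constructed sample values taken from the thread: the SDM-generated /30
# loopback with the pool that did not match it, a pool squeezed into the
# /30, and the loopback widened to /24 with a pool inside it.
CASES = {
    "original": ("192.168.2.1/30", "192.168.5.50", "192.168.5.100"),
    "slash30_pool": ("192.168.2.1/30", "192.168.2.2", "192.168.2.4"),
    "slash24_fixed": ("192.168.2.1/24", "192.168.2.50", "192.168.2.100"),
}


def check_pool(loopback_cidr, pool_start, pool_end):
    """Return (ok, problems, usable) for an SSL VPN client address pool.

    ok       -> the pool can be handed out against this loopback
    problems -> list of reasons it cannot
    usable   -> host addresses in the subnet left for clients after the
                network, broadcast and loopback addresses are excluded
    """
    iface = ipaddress.ip_interface(loopback_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if end < start:
        problems.append("pool end precedes pool start")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside loopback subnet {net}")
    else:
        if start <= iface.ip <= end:
            problems.append(f"pool overlaps the loopback address {iface.ip}")
        if start == net.network_address or end == net.broadcast_address:
            problems.append("pool includes the network or broadcast address")
    usable = max(net.num_addresses - 3, 0)
    return (not problems, problems, usable)


def run_cases():
    """Evaluate every constructed case; returns {name: (ok, usable)}."""
    results = {}
    for name, (lo, first, last) in CASES.items():
        ok, problems, usable = check_pool(lo, first, last)
        results[name] = (ok, usable)
        print(f"{name}: ok={ok} usable={usable} {'; '.join(problems)}")
    return results


if __name__ == "__main__":
    run_cases()
```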

mhdacegan Mon, 06/29/2009 - 05:24

Ok, that worked...sort of. Now I have a new problem. We were able to connect with the SSL VPN client and get an IP address but cannot reach any devices on the remote LAN (192.168.1.x). I can ping the router gateway at 192.168.1.1 through the tunnel but cannot ping, remote desktop, or map a drive to any device on that network. Current config attached.

We are also still getting a different error when trying to connect from Vista machines...says it's unable to load the SSL VPN client. Is there a different version for Vista?

Thanks for the help so far.

auraza Mon, 06/29/2009 - 05:43

For the first problem, you're using zone-based firewall, which is not supported in 12.4(15)T with SSLVPN, but it is supported starting 12.4(20)T3. If you don't wish to upgrade, you can remove ZBF and use CBAC instead.

For the second problem with Vista, make sure you are using the AnyConnect 2.x client and not the sslclient, also known as the SVC 1.x.

PS. Please rate the posts that you think have been helpful to you.

mhdacegan Mon, 06/29/2009 - 06:41

So if I upgrade, I won't have to change the config at all and it will work? Do you recommend I go right to the latest version 12.4(24)T1 or a different one?

Ahhh...that's the problem. It has the SVC pkg on it. What's the easiest method to load the new Anyconnect pkg onto the router?

auraza Mon, 06/29/2009 - 07:27

If you upgrade, you will need to use virtual-templates if you want to use ZBF.

To get the AnyConnect package, you can either use SDM, or FTP to transfer the file on to the flash and then use it.

mhdacegan Wed, 07/01/2009 - 06:46

Thanks for all your help so far but I'm still having problems with this thing. I upgraded the IOS version to the latest available 12.4(24)T1 AdvIPServ, which is 3 MB larger than the original image. I also uninstalled the old SSL VPN package and downloaded the Anyconnect pkg which was 3 MB. Using CCP, the pkg wouldn't load because it said the flash memory was full. I removed some stuff to make room and it finally started to install but failed at the end. I then saw that a brand new Anyconnect client came out yesterday that was only 2.6 MB and downloaded that one and tried to install it with the same result. I even deleted the CP express file from flash to make more room and the install still won't finish. The file exists in the flash memory but I guess it won't unpack or whatever. What can I do to get this working?

mhdacegan Sun, 07/05/2009 - 10:29

Ok, I finally got the AnyConnect pkg loaded using the command line and it works. The clients still couldn't access anything on the LAN so I ended up stripping out all the firewall related lines. Now they are able to see everything. A new problem has come up though - none of the local clients can access the internet anymore. I think it has something to do with the bridge mode config that was added by Cisco Network Assistant or one of those other tools when I loaded it. So, with my current config, what do I need to do to get access to the internet back and what's the best way to set up the firewall so everything still works...thanks.
