Anyconnect VPN - Portal Not Loading - Cisco 871

Unanswered Question
Jul 6th, 2010

Hello,

I've got a problem and some questions about a test router I'm setting up in the lab.

I'm just trying to get Anyconnect VPN to work, and I've really been running around in circles trying to figure the bugger out - there is a huge amount of at least partially conflicting information out there, no doubt because of the 871.

I'm using IOS version 12.4(24)T, with sslclient-win-1.1.4.179-anyconnect.pkg as my SSL client. I have no idea if it's the right one, but CCP accepted it.

I recall setting up Anyconnect once before, and the filename was most certainly different. Am I using the right one? It seems to me that there are at least three types of "Client VPN" that Ciscos can do. They are:

SSLVPN
SSL VPN SVC
Anyconnect SSL VPN

Or something like that. I've seen such an assortment that I'm not sure what's what. What is the difference between them, especially as far as Anyconnect is concerned?

What's up with that "SVC" designation? A few guides I've seen have mentioned it specifically.

Ok, moving on to my troubles.

The problem I'm having right now is when I browse to the VPN page, I get a blank screen that's "Done". Am I correct in thinking I've missed a setting somewhere, or is it perhaps related to the anyconnect package I'm using?

Here's my running-config:

---------------------------------------
Current configuration : 4618 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$OTpa$smj0mTouZOMp01yDNwW1W0
enable password hidden
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
aaa session-id common
!
crypto pki trustpoint MyCert
 enrollment selfsigned
 serial-number
 revocation-check crl
!
!
crypto pki certificate chain MyCert
 certificate self-signed 02
  blah numbers blah
        quit
dot11 syslog
ip source-route
!
!
!
ip dhcp pool vpnpool
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 208.67.222.222 208.67.220.220
   lease 28
!
!
ip cef
no ip domain lookup
ip domain name domain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username blargle privilege 15 password 0 blargle
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback1
 description SSL DHCP Pool Gateway Address
 ip address 192.168.250.1 255.255.255.0
!
interface Loopback2
 description SSL VPN Website Address
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 ip address 10.1.70.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 no ip address
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip default-gateway 10.1.70.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.70.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.1 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.1 80 interface FastEthernet0 80
!
ip access-list extended INTERNET_ACL
 remark Used with CBAC(?)
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit tcp any any eq 443 www
 deny   ip any any log
ip access-list extended VTY_ACL
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any log
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 8letters
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
 ip address 10.10.10.1 port 443
 http-redirect port 80
 ssl trustpoint MyCert
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context SecureMeContext
 title "My Wintastic VPN Service"
 ssl authenticate verify all
 !
 login-message "Welcome to the VPN. It's tasty!"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 max-users 100
 inservice
!
end
------------------------------------
Thar she blows.
This is the guide I used to create the setup:
I've got this sample config now:
I'm prepared to try it next, but my concerns about the client package are putting things on hold. Can the 871 even do this sort of thing? I see things for the other types of SSL VPN, but no one has mentioned Anyconnect. I assume they are similar, however.
Finally, I can't use CCP to configure the VPN - it gives me a message about not supporting the self-signed cert, and I can't even start the process through the GUI unless that is resolved. Is that supposed to happen?
Thanks for your assistance!
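In the config above, the portal URL is determined by the webvpn gateway's ip address and port together with the domain named on the context's gateway line, and the portal only comes up when both blocks are inservice and the context's AAA list exists. As an added example that is not part of the original post or any Cisco tool, this Python script parses those IOS lines from a constructed, condensed copy of that config (IOS sub-command indentation, which the paste lost, is restored) and reports per context either the URL a client should browse to or the configuration reason the portal cannot load; parse_webvpn, portal_status and SAMPLE_CONFIG are names chosen here.

```python
# Constructed sample: SSL VPN lines from the posted config, condensed, with IOS sub-command indentation restored.
SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
webvpn gateway MyGateway
 ip address 10.10.10.1 port 443
 inservice
webvpn context SecureMeContext
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 inservice
"""

def parse_webvpn(config):
    """Return (gateways, contexts, aaa login list names) found in IOS config text."""
    aaa_lists = {l.split()[3] for l in config.splitlines() if l.startswith("aaa authentication login ")}
    gws, ctxs, blk = {}, {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "webvpn" and len(w) > 2 and w[1] in ("gateway", "context"):
            blk = (gws if w[1] == "gateway" else ctxs).setdefault(w[2], {"inservice": False})
        elif not raw[0].isspace():  # any other top-level command ends the current block
            blk = None
        elif blk is not None:  # indented sub-command of the current gateway/context
            if w[0] == "inservice":
                blk["inservice"] = True
            elif w[:2] == ["ip", "address"]:  # 'port' is optional in IOS, default 443
                blk["ip"], blk["port"] = w[2], int(w[4]) if len(w) > 4 else 443
            elif w[0] == "gateway":  # 'gateway <name> [domain <name>]'
                blk["gateway"], blk["domain"] = w[1], w[3] if len(w) > 3 and w[2] == "domain" else ""
            elif w[:3] == ["aaa", "authentication", "list"]:
                blk["aaa"] = w[3]
    return gws, ctxs, aaa_lists

def portal_status(config):
    """Per context: the URL to browse to (https://<gw ip>[:port]/<domain>) or why it will not load."""
    gws, ctxs, aaa_lists = parse_webvpn(config)
    out = {}
    for name, c in ctxs.items():
        g = gws.get(c.get("gateway"))
        if g is None or "ip" not in g:
            out[name] = f"gateway {c.get('gateway')} is not defined or has no ip address"
        elif not (g["inservice"] and c["inservice"]):
            out[name] = "gateway or context is not inservice"
        elif c.get("aaa") and c["aaa"] not in aaa_lists:
            out[name] = f"aaa authentication list {c['aaa']} is not defined"
        else:
            out[name] = f"https://{g['ip']}" + ("" if g["port"] == 443 else f":{g['port']}") + f"/{c.get('domain', '')}"
    return out
```

Run portal_status(SAMPLE_CONFIG) against a pasted "show running-config" of your own lab router; the parser relies on the one-space indentation IOS prints for sub-commands.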

redlazer420 Tue, 07/06/2010 - 16:33

So, it turns out I was entering the URL wrong. Glad I caught that one.

In any case, I got this message once I logged in:

The installer was not able to start the Cisco SSL VPN Client.

I got an IP address from my pool, but the software very clearly failed to install. Is it possible there is a conflict with an already installed version? Is there some specific logging settings I should enable?

Once again, thanks for your time.

elviscardin Wed, 07/07/2010 - 06:00

Yes, there is a conflict with software that is already installed on your PC. Uninstall any such applications and try again.

Also note that you need to figure out the correct vpn client package for the IOS running on the router and the OS on the PC.

redlazer420 Wed, 07/07/2010 - 12:35

I removed the Anyconnect software already installed on my computer, and I am having the same problem, although it seems like I've made it further than before.

I see that the page is titled "No Support". I imagine this means I'm using the wrong Anyconnect client, but in that case, which one should I be using? Does any Anyconnect client (that's for my OS) work, or do I need a specific version for the 871, like an IOS version or something?

Basically, am I getting the "No Support" because my computer is incompatible with the Anyconnect client it's using, or because the Cisco isn't compatible with the version of Anyconnect on it?

elviscardin Sun, 07/18/2010 - 22:31

The anyconnect client that you are using is slightly old. Why don't you try a later version like 2.4 or 2.5?

What OS are you using on your anyclient host?
