IOS AnyConnect help

Aug 20th, 2010

Hi All,

I have a uc500-advipservicesk9-mz.124-22.YB6.bin configured to accept SSL VPN connections.

The problem that I have is that I get a certificate error on my laptop when trying to launch AnyConnect (even if I accept the certificate and install it/import it under the Trusted Sites, I still get the error and AnyConnect closes).

The AnyConnect package is this: anyconnect-dart-win-2.5.0217-k9.pkg

This is the relevant part of the configuration:

webvpn gateway gateway_1
ip address 200.122.155.13 port 443 
http-redirect port 80
ssl trustpoint local
inservice
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 2
!
webvpn context sales
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "WEBVPN"
   svc dns-server primary 4.2.2.2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
max-users 10
inservice

Besides this, I created a self-signed certificate in IOS.

Don't know what I'm doing wrong or how to fix it, please help!

Federico.

Asim Malik Fri, 08/20/2010 - 14:03

What error message are you getting? Can you share the complete error or a screenshot?

Federico Coto F... Fri, 08/20/2010 - 14:10

When I try to connect with my laptop, I get to https://Public_IP

Then, the SSL page comes up, I enter the credentials, and the AnyConnect client begins to download.

When going through the checks of the ActiveX, I get prompted that the certificate is not trusted.

I choose to install the certificate in my IE trusted sites and continue.

I then get this error:

A certificate problem has been encountered. A VPN connection will not be established.

After this error the AnyConnect just closes and can't establish the connection.

It seems to me that the problem is definitely with the certificate, but I've regenerated it several times and it shows valid.

What can we look at?

Federico.

Atri Basu Fri, 08/20/2010 - 15:50

Hey Federico,

From my understanding it appears as though you get this error message as soon as you try to install it. Could you try installing the standalone client with DART and then try to connect? If you can do that then please attach the DART diagnostic files.

To confirm that there is nothing wrong with the certificate please match the CN/SAN on the cert to that of the URL. If there is no DNS entry, then you can use a local DNS entry by updating the hosts file for the hostname in the certificate.

Also there was a known issue with AnyConnect 2.4 and self-signed certs for IOS headends: CSCtb73337. I see however that you are using AnyConnect 2.5.0217. Just to confirm that it isn't a regression of this issue, you could also try downgrading to AnyConnect 2.3. If you do not see the same error message then it is likely a similar issue.

Federico Coto F... Sat, 08/21/2010 - 09:42

Hi Atri,

It turns out I tried this on another router (2811) via SDM (configuring AnyConnect and generate a local self-signed cert) and it works perfectly.

The only difference I can see from the resulting configuration is that SDM generates the following trustpoint (and the self-signed cert):

Working certificate:

crypto pki trustpoint TP-self-signed-XXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXXXX

When I do it via CLI on the UC500, I was doing a configuration like this:

Non-working certificate:

crypto pki trustpoint local
enrollment selfsigned
subject-name cn=local
revocation-check none
rsakeypair local

crypto pki enroll local (to generate the cert)

As you can see I have to read a bit about certificates, but can you tell me what's the problem with the configuration above?

Thank you,

Federico.

Asim Malik Sat, 08/21/2010 - 16:38

This problem was known in AnyConnect version 2.4 but not in 2.5 (CSCtb73337); however, you can try the workaround:

1) Make sure that the router cert is trusted (import into cert store)
   and then match the CN/SAN on the cert to that of the URL.
   If there is no DNS entry, then you can use a local DNS entry
   by updating the hosts file for the hostname in the certificate.
2) Downgrade AnyConnect to a previous version: 2.3

If this doesn't work then can you provide the DART?

Atri Basu Sun, 08/22/2010 - 06:12

Hey Federico,

It appears as though the CN is different for the two certificates:

Working certificate:

crypto pki trustpoint TP-self-signed-XXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX

Non-working certificate:

crypto pki trustpoint local
enrollment selfsigned
subject-name cn=local

When you configured the self signed certificate it is likely that you forgot to mention the subject name, in this case it will use the default subject name and it is possible that this is why the certificate isn't accepted:

1. enable

2. configure terminal

3. crypto pki trustpoint name

4. enroll selfsigned

5. subject-name [x.500-name] (This portion is optional. It specifies the requested subject name to be used in the certificate request. If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.)

Try defining the subject-name and see if that helps.


Regards,

Atri.
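The CN/SAN-to-URL check that Atri and Asim recommend above (match the certificate's subject name to what the client types, or add a hosts-file entry so the client connects by the name in the certificate), written out as an added Python example. It is not code from this thread or from Cisco's software. The certificate fields are constructed stand-ins for the subject names posted in the thread; vpn.example.net is a hypothetical FQDN, and the SAN entries in CERT_FQDN are an assumption illustrating what a certificate that matches both a hostname and the gateway IP would carry.

```python
"""Does a certificate's identity match the URL the AnyConnect client uses?

Added example for this thread (not Cisco's code). Certificate fields are
constructed dicts standing in for the parsed subject / subjectAltName.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed from "subject-name cn=local" in the non-working trustpoint.
CERT_LOCAL = {"cn": "local", "san_dns": [], "san_ip": []}
# Constructed from the SDM-generated trustpoint's subject-name.
CERT_SDM = {"cn": "IOS-Self-Signed-Certificate-XXXXXXXXX", "san_dns": [], "san_ip": []}
# Assumption: a certificate carrying a hypothetical FQDN and the gateway IP
# (200.122.155.13 is the gateway address from the posted config).
CERT_FQDN = {
    "cn": "vpn.example.net",
    "san_dns": ["vpn.example.net"],
    "san_ip": ["200.122.155.13"],
}


def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, trailing dot ignored,
    a single '*' accepted only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # refuse "*.net"-style wildcards and label-count mismatch
    if p_labels[0] != "*":
        return False  # partial-label wildcards such as "vpn*" are not accepted
    return p_labels[1:] == h_labels[1:]


def check_identity(cert: dict, url: str) -> tuple[bool, str]:
    """Return (ok, reason) for whether `cert` is valid for the host in `url`."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "URL has no host component"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A client that connects by IP compares it against iPAddress SAN
        # entries only; a CN such as "local" can never satisfy https://IP.
        if any(ipaddress.ip_address(s) == ip for s in cert["san_ip"]):
            return True, f"matched iPAddress SAN {ip}"
        return False, f"{ip} not in iPAddress SAN {cert['san_ip'] or '(none)'}"
    if cert["san_dns"]:
        # When dNSName SANs are present the CN is ignored for name matching.
        for entry in cert["san_dns"]:
            if _match_dns(entry, host):
                return True, f"matched dNSName SAN {entry}"
        return False, f"{host} not in dNSName SAN {cert['san_dns']}"
    if _match_dns(cert["cn"], host):
        return True, f"matched CN {cert['cn']} (no SAN present)"
    return False, f"CN {cert['cn']!r} does not match {host!r} and no SAN present"


def report() -> dict[str, bool]:
    """Summarise the thread's scenarios: IP URL vs. cn=local, the hosts-file
    workaround (connect as https://local), and a cert that carries the IP."""
    cases = {
        "cn=local via https://200.122.155.13": (CERT_LOCAL, "https://200.122.155.13"),
        "cn=local via https://local (hosts entry)": (CERT_LOCAL, "https://local"),
        "SDM cert via https://200.122.155.13": (CERT_SDM, "https://200.122.155.13"),
        "FQDN+IP SAN cert via https://200.122.155.13": (CERT_FQDN, "https://200.122.155.13"),
        "FQDN+IP SAN cert via https://vpn.example.net": (CERT_FQDN, "https://vpn.example.net"),
    }
    return {name: check_identity(cert, url)[0] for name, (cert, url) in cases.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The report shows why "regenerating" a self-signed certificate does not help on its own: whatever the CN is, a client that connects to https://200.122.155.13 needs that address in an iPAddress SAN, and a CN-only certificate is satisfied only when the client reaches the gateway by exactly that name, which is the point of the hosts-file workaround.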

Federico Coto F... Mon, 08/23/2010 - 13:48

Hi,

I got it working now but I'm still confused as to why :-)

I kept the same certificate configuration, but the outside IP of the UC500 was received by DHCP.

Even though it is the same IP as always... as soon as I assigned the IP statically on the interface (and set the GW), it works now (no certificate error anymore).

So, I cannot connect with AnyConnect to this router if the outside interface has "ip address dhcp".

If I manually configure the IP, then AnyConnect works fine.

crypto pki trustpoint local
enrollment selfsigned
serial-number
revocation-check crl

crypto pki enroll local

Everything works fine now, I would just like to know why the IP has to be assigned statically.

Federico.

Atri Basu Tue, 08/24/2010 - 11:31

Hey Federico,

Can you send me the sh tech from your router? I would like to recreate this issue in house.

Regards,

Atri.

Atri Basu Tue, 08/24/2010 - 11:57

Hey Federico,

Thanks for the data. Unfortunately I won't be able to try it right away, as my laptop is out of order, however I will keep you posted about the recreate.


Regards,

Atri.

Atri Basu Tue, 08/24/2010 - 12:00

Hey Federico,

Could you also attach the certificate that you get when you use the Anyconnect client to connect?

Regards,

Atri.

Federico Coto F... Tue, 08/24/2010 - 16:24

Another thing...

I think the UC500 might not be for AnyConnect?  :-)

I mean.. I got it working as I told you... but I've seen that it does not work very well...

i.e. The CPU goes up to 100% for a fraction of a second when connecting the AnyConnect (one single SSL connection)!

There's a loss of connectivity for a fraction of a second, before split tunneling starts working...

Also, I continue having the certificate error and I have to regenerate it and then it starts working again..

All of the above are problems that I have not seen on ISRs.

If you could test it and let me know your thoughts I will appreciate it!

Federico.
