Cisco CSR 1000v Anyconnect SSL VPN setup issues

Hi all,

I'm looking for help on getting Anyconnect SSL VPN set up on a CSR 1000v running IOS XE v3.13.01S. There is an abundance of info on the webvpn style SSL VPN setup but very little on the "crypto ssl" XE SSL VPN style setups.

I have been working mostly from

I have configured the router with the commands in the attached file config.txt. When I connect using Anyconnect, I see the user authenticate; however, the user is denied access to the tunnel:

csr1000v_3-13-3#debug crypto ssl aaa 
csr1000v_3-13-3#debug crypto ssl tunnel 
Crypto SSL Tunnel debugging is on
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: Nas Port ID set to
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test_user"
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Nov  9 20:15:03.693: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn-profile vw_gw: sslvpn-policy remote_ip: user_name: test_user, Authentication successful, user logged in
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: User "test_user" has logged in from "" to gateway "sslvpn-policy" 
             context "sslvpn-profile"
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-EVT]:[7FD0806E48E0] CSTP Version recd , using 1
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] Full Tunnel CONNECT request failed, Sending error
*Nov  9 20:15:04.029: HTTP/1.1 401 Unauthorized
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] User test_user not authorized to access Full tunnel
*Nov  9 20:15:06.089: HTTP/1.1 200 OK
*Nov  9 20:15:06.089: Content-Type: text/html
*Nov  9 20:15:06.089: Content-Length: 0
*Nov  9 20:15:06.089: Cache-Control: no-cache
*Nov  9 20:15:06.090: Connection: Keep-Alive
*Nov  9 20:15:06.090: Date: Sun, 09 Nov 2014 20:15:06 GMT
*Nov  9 20:15:06.090: X-Aggregate-Auth: 1
*Nov  9 20:15:06.090: 
*Nov  9 20:15:06.090: 


Checking the config I notice however I have matched the policy and configured an SSL authorization policy:

csr1000v_3-13-3#sh run | sec crypto ssl profile
crypto ssl profile sslvpn-profile 
 match policy sslvpn-policy 
 aaa authentication list AAA_SSLVPN_LIST 
 authentication remote user-credentials 
 virtual-template 1
 !Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)

Any tips would be much appreciated!

I see, you have virtual template configured under ssl profile. Remove it if your device is CSR1000v. Authorization is missing under ssl profile.



aaa authentication login sslvpn local
aaa authorization network sslvpn local

crypto ssl authorization policy DEF_SSL_AUTH_POLICY
 pool DEF_POOL
 route set access-list SSL_ACL
 timeout idle 2400
 timeout session 6000
 timeout disconnect 6000


crypto ssl profile DEF_SSL_PROF
 match policy DEF_SSL_POLICY
 aaa authentication list sslvpn
 aaa authorization group list sslvpn DEF_SSL_AUTH_POLICY
 authentication remote user-credentials
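
As an added example (not part of the thread and not Cisco code), the two conditions named in the router's "Profile Incomplete" comment, plus the virtual-template advice in the reply above, can be checked offline against saved "sh run | sec crypto ssl" output. The sample config is constructed from names used in the thread, and reading the last token of an "aaa authorization" line as the authorization policy name is an assumption based on the configs shown here.

```python
import re
# Constructed sample: the question's profile plus a profile shaped like the reply's.
SAMPLE = """\
crypto ssl authorization policy DEF_SSL_AUTH_POLICY
 pool DEF_POOL
crypto ssl policy sslvpn-policy
 ip interface GigabitEthernet1 port 443
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list AAA_SSLVPN_LIST
 virtual-template 1
crypto ssl profile DEF_SSL_PROF
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn DEF_SSL_AUTH_POLICY
"""

HEADER = re.compile(r"^crypto ssl (authorization policy|policy|profile) (\S+)\s*$")

def parse_sections(text):
    """Group indented sub-commands under each 'crypto ssl ...' header line."""
    sections, current = {"authorization policy": {}, "policy": {}, "profile": {}}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = sections[m.group(1)].setdefault(m.group(2), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the section
    return sections

def lint_profiles(text):
    """Return {profile: [findings]}; an empty list means the checks passed."""
    s, report = parse_sections(text), {}
    for name, cmds in s["profile"].items():
        matched = [c.split()[2] for c in cmds if c.startswith("match policy ")]
        # Assumption: the authorization policy name is the last token on the line.
        authz = [c.split()[-1] for c in cmds if c.startswith("aaa authorization ")]
        out = [] if matched else ["no 'match policy'"]
        out += [f"policy '{p}' is not defined" for p in matched if p not in s["policy"]]
        if not authz:
            out.append("no 'aaa authorization' line")
        out += [f"authorization policy '{a}' is not defined"
                for a in authz if a not in s["authorization policy"]]
        if any(c.startswith("virtual-template") for c in cmds):
            out.append("virtual-template under profile")
        report[name] = out
    return report
```

Calling lint_profiles(SAMPLE) flags the question's profile for the missing authorization line and the virtual-template, and returns an empty list for the profile shaped like the reply's.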


Hi! Thanks for the help, it really helps a little: auth is OK, but I can't select the needed context.


*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test1"
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTHOR is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA list LOCAL_AUTH is local. Auth policy SSL_AUTHOR_POLICY
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Jan 28 08:52:11.298: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: profile1 vw_gw: policy1 remote_ip: user_name: test1, Authentication successful, user logged in
*Jan 28 08:52:11.298: CRYPTO-SSL-AAA: User "test1" has logged in from "83.170.x.x" to gateway "policy1"
             context "profile1"
*Jan 28 08:52:11.299: AGGR-MSG: complete: Login failed: There is no profile matching the name

CSR2#sh run | s crypto ssl
crypto ssl proposal SSL_Proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy SSL_AUTHOR_POLICY
 client profile profile1
 pool VPN_POOL
 def-domain xxx.local
 route set access-list SPLIT-ROUTE_ACL
crypto ssl policy policy1
 ssl proposal SSL_Proposal
 pki trustpoint VPN_XXX sign
 ip interface GigabitEthernet1 port 443
crypto ssl profile profile1
 match policy policy1
 match url
 aaa authentication list LOCAL_AUTH
 aaa authorization user list LOCAL_AUTH SSL_AUTHOR_POLICY
 aaa authorization group list LOCAL_AUTHOR SSL_AUTHOR_POLICY
 authentication remote user-credentials


CSR2#sh crypto ssl profile


SSL Profile: profile1
 Status: ACTIVE
 Match Criteria:
   Policy: policy1
 AAA accounting List      : local
 AAA Authentication List  : LOCAL_AUTH
 AAA Authorization User List   : LOCAL_AUTH
   Cached : False
 AAA Authorization Group List  : LOCAL_AUTHOR
   Override: False
 Authentication Mode      : user credentials
 Interface                : SSLVPN-VIF0
   Status: DISABLE
 Max Users                : 10000

Seems like "no client profile profile1"  in "crypto ssl authorization policy SSL_AUTHOR_POLICY" helps.

Hello,

Why is virtual-template not available for CSR1000v? How does it work with virtual-template/virtual-access cloning?