
ASK THE EXPERT- SSL VPN ON ROUTERS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Aamir Waheed how to use Secure Sockets Layer VPN so that you can securely and transparently extend your company's network to any Internet-enabled location. Aamir is a product manager for remote-access VPNs in Cisco's router security group in San Jose. He is responsible for bringing advanced IOS security products to market, while integrating customer and market requirements with Cisco products and services to create solutions.

Remember to use the rating system to let Aamir know if you have received an adequate response.

Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 20, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

73 REPLIES
New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Dear Sir,

I need your help; my question is very simple.

I am failing to save the configuration settings on the router; when it reloads, it comes back with the earlier settings.

Kindly, can you help me? I think there is some register setting, but I don't know the procedure to correct it.

Regards

Hameed

Kuwait

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Hameed,

Thanks for your question. Although it's not related to SSLVPN, I will try to point you in the right direction. The factory default value for the config register is 0x2102, and if that's not the value you have on the router (check in show version), then go to the following link for more information on how to change it: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml

Hope this helps,

Rgds,

Aamir Waheed

Product Manager

IOS SSLVPN

CCIE #8933

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

hi,

Check your config-register. Your config-register may be wrong.

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Aamir,

We have a VPN 3005 Concentrator, ver. 4.71. Occasionally, I get this error message from the VPN Concentrator when users try to log in through the VPN Client: "416047 10/08/2006 20:46:56.230 SEV=3 AUTH/5 RPT=870 69.130.131.160 Authentication rejected: Reason = Unspecifiedhandle = 607, server = 172.43.1.10, user = doe_john, domain = ". Do you have any suggestions on how to fix this problem?

Thanks.

Jill

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi, I would like to know which routers support this feature.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Sebastan,

Cisco IOS® SSL VPN/WebVPN is a licensed feature supported on Cisco® 871, 1800, 2800, 3700, 3800, 7200, and 7301 routers running the Advanced Security image on Cisco IOS Software Release 12.4(6)T or higher. You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com ordering tool.

License SKUs:

FL-WEBVPN-10-K9=

FL-WEBVPN-25-K9=

FL-WEBVPN-100-K9=

Details on the platform user support and the licensing SKUs are available at: http://www.cisco.com/en/US/products/ps6657/prod_bulletin0900aecd80501bb7.html

Additional white papers and data sheets can be found at: www.cisco.com/go/iossslvpn

Hope this helps,

Rgds,

Aamir Waheed

Product Manager

IOS SSLVPN

CCIE #8933

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi, thanks for your reply. Do we get any included number of SSL VPN licenses in the 1841 by default? I read somewhere in the documentation that it supports 2 SSL VPN licenses by default. Please reply back. Thanks once again.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Sebastan,

We provide 2 free users on both the ISRs and the ASA, but beyond that you have to buy the feature license. The license is a one-time cost and enables all the SSLVPN functionality, including the Endpoint Security, Full network access, Port forwarding and Clientless feature sets.

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Aamir, thanks a lot. Can you please provide me any link or information on a comparison between SSL VPN and IPsec remote-access VPNs? I mean, which is more scalable and more secure? Will wait for your reply, Aamir. Thanks again.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Sebastan,

We believe in providing complementary IPSec & SSLVPN remote-access solutions for our customers. We provide support for both solutions on both our ASA firewall and our IOS Routers. IPSec VPN is the preferred method for users with "All day connection requirements" while SSLVPN provides anytime, anywhere access to our mobile users.

Depending upon the platform models used, we can scale well for both IPSec and SSLVPN solutions; you can find more details below.

Cisco Remote access Platform choices:

ASA:

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd80402e3f.html

IOS Routers:

http://www.cisco.com/en/US/products/ps6657/products_data_sheet0900aecd804ff58a.html

Hope this helps,

Rgds,

Aamir

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Jill,

Thanks for your question. There are two kinds of messages you can expect to receive back from the Authentication server in the case of the CVPN3000. The first one is "Authentication failed", which means that the SSLVPN gateway (IOS, VPN3000 or ASA) was not able to contact the Authentication server due to connectivity issues. The other is "Authentication rejected", which means that the request was received by the authentication server but the login or password was incorrect, or the server is expecting additional details from the client. In any case this needs further live troubleshooting to figure out what the server-side log states, and the best avenue to pursue would be to open up a TAC case and provide them access to the Concentrator with the additional Auth server logs as well, so they can figure out what's going on.

Hope this helps,

Rgds,

Aamir Waheed

Product Manager

IOS SSLVPN

CCIE #8933
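The distinction Aamir draws above ("failed" = the gateway never reached the AAA server, "rejected" = the server answered and turned the login down) is easy to lose in a busy concentrator log. The following is an added example, not code from the thread or from Cisco, that parses lines in the layout Jill quoted and splits them into the two classes, counting rejections per user and source address and failures per AAA server. The sample log lines are constructed (RFC 5737 documentation addresses); the event ids, handles and the exact wording of the "Authentication failed" message are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the VPN 3000 Concentrator log layout quoted in the thread
# (<seq> <date> <time> SEV=<n> <class>/<id> RPT=<n> <client-ip> <message>).
# Addresses are RFC 5737 documentation ranges; the event ids, handles and the
# "Authentication failed" wording are assumptions for illustration.
SAMPLE_LOG = """\
416047 10/08/2006 20:46:56.230 SEV=3 AUTH/5 RPT=870 192.0.2.10 Authentication rejected: Reason = Unspecified, handle = 607, server = 192.0.2.1, user = doe_john, domain =
416048 10/08/2006 20:47:01.410 SEV=3 AUTH/5 RPT=871 192.0.2.10 Authentication rejected: Reason = Unspecified, handle = 608, server = 192.0.2.1, user = doe_john, domain =
416049 10/08/2006 20:47:05.002 SEV=3 AUTH/5 RPT=872 192.0.2.10 Authentication rejected: Reason = Unspecified, handle = 609, server = 192.0.2.1, user = doe_john, domain =
416050 10/08/2006 20:50:12.771 SEV=3 AUTH/9 RPT=12 198.51.100.7 Authentication failed: Reason = Server unreachable, handle = 610, server = 192.0.2.1, user = smith_anne, domain =
416051 10/08/2006 20:50:13.100 SEV=4 IKE/52 RPT=3 198.51.100.7 Unrelated IKE message, left untouched
"""

LOG_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/(?P<evt>\d+)\s+RPT=(?P<rpt>\d+)\s+"
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<msg>.*)$"
)
# "key = value" pairs separated by commas; the last value (domain) may be empty.
FIELD_RE = re.compile(r"(\w+)\s*=\s*([^,]*)")


def parse_auth_event(line):
    """Return a dict for an AUTH 'rejected'/'failed' event, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("cls") != "AUTH":
        return None
    msg = m.group("msg")
    if msg.startswith("Authentication rejected:"):
        kind = "rejected"   # AAA server answered: bad credentials or more info wanted
    elif msg.startswith("Authentication failed:"):
        kind = "failed"     # gateway could not reach the AAA server
    else:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(msg.split(":", 1)[1])}
    return {
        "seq": int(m.group("seq")),
        "kind": kind,
        "client_ip": m.group("client_ip"),
        "server": fields.get("server", ""),
        "user": fields.get("user", ""),
        "domain": fields.get("domain", ""),
        "reason": fields.get("Reason", ""),
    }


def summarize(lines, repeat_threshold=3):
    """Count rejections per (user, client ip) and failures per AAA server.

    'rejected' points at the credentials or the account; 'failed' points at
    reachability of the server. A (user, ip) pair at or above repeat_threshold
    is listed as repeated: that is what to look at before the lockout or the
    help-desk call, and it is also the signature of guessing from one address.
    """
    rejected = Counter()
    failed = Counter()
    skipped = 0
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            skipped += 1
            continue
        if ev["kind"] == "rejected":
            rejected[(ev["user"], ev["client_ip"])] += 1
        else:
            failed[ev["server"]] += 1
    repeated = sorted(key for key, n in rejected.items() if n >= repeat_threshold)
    return {"rejected": dict(rejected), "failed": dict(failed),
            "repeated": repeated, "skipped": skipped}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Feed it the concentrator's event log (or the same events relayed to syslog) and the two counters answer Aamir's first question before a TAC case is opened: a run of "failed" entries against one server is a reachability problem on the gateway side, a run of "rejected" entries for one user is an account or credential problem on the AAA side.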

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hello,

I have a problem with OWA 2003 through WebVPN. Precisely, when ending the OWA session without closing the browser window, there is no way to return to the WebVPN main menu, because the SSL session was apparently closed by OWA itself. Is there some way to continue in WebVPN?

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi March,

Thanks for your question. Which platform are you running this on? What's the IOS version you are running? There should always be a toolbar which would let you go back to the Main Portal page within Clientless. I will provide you a more detailed answer after getting the relevant information.

Rgds,

Aamir Waheed

Product Manager

IOS SSLVPN

CCIE #8933

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Aamir, thank you for your attention. Owa is running on Windows 2003 Server, and about the vpn, the host is VPN 3000 Concentrator Version 4.7.2.I Aug 03 2006 18:52:24.

The strange thing is that at the time of entering OWA, the WebVPN toolbar disappears; in addition, when I finish the OWA session, it also closes the SSL session. Any idea? Thank you very much.

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Gonzalez,

Unfortunately that's the default CVPN3000 mechanism. On the newer ASA device we have implemented a brand new GUI infrastructure, and this issue doesn't exist there. So while you use the CVPN3000 you will have to open up a new browser and authenticate to the CVPN3000.

Once you transition to the newer ASA you will definitely be pleasantly surprised.

Rgds,

Aamir

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Ok, I supposed that. So, we will wait for the transition to ASA. Thanks, Aamir!!

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Sure thing Gonzalez. Check www.cisco.com/go/asa or www.cisco.com/go/iossslvpn for more details on the latest SSLVPN offerings by Cisco. Both products have SSLVPN as a licensed feature.

Best of luck to you,

Rgds,

Aamir

Bronze

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

I've deployed SSL VPN on an 871 router (soon to be an 1811) for a small company that I consult for. It's running 12.4.9T1 Advanced Security, and is -only- configured for the SSL VPN Client (SVC version 1.1.1.164) (i.e. no web-only or thin-client VPN access; it's all or nothing). All of the laptops that VPN in are running Windows XP SP2, and are members of the internal Windows 2003 SP1 Active Directory Domain. Users log into their laptops with domain credentials, and they're also local admins on their laptop. I've installed a third-party (Thawte) certificate on the router that's trusted by the laptop users' web browser.

I created user accounts on that 871 that match the Active Directory accounts (i.e. same username, same password). This was the only way I could solve the problem that's the purpose of this email:

When the user connected to the SSL VPN with a non-Active Directory username/password (i.e. a generic WebVPN account configured on the router), and then tried to connect to their previously-mapped shared drives (i.e. their H: drive maps to \\servername\sharename) they were getting "Error 5: Access is Denied" and "Device name is already in use" messages. The VPN tunnel is there, though; the users can check their POP3 email, ping, etc. It's not a tunnel issue per se.

Is the SVC acting as a proxy of some sort for the XP system? Is it using the domain credentials that are already cached on the XP system, or does it use what was provided to initiate the SSL VPN session?

Also, my guess is that I should configure the Win2k3 server with the IAS RADIUS service, and then configure the router to pass VPN authentication attempts right to the server via RADIUS (instead of creating local accounts on the router). Do you agree with this?

The release notes for 12.4.9T indicate that WebVPN now supports NTLM (Active Directory) authentication; could you please elaborate? Does this apply to SVC sessions, or is it more for the web-only or thin-client sessions?

SVC version 1.1.2.169 was released on 29-Sep-2006, but I can't find any Release Notes on this. Can you post them please? (I'm a sucker for the latest-and-greatest.)

Overall I'm -very- happy with the solution, and have recommended to my primary employer that we deploy it company-wide. I'm just hung up on some of the internals and making sure I'm able to support the SVC for 3000+ end users.

Thanks!!!

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi,

Thanks for the positive feedback. Answering your questions inline

1. I will get back to you on the non-Active Directory username/password question

2. RADIUS authentication is supported, and if it's already deployed within the network then it would help you when you move to the 1800 or 2800 platform for doing SSLVPN, as otherwise you will have to maintain the user database separately on each of the routers.

3. NTLM authentication only works for clientless users and not for SSLVPN client users.

4. The release notes should be posted at: http://www.cisco.com/cgi-bin/tablebuild.pl/sslvpnclient shortly; otherwise I will provide you the details soon.

Also I wanted to mention that the 871 only supports two free users, and as you are already looking at the 1800, I wanted to let you know that we have recently introduced the AIM-VPN/SSL module for the ISRs, which accelerates the SSLVPN traffic. Also, for you to really use anything beyond the two free users you should look at the one-time SSLVPN 10 or 25 user license pack, which turns on all your SSLVPN features and functionality; details at: http://www.cisco.com/en/US/products/ps6657/prod_bulletin0900aecd80501bb7.html

Hope this helps and I will get back to you on the specific questions soon.

Rgds,

Aamir

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi,

The release notes for SVC version 1.1.2.169 are now posted on CCO on the download page for the SSLVPN client:

http://www.cisco.com/cgi-bin/tablebuild.pl/sslvpnclient

Rgds,

Aamir

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi,

The error is continuing after setting up the command:

crypto isakmp invalid-spi-recovery

002636: Oct 10 11:30:10.183 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0xD6B88819(3602417689), srcaddr=W.X.Y.Z

Why is it so? Why is the invalid-spi-recovery command not recovering from the error?

My IOS is 12.4(5) ADVSEC-K9.

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Is the bug CSCsc44660 the same problem for me too?

The other end VPN device is not a Cisco device.

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi,

The bug CSCsc44660 is specifically for EasyVPN, while we are looking at plain site-to-site IPSec VPNs, as it's a third party (which won't support EasyVPN or DMVPN solutions).

After reviewing the feature documentation, it looks like 'invalid-spi-recovery' has to be configured on both the routers for it to function as required. You can check the configs on both sides as shown:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7a76.html

You can try with another Cisco router on the other side for this to work as required, as the third-party device has to have a similar mechanism for them to clear out the ISAKMP SAs on their side.

Hope this helps,

Rgds,

Aamir
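The %CRYPTO-4-RECVD_PKT_INV_SPI message quoted above is the router saying a peer is still sending ESP on an SA the router no longer has; Aamir's point is that invalid-spi-recovery only clears that state when both sides cooperate. The following is an added example, not code from the thread or from Cisco, that parses lines in exactly the layout quoted and groups them by peer and SPI, so a peer that keeps hitting the same unknown SPI stands out as the stale-SA case that the feature has not resolved. The sample syslog lines are constructed (RFC 5737 documentation addresses, illustrative SPI values); the hex/decimal cross-check is the one element of the parser that goes beyond what the thread shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the IOS syslog layout quoted in the thread
# (<seq>: <timestamp> : %CRYPTO-4-RECVD_PKT_INV_SPI: ...). Addresses are RFC 5737
# documentation ranges; the SPI values are illustrative.
SAMPLE_SYSLOG = """\
002636: Oct 10 11:30:10.183 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xD6B88819(3602417689), srcaddr=198.51.100.20
002637: Oct 10 11:30:40.190 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xD6B88819(3602417689), srcaddr=198.51.100.20
002638: Oct 10 11:31:10.201 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xD6B88819(3602417689), srcaddr=198.51.100.20
002639: Oct 10 11:31:12.555 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.30
002640: Oct 10 11:31:15.000 : %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
"""

INV_SPI_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<ts>.+?)\s+:\s+%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: "
    r"rec'd IPSEC packet has invalid spi for destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[\d.]+)$"
)
PROTO_NAMES = {50: "ESP", 51: "AH"}   # IP protocol numbers of the two IPsec protocols


def parse_invalid_spi(line):
    """Parse one RECVD_PKT_INV_SPI line; return None for any other message.

    The router logs the SPI both in hex and in decimal; the two are cross-checked
    so a mangled line (copy/paste, log-forwarder truncation) is not counted.
    """
    m = INV_SPI_RE.match(line.strip())
    if not m:
        return None
    spi = int(m.group("spi_hex"), 16)
    if spi != int(m.group("spi_dec")):
        raise ValueError("hex/decimal SPI mismatch in: " + line)
    prot = int(m.group("prot"))
    return {
        "seq": int(m.group("seq")),
        "timestamp": m.group("ts"),
        "src": m.group("src"),        # the peer that still holds the stale SA
        "dst": m.group("dst"),        # this router's tunnel address
        "proto": PROTO_NAMES.get(prot, str(prot)),
        "spi": spi,
    }


def summarize_invalid_spi(lines, stale_threshold=3):
    """Group invalid-SPI events by (peer, local address, SPI).

    One peer hitting the same unknown SPI again and again means that peer still
    holds an IPsec SA this router has forgotten (reload, cleared SA, timeout) and
    the DELETE notify that invalid-spi-recovery should trigger is not taking
    effect, which is what you see when only one side has the feature configured.
    """
    counts = Counter()
    spis_per_peer = defaultdict(set)
    for line in lines:
        ev = parse_invalid_spi(line)
        if ev is None:
            continue
        counts[(ev["src"], ev["dst"], ev["spi"])] += 1
        spis_per_peer[ev["src"]].add(ev["spi"])
    stale = sorted(key for key, n in counts.items() if n >= stale_threshold)
    return {
        "counts": dict(counts),
        "stale": stale,
        "spis_per_peer": {peer: sorted(s) for peer, s in spis_per_peer.items()},
    }


if __name__ == "__main__":
    result = summarize_invalid_spi(SAMPLE_SYSLOG.splitlines())
    for (src, dst, spi), n in result["counts"].items():
        print(f"{src} -> {dst} spi=0x{spi:08X}: {n} packet(s)")
    for src, dst, spi in result["stale"]:
        print(f"likely stale SA on peer {src} (spi 0x{spi:08X}); "
              "confirm invalid-spi-recovery is enabled on both sides")
```

A single invalid-SPI hit after a rekey is noise; the same (peer, SPI) pair recurring at the IPsec retransmit interval, as in the first three sample lines, is the case Aamir describes, and the fix is on the peer (clear its SA or give it the equivalent recovery mechanism), not on the router that is logging.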

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi,

What is source-based routing? I'm preparing for the R&S CCIE; what is the better way to prepare?

Sutha.

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Sutha,

Unfortunately I am not familiar with that technology, so you might want to ask this question on a routing forum.

Rgds,

Aamir

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi, I have a query regarding Cisco SSL VPN Client operating through Corporate / Enterprise proxies.

Having read the release notes for the SSL VPN Client, they say to make sure you tick "HTTP 1.1 through proxy", which has been done.

The SSL VPN connection fails when it tries to establish the actual tunnel, after user authentication and client download have completed.

In traces I can see CONNECT messages sent to the proxy. One thing I notice is the messages seem to be version 1.0.

I would very much appreciate some more detailed information being made available for getting this solution to work.

Due to the proxies often being under separate management control, and change control being required to do any troubleshooting on the proxies, it really would make life a lot easier during deployment if we had a good understanding of exactly what was going on and what needs to be enabled / supported on the proxy device.

For example if the proxy requires user authentication is this catered for by the SSL Client?

Many thanks

Steve C

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Steve,

Which headend are you connecting to, and what version of VPN client and server code are you running? Additionally, can you mention the error message you see when you connect?

Rgds,

Aamir

New Member

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Thanks for the response.

It's currently on a VPN 3005 but if implemented will move to a number of 3060s and then perhaps onto another more recent platform down the line.

SSL Client Code is latest code, downloaded / installed last week. 1.1.2.169.pkg.

Error message is 'The SSL VPN connection to the remote peer was disrupted and could not automatically re-establish. A new connection requires re-authentication and must be started manually. Close all sensitive network applications'.

This message appears as the tunnel is initiated. The tunnel is never actually established.

Many thanks, Steve

Cisco Employee

Re: ASK THE EXPERT- SSL VPN ON ROUTERS

Hi Steve,

This should work as long as you are using IE as the browser as this would not work for other browsers. Make sure you are on the latest CVPN3000 code and open up a TAC case for them to review the necessary debugs to troubleshoot this issue with you.

Rgds,

Aamir
