
Cisco IP phone Anyconnect SSL VPN - failing authentication

lwisniowski
Level 1

Hello,

I have a strange problem with the SSL VPN for the phones. It is working, but the phone displays "VPN Authentication Failed". To log in I need to press the retry button 2-5 times on the phone.

Setup looks as follows :

CUCM version - 8.0.3a

2801 router as a gateway - IOS 151-4.M2

Phone 7945 - firmware 9-2-1S

Gateway config:

crypto pki trustpoint test
 fqdn test.com
 subject-name cn=test.com
 revocation-check none
 rsakeypair test
!
crypto pki certificate chain test
 certificate self-signed 02
  308205BA 308203A2 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  .....
!
ip local pool sslvpn 192.168.50.2 192.168.50.100
!
webvpn gateway sslvpn
 ip address 192.168.21.50 port 443
 ssl trustpoint test
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2019-k9.pkg sequence 1
 !
webvpn context sslvpn
 ssl authenticate verify all
 !
 !
 policy group sslvpn
   functions svc-enabled
   svc address-pool "sslvpn"
   svc default-domain "test.local"
   svc keep-client-installed
   svc dns-server primary 192.168.20.11
   svc dns-server secondary 192.168.20.12
   svc dtls
 default-group-policy sslvpn
 aaa authentication list default
 gateway sslvpn
 inservice

CUCM configuration according to :

https://supportforums.cisco.com/docs/DOC-12173

I have tried different things without any change to the problem:

- different certificates

- IOS version 151-3.T2

- changing timeouts on CUCM (Fail to Connect) and SSL VPN timeouts on the router

- changed aaa to use local database instead of RADIUS

- turned off Host ID Check on CUCM

- moved gateway to a public ip address (no static NAT)

- also tried ip address as an url instead of domain name

What really bothers me is that it is working, but users need to retry the connection a few times. The AnyConnect client on Windows is working without any problems.

I have enabled logging for the webvpn.

Unsuccessful connection log (VPN authentication failed on the phone):

Nov 10 09:49:34.162: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:52944

Nov 10 09:49:34.386: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155  status: HTTP request without login cookie resource: /

Nov 10 09:49:34.414: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:52944

Nov 10 09:49:39.570: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in

Successful connection:

Nov 10 09:51:08.607: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:53168

Nov 10 09:51:08.831: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155  status: HTTP request without login cookie resource: /

Nov 10 09:51:08.859: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:53168

Nov 10 09:51:13.815: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in

The logs look exactly the same.

I will appreciate any help or guidance.

Thanks

Lukasz

2 Replies

resolveits
Level 1

Hi Lukasz,

I am having the same issue, did you ever find a solution to this problem?

Yes, I resolved that issue. It is probably related to "svc rekey method new-tunnel". Cisco routers do not support renegotiation (available on ASA), only new-tunnel. Long story short, the phone was getting a wrong default gateway for the VPN tunnel. Sometimes it did work, sometimes it didn't.

Log from the Cisco phone:

8416: NOT 13:11:25.896568 VPNC: vpnc_tun_connect: bringing up i/f -> tun0

8417: NOT 13:11:25.897432 VPNC: vpnc_tun_connect: MTU       -> 1200

8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr   -> 192.168.50.46

8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.255

8420: NOT 13:11:25.899499 VPNC: vpnc_tun_connect: broadcast -> 192.168.50.46

8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f

8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128

8423: ERR 13:11:25.901832 VPNC: vpnc_tun_connect: failed to add default route, cleaning up

8424: NOT 13:11:25.902443 VPNC: vpnc_tun_disconnect: bringing down i/f -> tun0

Clearly the gateway should have been 50.46 in that case (with mask 255.255.255.255).

The resolution is to manually configure a mask for the SVC address pool:

svc address-pool "sslvpn" netmask 255.255.255.0

It has been working without any problems since then, assigning:

4145: NOT 14:11:10.706340 VPNC: vpnc_tun_connect: bringing up i/f -> tun0

4146: NOT 14:11:10.707189 VPNC: vpnc_tun_connect: MTU       -> 1290

4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr   -> 192.168.150.5

4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.0

4149: NOT 14:11:10.709278 VPNC: vpnc_tun_connect: broadcast -> 192.168.150.255

4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f

4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok

4152: NOT 14:11:10.711616 VPNC: set_conn_state: CONN : 1 (TRYING) --> 2 (SUCCESS)

4153: NOT 14:11:10.712272 VPNC: set_conn_state: VPNC : 4 (Connecting) --> 5 (Connected)

Although it is using .1 as the gateway (it does not have to be configured on the router), it does work as expected.

Most likely an IOS problem but I had no time at that time to deal with TAC.
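As an added illustration (not code from the post or from Cisco), the Python below pulls the tunnel address, netmask and default gateway out of the VPNC lines quoted in this thread and checks whether the gateway is on-link, which is the condition the phone's route add silently requires: with a /32 the only on-link address is the phone's own, so a gateway of .47 cannot be installed and the tunnel is torn down. It also flags `svc address-pool` entries in a webvpn policy group that carry no explicit netmask, which is the setting the fix above changes. The log lines are copied from the two phone logs in the thread; the policy-group fragments are abridged from the configuration in the original post and from the fix. The meaning of the phone's `ioctl err 128` and the router's default pool mask are not asserted here.

```python
import ipaddress
import re

# Phone log lines copied from the thread above: the failing bring-up (/32 pool)
# and the working one (/24 pool). Abridged to the lines the check needs.
FAILING_LOG = """\
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr   -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.255
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128
"""

WORKING_LOG = """\
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr   -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.0
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok
"""

# Policy-group fragments abridged from the thread: the original post's pool line
# (no netmask) and the line given as the fix.
POLICY_BEFORE = '''  policy group sslvpn
    functions svc-enabled
    svc address-pool "sslvpn"
    svc dtls
'''
POLICY_AFTER = '''  policy group sslvpn
    functions svc-enabled
    svc address-pool "sslvpn" netmask 255.255.255.0
    svc dtls
'''

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_IP_RE = re.compile(r"IP addr\s+->\s+" + _IPV4)
_MASK_RE = re.compile(r"netmask\s+->\s+" + _IPV4)
_GW_RE = re.compile(r"adding default gw <" + _IPV4 + ">")
_POOL_RE = re.compile(
    r'^\s*svc address-pool\s+"?([\w.-]+)"?(?:\s+netmask\s+' + _IPV4 + r")?\s*$",
    re.MULTILINE,
)


def parse_tun_params(log):
    """Pull the tunnel address, netmask and default gateway out of VPNC log text."""
    params = {}
    for key, rx in (("ip", _IP_RE), ("netmask", _MASK_RE), ("gateway", _GW_RE)):
        m = rx.search(log)
        if m is None:
            raise ValueError("no %s line in log" % key)
        params[key] = m.group(1)
    return params


def gateway_is_onlink(ip, netmask, gateway):
    """A default route via `gateway` can only be installed if the gateway falls
    inside the subnet the interface is configured with. With a /32 the only
    on-link address is the interface's own, so any other gateway is rejected."""
    iface = ipaddress.ip_interface("%s/%s" % (ip, netmask))
    return ipaddress.ip_address(gateway) in iface.network


def diagnose(log):
    """Return 'ok' or 'gateway-off-link' for a VPNC tunnel bring-up log."""
    p = parse_tun_params(log)
    onlink = gateway_is_onlink(p["ip"], p["netmask"], p["gateway"])
    return "ok" if onlink else "gateway-off-link"


def pools_without_netmask(config):
    """Names of svc address-pool entries in a webvpn policy group that carry no
    explicit netmask, so whatever default the router applies is in effect."""
    return [m.group(1) for m in _POOL_RE.finditer(config) if m.group(2) is None]


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, parse_tun_params(log), diagnose(log))
    print("pools lacking netmask (before):", pools_without_netmask(POLICY_BEFORE))
    print("pools lacking netmask (after): ", pools_without_netmask(POLICY_AFTER))
```

Run stand-alone, it reports the /32 bring-up as gateway-off-link and the /24 one as ok, and lists `sslvpn` as a pool missing a netmask only for the original configuration. The same two functions can be pointed at a fresh phone console log and at a `show running-config` excerpt to confirm whether a deployment is exposed to the same intermittent failure.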