11-10-2011 01:57 AM - edited 03-16-2019 07:58 AM
Hello,
I have a strange problem with the SSL VPN for the phones. It is working, but the phone displays "VPN Authentication Failed". To log in I need to press the Retry button 2-5 times on the phone.
Setup looks as follows:
CUCM version - 8.0.3a
2801 router as a gateway - IOS 151-4.M2
Phone 7945 - firmware 9-2-1S
Gateway config:
crypto pki trustpoint test
fqdn test.com
subject-name cn=test.com
revocation-check none
rsakeypair test
!
crypto pki certificate chain test
certificate self-signed 02
308205BA 308203A2 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
.....
!
ip local pool sslvpn 192.168.50.2 192.168.50.100
!
webvpn gateway sslvpn
ip address 192.168.21.50 port 443
ssl trustpoint test
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2019-k9.pkg sequence 1
!
webvpn context sslvpn
ssl authenticate verify all
!
!
policy group sslvpn
functions svc-enabled
svc address-pool "sslvpn"
svc default-domain "test.local"
svc keep-client-installed
svc dns-server primary 192.168.20.11
svc dns-server secondary 192.168.20.12
svc dtls
default-group-policy sslvpn
aaa authentication list default
gateway sslvpn
inservice
CUCM configuration according to:
https://supportforums.cisco.com/docs/DOC-12173
I have tried different things without any change to the problem:
- different certificates
- IOS version 151-3.T2
- changing timeouts on CUCM (Fail to Connect) and ssl vpn timeouts on the router
- changed aaa to use local database instead of RADIUS
- turned off Host ID Check on CUCM
- moved gateway to a public ip address (no static NAT)
- also tried ip address as an url instead of domain name
What really bothers me is that it is working, but users need to retry the connection a few times. The AnyConnect client on Windows is working without any problems.
I have enabled logging for the webvpn.
Unsuccessful connection log (VPN Authentication Failed on the phone):
Nov 10 09:49:34.162: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:52944
Nov 10 09:49:34.386: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 status: HTTP request without login cookie resource: /
Nov 10 09:49:34.414: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:52944
Nov 10 09:49:39.570: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in
Successful connection:
Nov 10 09:51:08.607: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:53168
Nov 10 09:51:08.831: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 status: HTTP request without login cookie resource: /
Nov 10 09:51:08.859: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:53168
Nov 10 09:51:13.815: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in
Logs look exactly the same.
I will appreciate any help or guidance.
Thanks
Lukasz
06-19-2012 03:51 AM
Hi Lukasz,
I am having the same issue, did you ever find a solution to this problem?
06-19-2012 06:10 AM
Yes, I resolved that issue. It is probably related to "svc rekey method new-tunnel". Cisco routers do not support renegotiation (available on ASA), only new-tunnel. Long story short, the phone was getting a wrong default gateway for the VPN tunnel. Sometimes it did work, sometimes it didn't.
Log from the Cisco phone:
8416: NOT 13:11:25.896568 VPNC: vpnc_tun_connect: bringing up i/f -> tun0
8417: NOT 13:11:25.897432 VPNC: vpnc_tun_connect: MTU -> 1200
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask -> 255.255.255.255
8420: NOT 13:11:25.899499 VPNC: vpnc_tun_connect: broadcast -> 192.168.50.46
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128
8423: ERR 13:11:25.901832 VPNC: vpnc_tun_connect: failed to add default route, cleaning up
8424: NOT 13:11:25.902443 VPNC: vpnc_tun_disconnect: bringing down i/f -> tun0
Clearly the gateway should have been 50.46 in that case (with mask 255.255.255.255).
Resolution is to manually configure a mask for SVC address pool.
svc address-pool "sslvpn" netmask 255.255.255.0
It has been working without any problems since then, assigning:
4145: NOT 14:11:10.706340 VPNC: vpnc_tun_connect: bringing up i/f -> tun0
4146: NOT 14:11:10.707189 VPNC: vpnc_tun_connect: MTU -> 1290
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask -> 255.255.255.0
4149: NOT 14:11:10.709278 VPNC: vpnc_tun_connect: broadcast -> 192.168.150.255
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok
4152: NOT 14:11:10.711616 VPNC: set_conn_state: CONN : 1 (TRYING) --> 2 (SUCCESS)
4153: NOT 14:11:10.712272 VPNC: set_conn_state: VPNC : 4 (Connecting) --> 5 (Connected)
Although it is using .1 as a gateway (it does not have to be configured on the router), it does work as expected.
Most likely an IOS problem but I had no time at that time to deal with TAC.
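The diagnosis in the post above (a pool with no netmask hands the phone a /32, and the gateway it is then offered is off that prefix) can be checked mechanically. The script below is an added example, not code from the original posts or from Cisco: it parses the three relevant VPNC lines, tests whether the offered gateway sits inside the assigned prefix, and flags any `svc address-pool` line in a webvpn policy group that lacks a `netmask`. The sample traces and config fragments are constructed from the excerpts in this thread, the function names are my own, and the on-link rule it applies is an assumption rather than something the thread states.

```python
"""Check whether the default gateway offered to the phone's VPN client
falls inside the prefix it was assigned, and whether an IOS webvpn
policy group configures a netmask on its SVC address pool.

Added example, not code from the original thread or from Cisco.
Function names are mine; the sample traces and config fragments are
constructed from the excerpts posted in the thread.
"""
import ipaddress
import re

# Constructed sample: failing connection (pool had no netmask, phone got a /32
# and was offered the next address in the pool as its default gateway).
FAILING_TRACE = """\
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask -> 255.255.255.255
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
"""

# Constructed sample: working connection after adding 'netmask 255.255.255.0'.
WORKING_TRACE = """\
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask -> 255.255.255.0
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
"""

# Constructed config fragments: the original policy group and the fixed one.
BROKEN_POOL_CONFIG = """\
policy group sslvpn
 functions svc-enabled
 svc address-pool "sslvpn"
 svc dtls
"""
FIXED_POOL_CONFIG = """\
policy group sslvpn
 functions svc-enabled
 svc address-pool "sslvpn" netmask 255.255.255.0
 svc dtls
"""

_IP_RE = re.compile(r"IP addr -> (\S+)")
_MASK_RE = re.compile(r"netmask -> (\S+)")
_GW_RE = re.compile(r"adding default gw <([^>]+)>")
_POOL_RE = re.compile(r'^\s*svc address-pool\s+"?([^"\s]+)"?(.*)$')


def parse_vpnc_trace(trace):
    """Return (ip, netmask, gateway) from a VPNC tunnel-setup trace."""
    ip = mask = gw = None
    for line in trace.splitlines():
        m = _IP_RE.search(line)
        if m:
            ip = m.group(1)
        m = _MASK_RE.search(line)
        if m:
            mask = m.group(1)
        m = _GW_RE.search(line)
        if m:
            gw = m.group(1)
    if not (ip and mask and gw):
        raise ValueError("trace lacks an IP addr, netmask or default gw line")
    return ip, mask, gw


def gateway_is_on_link(ip, mask, gw):
    """True when gw lies inside the connected prefix ip/mask.

    Assumption (mine, not stated in the thread): the phone's route add
    succeeds only when the gateway is within the tunnel interface's own
    prefix.  With a /32 the only on-link address is the interface itself,
    so any gateway other than ip is off-link.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ipaddress.IPv4Address(gw) in iface.network


def audit_trace(trace):
    """Summarise a trace: assigned prefix, offered gateway, on-link verdict."""
    ip, mask, gw = parse_vpnc_trace(trace)
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return {
        "prefix": str(iface.network),
        "gateway": gw,
        "on_link": gateway_is_on_link(ip, mask, gw),
    }


def pools_without_netmask(config):
    """Names of 'svc address-pool' entries lacking a netmask keyword."""
    missing = []
    for line in config.splitlines():
        m = _POOL_RE.match(line)
        if m and "netmask" not in m.group(2):
            missing.append(m.group(1))
    return missing


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, audit_trace(trace))
    print("pools lacking netmask:", pools_without_netmask(BROKEN_POOL_CONFIG))
```

`pools_without_netmask` can be pointed at the output of `show running-config | section webvpn context` to catch the same omission on other gateways before phones start retrying; `audit_trace` takes the VPNC lines from the phone's console log as-is.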