Cisco IP phone Anyconnect SSL VPN - failing authentication

lwisniowski
Level 1

Hello,

I have a strange problem with the SSL VPN for the phones. It is working, but the phone displays "VPN Authentication Failed". To log in I need to press the retry button 2-5 times on the phone.

Setup looks as follows :

CUCM version - 8.0.3a

2801 router as a gateway - IOS 151-4.M2

Phone 7945 - firmware 9-2-1S

Gateway config:

crypto pki trustpoint test
 fqdn test.com
 subject-name cn=test.com
 revocation-check none
 rsakeypair test
!
crypto pki certificate chain test
 certificate self-signed 02
  308205BA 308203A2 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  .....
!
ip local pool sslvpn 192.168.50.2 192.168.50.100
!
webvpn gateway sslvpn
 ip address 192.168.21.50 port 443
 ssl trustpoint test
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2019-k9.pkg sequence 1
 !
webvpn context sslvpn
 ssl authenticate verify all
 !
 !
 policy group sslvpn
   functions svc-enabled
   svc address-pool "sslvpn"
   svc default-domain "test.local"
   svc keep-client-installed
   svc dns-server primary 192.168.20.11
   svc dns-server secondary 192.168.20.12
   svc dtls
 default-group-policy sslvpn
 aaa authentication list default
 gateway sslvpn
 inservice

CUCM configuration according to :

https://supportforums.cisco.com/docs/DOC-12173

I have tried different things without any change to the problem:

- different certificates

- IOS version 151-3.T2

- changing timeouts on CUCM (Fail to Connect) and ssl vpn timeouts on the router

- changed aaa to use local database instead of RADIUS

- turned off Host ID Check on CUCM

- moved gateway to a public ip address (no static NAT)

- also tried ip address as an url instead of domain name

What really bothers me is that it is working, but users need to retry the connection a few times. The AnyConnect client on Windows is working without any problems.

I have enabled logging for the webvpn.

Unsuccessful connection log (VPN authentication failed on the phone):

Nov 10 09:49:34.162: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:52944

Nov 10 09:49:34.386: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155  status: HTTP request without login cookie resource: /

Nov 10 09:49:34.414: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:52944

Nov 10 09:49:39.570: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in

Successful connection:

Nov 10 09:51:08.607: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 46.64.24.155:53168

Nov 10 09:51:08.831: %SSLVPN-5-HTTP_REQUEST_NOT_AUTHORIZED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155  status: HTTP request without login cookie resource: /

Nov 10 09:51:08.859: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: sslvpn vw_gw: sslvpn i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 46.64.24.155:53168

Nov 10 09:51:13.815: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn vw_gw: sslvpn remote_ip: 46.64.24.155 user_name: lukasz, Authentication successful, user logged in

Logs look exactly the same.

I will appreciate any help or guidance.

Thanks

Lukasz

2 Replies

resolveits
Level 1

Hi Lukasz,

I am having the same issue, did you ever find a solution to this problem?

Yes, I resolved that issue. It is probably related to "svc rekey method new-tunnel". Cisco routers do not support renegotiation (available on ASA), only new-tunnel. Long story short, the phone was getting a wrong default gateway for the VPN tunnel. Sometimes it did work, sometimes it didn't.

Log from the Cisco phone:

8416: NOT 13:11:25.896568 VPNC: vpnc_tun_connect: bringing up i/f -> tun0

8417: NOT 13:11:25.897432 VPNC: vpnc_tun_connect: MTU       -> 1200

8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr   -> 192.168.50.46

8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.255

8420: NOT 13:11:25.899499 VPNC: vpnc_tun_connect: broadcast -> 192.168.50.46

8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f

8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128

8423: ERR 13:11:25.901832 VPNC: vpnc_tun_connect: failed to add default route, cleaning up

8424: NOT 13:11:25.902443 VPNC: vpnc_tun_disconnect: bringing down i/f -> tun0

Clearly the gateway should have been 50.46 in that case (with mask 255.255.255.255).

Resolution is to manually configure a mask for SVC address pool.

svc address-pool "sslvpn" netmask 255.255.255.0

It has been working without any problems since then, assigning:

4145: NOT 14:11:10.706340 VPNC: vpnc_tun_connect: bringing up i/f -> tun0

4146: NOT 14:11:10.707189 VPNC: vpnc_tun_connect: MTU       -> 1290

4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr   -> 192.168.150.5

4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.0

4149: NOT 14:11:10.709278 VPNC: vpnc_tun_connect: broadcast -> 192.168.150.255

4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f

4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok

4152: NOT 14:11:10.711616 VPNC: set_conn_state: CONN : 1 (TRYING) --> 2 (SUCCESS)

4153: NOT 14:11:10.712272 VPNC: set_conn_state: VPNC : 4 (Connecting) --> 5 (Connected)

Although it is using .1 as the gateway (it does not have to be configured on the router), it does work as expected.

Most likely an IOS problem but I had no time at that time to deal with TAC.
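The following is an added example, not code from the thread or from Cisco. It pulls the tunnel parameters (assigned address, netmask, offered default gateway) out of the two VPNC excerpts quoted above, and applies the check that any route-add on a tun interface has to pass: the gateway must lie inside the on-link subnet formed by the address and netmask. With the /32 the router handed out, the only on-link address is the phone itself, so the .47 gateway cannot be reached via tun0 and the route-add fails; with the /24 from `svc address-pool ... netmask 255.255.255.0`, .1 is on-link and the route installs. The reproduction of the phone's own gateway-derivation logic is not on the page and is not attempted here; the on-link rule is the assumption this example rests on. A second helper checks that a candidate netmask actually spans the whole `ip local pool` range, which is the value you would want before committing the netmask command.

```python
import ipaddress
import re

# Constructed samples: the two VPNC excerpts quoted in the thread, trimmed to
# the lines that carry tunnel parameters. Failing case (/32) and working case (/24).
FAILING_LOG = """\
8418: NOT 13:11:25.898139 VPNC: vpnc_tun_connect: IP addr   -> 192.168.50.46
8419: NOT 13:11:25.898797 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.255
8421: NOT 13:11:25.900398 VPNC: vpnc_set_dflt_route: adding default gw <192.168.50.47> via i/f
8422: ERR 13:11:25.901113 VPNC: vpnc_set_dflt_route: ioctl err 128
"""

WORKING_LOG = """\
4147: NOT 14:11:10.707951 VPNC: vpnc_tun_connect: IP addr   -> 192.168.150.5
4148: NOT 14:11:10.708644 VPNC: vpnc_tun_connect: netmask   -> 255.255.255.0
4150: NOT 14:11:10.710108 VPNC: vpnc_set_dflt_route: adding default gw <192.168.150.1> via i/f
4151: NOT 14:11:10.710990 VPNC: protocol_handler: vpnc_tun_connect ok
"""

# Regexes written against the line shapes visible in the thread (assumption:
# other firmware builds may format these lines differently).
TUN_RE = re.compile(r"vpnc_tun_connect: (IP addr|netmask)\s+-> (\S+)")
GW_RE = re.compile(r"vpnc_set_dflt_route: adding default gw <(\S+)>")


def parse_tunnel_params(log: str) -> dict:
    """Return {'ip': ..., 'netmask': ..., 'gw': ...} from a VPNC log excerpt."""
    params = {}
    for line in log.splitlines():
        m = TUN_RE.search(line)
        if m:
            params["ip" if m.group(1) == "IP addr" else "netmask"] = m.group(2)
        m = GW_RE.search(line)
        if m:
            params["gw"] = m.group(1)
    return params


def gateway_is_on_link(ip: str, netmask: str, gw: str) -> bool:
    """On-link rule: a gateway is only installable via the interface if it falls
    inside the subnet defined by the interface address and netmask."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return ipaddress.ip_address(gw) in iface.network


def diagnose(log: str) -> tuple:
    """Parse an excerpt and say whether the offered gateway could be installed."""
    p = parse_tunnel_params(log)
    return p, gateway_is_on_link(p["ip"], p["netmask"], p["gw"])


def netmask_covers_pool(first: str, last: str, netmask: str) -> bool:
    """True if both ends of an 'ip local pool' range sit in the same subnet
    under the candidate netmask, i.e. the mask is safe to put on the pool."""
    lo = ipaddress.ip_interface(f"{first}/{netmask}").network
    hi = ipaddress.ip_interface(f"{last}/{netmask}").network
    return lo == hi


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        params, ok = diagnose(log)
        print(f"{name}: {params} -> gateway on-link: {ok}")
    # The pool from the original post, checked against both netmasks.
    print("/24 covers pool:", netmask_covers_pool("192.168.50.2", "192.168.50.100", "255.255.255.0"))
    print("/32 covers pool:", netmask_covers_pool("192.168.50.2", "192.168.50.100", "255.255.255.255"))
```

Run against the two excerpts, the failing case reports the .47 gateway as off-link for a /32 and the working case reports .1 as on-link for the /24, which matches the ioctl error on one side and `vpnc_tun_connect ok` on the other. The pool check is the one to run before adding `netmask` to `svc address-pool`: a mask that splits the pool across two subnets would reintroduce the same off-link gateway for part of the range.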
