New Member

WebVPN - no connectivity from outside interface

Hello,

I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, the 443 port appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.

Thanks!

Accepted Solution

Re: WebVPN - no connectivity from outside interface

This is your main route:

ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123

This is your backup route:

ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124

If you try to access Dialer0 from outside, your return traffic goes through FastEthernet0.

You need to do "Local PBR" to correct this...
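As an added illustration (not part of the accepted answer or the poster's config), one way the "Local PBR" suggested above can be written. It assumes Dialer0 has a statically known address (198.51.100.2 is a placeholder) and that the WebVPN gateway listens on 443; the ACL and route-map names are invented.

```cisco
! Added example, not from the thread. Placeholder address 198.51.100.2 stands for
! the Dialer0 address; WEBVPN_VIA_DIALER and LOCAL_PBR are invented names.
!
! 1. Match router-originated replies (SYN-ACK and later segments) that are
!    sourced from the Dialer0 address on the WebVPN port.
ip access-list extended WEBVPN_VIA_DIALER
 permit tcp host 198.51.100.2 eq 443 any
!
! 2. Force those replies out Dialer0 instead of following the preferred
!    default route via FastEthernet0 (distance 10 beats 20 while track 123 is up).
!    Packets that do not match the ACL are routed normally.
route-map LOCAL_PBR permit 10
 match ip address WEBVPN_VIA_DIALER
 set interface Dialer0
!
! 3. Local policy applies to traffic the router itself generates; an interface
!    "ip policy route-map" would not see the WebVPN gateway's own replies.
ip local policy route-map LOCAL_PBR
!
! Verify with:  show ip local policy   and   show route-map LOCAL_PBR
```

If the Dialer0 address is negotiated rather than fixed, the host entry in the ACL has to be kept in step with it, otherwise the route-map never matches and the asymmetric return path remains.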

25 REPLIES
Cisco Employee

Re: WebVPN - no connectivity from outside interface

do a

'show tcp brief all num'

And that will show you what ports the router is listening on. If you see an IPADDRESS:443 vs *:443, then it's listening on that IP address.

Please post your configuration for more assistance.

New Member

Re: WebVPN - no connectivity from outside interface

The command returned the IP address assigned by the ISP followed by ".443" and (state) as "LISTEN". I have attached my current config for reference.

Cisco Employee

Re: WebVPN - no connectivity from outside interface

Does the 'show webvpn context' show the context as up?

New Member

Re: WebVPN - no connectivity from outside interface

Yes, the context is up (AS/up, OS/up) and I can access the portal from the inside interface by using the public IP address. It's only when I try to connect from the Internet that the router fails to respond.

It's like the router is blocking all connections to itself from the outside interfaces based on some default rule/policy/ACL/etc., but I have no idea what that may be or how it can be altered.

The only way I was able to open port 443 was by forwarding it to some computer behind the router, which obviously is of no help.

New Member

Re: WebVPN - no connectivity from outside interface

After analyzing the problem in more detail I came to the conclusion that the port is indeed open on the outside interface, but the TCP connections are dropped during the initial handshake. Here is what actually happens:

TCB84E12BD4 created
Reserved port 443 in Transport Port Agent for TCP IP type 1
TCP0: state was LISTEN -> SYNRCVD [443 -> y.y.y.y(4718)]
TCP: tcb 84E12BD4 connection to y.y.y.y:4718, peer MSS 1460, MSS is 516
TCP: sending SYN, seq 2578099390, ack 3152674293
TCP0: Connection to y.y.y.y:4718, advertising MSS 536
x.x.x.x:3 <---> y.y.y.y:4718 congestion window changes
cwnd from 536 to 536, ssthresh from 65535 to 1072
TCP0: timeout #1 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
TCP0: timeout #2 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
connection attempt to port 36109
TCP: sending RST, seq 0, ack 2677520110
TCP: sent RST to 92.84.106.222:2777 from x.x.x.x:36109
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
Released port 443 in Transport Port Agent for TCP IP type 1 delay 240000
TCP0: state was SYNRCVD -> CLOSED [443 -> y.y.y.y(4718)]
TCB 0x84E12BD4 destroyed

where x.x.x.x is the address of the router and y.y.y.y is the address of the remote client (a 2003 server machine).

I would very much appreciate any ideas on how to solve this problem!

New Member

Re: WebVPN - no connectivity from outside interface

I am having the same issues. How was this condition resolved?

New Member

Re: WebVPN - no connectivity from outside interface

Unfortunately, I am still trying to find a solution for this problem. Maybe you could post your configuration, so we can try to at least rule out what is not causing this behavior.

Re: WebVPN - no connectivity from outside interface

Exclude the IP address of the local interface from the NAT.

[Pls RATE if HELPS]

New Member

Re: WebVPN - no connectivity from outside interface

Please elaborate a bit more on your solution, because I'm not sure that I understand what I'm supposed to do. The IP address of the virtual interface (BVI1) is not being NATted directly, but several computers behind the router (sharing the same IP class) are. Is this the problem?
