06-29-2012 08:46 AM - edited 03-21-2019 05:59 AM
Hi everyone,
I have recently upgraded the UC560 to the 8.6 software pack, and since then I have had issues with SSL VPN from the SPA525G: it does not want to connect.
These are the errors I am getting:
008103: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 882CEA48
008104: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008105: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008106: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 882CEA48 in interrupt path
008107: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 882CEA48 punted
008108: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008109: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008110: Jun 29 15:56:38.138: WV: Tunneled data packet was sent
008111: Jun 29 15:56:38.390: WV: Tunneled data packet was copied!
008112: Jun 29 15:56:38.390: [WV-TUNL-PAK]:[8B43B058] RxClient, CSTP Data, recvd from (jmalone, 172.16.1.4)
008113: Jun 29 15:56:38.390: [WV-TUNL-PAK]:CSTP version: 1, Data Len: 36 bytes
1E601C00: 535446 STF
1E601C10: 01002400 00450000 24000040 00011143 ..$..E..$..@...C
1E601C20: 64AC1001 04E0A8A8 A8D43117 AD0010AC d,...`(((T1.-..,
1E601C30: 1B3FA2F0 CB000001 00 .?"pK....
008114: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 86C0C178
008115: Jun 29 15:56:38.398: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008116: Jun 29 15:56:38.398: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008117: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 86C0C178 in interrupt path
008118: Jun 29 15:56:38.398: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 86C0C178 punted
008119: Jun 29 15:56:38.398: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008120: Jun 29 15:56:38.398: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008121: Jun 29 15:56:38.398: WV: Tunneled data packet was sent
My config of the VPN:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.4.250 port 443
ssl trustpoint TP-self-signed-171782247
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.6005-k9.pkg sequence 1
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SDM_WEBVPN_POLICY_1
functions svc-enabled
svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
svc dns-server primary 192.168.2.1
svc dns-server secondary 192.168.2.50
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 20
inservice
The outside IP address is mapped to 192.168.4.250:443. I can browse to that IP and I can connect to the VPN fine without any problems; it just does not work for the phone, and it does not give me an error either.
Any ideas?
Thank you
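As an added triage aid (not part of the original post or of Cisco's tooling), the Python below parses lines in the format of the debug output quoted above, groups them by the tunnel session handle, and reports forwarding failures, punts, users and tunnelled flows; it also separates flows with a multicast destination, since the punted packet above is to 224.168.168.168. The regexes are assumptions derived only from the line formats shown here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted above (one session, one punted packet).
SAMPLE_LOG = """\
008103: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Forwarding the pak 882CEA48
008104: Jun 29 15:56:38.138: [WV-TUNL-PAK]: IP4 Len =36 Src =172.16.1.4 Dst =224.168.168.168 Prot =17 CEF
008105: Jun 29 15:56:38.138: [WV-TUNL-PAK]:UDP sport=54321, dport=6061, chsum=AC1B, len=16, data0=1067643083
008106: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Failed to fwd Pak 882CEA48 in interrupt path
008107: Jun 29 15:56:38.138: [WV-TUNL-PAK]:[8B43B058] TxServer, Pak 882CEA48 punted
008110: Jun 29 15:56:38.138: WV: Tunneled data packet was sent
008111: Jun 29 15:56:38.390: WV: Tunneled data packet was copied!
008112: Jun 29 15:56:38.390: [WV-TUNL-PAK]:[8B43B058] RxClient, CSTP Data, recvd from (jmalone, 172.16.1.4)
"""
SESSION_RE = re.compile(r"\[(?P<sid>[0-9A-F]{8})\]")  # tunnel session handle, e.g. [8B43B058]
IP4_RE = re.compile(r"IP4 Len =\d+ Src =(?P<src>\S+) Dst =(?P<dst>\S+) Prot =(?P<prot>\d+)")
UDP_RE = re.compile(r"UDP sport=\d+, dport=(?P<dport>\d+)")
FAIL_RE = re.compile(r"Failed to fwd Pak (?P<pak>[0-9A-F]+) in interrupt path")
PUNT_RE = re.compile(r"Pak (?P<pak>[0-9A-F]+) punted")
RECV_RE = re.compile(r"recvd from \((?P<user>[^,]+), (?P<ip>[^)]+)\)")

def triage(log_text):
    """Per-session failures, punts, users and flows; returns (sessions, count of 'copied' messages)."""
    sessions = defaultdict(lambda: {"users": set(), "failed_fwd": set(), "punted": set(), "flows": set()})
    copied, sid, flow = 0, None, None
    for line in log_text.splitlines():
        if "Tunneled data packet was copied!" in line:
            copied += 1  # the message Ivan saw on every unanswered echo request
            continue
        if (m := SESSION_RE.search(line)):
            sid = m["sid"]  # lines without a handle belong to the most recent session
        if sid is None:
            continue
        rec = sessions[sid]
        if (m := IP4_RE.search(line)):
            flow = (m["src"], m["dst"], int(m["prot"]))  # completed by the UDP line that follows
        elif (m := UDP_RE.search(line)) and flow:
            rec["flows"].add(flow + (int(m["dport"]),))
        elif (m := FAIL_RE.search(line)):
            rec["failed_fwd"].add(m["pak"])
        elif (m := PUNT_RE.search(line)):
            rec["punted"].add(m["pak"])
        elif (m := RECV_RE.search(line)):
            rec["users"].add(m["user"])
    return dict(sessions), copied

def multicast_flows(sessions):  # flows to 224.0.0.0/4, worth checking apart from unicast tunnel traffic
    return {sid: sorted(f for f in rec["flows"] if ipaddress.ip_address(f[1]).is_multicast)
            for sid, rec in sessions.items()}
```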
06-29-2012 11:37 AM
Hello,
You may try to disable DTLS on the SSL VPN. In CCA it is under Configure -> Security -> SSL VPN settings; in the CLI it is 'no svc dtls' under the webvpn group policy.
HTH,
Alex
*Please rate helpful posts.
01-16-2014 09:29 AM
Hello Alexander,
First of all, I would like to confirm that disabling DTLS as you proposed definitely could solve the weird problem with WebVPN on a 2921 running IOS 15.3(3)M that I met this week.
Strange, because I found this thread on the forum by googling a phrase I saw in the debug webvpn output while pinging an internal host from the VPN client: "WV: Tunneled data packet was copied!" This message appeared each time I did not get a reply to an ICMP echo request.
So, the second thing: could you please explain what the root cause behind the scenes is that your advice solves?
And thank you very very much for your help! It's really priceless.
Best regards,
Ivan
06-29-2012 12:46 PM
Hi,
One thing I noticed is you don't have a virtual-template in your webvpn configuration. What version of IOS are you using? The virtual-template will be needed for this to work correctly.
For example:
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
Then your policy group would look like this:
policy group SDM_WEBVPN_POLICY_1
functions svc-enabled
svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
svc dns-server primary 192.168.2.1
svc dns-server secondary 192.168.2.50
virtual-template 1
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 20
inservice
Also, you mentioned that your outside address is mapped to 192.168.4.250:443. I just want to confirm that 192.168.4.250 is the IP address of an actual interface (real or virtual).
Let me know if adding the virtual-template helps.
Thanks,
Brandon
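The two configuration points raised in this thread (Alex's 'no svc dtls' workaround and Brandon's missing virtual-template) can be checked mechanically before a change window. The Python below is an added example, not Cisco tooling or anything from the thread: it parses a webvpn context from running-config text in an indentation-agnostic way (the config posted above lost its indentation) and reports both conditions. The keyword set that marks context-level lines and the sample config are assumptions modelled on the posted context.

```python
# Constructed sample mirroring the posted context, with the virtual-template
# and the 'no svc dtls' line both absent.
SAMPLE_CONFIG = """\
webvpn context SDM_WEBVPN_CONTEXT_1
 ssl authenticate verify all
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0
 default-group-policy SDM_WEBVPN_POLICY_1
 gateway SDM_WEBVPN_GATEWAY_1
 inservice
"""
# Assumed: a line starting with one of these ends a 'policy group' and belongs to the context itself.
CONTEXT_LEVEL = ("default-group-policy", "virtual-template", "aaa ", "gateway", "max-users", "inservice", "ssl ")

def parse_webvpn(config):
    """Return {context_name: {"lines": [context-level lines], "groups": {group_name: [lines]}}}."""
    contexts, ctx, grp = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("webvpn context "):
            ctx, grp = contexts.setdefault(line.split()[2], {"lines": [], "groups": {}}), None
        elif line.startswith("webvpn "):
            ctx = grp = None  # other top-level webvpn blocks (gateway, install) are out of scope
        elif ctx is None or line in ("", "!"):
            continue
        elif line.startswith("policy group "):
            grp = ctx["groups"].setdefault(line.split()[2], [])
        elif grp is not None and not line.startswith(CONTEXT_LEVEL):
            grp.append(line)
        else:
            grp = None
            ctx["lines"].append(line)
    return contexts

def lint(config):
    """List the conditions discussed in the thread; an empty list means none were found."""
    findings = []
    for name, ctx in parse_webvpn(config).items():
        if not any(l.startswith("virtual-template ") for l in ctx["lines"]):
            findings.append(f"context {name}: no virtual-template (Brandon's point above)")
        if "inservice" not in ctx["lines"]:
            findings.append(f"context {name}: not inservice")
        for gname, glines in ctx["groups"].items():
            if "functions svc-enabled" in glines and not any(l.startswith("svc address-pool") for l in glines):
                findings.append(f"policy group {gname}: svc-enabled but no svc address-pool")
            if "no svc dtls" not in glines:
                findings.append(f"policy group {gname}: DTLS not explicitly disabled (Alex's 'no svc dtls' workaround)")
    return findings
```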
07-02-2012 12:48 AM
Hi there,
Thank you, but I get this when I try to add the Virtual-Template. 192.168.4.250 is the VLAN 4 IP for the UC560.
%ERROR: Please make context out of service before applying VT.
Also, here is the version number:
Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(4)M4b, CIBU Special
Many thanks
Message was edited by: Dmitry
07-02-2012 08:00 AM
Hi Dmitry,
That means that you need to do 'no inservice' in the context before adding the virtual-template. Just make sure you put it back in service with 'inservice' after adding the virtual-template.
Example:
conf t
webvpn context SDM_WEBVPN_CONTEXT_1
no inservice
virtual-template 1
inservice
end
Let me know if that helps.
Thanks,
Brandon
07-02-2012 08:27 AM
Hi Brandon,
All sorted now. The problem was just down to the end user's router; I am not sure what exactly, but when we added Alternative TFTP it all worked.
Many thanks!
P.S. Please mark this as answered.
07-02-2012 08:46 AM
Hi,
That's good that it's now working. Enabling the Alternate TFTP and configuring TFTP Server 1 is needed so the phone knows where to go to get its config.
Regarding marking this as answered, I believe that is something you do.
Thanks,
Brandon