Anyconnect Phone VPN

deyster94
Level 5

I am working on configuring the Anyconnect Phone VPN for a client.  I have created a separate tunnel group and group policy for the phones as well.  For the CM part, I worked with one of our voice engineers to get that part configured.  However, when we try to connect a phone to the VPN, the authentication fails.  I did a debug and can see the following:

webvpn_allocate_auth_struct: net_handle = 0x00007ffecba268a0

webvpn_portal.c:webvpn_determine_primary_username[6136]

webvpn_portal.c:webvpn_determine_secondary_username[6204]

webvpn_portal.c:ewaFormServe_webvpn_login[2258]

webvpn_portal.c:http_webvpn_kill_cookie[1053]

webvpn_free_auth_struct: net_handle = 0x00007ffecba268a0

webvpn_allocate_auth_struct: net_handle = 0x00007ffecba268a0

webvpn_free_auth_struct: net_handle = 0x00007ffecba268a0

webvpn_allocate_auth_struct: net_handle = 0x00007ffecf386600

webvpn_portal.c:ewaFormSubmit_webvpn_login[3600]

webvpn_portal.c:webvpn_login_validate_net_handle[2514]

webvpn_portal.c:webvpn_login_allocate_auth_struct[2534]

webvpn_portal.c:webvpn_login_assign_app_next[2552]

webvpn_portal.c:webvpn_login_cookie_check[2569]

webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2626]

webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2660]

webvpn_login_transcend_cert_auth_cookie: tg_cookie = 0CISCO-PHONES, tg_name =

webvpn_portal.c:webvpn_login_set_tg_cookie_form[2722]

webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2774]

webvpn_portal.c:webvpn_login_resolve_tunnel_group[2847]

webvpn_login_resolve_tunnel_group: tgCookie = 0CISCO-PHONES

webvpn_login_resolve_tunnel_group: tunnel group name from url

webvpn_login_resolve_tunnel_group: TG_BUFFER = CISCO-PHONES

webvpn_portal.c:webvpn_login_negotiate_client_cert[2937]

webvpn_portal.c:webvpn_login_check_cert_status[3035]

webvpn_portal.c:webvpn_login_cert_only[3083]

webvpn_portal.c:webvpn_login_primary_username[3105]

webvpn_portal.c:webvpn_determine_primary_username[6136]

webvpn_portal.c:webvpn_determine_secondary_username[6204]

webvpn_portal.c:ewaFormServe_webvpn_login[2258]

webvpn_portal.c:http_webvpn_kill_cookie[1053]

webvpn_free_auth_struct: net_handle = 0x00007ffecf386600

webvpn_allocate_auth_struct: net_handle = 0x00007ffecf386600

webvpn_free_auth_struct: net_handle = 0x00007ffecf386600

I can see the phone trying to connect via the real time log view in ASDM, so it's trying to connect.  I am not sure why it's failing though.

TIA for any help.  If you need more information, just let me know.

Dan

Accepted Solutions

ErickBCCNA
Level 1

Hi deyster94

Are you licensed for "Anyconnect for Cisco VPN Phone"?

Did you load the certificate into Call Manager?

Did you load the certificate on the ASA?

Did you let the phone register once on the inside corporate network before you tried connecting to the VPN?

Do you have the tunnel group/group policy set for certificate authentication?

Erick,

Thanks for the reply and here are the answers:

Are you licensed for "Anyconnect for Cisco VPN Phone"? - Yes

Did you load the certificate into Call Manager? - Yes

Did you load the certificate on the ASA? - Yes

Did you let the phone register once on the inside corporate network before you tried connecting to the VPN? - Yes

Do you have the tunnel group/group policy set for certificate authentication? - No, crap. 

I changed the authentication to certificate and will have the client try tomorrow. 

I will let you know if that worked.

Dan

Hi

Apart from the link naresh gave you, you can also try the following:

https://supportforums.cisco.com/docs/DOC-9124

https://supportforums.cisco.com/docs/DOC-21469

And one important thing: certificates are very crucial when connecting VPN phones to an ASA. If you are using a self-signed certificate, then make sure you have the same on the Call Manager and you have the Call Manager certificate on the ASA.

If you are using a third-party certificate, maybe from a public or an internal CA, it should be bound on the outside interface.

Thanks

Jeet Kumar

deyster94
Level 5

Erick, it worked this morning.  Thanks for the help.

You're welcome!
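
The fix confirmed in this thread was switching the phone tunnel group to certificate authentication. As an added example (not posted by anyone in the thread), the ASA configuration before and after might look like this; CISCO-PHONES is the tunnel group name from the debug output, every name in angle brackets is a placeholder, and the "before" state is assumed to be the ASA default.

```cisco
! Added example, not configuration taken from the thread.
! CISCO-PHONES comes from the debug output; <...> values are placeholders.

! --- Before (assumed) -------------------------------------------------
! With no "authentication" line under webvpn-attributes, the ASA default
! (aaa) applies, so the ASA expects username/password credentials and
! serves the login form instead of accepting the phone's certificate.
tunnel-group CISCO-PHONES type remote-access
tunnel-group CISCO-PHONES general-attributes
 default-group-policy <PHONE-GROUP-POLICY>
tunnel-group CISCO-PHONES webvpn-attributes
 group-url https://<asa-outside-fqdn>/<phone-url> enable

! --- After ------------------------------------------------------------
! Certificate-only authentication for the phone tunnel group.
tunnel-group CISCO-PHONES webvpn-attributes
 authentication certificate
 group-url https://<asa-outside-fqdn>/<phone-url> enable

! Identity certificate the ASA presents to the phones, bound to the
! outside interface (the same certificate is loaded into Call Manager).
ssl trust-point <ASA-IDENTITY-TRUSTPOINT> outside

! --- Verify -----------------------------------------------------------
! Confirm the tunnel group now shows "authentication certificate".
show running-config tunnel-group CISCO-PHONES
! Confirm which trustpoint is bound to the outside interface.
show running-config ssl
```

Keeping certificate authentication on a dedicated tunnel group, as done here, leaves the authentication method of the other AnyConnect user profiles unchanged.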
