04-24-2012 01:40 AM
Hello,
I've got a C2901SEC/K9 and an SSL-VPN licence. I've got a problem with connecting to SSL-VPN from an iPad via AnyConnect Secure Mobility Client 2.5.5112. In the log I've got this message:
Apr 24 2012 10:27:55.563: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56562
It looks like the context is unknown??? It's strange because sh webvpn context returns:
WABAGRTGW001#sh webvpn context
Context Name: SSL_USER
Admin Status: up
Operation Status: up
Error and Event Logging: Enabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: SSL_POL
Associated WebVPN Gateway: SSL_GW
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10
NAT Address not configured
VRF Name not configured
Virtual Template: 10
Virtual Access : 2
If I try to log in via a browser, I get the SSL-VPN login page.
VPN config
WABAGRTGW001#srs webvpn
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 2
crypto vpn csd flash0:/webvpn/sdesktop.pkg
webvpn gateway SSL_GW
 ip interface GigabitEthernet0/0 port 443
 http-redirect port 80
 ssl trustpoint local
 logging enable
 inservice
!
webvpn context SSL_USER
 title "Centrum Medyczne MML SSL-VPN"
 login-photo file flash:/webvpn/mml_o-nas01.jpg
 logo file flash:/webvpn/logo.jpg
 secondary-color white
 title-color #6060FF
 text-color black
 login-message "Authorized users only!"
 !
 policy group SSL_POL
  functions svc-enabled
  timeout idle 600
  timeout session 43200
  svc dns-server primary 10.1.1.81
  svc wins-server primary 10.1.1.81
 virtual-template 10
 default-group-policy SSL_POL
 aaa authentication list default
 gateway SSL_GW
 max-users 10
 logging enable
 !
 ssl authenticate verify all
 !
 url rewrite
  unmatched-action redirect
 inservice
For me it's confusing. It worked before the IOS upgrade. Currently I'm using:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T, RELEASE SOFTWARE (fc1)
Thanks for help
Marcin
04-24-2012 07:28 AM
Marcin,
AnyConnect from mobile devices to an IOS headend (unlike ASA) is not something that Cisco supports (yet). Some people have reported it to work, but we have never claimed that it would.
We're tracking this under the following enhancement request:
You can get in touch with your account team to discuss this; for now it's due for March 2013 (tentative).
M.
04-24-2012 10:46 AM
Hello,
Yes, I found that. BTW, in IOS 15.2(1)T1, Apple's devices are working fine.
BR,
MK