
C2901, SSL_VPN and iPad/iPhone problem

mkrajewski
Level 1
Hello,

I've got a C2901SEC/K9 and an SSL-VPN licence. I've got a problem connecting to the SSL-VPN from an iPad via AnyConnect Secure Mobility Client 2.5.5112. In the log I've got this message:

Apr 24 2012 10:27:55.563: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56562

It looks like context is unknown??? It's strange because sh webvpn context returns:

WABAGRTGW001#sh webvpn context
Context Name: SSL_USER
Admin Status: up
Operation Status: up
Error and Event Logging: Enabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: SSL_POL
Associated WebVPN Gateway: SSL_GW
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10
NAT Address not configured
VRF Name not configured
Virtual Template: 10
Virtual Access  : 2

If I try to log in via a browser, I get the SSL-VPN login page.

VPN config:

WABAGRTGW001#srs webvpn
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 2
crypto vpn csd flash0:/webvpn/sdesktop.pkg
webvpn gateway SSL_GW
 ip interface GigabitEthernet0/0 port 443
 http-redirect port 80
 ssl trustpoint local
 logging enable
 inservice
 !
webvpn context SSL_USER
 title "Centrum Medyczne MML SSL-VPN"
 login-photo file flash:/webvpn/mml_o-nas01.jpg
 logo file flash:/webvpn/logo.jpg
 secondary-color white
 title-color #6060FF
 text-color black
 login-message "Authorized users only!"
 !
 policy group SSL_POL
   functions svc-enabled
   timeout idle 600
   timeout session 43200
   svc dns-server primary 10.1.1.81
   svc wins-server primary 10.1.1.81
 virtual-template 10
 default-group-policy SSL_POL
 aaa authentication list default
 gateway SSL_GW
 max-users 10
 logging enable
 !
 ssl authenticate verify all
 !
 url rewrite
   unmatched-action redirect
 inservice

For me it's confusing. It worked before the IOS upgrade. Currently I'm using:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T, RELEASE SOFTWARE (fc1)

Thanks for help

Marcin

2 Replies

Marcin Latosiewicz
Cisco Employee
Marcin,

AnyConnect from mobile devices to an IOS headend (unlike ASA) is not something that Cisco supports (yet). Some people have reported it to work, but we have never claimed that it would.

We're tracking this under the following enhancement request:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx24822

You can get in touch with your account team to discuss this; for now it's due for March 2013 (tentative).

M.

Hello,

Yes, I found that. BTW, in IOS 15.2(1)T1, Apple's devices are working fine.

BR,

MK