Cisco Support Community

IOS Clientless WebVPN not working

Hi all,

I'm having trouble getting this working....maybe someone could point out where I am going wrong.

Basically, I have a 1841 running c1841-advsecurityk9-mz.124-24.T7

The idea is to have both the AnyConnect (client) SSLVPN and the Clientless WebVPN working from the same router.

I have configured the router as per below....and the AnyConnect side of things works absolutely fine but the Clientless WebVPN won't work at all i.e. I don't even get the login web page up........any help will be greatly appreciated. Thanks

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TEST
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-24.T7.bin
boot-end-marker
!
security authentication failure rate 4 log
security passwords min-length 9
logging message-counter syslog
logging buffered 9999
no logging console
enable secret TEST
!
aaa new-model
!
!

aaa authentication login CONSOLE local-case
aaa authentication login VTY local-case
aaa authentication login SSLVPN-AUTH group radius
aaa authentication login WEBVPN-AUTH group radius
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
dot11 syslog
no ip source-route
!
!
!
!        
ip cef
no ip bootp server
no ip domain lookup
ip domain name www.local
login block-for 17 attempts 4 within 28
login delay 2
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint LOCAL

!
crypto pki certificate chain LOCAL
certificate self-signed 01
        quit
!
!
memory reserve critical 1000
memory free low-watermark processor 20000
archive
log config
  hidekeys
!
!
!
!
!
ip ssh time-out 9
ip ssh logging events
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description ## NOT IN USE ##
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
  ip address 2.2.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip unnumbered Loopback0
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password TEST
!
ip local pool SSLVPN-POOL 3.3.3.1 3.3.3.62
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.1.2.0 255.255.248.0 2.2.2.2
ip route 10.1.2.0 255.255.255.0 2.2.2.2
ip route 10.1.2.128 255.255.255.192 2.2.2.2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 3600 requests 2500
!
!
!
ip access-list extended BOSS

permit tcp host 10.1.2.229 host 0.0.0.0 eq 22 log-input
deny   ip any any log-input
ip access-list extended NAT
permit ip any any
!
ip radius source-interface FastEthernet0/1
no cdp run

!
!
!
!
radius-server host 10.1.2.29 auth-port 1812 acct-port 1813 key TEST
!
control-plane
!       

line con 0
exec-timeout 9 0
logging synchronous
login authentication CONSOLE
line aux 0
exec-timeout 1 0
logging synchronous
no exec
line vty 0 4
access-class BOSS in
exec-timeout 9 0
privilege level 15
logging synchronous
login authentication VTY
transport input ssh
line vty 5 15
access-class BOSS in
exec-timeout 9 0
privilege level 15
logging synchronous
login authentication VTY
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
process cpu statistics limit entry-percentage 40 size 300
!
webvpn gateway ANYCONNECT_GATEWAY
ip address 1.1.1.1 port 443 
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint LOCAL
inservice
!
webvpn gateway WEBVPN_GATEWAY
ip address 1.1.1.1 port 4443
ssl trustpoint LOCAL
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
!
webvpn context ANYCONNECT-CONTEXT
title "TITLE"
login-photo file flash:/PHOTO.jpg
logo file flash:/PIC.gif
color blue
secondary-color #9ABEDC
ssl encryption rc4-md5
ssl authenticate verify all
!
login-message "AnyConnect VPN Service"
!
policy group ANYCONNECT-POLICY
   functions svc-required
   svc address-pool "SSLVPN-POOL"
   svc keep-client-installed
   svc homepage "http://www.TEST.uk/"
   svc split include 10.1.2.0 255.255.248.0
   svc split include 10.1.2.128 255.255.255.192
   svc split include 10.1.2.0 255.255.255.0
default-group-policy ANYCONNECT-POLICY
aaa authentication list SSLVPN-AUTH
gateway ANYCONNECT_GATEWAY
max-users 50
inservice
!
!
webvpn context WEBVPN
title "TEST"
login-photo file flash:/PHOTO.jpg
logo file flash:/PIC.gif
color blue
secondary-color #9ABEDC
ssl authenticate verify all
!
url-list "MY-URLS"
   heading "Important Links"
   url-text "Switch" url-value "http://10.1.2.2"
!
!
policy group WEBVPN-POLICY
   url-list "MY-URLS"
default-group-policy WEBVPN-POLICY
gateway WEBVPN_GATEWAY
max-users 2
inservice
!
end

sh webvpn gateway  

Gateway Name                       Admin  Operation
------------                       -----  ---------
ANYCONNECT_GATEWAY                 up     up
WEBVPN_GATEWAY                     up     up

Just noticed something: if I put the ANYCONNECT_GATEWAY on port 4443 and the WEBVPN_GATEWAY on port 443 (so basically swap the ports around) then the Clientless WebVPN starts working but the AnyConnect stops working.....so it seems that, somehow, the WebVPN side of things will only work on port 443??? However, it should work on whichever port I choose to put the service on??
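
A way to cross-check the posted configuration offline, as an added example that is not part of the original post: this Python sketch lists, for each webvpn context, the address and port its gateway listens on and the AAA login list it references, and reports AAA login lists that no context uses. The `CONFIG` string is a constructed excerpt of the lines above, and the function name `summarize` is hypothetical.

```python
import re

# Constructed excerpt of the configuration posted above (only the lines this check reads).
CONFIG = """\
aaa authentication login SSLVPN-AUTH group radius
aaa authentication login WEBVPN-AUTH group radius
webvpn gateway ANYCONNECT_GATEWAY
ip address 1.1.1.1 port 443
webvpn gateway WEBVPN_GATEWAY
ip address 1.1.1.1 port 4443
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context ANYCONNECT-CONTEXT
aaa authentication list SSLVPN-AUTH
gateway ANYCONNECT_GATEWAY
webvpn context WEBVPN
gateway WEBVPN_GATEWAY
"""

def summarize(config):
    """Return ({context: {listen, aaa}}, [AAA login lists no webvpn context references])."""
    aaa_lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    gateways, contexts, current = {}, {}, None
    # Lines are stripped because pasted configs often lose their indentation.
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"webvpn (gateway|context) (\S+)$", line):
            table = gateways if m[1] == "gateway" else contexts
            current = table.setdefault(m[2], {})
        elif line.startswith("webvpn "):
            current = None  # another global webvpn command ends the stanza
        elif current is not None:
            if m := re.match(r"ip address (\S+) port (\d+)", line):
                current["listen"] = (m[1], int(m[2]))
            elif m := re.match(r"aaa authentication list (\S+)", line):
                current["aaa"] = m[1]
            elif m := re.match(r"gateway (\S+)", line):
                current["gateway"] = m[1]
    report = {}
    for name, ctx in contexts.items():
        gw = gateways.get(ctx.get("gateway"), {})
        report[name] = {"listen": gw.get("listen"), "aaa": ctx.get("aaa")}
    used = {c["aaa"] for c in report.values() if c["aaa"]}
    return report, sorted(aaa_lists - used)

if __name__ == "__main__":
    contexts, unreferenced = summarize(CONFIG)
    for name, info in contexts.items():
        print(name, info)
    print("AAA login lists not referenced by any webvpn context:", unreferenced)
```

Run against the full running configuration, the second return value also includes login lists used only by the console and VTY lines, since the check looks at webvpn contexts alone.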
