I have created an SSL VPN on a 1841 router. When I enter the IP address of the router in the browser, I get prompted to enter a username and password. I get logged in; however, the SSL VPN Client does not download to the client. Does anyone know what can be missing? I really appreciate your help.
I did an implementation of AnyConnect on an ISR 1841 last week. I almost cried...
First of all, please check the IOS and other requirements.
You have to choose T train, IOS 12.4(6) T or higher.
If these are satisfied, then you have to put the pkg file of AnyConnect on the router in advance so it can be downloaded.
Also check the number of max-users, "max-users 10" for 1841.
If you can post the configuration or describe the situation in detail,
I think I could be of help (or other experts who know more).
The link that you provided was the first doc that I used. However, I had to change the version of Java that I had for CCP to work. Then CCP would stop working in the middle of the process. So I then changed back to using my SDM. What version of Java do you have?
Version 6 Update 17. The only issue I really ran into was getting the SSLVPN package on the router, since I did it over the internet. What I did was simply tftp it to the router, then do the install with CCP. I find the CCP a lot cleaner and easier to use than the SDM, but I do wish it could be done from the command line more easily. Unfortunately, Cisco's documentation seems to use the GUI a lot these days. Also make sure you have 12.4(24)T; it's very important to have one of the new IOS versions, as the standalone won't even run on the older IOS versions.
Here is the final config on the 1841
aaa authentication login ciscocp_vpn_xauth_ml_1 local
crypto pki trustpoint TP-self-signed-2208354296
crypto pki certificate chain TP-self-signed-2208354296
 certificate self-signed 01
ip local pool SSLVPNPOOL 172.16.3.1 172.16.3.254
ip http server
ip http authentication local
webvpn gateway gateway_1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-2208354296
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
webvpn context lansslvpn
 ssl authenticate verify all
 policy group policy_1
  svc address-pool "SSLVPNPOOL"
  svc split include x.x.x.x 255.255.255.0
  svc dns-server primary x.x.x.x
 aaa authentication list ciscocp_vpn_xauth_ml_1
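Added example (not part of any post in this thread, and not Cisco code): a small Python check that runs the prerequisites named in the replies above (T-train IOS version, an installed svc package, a max-users line) against a saved config, and also verifies that every pool, trustpoint and AAA list the webvpn sections refer to is actually defined. The function names and the finding texts are made up for this illustration.

```python
import re

MIN_T = (12, 4, 6)  # thread advice: T train, 12.4(6)T or higher

def ios_version_ok(version):
    """True for a T-train release at or above 12.4(6)T, e.g. '12.4(24)T'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)\s*([A-Za-z]*)\d*", version.strip())
    if not m:
        return False
    return m[4].upper() == "T" and tuple(map(int, m.group(1, 2, 3))) >= MIN_T

def check_config(cfg):
    """Return findings for a saved running-config given as plain text."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    def find(pattern):
        return [m.group(1) for l in lines if (m := re.match(pattern, l))]
    findings = []
    if not find(r"webvpn install svc (\S+)"):
        findings.append("no 'webvpn install svc' package line")
    if not find(r"max-users (\d+)"):
        findings.append("no 'max-users' line")
    # Every name a webvpn section refers to must be defined elsewhere.
    refs = [
        ("svc address-pool", r'svc address-pool "?([^"\s]+)', r"ip local pool (\S+)"),
        ("ssl trustpoint", r"ssl trustpoint (\S+)", r"crypto pki trustpoint (\S+)"),
        ("aaa authentication list", r"aaa authentication list (\S+)",
         r"aaa authentication login (\S+)"),
    ]
    for label, use_pat, def_pat in refs:
        defined = set(find(def_pat))
        for name in find(use_pat):
            if name not in defined:
                findings.append(f"{label} {name} is not defined")
    return findings

# Sample: webvpn-related lines of the config posted above (certificate body left out).
SAMPLE = """\
aaa authentication login ciscocp_vpn_xauth_ml_1 local
crypto pki trustpoint TP-self-signed-2208354296
ip local pool SSLVPNPOOL 172.16.3.1 172.16.3.254
webvpn gateway gateway_1
 ssl trustpoint TP-self-signed-2208354296
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
webvpn context lansslvpn
 policy group policy_1
  svc address-pool "SSLVPNPOOL"
 aaa authentication list ciscocp_vpn_xauth_ml_1
"""
print(ios_version_ok("12.4(24)T"), check_config(SAMPLE))
```

On the posted config the only finding is the absent max-users line, which may simply have been left out of the paste.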
Okay guys. I made some changes. I actually had a recent IOS version, 12.4(24) T. Now when I log on I get the following error: "The installer was not able to start the Cisco SSL VPN Client. Please contact your IT administrator for more information." I have attached the configs. Thanks again for your assistance.
"no ip http secure-server" via command line and test; maybe the router's trying to respond to the CP on the outside instead of pushing it to the AnyConnect.
I tried that but it did not work. However, in my browser I get a red X saying Certificate Error. Is there a way I can regenerate the cert?
You could try rebuilding it: remove the key manually, then enable the https; it should automatically rebuild the cert, I think. Then no out the https again. I might try downloading the stand-alone version of the VPN client from Cisco's site with a valid COO and see if you get the same error, or even try it on another PC to rule out browser errors.
I used SDM to configure it because CCP did not work correctly.
With SDM, you can delete and rebuild the SSL's Self-Signed Certificate in VPN menu.
→ Please reload!
And this might sound like a "cheat" or a "bug", but in my case,
modifying and creating additional remote access group profile, name and DHCP pool and so on,
changed the situation like you and it worked fine finally.
(I could not choose the latest IOS as Flash does not have enough space.)
I will try your suggestion. The install actually goes all the way through, but of course we get a few messages about the cert. So this weekend I will recreate the profile etc. and also try another IOS version remotely. I should be able to get this working by Monday. I am really close, I can actually taste it. The SSL VPN is an alternative solution for my remote users. They all currently use IPSec through the VPN concentrator. Thanks everyone for all your help. I really do appreciate this.