[c-nsp] AnyConnect/WebVPN issues with IOS

Atle Ørn Hardarson atle.hardarson at gmail.com
Thu Mar 18 06:09:36 EDT 2010


Hello

I am having some weird issues with webvpn/anyconnect, please find the
relevant information below:

## Symptoms:

- AnyConnect Client prompts users with the following error:

"The secure gateway has rejected the agent's VPN connect or reconnect
request. A new connection requires re-authentication and must be
started manually. Please contact your network administrator if this
problem persists."


## Debug:

Mar  5 13:09:45:
Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
Mar  5 13:09:45: WV-TUNL: Allocating stc_config
Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45:
Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL:      Severity ERROR Type USER_LOGOUT
WV-TUNL:      Text: HTTP response contained an HTTP error code.
Mar  5 13:09:45: WV-TUNL: Call user logout function
Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)


## When the error occurs, the "SVCIP install TCP failed" counter increments:

VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
[snip]


## IOS Version Details:

Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"


## Note that the error has also occurred in previous IOS versions,
specifically in 12.4(24)T1; an upgrade to 15.0(1)M1 didn't help.
## The router also runs IPSEC remote access VPN in addition to the
webvpn/anyconnect scheme.

Config:

webvpn context CUSTOMER-VPN
title "SSL VPN for Customer"
ssl authenticate verify all
!
login-message "Enter username and passcode"
!
policy group CUSTOMER-VPN
   functions svc-required
   svc keep-client-installed
   svc split include 10.1.16.0 255.255.240.0
   svc split include 10.1.2.0 255.255.254.0 vrf-name CUSTOMER-VPN
default-group-policy CUSTOMER-VPN
aaa authentication list AAA-LIST
aaa authentication auto
aaa accounting list AAA-LIST
gateway vpn virtual-host customer.xx.com
logging enable
inservice

## The error happens sporadically, at least once a week, and on
different contexts. Does anyone have any clue on what can cause this
issue? Any help is appreciated!

## The current workaround for when the context "hangs" is to do a "no
inservice", "inservice", but this is not a proper solution to the
problem. It happens to several contexts, but not all. And it happens
about twice a week.


Regards,
Atle Hardarson
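The post above ties the AnyConnect failure to two observable signals: the "Tunnel entry create failed" / "Failed to install ... to TCP" pair in the WV-TUNL debug, and the "SVCIP install TCP failed" counter in "show webvpn stats detail". The following is an added example (not code from the original post or from Cisco) showing how an operator could turn those signals into a per-context check, so the "no inservice / inservice" workaround can at least be triggered deliberately instead of discovered after users complain. It assumes the two "show webvpn stats detail context <name>" snapshots and the debug text are collected from the router by some external means (scheduled show commands, syslog); the sample texts below are constructed from the shape of the output in the post, and the "after" snapshot is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: Tunnel Statistics block from
# "show webvpn stats detail context CUSTOMER-VPN" (same shape as in the post).
SAMPLE_STATS_BEFORE = """\
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
"""

# Hypothetical later snapshot: one more failed connect, one more TCP install failure.
SAMPLE_STATS_AFTER = SAMPLE_STATS_BEFORE.replace(
    "SVCIP install TCP failed : 5", "SVCIP install TCP failed : 6"
).replace("Connect failed           : 5", "Connect failed           : 6")

# Constructed sample of the relevant WV-TUNL debug lines (values as in the post).
SAMPLE_DEBUG = """\
Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL:      Severity ERROR Type USER_LOGOUT
Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
"""

# "<label> : <value>" pairs; a stats line may carry two of them side by side.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")
CREATE_FAILED_RE = re.compile(
    r"Tunnel entry create failed:IP=\s*(\S+)\s+vrf=(\d+)\s+session=(0x[0-9A-Fa-f]+)")
TCP_INSTALL_RE = re.compile(r"Failed to install \(addr (\S+), table_id (\d+)\) to TCP")
CSTP_USER_RE = re.compile(r"CSTP Message frame received from user (\S+) \((\S+)\)")


@dataclass
class TunnelFailure:
    ip: str
    vrf: int
    session: str
    tcp_install_failed: bool = False
    user: Optional[str] = None


def parse_tunnel_stats(text: str) -> Dict[str, int]:
    """Return the integer counters of a Tunnel Statistics block keyed by label.
    Non-integer values such as 'Peak time : 19:09:04' are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():          # line by line, so a trailing
        for label, value in COUNTER_RE.findall(line):  # 'Tunnel Statistics:' never
            try:                                        # swallows the next label
                counters[label.strip()] = int(value)
            except ValueError:
                continue
    return counters


def parse_tunnel_failures(debug_text: str) -> List[TunnelFailure]:
    """Correlate the create-failed, TCP-install-failed and CSTP user lines by client IP."""
    failures: List[TunnelFailure] = []
    by_ip: Dict[str, TunnelFailure] = {}
    for line in debug_text.splitlines():
        m = CREATE_FAILED_RE.search(line)
        if m:
            f = TunnelFailure(ip=m.group(1), vrf=int(m.group(2)), session=m.group(3))
            failures.append(f)
            by_ip[f.ip] = f
            continue
        m = TCP_INSTALL_RE.search(line)
        if m and m.group(1) in by_ip:
            by_ip[m.group(1)].tcp_install_failed = True
            continue
        m = CSTP_USER_RE.search(line)
        if m and m.group(2) in by_ip:
            by_ip[m.group(2)].user = m.group(1)
    return failures


def assess_context(context: str, stats_before: str, stats_after: str, debug_text: str) -> dict:
    """Flag a webvpn context when 'SVCIP install TCP failed' grew between two
    snapshots, and list the clients the debug shows being refused."""
    key = "SVCIP install TCP failed"
    delta = parse_tunnel_stats(stats_after).get(key, 0) - parse_tunnel_stats(stats_before).get(key, 0)
    refused = [f for f in parse_tunnel_failures(debug_text) if f.tcp_install_failed]
    return {
        "context": context,
        "tcp_install_failed_delta": delta,
        "suspect": delta > 0,
        "affected": [(f.user, f.ip, f.vrf) for f in refused],
    }


if __name__ == "__main__":
    print(assess_context("CUSTOMER-VPN", SAMPLE_STATS_BEFORE, SAMPLE_STATS_AFTER, SAMPLE_DEBUG))
```

Comparing two snapshots rather than looking at the absolute counter matters because the failed counter never resets while the context stays in service; what indicates a fresh "hang" is the increment, ideally with no matching growth in "SVCIP install TCP succeed". The debug correlation is only for confirming which user and VRF were affected, since the WV-TUNL debug is too chatty to leave enabled permanently.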

