[c-nsp] AnyConnect/WebVPN issues with IOS

Atle Ørn Hardarson atle.hardarson at gmail.com
Thu Mar 18 09:10:56 EDT 2010


Hello

Yes, the outside interface HSRP address is the same as used in the
webvpn gateway global address:

webvpn gateway vpn
 hostname vpn.xx.no
 ip address 9.9.9.9 port 443
 ssl trustpoint CA
 inservice
!
!
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.248
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 standby 1 ip 9.9.9.9
 standby 1 timers 1 4
 standby 1 preempt
 standby 1 name IPSEC-HA
 crypto map RASVPN redundancy IPSEC-HA stateful


Regards
Atle Hardarson

On Thu, Mar 18, 2010 at 2:01 PM, Brian Schultz <bms314 at gmail.com> wrote:
> Is your webvpn gateway using the same IP address as your outside
> interface?  I had a similar problem when I tried using a different IP
> for webvpn than what was configured on my outside int.
>
> Brian
>
>
> On 3/18/10, Atle Ørn Hardarson <atle.hardarson at gmail.com> wrote:
>> Hello
>>
>> I am having some weird issues with webvpn/anyconnect, please find the
>> relevant information below:
>>
>> ## Symptoms:
>>
>> - AnyConnect Client prompts users with the following error:
>>
>> "The secure gateway has rejected the agent's VPN connect or reconnect
>> request. A new connection requires re-authentication and must be
>> started manually. Please contact your network administrator if this
>> problem persists."
>>
>>
>> ## Debug:
>>
>> Mar  5 13:09:45:
>> Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
>> Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
>> Mar  5 13:09:45: WV-TUNL: Allocating stc_config
>> Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
>> Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
>> Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
>> Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
>> Mar  5 13:09:45:
>> Mar  5 13:09:45:
>> Mar  5 13:09:45:
>> Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
>> Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
>> Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
>> Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
>> WV-TUNL:      Severity ERROR Type USER_LOGOUT
>> WV-TUNL:      Text: HTTP response contained an HTTP error code.
>> Mar  5 13:09:45: WV-TUNL: Call user logout function
>> Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
>>
>>
>> ## When the error occurs, the "SVCIP install TCP failed" counter increments:
>>
>> VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN [snip]
>> Tunnel Statistics:
>>     Active connections       : 1
>>     Peak connections         : 3          Peak time                : 19:09:04
>>     Connect succeed          : 9          Connect failed           : 5
>>     Reconnect succeed        : 0          Reconnect failed         : 0
>>     SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
>>     SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
>>     SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
>>     DPD timeout              : 0
>> [snip]
>>
>>
>> ## IOS Version Details:
>>
>> Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
>> System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
>>
>>
>> ## Note that the error also has occurred in previous IOS versions,
>> specifically in 12.4(24)T1; an upgrade to 15.0(1)M1 didn't help.
>> ## The router also runs IPSEC remote access VPN in addition to the
>> webvpn/anyconnect scheme.
>>
>> Config:
>>
>> webvpn context CUSTOMER-VPN
>>  title "SSL VPN for Customer"
>>  ssl authenticate verify all
>>  !
>>  login-message "Enter username and passcode"
>>  !
>>  policy group CUSTOMER-VPN
>>    functions svc-required
>>    svc keep-client-installed
>>    svc split include 10.1.16.0 255.255.240.0
>>    svc split include 10.1.2.0 255.255.254.0 vrf-name CUSTOMER-VPN
>>  default-group-policy CUSTOMER-VPN
>>  aaa authentication list AAA-LIST
>>  aaa authentication auto
>>  aaa accounting list AAA-LIST
>>  gateway vpn virtual-host customer.xx.com
>>  logging enable
>>  inservice
>>
>> ## The error happens sporadically, at least once a week, and on
>> different contexts. Does anyone have any clue on what can cause this
>> issue? Any help is appreciated!
>>
>> ## The current workaround for when the context "hangs", is to do a "no
>> inservice", "inservice", but this is not a proper solution to the
>> problem. It happens to several contexts, but not all. And it happens
>> about twice a week.
>>
>>
>> Regards,
>> Atle Hardarson
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> --
> Sent from my mobile device
>
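Since the thread ties the hung context to the "SVCIP install TCP failed" counter in `show webvpn stats detail`, an operator polling that output can spot the condition before users see the AnyConnect error. The following is an added example, not code from the thread: it parses the two-column Tunnel Statistics block quoted above and reports which "... failed" counters grew between two polls. The earlier sample is constructed; the later one is the output from the thread.

```python
"""Parse 'show webvpn stats detail context <name>' Tunnel Statistics and
flag failure counters that increased between two polls (added example)."""
import re

# Each line carries one or two "<name> : <value>" pairs; names are words
# separated by single spaces, padded with runs of spaces before the colon.
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_webvpn_stats(text):
    """Return {counter_name: value}. Numeric values become int; others
    (e.g. 'Peak time') stay strings. Parsed line by line so the bare
    'Tunnel Statistics:' header does not swallow the next line's key."""
    stats = {}
    for line in text.splitlines():
        for key, value in _PAIR.findall(line):
            stats[key.strip()] = int(value) if value.isdigit() else value
    return stats


def failed_counter_increments(prev_text, curr_text):
    """Return {counter: increase} for every '... failed' counter that grew
    between two polls; an empty dict means nothing new failed."""
    prev = parse_webvpn_stats(prev_text)
    curr = parse_webvpn_stats(curr_text)
    return {
        name: value - prev.get(name, 0)
        for name, value in curr.items()
        if name.endswith("failed") and isinstance(value, int)
        and value > prev.get(name, 0)
    }


# Constructed earlier poll (nothing failing yet in this interval).
EARLIER = """\
Tunnel Statistics:
    Active connections       : 2
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 8          Connect failed           : 4
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 12         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 14         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 8          SVCIP install TCP failed : 4
    DPD timeout              : 0
"""

# Later poll: the block as quoted in the thread.
CURRENT = """\
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 3          Peak time                : 19:09:04
    Connect succeed          : 9          Connect failed           : 5
    Reconnect succeed        : 0          Reconnect failed         : 0
    SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0
    SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0
    SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5
    DPD timeout              : 0
"""

if __name__ == "__main__":
    print(failed_counter_increments(EARLIER, CURRENT))
```

Any growth in "SVCIP install TCP failed" between polls is the signal to inspect that context (and, per the thread, the one that precedes the bounce workaround).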


