[c-nsp] WebVPN Issue
Antonio Soares
amsoares at netcabo.pt
Fri Mar 26 06:19:32 EDT 2010
For those interested, here's the bug I have for this issue:
++++++++++++++++++++++++++++
CSCtf53013 Bug Details
SSLVPN-VIF route deleted if new session attempted with same client IP
Symptom:
If a user attempts to open a second AnyConnect SSLVPN session on the same IOS head-end and the AAA server assigns the same IP to
that user, the second session will fail as expected but it will also unexpectedly remove the route injected for the first session.
Conditions:
AnyConnect SSLVPN on IOS configured to use IP address assigned by AAA server.
AAA server assigning the same IP twice.
Workaround:
Allow only 1 session per-user on the AAA server or make sure that the AAA server never sends the same framed-ip-address for 2
concurrent sessions.
++++++++++++++++++++++++++++
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of Antonio Soares
Sent: Thursday, 11 February 2010 1:14
To: 'Tyson Scott'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue
Tyson,
TAC SR in progress. I will let you know what they will call this :)
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Thursday, 11 February 2010 0:11
To: 'Antonio Soares'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue
Antonio,
It would be plausible that you could open a case with Cisco and call it a
bug, or a feature enhancement, that if there is an IP conflict that it
disconnects both sessions or refuses/ignores the radius attribute if it
conflicts with an existing session; or gives an error message, but I
wouldn't necessarily call that a bug. Typically I would classify a bug as a
feature that does not operate as it should within normal conditions or
expected error states. But that may be just me.
More it sounds like a basic rule is being broken (assigning duplicate IPs)
and adverse effects are happening from it. Currently there may not be an
error check to handle the error state as you would hope.
Please don't take offense, I can see myself making the same mistake, but a
networking rule 101 is being broken and sometimes you will have strange
results from such. Much like spanning-tree loops or duplicate IPs on the
network. Sometimes it takes intervention to fix the basic problems.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt]
Sent: Wednesday, February 10, 2010 6:06 PM
To: 'Tyson Scott'; 'Roman Rodichev'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue
The session of the 1st user remains up and the VPN routes are there. But in
the router the route back to the user is removed. So from the user's
perspective, connectivity is broken and he doesn't have an idea why.
Clearly a bug, don't you think?
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com]
Sent: Wednesday, 10 February 2010 22:33
To: 'Roman Rodichev'; 'Antonio Soares'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue
Actually it makes sense. You have duplicate IPs and the router needs to
decide which one is valid, which often will cause a network interrupt.
Although it doesn't allow the second connection it is terminating the first
to process to make a decision about the conflict. At least that is what I
interpret what you are seeing to be.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of
Roman Rodichev
Sent: Wednesday, February 10, 2010 12:28 PM
To: Antonio Soares
Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
Subject: Re: WebVPN Issue
Probably just a "feature" :)
Sent from my iPhone
On Feb 10, 2010, at 11:24 AM, "Antonio Soares" <amsoares at netcabo.pt>
wrote:
> Yes, it works fine with local pool. In this case, the AC client gets
> a message saying "no address assigned".
>
> I was able to reproduce the problem in the meanwhile. It makes sense
> that the 2nd user is not able to establish the session but it
> doesn't make sense that the 1st loses his connection.
>
> This seems a bug to me.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Roman Rodichev [mailto:romangs at iementor.com]
> Sent: Wednesday, 10 February 2010 17:03
> To: Antonio Soares
> Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
> Subject: Re: WebVPN Issue
>
> So that might be the problem. How can you assign a different IP from
> RADIUS for concurrent logins?
>
> It should work with local pool
>
> Sent from my iPhone
>
> On Feb 10, 2010, at 10:14 AM, "Antonio Soares" <amsoares at netcabo.pt>
> wrote:
>
>> Thank you both for your inputs. I still cannot share the config
>> since I saw this in a production network and I'm still trying to
>> reproduce it in the lab.
>>
>> But the "debug ip routing" says it all:
>>
>> 1) When user X connects, he gets ip=10.10.10.166
>>
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>>
>> 2) When another user tries the connection with the same user X:
>>
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>>
>> So the router deletes the route, adds it and removes it again. This
>> explains the loss of connectivity.
>>
>> We have radius authentication and the radius server assigns a pre-
>> defined ip to each user. So when the radius server sends the same
>> ip, it seems the router gets confused.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> -----Original Message-----
>> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf
>> Of Farrukh Haroon
>> Sent: Wednesday, 10 February 2010 6:27
>> To: Antonio Soares
>> Cc: cisco-nsp at puck.nether.net; Cisco certification
>> Subject: Re: WebVPN Issue
>>
>> No it works fine for multiple users, we have it running. If you can
>> post the
>> sanitized config, I can have a look.
>>
>> Also check your 'show tcp brief' output to see if you have any stale
>> connections there. We faced a similar issue, and putting 'service
>> tcp-keepalives-in' fixed the issue (you may put 'out' as well)..
>>
>> We are running 12.4(15)Tx though.
>>
>> Regards
>>
>> Farrukh
>>
>>
>>
>> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares
>> <amsoares at netcabo.pt> wrote:
>>
>>> Hello group,
>>>
>>> I'm facing a strange issue with IOS Based WebVPN: when user X is
>>> connected and then another user uses the same user X, the second
>>> user is not able to connect but the first user loses connectivity.
>>> I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>>> This is not expected behavior, right?
>>>
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> amsoares at netcabo.pt
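As an added example, not part of the thread: a Python replay of the `debug ip routing` lines Antonio quoted, which reports any SSLVPN client whose session is still up on the head-end but whose injected /32 has been deleted from the RIB (the CSCtf53013 symptom). The sample debug lines and the active-session set are constructed; the prefix 10.10.10.170 and VRF_X are assumed values.

```python
import re

# Constructed sample of "debug ip routing" output, modelled on the lines the
# original poster quoted (not captured from a real device). 10.10.10.170 is
# a second, healthy client added to show the detector ignores it.
SAMPLE_DEBUG = """\
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): updating static 10.10.10.170/32 (0x1) via 0.0.0.0 SS2
RT(VRF_X): add 10.10.10.170/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
"""

# Only the "add"/"del" lines carry the decision; the "updating" and
# "delete subnet route" lines echo the same event and are ignored.
# Note the "del" line prints the host without its /32, hence the optional suffix.
LINE_RE = re.compile(
    r"^RT\((?P<vrf>[^)]+)\): (?P<op>add|del) (?P<ip>\d+(?:\.\d+){3})(?:/32)?"
    r" via 0\.0\.0\.0, static metric"
)

def parse_events(text):
    """Return [(vrf, ip, op), ...] for every static host-route add/del line."""
    return [(m["vrf"], m["ip"], m["op"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def route_state(text):
    """Replay the debug stream; return {(vrf, ip): (final_state, del_count)}."""
    state, dels = {}, {}
    for vrf, ip, op in parse_events(text):
        key = (vrf, ip)
        dels[key] = dels.get(key, 0) + (op == "del")
        state[key] = "present" if op == "add" else "deleted"
    return {k: (state[k], dels[k]) for k in state}

def sessions_without_route(text, active_sessions):
    """active_sessions: {(vrf, ip)} the head-end still reports as connected.
    Return those whose injected /32 is absent at the end of the stream: a
    session that is up but has no return route is the symptom from the thread."""
    final = route_state(text)
    return sorted(k for k in active_sessions
                  if final.get(k, ("deleted", 0))[0] == "deleted")

# Constructed: the first user's session (.166) is still up, as is .170.
ACTIVE = {("VRF_X", "10.10.10.166"), ("VRF_X", "10.10.10.170")}
```

A normal disconnect also ends with the /32 deleted, so the active-session set is what separates the bug from a clean teardown; feed it from the head-end's own session list rather than from the debug output.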