FlexVPN Remote Access AnyConnect

At this time functionality is fully broken after a router crash.
Tried to get it running as before…

Cheers, Hannes

Hello Johann

I suggest you use the debug aaa authentication and debug aaa authorization commands to see what results you get, as @ReneMolenaar suggested in the above post. If you share those with us, we can help you further.

I hope this has been helpful!

Laz

Thank you!

At this time there is nothing with AAA!
I can’t even connect to the assigned port.
I found out that TCP is reset on my router.
The simple test is a Telnet to the specific port number.
This morning I will have another router to test.

Cheers, Hannes

TEST on sandlab:

csr1000v-1#sh cry ssl pol

SSL Policy: spol
  Status     : ACTIVE
  Proposal   : default
  IP Address : 10.10.20.48
  Port       : 11111
  fvrf       : 
  Trust Point: TP-self-signed-807034967
  Redundancy : none
csr1000v-1#telnet 10.10.20.48 11111 
Trying 10.10.20.48, 11111 ... Open

Test on my router:

SSL Policy: SPOL
  Status     : ACTIVE
  Proposal   : default
  IP Address : 10.255.250.1
  Port       : 11111
  fvrf       : 
  Trust Point: TP-self-signed-2984925144
  Redundancy : none
C1111#
C1111#
C1111#telnet 10.255.250.1 11111
Trying 10.255.250.1, 11111 ... 
% Connection refused by remote host
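
The Telnet test above only distinguishes "Open" from "Connection refused". The script below, an added example that is not part of this thread or of Cisco's tooling, does the same TCP connect from a client machine and then attempts a TLS handshake, so it separates "RST came back" (nothing is listening on that address and port, or something in the path answers with a reset; the C1111 case above) from "SYN dropped" (a filter or routing problem) and from "TCP open but the listener does not speak TLS". HOST and PORT are placeholders copied from the post; the self-check at the end uses only local sockets so it runs offline.

```python
"""Probe the SSL-policy port of a FlexVPN headend the way the Telnet test
does, but record why it failed.

Added example, not from the original thread or from Cisco. HOST and PORT are
placeholders; use the 'IP Address' and 'Port' values from 'show crypto ssl
policy'. The self-check at the bottom uses only local sockets."""
import socket
import ssl
import threading

HOST, PORT = "10.255.250.1", 11111  # placeholders taken from the post above


def probe_port(host, port, timeout=3.0):
    """Return {'tcp': ..., 'tls': ..., 'detail': ...} for host:port.

    tcp: 'open' | 'refused' (RST: no listener on that address/port) |
         'timeout' (SYN dropped by a filter or routing) | 'unreachable'.
    tls: only set when tcp is 'open': 'ok' or 'handshake_failed'.
    """
    result = {"tcp": None, "tls": None, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["tcp"] = "refused"          # the '% Connection refused' case
        return result
    except socket.timeout:
        result["tcp"] = "timeout"
        return result
    except OSError as exc:
        result["tcp"], result["detail"] = "unreachable", str(exc)
        return result

    result["tcp"] = "open"
    # Verification is off on purpose: a self-signed trustpoint chains to
    # nothing on the client, and the question here is only whether the
    # listener speaks TLS at all and which certificate it presents.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            result["tls"] = "ok"
            result["detail"] = "%s, server cert %d bytes DER" % (tls.version(), len(der))
    except (ssl.SSLError, OSError) as exc:
        result["tls"], result["detail"] = "handshake_failed", str(exc)
    finally:
        sock.close()
    return result


def self_check():
    """Probe a local listener that accepts TCP but is not a TLS server, then
    the same port once it is closed. Lets the classifier be tested offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        conn, _ = srv.accept()
        conn.recv(4096)     # swallow the ClientHello, then hang up
        conn.close()

    threading.Thread(target=accept_once, daemon=True).start()
    open_but_not_tls = probe_port("127.0.0.1", port)
    srv.close()
    refused = probe_port("127.0.0.1", port)   # nothing bound any more -> RST
    return open_but_not_tls, refused


if __name__ == "__main__":
    print(probe_port(HOST, PORT))
    print(self_check())
```

Run it from the remote side, not from the router: a "refused" here while the router's own Telnet also says refused points at the listener (policy not active, wrong address, fvrf), while "timeout" from outside but "Open" on the router points at the path in between.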

Hello Johann

Hmm, have you enabled AAA using the aaa new-model global configuration mode command? Check out this NetworkLessons note about that.

In any case, try it out, and let us know how you get along with the new router that you are testing.

I hope this has been helpful!

Laz

Hi,
I put in the setup from your example.
So, I have zero output in the console when doing this command:
show crypto ikev2 sa detailed
Why?

Hello Victor

If you have no output when you issue this command (with or without the detailed keyword) it simply means that no SA has been created. In simpler terms, the remote user has failed to connect. Some things you can check include:

  • Does the AnyConnect secure mobility client show that the user is connected to the VPN like so?
    (screenshot of the AnyConnect client window)
  • Are you able to ping the internal IP address of the router from the remote user?

If one or both of the above are not working correctly, look again at the configuration and proceed with troubleshooting using the rest of the verification commands shown in the lesson.

I hope this has been helpful!

Laz

Does this config guide still work? I can get to the “Untrusted Certificate - Connect Anyway” window. I can type in credentials. I see IKEv2 Debugs, nothing is really standing out as the source of the problem. I see the tunnel go up and immediately back down on the Cisco logs. I am configuring this on a C1111 IOS-XE router.

Hello James

Can you let us know a little bit more about the types of error messages you are getting? What does it say exactly in your debugs? What results are you getting from the verification commands described in the lesson? Can you also do some debugging for the IPSec portion of the configuration? Also, when you say the tunnel goes up and immediately goes back down, are you referring to the ikev2 sa or the ipsec sa?

Let us know some more info so that we can help you further.

I hope this has been helpful!

Laz

Followed the tutorial to the letter; however, I never reach the “untrusted certificate” popup at all, so something is not fully functional. I added the debug log for the debug crypto ikev2 output; any pointers on where to start?

Feb 21 16:50:30.301: IKEv2:Received Packet [From 10.1.1.109:37680/To 10.101.13.112:500/VRF i0:f0] 
Initiator SPI : 84BAA6670342AD84 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

Feb 21 16:50:30.303: IKEv2:(SESSION ID = 10,SA ID = 1):Verify SA init message
Feb 21 16:50:30.303: IKEv2:(SESSION ID = 10,SA ID = 1):Insert SA
Feb 21 16:50:30.303: IKEv2:Searching Policy with fvrf 0, local address 10.101.13.112
Feb 21 16:50:30.303: IKEv2:Using the Default Policy for Proposal
Feb 21 16:50:30.303: IKEv2:Found Policy 'default'
Feb 21 16:50:30.304: IKEv2:(SESSION ID = 10,SA ID = 1):Processing IKE_SA_INIT message
Feb 21 16:50:30.304: IKEv2:(SESSION ID = 10,SA ID = 1):Received valid config mode data
Feb 21 16:50:30.304: IKEv2:(SESSION ID = 10,SA ID = 1):Config data recieved:
Feb 21 16:50:30.305: IKEv2:(SESSION ID = 10,SA ID = 1):Config-type: Config-request 
Feb 21 16:50:30.305: IKEv2:(SESSION ID = 10,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
Feb 21 16:50:30.305: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
Feb 21 16:50:30.305: IKEv2:(SESSION ID = 10,SA ID = 1):Set received config mode data
Feb 21 16:50:30.305: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Feb 21 16:50:30.305: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-3702716515'   'RTR-CLIENT'   'RTR-OIRI'   'SLA-TrustPoint'   
Feb 21 16:50:30.305: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Feb 21 16:50:30.306: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Feb 21 16:50:30.306: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Feb 21 16:50:30.306: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Feb 21 16:50:30.306: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Feb 21 16:50:30.308: IKEv2:(SESSION ID = 10,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 21 16:50:30.308: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH key
Feb 21 16:50:30.308: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Feb 21 16:50:30.316: IKEv2:(SESSION ID = 10,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 21 16:50:30.316: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH secret
Feb 21 16:50:30.316: IKEv2:(SESSION ID = 10,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Feb 21 16:50:30.317: IKEv2:(SESSION ID = 10,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Feb 21 16:50:30.317: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Feb 21 16:50:30.317: IKEv2:(SESSION ID = 10,SA ID = 1):Generating IKE_SA_INIT message
Feb 21 16:50:30.317: IKEv2:(SESSION ID = 10,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA384   SHA384   DH_GROUP_256_ECP/Group 19
Feb 21 16:50:30.317: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Feb 21 16:50:30.317: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-3702716515'   'RTR-CLIENT'   'RTR-OIRI'   'SLA-TrustPoint'   
Feb 21 16:50:30.318: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Feb 21 16:50:30.318: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

Feb 21 16:50:30.318: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 10.1.1.109:37680/From 10.101.13.112:500/VRF i0:f0] 
Initiator SPI : 84BAA6670342AD84 - Responder SPI : 8528E542BE2AD9AA Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) 

Feb 21 16:50:30.320: IKEv2:(SESSION ID = 10,SA ID = 1):Completed SA init exchange
Feb 21 16:50:30.320: IKEv2:(SESSION ID = 10,SA ID = 1):Starting timer (30 sec) to wait for auth message 

Feb 21 16:50:30.345: IKEv2:(SESSION ID = 10,SA ID = 1):Received Packet [From 10.1.1.109:61964/To 10.101.13.112:4500/VRF i0:f0] 
Initiator SPI : 84BAA6670342AD84 - Responder SPI : 8528E542BE2AD9AA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Stopping timer to wait for auth message
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Checking NAT discovery
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):NAT OUTSIDE found
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):NAT detected float to init port 61964, resp port 4500
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
Feb 21 16:50:30.348: IKEv2:found matching IKEv2 profile 'IKEV2_PROFILE'
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Searching Policy with fvrf 0, local address 10.101.13.112
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Using the Default Policy for Proposal
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Found Policy 'default'
Feb 21 16:50:30.349: IKEv2:not a VPN-SIP session
Feb 21 16:50:30.349: IKEv2:(SESSION ID = 10,SA ID = 1):Verify peer's policy
Feb 21 16:50:30.349: IKEv2:(SESSION ID = 10,SA ID = 1):Peer's policy verified
Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Feb 21 16:50:30.349: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint RTR-CLIENT
Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint FAILED
Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authentication data FAILED
Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Sending authentication failure notify
Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 10.1.1.109:61964/From 10.101.13.112:4500/VRF i0:f0] 
Initiator SPI : 84BAA6670342AD84 - Responder SPI : 8528E542BE2AD9AA Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Feb 21 16:50:30.351: IKEv2:(SESSION ID = 10,SA ID = 1):Auth exchange failed
Feb 21 16:50:30.351: IKEv2-ERROR:(SESSION ID = 10,SA ID = 1):: Auth exchange failed
Feb 21 16:50:30.351: IKEv2:(SESSION ID = 10,SA ID = 1):Abort exchange
Feb 21 16:50:30.351: IKEv2:(SESSION ID = 10,SA ID = 1):Deleting SA
Feb 21 16:50:30.351: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Feb 21 16:50:30.351: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

Thanks!
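
Read line by line, the debug above shows IKE_SA_INIT completing, the IKE_AUTH request arriving on UDP 4500 after NAT detection, the profile IKEV2_PROFILE matching on the AnyConnect key-id, and then "[PKI -> IKEv2] Getting of cert chain for the trustpoint FAILED" for RTR-CLIENT immediately before "Verification of peer's authentication data FAILED" and the AUTHENTICATION_FAILED notify. The script below, an added example that is not part of this thread or of Cisco IOS, automates that reading over a full debug capture. SAMPLE is constructed by trimming the posted debug to the lines the triage keys on; the regexes follow the wording of those lines and may need adjusting for other IOS releases.

```python
"""Triage 'debug crypto ikev2' output: which exchanges were seen, which profile
matched, whether NAT-T port floating happened, and the first step that FAILED.

Added example for the debug posted above; not part of the original thread or of
Cisco IOS. SAMPLE is constructed by trimming that debug to the lines this triage
keys on. Regexes follow the wording of those lines; other releases may differ."""
import re

SAMPLE = """\
Feb 21 16:50:30.301: IKEv2:Received Packet [From 10.1.1.109:37680/To 10.101.13.112:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange REQUEST
Feb 21 16:50:30.318: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 10.1.1.109:37680/From 10.101.13.112:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange RESPONSE
Feb 21 16:50:30.345: IKEv2:(SESSION ID = 10,SA ID = 1):Received Packet [From 10.1.1.109:61964/To 10.101.13.112:4500/VRF i0:f0]
IKEv2 IKE_AUTH Exchange REQUEST
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):NAT detected float to init port 61964, resp port 4500
Feb 21 16:50:30.348: IKEv2:(SESSION ID = 10,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
Feb 21 16:50:30.348: IKEv2:found matching IKEv2 profile 'IKEV2_PROFILE'
Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint RTR-CLIENT
Feb 21 16:50:30.349: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint FAILED
Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authentication data FAILED
Feb 21 16:50:30.350: IKEv2:(SESSION ID = 10,SA ID = 1):Sending authentication failure notify
 NOTIFY(AUTHENTICATION_FAILED)
Feb 21 16:50:30.351: IKEv2-ERROR:(SESSION ID = 10,SA ID = 1):: Auth exchange failed
"""

TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:\s*")
PACKET = re.compile(r"(Received|Sending) Packet \[(?:From|To) ([\d.]+):(\d+)/(?:To|From) ([\d.]+):(\d+)")
EXCHANGE = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
IDENTITY = re.compile(r"peer's identity '([^']+)' of type '([^']+)'")
PROFILE = re.compile(r"found matching IKEv2 profile '([^']+)'")
NAT_FLOAT = re.compile(r"NAT detected float to init port (\d+), resp port (\d+)")
PKI_CHAIN = re.compile(r"\[IKEv2 -> PKI\] Getting cert chain for the trustpoint (\S+)")
PKI_FAILED = re.compile(r"\[PKI -> IKEv2\] (.+?) FAILED")
NOTIFY = re.compile(r"NOTIFY\(([A-Z_]+)\)")


def triage_ikev2_debug(text):
    """Walk the debug once and collect the facts a verdict needs."""
    report = {"exchanges": [], "peer_identity": None, "profile": None,
              "nat": None, "pki_failures": [], "failures": [], "notifies": []}
    pending = None          # (direction, peer port) from the last Packet line
    last_trustpoint = None  # trustpoint named in the last cert-chain request
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        m = PACKET.search(line)
        if m:
            pending = (m.group(1), int(m.group(3)))   # peer is always group 2/3
            continue
        m = EXCHANGE.search(line)
        if m and pending:
            # Peer port is kept so the 500 -> 4500 float is visible in the list.
            report["exchanges"].append((pending[0], m.group(1), m.group(2), pending[1]))
            pending = None
            continue
        m = IDENTITY.search(line)
        if m:
            report["peer_identity"] = (m.group(1), m.group(2))
        m = PROFILE.search(line)
        if m:
            report["profile"] = m.group(1)
        m = NAT_FLOAT.search(line)
        if m:
            report["nat"] = (int(m.group(1)), int(m.group(2)))
        m = PKI_CHAIN.search(line)
        if m:
            last_trustpoint = m.group(1)
        m = PKI_FAILED.search(line)
        if m:
            report["pki_failures"].append((m.group(1), last_trustpoint))
        if "FAILED" in line and not line.startswith("NOTIFY"):
            report["failures"].append(line)
        report["notifies"].extend(NOTIFY.findall(line))
    return report


def verdict(report):
    """One-line reading of the report, most specific cause first."""
    if not report["exchanges"]:
        return "no IKEv2 packets seen: check reachability and UDP 500/4500 first"
    if report["pki_failures"]:
        step, tp = report["pki_failures"][0]
        return ("local PKI failure ('%s' for trustpoint %s): the router could not "
                "sign its own AUTH payload; check 'show crypto pki certificates %s'"
                % (step, tp, tp))
    if "AUTHENTICATION_FAILED" in report["notifies"]:
        return "peer authentication rejected with PKI intact: look at EAP/AAA next"
    if report["failures"]:
        return "first FAILED step: " + report["failures"][0]
    return "no FAILED step in this debug window"


if __name__ == "__main__":
    r = triage_ikev2_debug(SAMPLE)
    print(r["exchanges"], r["profile"], r["nat"], sep="\n")
    print(verdict(r))
```

The ordering in verdict() matters: an AUTHENTICATION_FAILED notify is the symptom in both the "router has no certificate to sign with" and the "user typed the wrong password" cases, so the PKI failure is reported first when it is present.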

Hello Paul

Looking at your debug output I see the following:

Received cert hash is invalid, using configured trustpoints from profile for signing

This message indicates that there is an issue with the certificate being used. Now this is to be expected because it is what should cause the security warning of an untrusted server certificate. However, instead of showing you the warning, it seems it is simply failing. Do you have a configuration parameter on your AnyConnect client that says don’t accept untrusted certificates?

That’s the only thing I can think of at this point. Take a look and let us know how you get along, and if not, give us more info so we can help you troubleshoot further…

I hope this has been helpful!

Laz

Hi

I am trying to configure FlexVPN as per the lesson. After accepting the cert warning I get an authentication error; the AAA debug is below.

AnyConnect version 4.9.030049 with IOS 15.7(3)M9

Any help greatly appreciated, having a nightmare trying to upgrade our VPNs from IKEv1 to IKEv2.

I don’t have the AnyConnect profile tool but have this config:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
	<ServerList>
		<HostEntry>
			<HostName>R1-FlexVPN</HostName>
			<HostAddress>192.168.1.1</HostAddress>
			<PrimaryProtocol>IPsec
				<StandardAuthenticationOnly>true
					<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
				</StandardAuthenticationOnly>
			</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

*Apr  9 13:10:06.251: AAA/BIND(00000015): Bind i/f
*Apr  9 13:10:06.251: AAA/ACCT/HC(00000015): Register VPN IPSEC/29243784 64 bit counter support not configured
*Apr  9 13:10:06.251: AAA/ACCT/HC(00000015): Update VPN IPSEC/29243784
*Apr  9 13:10:06.251: AAA/ACCT/HC(00000015): no HC VPN IPSEC/29243784
*Apr  9 13:10:06.251: AAA/ACCT/EVENT/(00000015): CALL START
*Apr  9 13:10:06.251: Getting session id for NET(00000015) : db=2D4962A8
*Apr  9 13:10:06.251: AAA/ACCT(00000000): add node, session 8
*Apr  9 13:10:06.251: AAA/ACCT/NET(00000015): add, count 1
*Apr  9 13:10:06.255: AAA/ACCT/HC(00000015): Update VPN IPSEC/29243784
*Apr  9 13:10:06.255: AAA/ACCT/HC(00000015): no HC VPN IPSEC/29243784
*Apr  9 13:10:06.255: AAA/ACCT/EVENT/(00000015): CALL STOP
*Apr  9 13:10:06.255: AAA/ACCT/CALL STOP(00000015): Sending stop requests
*Apr  9 13:10:06.255: AAA/ACCT(00000015): Send all stops
*Apr  9 13:10:06.255: AAA/ACCT/NET(00000015): STOP
*Apr  9 13:10:06.255: AAA/ACCT/NET(00000015): Method list not found
*Apr  9 13:10:06.255: AAA/ACCT(00000015): del node, session 8
*Apr  9 13:10:06.255: AAA/ACCT/NET(00000015): free_rec, count 0
*Apr  9 13:10:06.255: /AAA/ACCTNET(00000015) reccnt 0, csr TRUE, osr 0
*Apr  9 13:10:06.255: AAA/ACCT/NET(00000015): Last rec in db, intf not enqueued
*Apr  9 13:10:06.271: AAA/BIND(00000016): Bind i/f
*Apr  9 13:10:06.271: AAA/ACCT/EVENT/(00000016): CALL START
*Apr  9 13:10:06.271: Getting session id for NET(00000016) : db=29261300
*Apr  9 13:10:06.271: AAA/ACCT(00000000): add node, session 9
*Apr  9 13:10:06.271: AAA/ACCT/NET(00000016): add, count 1
*Apr  9 13:10:06.271: AAA/AUTHOR (0x16): Pick method list 'AAA_AUTHORIZATION_NETWORK'
*Apr  9 13:10:06.275: Getting session id for NONE(00000016) : db=29261300
*Apr  9 13:10:06.279: AAA/ACCT/EVENT/(00000016): CALL STOP
*Apr  9 13:10:06.279: AAA/ACCT/CALL STOP(00000016): Sending stop requests
*Apr  9 13:10:06.279: AAA/ACCT(00000016): Send all stops
*Apr  9 13:10:06.279: AAA/ACCT/NET(00000016): STOP
*Apr  9 13:10:06.279: AAA/ACCT/NET(00000016): Method list not found
*Apr  9 13:10:06.279: AAA/ACCT(00000016): del node, session 9
*Apr  9 13:10:06.279: AAA/ACCT/NET(00000016): free_rec, count 0
*Apr  9 13:10:06.279: /AAA/ACCTNET(00000016) reccnt 0, csr TRUE, osr 0
*Apr  9 13:10:06.279: AAA/ACCT/NET(00000016): Last rec in db, intf not enqueued
*Apr  9 13:10:06.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Apr  9 13:10:06.279: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Apr  9 13:10:06.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Apr  9 13:10:06.299: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
AAA/ACCT/HC(00000015): Register VPN IPSEC/29243784 64 bit counter support not configured

Michael

Hello Michael

Based on the debug output, it seems that the issue is with your authentication configuration. Take a look at this line:

*Apr 9 13:10:06.271: AAA/AUTHOR (0x16): Pick method list 'AAA_AUTHORIZATION_NETWORK'

This line indicates that the router is trying to use the method list named ‘AAA_AUTHORIZATION_NETWORK’ for authorization, but it seems like it might not be configured appropriately or there’s a mismatch in the configuration. Check the current AAA authentication configuration by issuing the following command to see the authentication-related commands in the config:

show running-config | include aaa authentication

Make sure that the appropriate AAA authentication method list is configured. Also, ensure that the correct AAA authentication method list is applied to your VPN configuration. Looking at these particular configuration parameters should help you to pinpoint the specific problem being faced.

Let us know how you get along and how we can further help you out!

I hope this has been helpful!

Laz
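
The advice above boils down to two checks: aaa new-model is on, and every method list the IKEv2 profile refers to actually exists under the same name. The checker below, an added example that is not part of this thread or of Cisco IOS, does both against the text of show running-config and reports every list or policy named under crypto ikev2 profile that is not defined globally. The two sample configs are constructed: IKEV2_PROFILE and AAA_AUTHORIZATION_NETWORK are the names that appear in this thread, while FLEXAUTH, FLEX_AUTH, FLEX_TP, FLEX_POOL and IKEV2_AUTHORIZATION_POLICY are made up, and the broken sample deliberately misspells the EAP authentication list.

```python
"""Cross-check the AAA method lists an IKEv2 (FlexVPN) profile names against
the lists defined globally in the running-config.

Added example, not from the original thread or from Cisco. The sample configs
are constructed; IKEV2_PROFILE and AAA_AUTHORIZATION_NETWORK are names from the
thread, the rest are made up. Feed real 'show running-config' text to
check_flexvpn_aaa()."""
import re

SAMPLE_BROKEN = """\
aaa new-model
aaa authentication login FLEXAUTH local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool FLEX_POOL
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEX_TP
 aaa authentication eap FLEX_AUTH
 aaa authorization group eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
 virtual-template 1
"""
# The profile says FLEX_AUTH but the login list is FLEXAUTH: EAP can never start.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("aaa authentication eap FLEX_AUTH",
                                     "aaa authentication eap FLEXAUTH")


def parse_ios_blocks(text):
    """Return [(header, [sub-lines])]: column-0 lines open a block, indented
    lines belong to the block above them, '!' separators are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _names(headers, pattern):
    """Set of group(1) captures of pattern over the top-level lines."""
    rx = re.compile(pattern)
    return {m.group(1) for m in map(rx.match, headers) if m}


def check_flexvpn_aaa(config_text):
    """Return a list of problem strings; an empty list means the lists line up."""
    blocks = parse_ios_blocks(config_text)
    headers = [h for h, _ in blocks]
    problems = []
    if "aaa new-model" not in headers:
        problems.append("'aaa new-model' is missing; no method list is usable without it")
    login_lists = _names(headers, r"aaa authentication login (\S+)")
    # name -> methods, so a local policy name is only checked for local lists
    network_lists = {m.group(1): m.group(2).split() for m in
                     (re.match(r"aaa authorization network (\S+) (.*)", h) for h in headers) if m}
    policies = _names(headers, r"crypto ikev2 authorization policy (\S+)")

    for header, body in blocks:
        m = re.match(r"crypto ikev2 profile (\S+)", header)
        if not m:
            continue
        prof = m.group(1)
        eap_lists = [x.group(1) for x in
                     (re.match(r"aaa authentication eap (\S+)", ln) for ln in body) if x]
        if any(ln.startswith("authentication remote eap") for ln in body) and not eap_lists:
            problems.append("profile %s: remote EAP authentication but no 'aaa authentication eap' list" % prof)
        for name in eap_lists:
            if name not in login_lists:
                problems.append("profile %s: 'aaa authentication eap %s' names a login list that is not defined (defined: %s)"
                                % (prof, name, ", ".join(sorted(login_lists)) or "none"))
        for ln in body:
            m = re.match(r"aaa authorization (group|user) eap list (\S+)(?: (\S+))?", ln)
            if not m:
                continue
            lst, policy = m.group(2), m.group(3)
            if lst not in network_lists:
                problems.append("profile %s: authorization list %s is not defined with 'aaa authorization network'" % (prof, lst))
            elif policy and "local" in network_lists[lst] and policy not in policies:
                problems.append("profile %s: authorization policy %s is not defined" % (prof, policy))
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_flexvpn_aaa(cfg) or "OK")
```

The policy-name check is deliberately limited to authorization lists whose method is local; when the list points at RADIUS the name is resolved by the AAA server and nothing in the running-config can confirm it.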

I’ll Eli’s the config later and come back to you with the aaa debug as well

Michael Hampshire.


Hi, I am having an issue in following this configuration guide. When I attempt to enter the command int virtual-template1 type tunnel, I receive the following output:

Error: Vtemplate1 was originally created with type Serial
Cannot change vtemplate type, create a new vtemplate

I am unsure how to fix this error, or what is causing it. Any help would be appreciated. Thank you.

Hello Alexander

The error message you’re getting means that virtual-template1 was initially created as a Serial type and hence can’t be changed to a Tunnel type directly.

To resolve this issue, you need to create a new virtual template with a different number, for example, int virtual-template2 type tunnel. If you’re not using the original virtual-template1, you could also delete it and recreate it with the tunnel type. Here’s how:

  1. First, remove the original virtual template with the command: no int virtual-template1.
  2. Then, create a new one with the tunnel type with the command: int virtual-template1 type tunnel.

I hope this has been helpful!

Laz