Hi Folks,
I am quite new to crypto.
What’s absolute necessary that an IOS Router answers a TCP connect request by an AnyConnect client?
I had an running config, had a router crash and can’t get it work again.
When it worked, I was able to authenticate with username and password.
My goal is SSL VPN full tunnel.
Regards, Hannes
Hello Johann
The following documentation from Cisco details the creation of a basic SSL VPN for Cisco IOS routers using clients with AnyConnect. Take a look at this and if you have questions, please let us know!
I hope this has been helpful!
Laz
Which documentation do you mean?
Hello Johann
I’m so sorry I forgot to add the link! 
Here it is:
I hope this has been helpful!
Laz
Thanks!
Unfortunately, these examples don’t really help.
I did a lot of debugging and searching of debugging messages in the net.
At the moment I have no idea.
After the crash of the router I can not get again what has work before.
Cheers, Hannes
Hi @hannes.1967.hiller ,
WebVPN can be complex. There are many parameters you can configure.
I created a config from the link @lagapidis sent to create a config where the virtual-access interface comes up.
enable AAA:
aaa new-model
aaa authentication login SSLVPN localSet hostname and domain:
hostname R1
ip domain-name NETWORKLESSONS.COMGenerate RSA keypair:
crypto key generate rsa label my-rsa-keys modulus 1024 Set client username:
username VPN_USER secret MY_PASSWORDSet anyconnect package for Windows clients:
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.10.06079-k9.pkg sequence 1Configure trustpoint and generate self signed certificate:
R1(config)#crypto pki trustpoint MY_TRUSTPOINT
R1(ca-trustpoint)#enrollment selfsigned
R1(ca-trustpoint)#subject-name CN=WEBVPN-NETWORKLESSONS
R1(ca-trustpoint)#rsakeypair MY_RSA_KEYPAIRConfigure a webpool for clients:
ip local pool WEBVPN_POOL 192.168.10.10 192.168.10.100Configure webvpn gateway (you can also specify interface instead of ip address):
webvpn gateway WEBVPN_GATEWAY
ip address 1.2.3.4 port 443
ssl encryption aes128-sha1
ssl trustpoint MY_TRUSTPOINT
inserviceConfigure WebVPN context:
webvpn context WEBVPN_CONTEXT
title "WEBVPN NETWORKLESSONS FOR REMOTE USERS"
login-message "ONLY FOR AUTHORIZED USERS"
aaa authentication list SSLVPN
gateway WEBVPN_GATEWAY
!
ssl authenticate verify all
inservice
!
policy group WEBVPN_POLICY
functions svc-enabled
functions svc-required
svc address-pool "WEBVPN_POOL" netmask 255.255.255.0
svc rekey method new-tunnelOnce configured, I see this:
Line protocol on Interface Virtual-Access1, changed state to upAnd I see the port is listening:
R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:443 *:0 TCP Listener LISTENYou can use some show webvpn commands to check specifics about anyconnect.
I hope this helps.
For backups, I like to use oxidized for my Cisco devices:
Rene
Thank you very much!
I don’t know what’s the difference between versions of routers or router software.
I only have cry ssl commands, not webvpn commands.
I have already posted my configuration, I think.
Thanks for all the effort!
Cheers, Hannes
Which router do you use @hannes.1967.hiller ?
C1111#sh version
Cisco IOS XE Software, Version 17.06.04
Cisco IOS Software [Bengaluru], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Sun 14-Aug-22 08:10 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License (“GPL”) Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or “License Notice” file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 17.5(1r)
It seems, that my configured port 44443 is not listening.
How can I check this?
Now, I try a minimum configuration to check, if TCP Port is answering.
62.178.173.16:55555
SSL Profile: spr
Status: ACTIVE
Match Criteria:
URL: none
Policy: spo
AAA accounting List : local
AAA Authentication List : none
AAA Authorization User List : none
AAA Authorization Group List : none
Authentication Mode : user credentials
Interface : SSLVPN-VIF1
Status: DISABLE
Max Users : 10000
C1111#sh cry ssl pol spo
SSL Policy: spo
Status : ACTIVE
Proposal : default
IP Address : 62.178.173.16
Port : 55555
fvrf :
Trust Point: C1111TP
Redundancy : none
Hello Johann
As stated in this post below, the WebVPN feature is approaching its end of life, and is not available in the c1111 platform. That’s why you don’t see the webvpn commands.
I hope this has been helpful!
Laz
Hello Hannes
You can check what ports a Cisco IOS router is listening on by using the following command:
show control-plane host open-ports
More about this can be found in this NetworkLessons note on the topic.
I hope this has been helpful!
Laz
Thanks!
I don’t have this commands on my router, but I can check with telnet and appropriate port number, if router is answering.
Can’t get an answer from the router interface.
No idea!
Update!!!
Now, I tested a Cisco sandbox csr Router with following config:
csr1000v-1#sh cry ssl pol
SSL Policy: spol
Status : ACTIVE
Proposal : default
IP Address : 10.10.20.48
Port : 11111
fvrf :
Trust Point: TP-self-signed-807034967
Redundancy : none
On this router it was possible to do a “telnet 10.10.20.48 11111”
On my router the connection always get refused!
Regards, Hannes
Hello Johann
It seems that your specific router and platform are causing issues. If the IOS and router model you have should be supporting these features, then you may want to open a TAC case with Cisco to see why it is behaving in this way.
I wish we could have been more help!
Laz