AnyConnect issue with Cisco 871

Vieron82

Technical User
Aug 19, 2009
Hi!

I have a Cisco 871 router running C870 Software (C870-ADVSECURITYK9-M), Version 15.0(1)M (c870-advsecurityk9-mz.150-1.M.bin), and I have configured webvpn for AnyConnect and installed the client packages.
My problem is that I can connect from my Android phone and my Mac OS X laptop with AnyConnect, but when I try to log in with the Windows client, I get "Unable to process response from x.x.x.x"
I tried installing several pre-deployment packages, as well as installing directly from the router after web login, but no client works.
It's confusing, since the Android and Mac OS X clients work fine, but the Windows client does not...
Any advice?

Here is the configuration of the webvpn:

aaa new-model
!
aaa authentication login sslvpn local
!
ip local pool webvpn-pool 10.10.10.11 10.10.10.15
!
webvpn gateway Cisco-WebVPN-Gateway
 ip interface Dialer0 port 443
 ssl encryption rc4-md5
 ssl trustpoint ssl-vpn
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-linux-2.4.1012-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 3
!
webvpn context Cisco-WebVPN
 ssl authenticate verify all
 !
 acl "ssl-acl"
   permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.224
 !
 !
 policy group webvpnpolicy
   functions svc-required
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool"
   svc rekey method new-tunnel
   svc split include 192.168.2.0 255.255.255.224
 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 5
 inservice
 
Run a debug webvpn 255 (going off memory, the 255 might not be an option, but I think it is)
and then try to log in and see what happens.

The last time I saw that error message was on an ASA, and it was because the group policy being matched was locked to a specific connection profile and the end user was attempting a connection to a different gateway.
Post your debug and I can try to see what is going on, mate.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Hi!

I turned on the webvpn debugging, but the only information I got is that there is no webvpn debug output when I try to connect with the Windows AnyConnect client.
I tried several client versions from at least 3 computers, with Windows Firewall and antivirus turned off.
It still works fine under Mac OS X and Android, and there I see the debug messages, but not a single line when I try the Windows client...
I checked the session with Wireshark: only four HTTPS SYN packets went out, and four HTTPS ACK+reset packets came in.
 
The log on your 870 doesn't show anything either?

If you are getting resets, then the connection profile hasn't even been hit yet... Are you on the same subnet as the other machines?


 
Hi!

The problem was with the IE settings: after a security update, IE simply did not allow self-signed sites to be opened.
I had to use certutil to enable self-signed certs.
But another problem occurred: now the Windows client says bad certificate, even after I imported the cert from the router...
 