AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example
Document ID: 110608
Contributed by Bratin Saha and Rahul Govindan, Cisco TAC Engineers.
Jan 12, 2015
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
Network Diagram
Preconfiguration Tasks
Configurations
Step 1: Set up the CCP and Discover the Cisco IOS Router
Step 2: Install and Enable the Anyconnect VPN Software on the IOS Router
Step 3: Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard
Step 4: Configure the User Database for Anyconnect VPN Users
Step 5. Configure the Anyconnect Tunnel
CLI Configuration
Establish the AnyConnect VPN Client Connection
Verify
Commands
show webvpn session context all
show webvpn session user user1 context Test
show webvpn stats
Troubleshoot
Troubleshooting Commands
Related Information
Introduction
This document describes how to set up a Cisco IOS® router to perform Secure Sockets Layer (SSL) VPN on a
stick with the Cisco AnyConnect VPN client using Cisco Configuration Professional (CCP). This setup applies
to a specific case where AnyConnect on the router is configured with split tunneling, and it allows the client
secure access to corporate resources and also provides unsecured access to the Internet.
SSL VPN or WebVPN technology is supported on most router platforms such as the Integrated Services
Router (ISR) Generation 1 and Generation 2 (refer to ISR Products for the list of ISR products). Customers are
advised to refer to the Feature Navigator in order to obtain a complete list of Cisco IOS platforms that
support the AnyConnect VPN (SSL) client (or any other feature or technology, for that matter).
CCP is a GUI-based device management tool that allows you to configure Cisco IOS-based access routers.
CCP is installed on a PC and simplifies router, security, unified communications, wireless, WAN, and basic
LAN configurations through GUI-based, easy-to-use wizards.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
• Suitable client operating system. Refer to the AnyConnect Release Notes for the supported operating
systems.
• Web browser with SUN JRE Version 1.4 or later or an ActiveX controlled browser
• Local administrative privileges on the client
• Cisco IOS Router with Advanced Security image 12.4(20)T or later
• Cisco Configuration Professional Version 1.3 or later
If the Cisco Configuration Professional is not already loaded on your computer, you can obtain a free copy of
the software and install the .exe (cisco-config-pro-k9-pkg-2_8-en.zip) file from Software Download. For
detailed information on the installation and configuration of CCP, refer to Cisco Configuration Professional
Quick Start Guide.
Components Used
The information in this document is based on these software and hardware versions:
• Cisco IOS Series CISCO2811 Router with Software Version 15.1(4)M8
• CCP Version 2.8
• Cisco AnyConnect SSL VPN Client Version for Windows 3.1.05160
The information in this document was created from devices in a specific lab environment. All of the devices
used in this document started with a cleared (default) configuration. If your network is live, make sure that
you understand the potential impact of any command.
Configure
Network Diagram
This document uses this network setup:
Preconfiguration Tasks
1. Configure the router for CCP.
Routers with the appropriate security bundle license already have the CCP application loaded in the
Flash. Refer to Cisco Configuration Professional Quick Start Guide in order to obtain and configure
the software.
2. Download a copy of the Anyconnect VPN .pkg file to your management PC.
Configurations
In this section, you are presented with the steps necessary in order to configure the features described in this
document. This example configuration uses the CCP Wizard in order to enable the operation of the
Anyconnect VPN on the IOS router.
Complete these steps in order to configure Anyconnect VPN on the Cisco IOS router:
1. Set up the CCP and discover the Cisco IOS router.
2. Install and enable the Anyconnect VPN Software on the Cisco IOS Router.
3. Configure a SSL VPN Context and SSL VPN Gateway with the CCP Wizard.
4. Configure the User Database for Anyconnect VPN Users.
5. Configure the AnyConnect Full Tunnel.
Each of these steps is described in more detail in the next sections of this document.
Step 1: Set up the CCP and Discover the Cisco IOS Router
1. Click Router Status on the CCP window in order to view the router device information.
2. Click Configure in order to begin the configuration.
Step 2: Install and Enable the Anyconnect VPN Software on the IOS Router
Complete these steps in order to install and enable the Anyconnect VPN software on the IOS router:
1. Open the CCP application, navigate to Configure > Security, and then click VPN.
2. Expand SSLVPN, and choose Packages.
Ensure that the SSL VPN Feature license is installed on the device, otherwise you might get the
warning shown in the previous image. Refer to the Feature License link in order to view the Ordering
Information section.
3. In the Cisco SSLVPN client software, click Browse.
The Select SVC location dialog box appears.
4. Specify the location of the Cisco Anyconnect VPN client image (choose either of the two options
available).
♦ If the Cisco Anyconnect VPN client image is in the router flash, click the Router File
System radio button, and click Browse.
♦ If the Cisco Anyconnect VPN client image is not in the router flash, click the My
Computer radio button, and click Browse.
5. Select the client image that you want to install and click OK.
6. Once you specify the location of the client image, click Install.
7. Click Yes and then click OK.
8. Once the client image is successfully installed, you receive the success message. Click OK in order to
continue.
9. Once installed, view the installed package details under Security > VPN > SSL VPN >
Packages.
Step 3: Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard
Complete these steps in order to configure a SSL VPN context and the SSL VPN gateway:
1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click the SSL VPN Manager and then click the Create SSL VPN tab.
3. Follow the prompts in order to enable Authentication, Authorization, and Accounting (AAA) if it is
not already enabled.
4. Check the Create a New SSL VPN radio button and then click Launch the selected task.
The SSL VPN Wizard dialog box appears.
5. Click Next.
Note: If the SSL VPN is configured under the interface through which Cisco CP is invoked, it might
cause Cisco CP to disconnect from the router. As a better practice, you can access the Cisco IOS router
via CCP from the internal interface (in this example, 10.106.44.141) or any other interface, while the
SSL VPN is configured under the external interface FastEthernet0/0 (in this example,
10.105.130.149).
6. Enter the IP address of the new SSL VPN gateway and enter a unique name for this SSL VPN
context.
You can create different SSL VPN contexts for the same IP address (SSL VPN gateway), but each
name must be unique. This example uses this IP address: https://10.105.130.149/
7. Click Next, and continue to the next section.
Step 4: Configure the User Database for Anyconnect VPN Users
For authentication, you can use an AAA Server, local users, or both. This configuration example uses
locally-created users for authentication.
Complete these steps in order to configure the user database for Anyconnect VPN users:
1. After you complete Step 3, click the Locally on this router radio button located in the SSL VPN
Wizard User Authentication dialog box.
This dialog box allows you to add users to the local database.
2. Click Add and enter user information.
3. Click OK and add additional users as necessary.
4. After you add the necessary users, click Next, and continue to the next section.
Step 5. Configure the Anyconnect Tunnel
Complete these steps in order to configure the Anyconnect tunnel and pool of IP addresses for the users:
1. Because Anyconnect provides direct access to corporate intranet resources, you do not need to
configure the URL list. Click the Next button located in the Configure Intranet Websites dialog
box.
2. Verify that the Enable Full Tunnel check box is checked.
3. Create a pool of IP addresses that clients of this SSL VPN context can use.
The pool of addresses must correspond to addresses available and routable on your intranet.
4. Click the ellipses (...) next to the IP Address Pool field, and choose Create a new IP Pool.
5. In the Add IP Local Pool dialog box, enter a name for the pool (for example, new), and click Add.
6. In the Add IP address range dialog box, enter the address pool range for the Anyconnect VPN clients
and click OK.
Note: Before Version 12.4(20)T, the IP address pool should be in a range of an interface directly
connected to the router. If you want to use a different pool range, you can create a loopback address
associated with your new pool in order to satisfy this requirement.
7. Click OK.
8. Configure advanced tunnel options, such as split tunneling, split DNS, browser proxy settings, and
Domain Name System (DNS) and Windows Internet Name Service (WINS) servers.
Note: Cisco recommends that you configure at least DNS and WINS servers.
Complete these steps in order to configure advanced tunnel options, such as split tunneling:
a. Click the Advanced Tunnel Options button.
b. Click the DNS and WINS Servers tab and enter the primary IP addresses for the DNS and
WINS servers.
c. Click the Split Tunneling tab in order to configure split tunneling.
The ability to transmit both secured and unsecured traffic on the same interface is known as
split tunneling. Split tunneling requires that you specify exactly which traffic is secured and
what the destination of that traffic is, so that only the specified traffic enters the tunnel while
the rest is transmitted unencrypted across the public network (Internet).
In the example, split tunnel is configured in order to include traffic.
9. After you configure the necessary options, click Next. Choose the appropriate SSL VPN Tunnel
Interface option and click Next.
10. Customize the SSL VPN Portal Page or select the default values.
The Customize SSL VPN Portal Page allows you to customize how the SSL VPN Portal Page appears
to your customers.
11. After you customize the SSL VPN portal page, click Next.
12. Click Finish.
13. Click Deliver in order to save your configuration and then click OK.
The SSL VPN Wizard submits your commands to the router.
Basically these are the commands that are delivered from CCP to the router:
AAA commands:
aaa new-model
aaa authorization exec default local
aaa authentication login default local
line vty 0 4
 login authentication default
 authorization exec default
 exit
Remaining commands:
aaa authentication login ciscocp_vpn_xauth_ml_1 local
ip local pool IP_Pool 192.168.1.10 192.168.1.15
interface Virtual-Template1
 exit
default interface Virtual-Template1
interface Virtual-Template1
 no shutdown
 ip unnumbered FastEthernet0/0
 exit
webvpn gateway gateway_1
 ip address 10.105.130.149 port 443
 http-redirect port 80
 inservice
 ssl trustpoint TP-self-signed-1878971148
 exit
webvpn context Test
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 virtual-template 1
 max-users 1000
 inservice
 secondary-color white
 title-color #FF9900
 text-color black
 policy group policy_1
  svc split include 10.106.44.0 255.255.255.0
  svc keep-client-installed
  functions svc-enabled
  svc address-pool IP_Pool netmask 255.255.255.255
  svc default-domain cisco.com
  svc dns-server primary 10.106.44.10
  svc wins-server primary 10.106.44.12
  exit
 default-group-policy policy_1
 exit
! IP address / user account command
username user1 privilege 1 secret 0 *********
Note: If you receive an error message, the SSL VPN license might be incorrect.
Complete these steps in order to correct a license issue:
1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click SSL VPN Manager and then click the Edit SSL VPN tab in the right-hand side.
3. Highlight your newly created context and click the Edit button.
4. In the Maximum Number of Users field, enter the correct number of users for your license.
5. Click OK, and then click Deliver.
The commands are written to the configuration file.
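The split-tunneling rule from Step 5 can be checked against the delivered policy group. The Python below is an added example, not part of the Cisco document or of CCP; the function names are hypothetical, and the sample is the policy group from the commands above with ASCII hyphens. It decides per destination whether traffic enters the tunnel, and flags DNS or WINS servers pushed to the client that fall outside every split-include network.

```python
import ipaddress
import re

# Policy group as delivered by CCP above, embedded so the example runs offline.
POLICY = """\
webvpn context Test
 policy group policy_1
   functions svc-enabled
   svc address-pool "IP_Pool" netmask 255.255.255.255
   svc split include 10.106.44.0 255.255.255.0
   svc dns-server primary 10.106.44.10
   svc wins-server primary 10.106.44.12
"""


def split_includes(config):
    """Networks named by 'svc split include <net> <mask>' lines."""
    pairs = re.findall(r"svc split include (\S+) (\S+)", config)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in pairs]


def pushed_servers(config):
    """Primary DNS/WINS server addresses pushed to the client."""
    found = re.findall(r"svc (dns|wins)-server primary (\S+)", config)
    return {kind: ipaddress.ip_address(addr) for kind, addr in found}


def route_for(dest, includes):
    """'tunnel' if dest matches a split-include network, else 'direct'."""
    ip = ipaddress.ip_address(dest)
    return "tunnel" if any(ip in net for net in includes) else "direct"


def servers_outside_tunnel(config):
    """Server kinds whose address no split-include network covers."""
    includes = split_includes(config)
    return sorted(
        kind
        for kind, addr in pushed_servers(config).items()
        if not any(addr in net for net in includes)
    )


if __name__ == "__main__":
    nets = split_includes(POLICY)
    # Destinations are constructed sample values.
    for dest in ("10.106.44.10", "10.106.45.1", "198.51.100.7"):
        print(f"{dest:15} -> {route_for(dest, nets)}")
    print("servers outside tunnel:", servers_outside_tunnel(POLICY))
```

With the values on this page both name servers sit inside 10.106.44.0/24, so client lookups for corporate names stay in the tunnel; only that /24 is protected and everything else leaves the client unencrypted.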
CLI Configuration
CCP creates these command-line configurations:
Router#show running-config
Building configuration...
Current configuration : 3590 bytes
!
! Last configuration change at 06:30:34 UTC Sat Nov 29 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1878971148
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1878971148
 revocation-check none
 rsakeypair TP-self-signed-1878971148
!
!
crypto pki certificate chain TP-self-signed-1878971148
 certificate self-signed 01
quit
!
!
license udi pid CISCO2811 sn FHK1404F3X2
username username privilege 15 secret 5 $1$hPnV$zwQ6MMwLA7HUC/NJRCMyt1
username user1 secret 5 $1$X3Vu$h5/xHipon7Fym16G2SCrz1
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
!
ip local pool IP_Pool 192.168.1.10 192.168.1.15
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 10.105.130.149 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1878971148
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
 !
webvpn context Test
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "IP_Pool" netmask 255.255.255.255
   svc default-domain "cisco.com"
   svc keep-client-installed
   svc split include 10.106.44.0 255.255.255.0
   svc dns-server primary 10.106.44.10
   svc wins-server primary 10.106.44.12
 virtual-template 1
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end
Router#sh run int Virtual-Access2
Building configuration...
Current configuration : 104 bytes
!
interface Virtual-Access2
 description ***Internally created by SSLVPN context Test***
 mtu 1406
end
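The running configuration above leaves several management-plane settings at lab defaults. The Python audit below is an added example, not part of the Cisco document or of CCP: the rule identifiers and the indentation-based section parser are assumptions of this example, and the sample is an excerpt of the configuration above with the password hash replaced by a placeholder.

```python
import re

# Excerpt of the running-config shown above (ASCII hyphens, hash replaced by a
# placeholder), embedded so the example runs offline.
RUNNING_CONFIG = """\
no service password-encryption
ip source-route
crypto pki trustpoint TP-self-signed-1878971148
 enrollment selfsigned
 revocation-check none
username username privilege 15 secret 5 <hash-placeholder>
ip http server
ip http authentication local
ip http secure-server
line vty 0 4
 transport input all
webvpn gateway gateway_1
 ip address 10.105.130.149 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1878971148
 inservice
"""


def parse_sections(text):
    """Map each top-level command to its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(text):
    """Return (rule_id, detail) findings; rule ids are this example's own."""
    sections = parse_sections(text)
    findings = []
    if "ip http server" in sections:
        findings.append(("HTTP-PLAIN", "cleartext HTTP management server is enabled"))
    if "ip source-route" in sections:
        findings.append(("SOURCE-ROUTE", "IP source routing is enabled"))
    for head, body in sections.items():
        if not head.startswith("line vty"):
            continue
        for cmd in body:
            m = re.fullmatch(r"transport input (.+)", cmd)
            if m and {"all", "telnet"} & set(m.group(1).split()):
                findings.append(("VTY-TELNET", f"{head}: '{cmd}' accepts Telnet"))
    # Trustpoints whose certificate the router signed itself.
    self_signed = {
        head.split()[-1]
        for head, body in sections.items()
        if head.startswith("crypto pki trustpoint ") and "enrollment selfsigned" in body
    }
    for head, body in sections.items():
        if not head.startswith("webvpn gateway "):
            continue
        for cmd in body:
            if cmd.startswith("ssl trustpoint ") and cmd.split()[-1] in self_signed:
                findings.append(
                    ("GW-SELFSIGNED", f"{head} presents self-signed {cmd.split()[-1]}")
                )
    return findings


if __name__ == "__main__":
    for rule, detail in audit(RUNNING_CONFIG):
        print(f"{rule:14} {detail}")
```

The parser relies on the leading-space indentation that show running-config emits, so feed it the router's output directly rather than text whose indentation has been stripped.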
Establish the AnyConnect VPN Client Connection
Complete these steps in order to establish an AnyConnect VPN connection with the router.
Note: Add a router to the list of trusted sites in Internet Explorer. For more information, refer to Adding a
Security Appliance/Router to the List of Trusted Sites (IE).
1. Enter the URL or IP address of the router WebVPN interface in your web browser in the format as
shown.
https://<url>
OR
https://<IP address of the Router WebVPN interface>
2. Enter your user name and password.
3. Click Start in order to initiate the Anyconnect VPN Tunnel Connection.
This window appears before the SSL VPN connection is established.
Note: ActiveX software must be installed on your computer before you download the Anyconnect
VPN.
4. Once the connection is successfully established, click the Statistics tab.
The Statistics tab displays information about the SSL connection.
The Statistics Details dialog box displays detailed connection statistical information, which includes
the tunnel state and mode, the duration of the connection, the number of bytes and frames sent and
received, address information, transport information, and the Cisco Secure Desktop posture
assessment status. The Reset button on this tab resets the transmission statistics. The Export Stats
button allows you to export the current statistics, interface, and routing table to a text file. The
AnyConnect client prompts you for a name and location for the text file. The default name
is AnyConnect-ExportedStats.txt and the default location is on the desktop.
5. Check the route details (based on split tunnel configuration) under the Route Details tab.
6. In the Cisco AnyConnect VPN Client dialog box, click the About tab in order to display the Cisco
AnyConnect VPN Client Version information.
Verify
Use this section in order to confirm that your configuration works properly.
Commands
Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use
the OIT to view an analysis of show command output.
Several show commands are associated with WebVPN. You can execute these commands at the CLI in order
to show statistics and other information. For detailed information about show commands, refer to Verifying
WebVPN Configuration.
show webvpn session context all
Router#show webvpn session context all
WebVPN context name: Test
Client_Login_Name  Client_IP_Address  No_of_Connections  Created   Last_Used
user1              10.106.42.10       1                  00:01:22  00:00:01
show webvpn session user user1 context Test
Router#show webvpn session user user1 context Test detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160
Username          : user1                Num Connection : 1
Public IP         : 10.106.42.10         VRF Name       : None
Context           : Test                 Policy Group   : policy_1
Last-Used         : 00:00:00             Created        : *06:33:24.505 UTC Sat Nov 29 2014
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 10.106.44.10         WINS primary s : 10.106.44.12
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : IP_Pool              MTU Size       : 1199
Rekey Time        : 3600                 Rekey Method   :
Lease Duration    : 43200
Tunnel IP         : 192.168.1.10         Netmask        : 255.255.255.255
Rx IP Packets     : 0                    Tx IP Packets  : 617
CSTP Started      : 00:01:22             Last-Received  : 00:00:00
CSTP DPD-Req sent : 0                    Virtual Access : 2
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled
Msie-Exception    :
Split Include     : 10.106.44.0 255.255.255.0
Client Ports      : 60304
Detail Session Statistics for User:: user1
----------------------------------
CSTP Statistics::
Rx CSTP Frames    : 618                  Tx CSTP Frames    : 0
Rx CSTP Bytes     : 46113                Tx CSTP Bytes     : 0
Rx CSTP Data Fr   : 617                  Tx CSTP Data Fr   : 0
Rx CSTP CNTL Fr   : 1                    Tx CSTP CNTL Fr   : 0
Rx CSTP DPD Req   : 0                    Tx CSTP DPD Req   : 0
Rx CSTP DPD Res   : 0                    Tx CSTP DPD Res   : 0
Rx Addr Renew Req : 0                    Tx Address Renew  : 0
Rx CDTP Frames    : 0                    Tx CDTP Frames    : 0
Rx CDTP Bytes     : 0                    Tx CDTP Bytes     : 0
Rx CDTP Data Fr   : 0                    Tx CDTP Data Fr   : 0
Rx CDTP CNTL Fr   : 0                    Tx CDTP CNTL Fr   : 0
Rx CDTP DPD Req   : 0                    Tx CSTP DPD Req   : 0
Rx CDTP DPD Res   : 0                    Tx CDTP DPD Res   : 0
Rx IP Packets     : 0                    Tx IP Packets     : 617
Rx IP Bytes       : 0                    Tx IP Bytes       : 41122
CEF Statistics::
Rx CSTP Data Fr   : 0                    Tx CSTP Data Fr   : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes     : 0
show webvpn stats
Router#show webvpn stats
User session statistics:
    Active user sessions     : 1          AAA pending reqs         : 0
    Peak user sessions       : 1          Peak time                : 00:02:29
    Active user TCP conns    : 1          Terminated user sessions : 0
    Session alloc failures   : 0          Authentication failures  : 0
    VPN session timeout      : 0          VPN idle timeout         : 0
    User cleared VPN sessions: 0          Exceeded ctx user limit  : 0
    Exceeded total user limit: 0
    Client process rcvd pkts : 57         Server process rcvd pkts : 0
    Client process sent pkts : 8134       Server process sent pkts : 0
    Client CEF received pkts : 664        Server CEF received pkts : 0
    Client CEF rcv punt pkts : 29         Server CEF rcv punt pkts : 0
    Client CEF sent pkts     : 0          Server CEF sent pkts     : 0
    Client CEF sent punt pkts: 0          Server CEF sent punt pkts: 0
    SSLVPN appl bufs inuse   : 0          SSLVPN eng  bufs inuse   : 0
    Active server TCP conns  : 0
Mangling statistics:
    Relative urls            : 0          Absolute urls            : 0
    Non-http(s) absolute urls: 0          Non-standard path urls   : 0
    Interesting tags         : 0          Uninteresting tags       : 0
    Interesting attributes   : 0          Uninteresting attributes : 0
    Embedded script statement: 0          Embedded style statement : 0
    Inline scripts           : 0          Inline styles            : 0
    HTML comments            : 0          HTTP/1.0 requests        : 0
    HTTP/1.1 requests        : 3          Unknown HTTP version     : 0
    GET requests             : 3          POST requests            : 0
    CONNECT requests         : 0          Other request methods    : 0
    Through requests         : 0          Gateway requests         : 3
    Pipelined requests       : 0          Req with header size >1K : 0
    Processed req hdr bytes  : 844        Processed req body bytes : 0
    HTTP/1.0 responses       : 0          HTTP/1.1 responses       : 0
    HTML responses           : 0          CSS responses            : 0
    XML responses            : 0          JS responses             : 0
    Other content type resp  : 0          Chunked encoding resp    : 0
    Resp with encoded content: 0          Resp with content length : 0
    Close after response     : 0          Resp with header size >1K: 0
    Processed resp hdr size  : 0          Processed resp body bytes: 0
    Backend https response   : 0          Chunked encoding requests: 0
HTTP Authentication stats :
    Successful NTLM Auth     : 0          Failed NTLM Auth         : 0
    Successful Basic Auth    : 0          Failed Basic Auth        : 0
    Unsupported Auth         : 0          Unsup Basic HTTP Method  : 0
    NTLM srv kp alive disabld: 0          NTLM Negotiation Error   : 0
    Oversize NTLM Type3 cred : 0          Internal Error           : 0
    Num 401 responses        : 0          Num non-401 responses    : 0
    Num Basic forms served   : 0          Num NTLM forms served    : 0
    Num Basic Auth sent      : 0          Num NTLM Auth sent       : 0
CIFS statistics:
  SMB related Per Context:
    TCP VC's                 : 0          UDP VC's                 : 0
    Active VC's              : 0          Active Contexts          : 0
    Aborted Conns            : 0
  NetBIOS related Per Context:
    Name Queries             : 0          Name Replies             : 0
    NB DGM Requests          : 0          NB DGM Replies           : 0
    NB TCP Connect Fails     : 0          NB Name Resolution Fails : 0
  SMB related Global:
    Sessions in use          : 0          Mbufs in use             : 0
    Mbuf Chains in use       : 0          Active VC's              : 0
    Active Contexts          : 0          Browse Errors            : 0
    Empty Browser List       : 0          NetServEnum Errors       : 0
    Empty Server List        : 0          NBNS Config Errors       : 0
    NetShareEnum Errors      : 0
  HTTP related Per Context:
    Requests                 : 0          Request Bytes RX         : 0
    Request Packets RX       : 0          Response Bytes TX        : 0
    Response Packets TX      : 0          Active Connections       : 0
    Active CIFS context      : 0          Requests Dropped         : 0
  HTTP related Global:
    Server User data         : 0          CIFS User data           : 0
    Net Handles              : 0          Active CIFS context      : 0
    Authentication Fails     : 0          Operations Aborted       : 0
    Timers Expired           : 0          Pending Close            : 0
    Net Handles Pending SMB  : 0          File Open Fails          : 0
    Browse Network Ops       : 0          Browse Network Fails     : 0
    Browse Domain Ops        : 0          Browse Domain Fails      : 0
    Browse Server Ops        : 0          Browse Server Fails      : 0
    Browse Share Ops         : 0          Browse Share Fails       : 0
    Browse Dir Ops           : 0          Browse Network Fails     : 0
    File Read Ops            : 0          File Read Fails          : 0
    File Write Ops           : 0          File Write Fails         : 0
    Folder Create Ops        : 0          Folder Create Fails      : 0
    File Delete Ops          : 0          File Delete Fails        : 0
    File Rename Ops          : 0          File Rename Fails        : 0
    URL List Access OK       : 0          URL List Access Fails    : 0
Socket statistics:
    Sockets in use           : 1          Sock Usr Blocks in use   : 1
    Sock Data Buffers in use : 0          Sock Buf desc in use     : 0
    Select timers in use     : 1          Sock Select Timeouts     : 0
    Sock Tx Blocked          : 150        Sock Tx Unblocked        : 150
    Sock Rx Blocked          : 0          Sock Rx Unblocked        : 0
    Sock UDP Connects        : 0          Sock UDP Disconnects     : 0
    Sock Premature Close     : 0          Sock Pipe Errors         : 13
    Sock Select Timeout Errs : 0
Smart Tunnel statistics:
  Client                                Server
    proc pkts                : 0          proc pkts                : 0
    proc bytes               : 0          proc bytes               : 0
    cef  pkts                : 0          cef  pkts                : 0
    cef  bytes               : 0          cef  bytes               : 0
Port Forward statistics:
  Client                                Server
    proc pkts                : 0          proc pkts                : 0
    proc bytes               : 0          proc bytes               : 0
    cef  pkts                : 0          cef  pkts                : 0
    cef  bytes               : 0          cef  bytes               : 0
WEBVPN Citrix statistics:
                  Server       Client
    Packets in  : 0            0
    Packets out : 0            0
    Bytes in    : 0            0
    Bytes out   : 0            0
ACL statistics:
    Permit web request       : 0          Deny web request         : 0
    Permit cifs request      : 0          Deny cifs request        : 0
    Permit without ACL       : 0          Deny without match ACL   : 0
    Permit with match ACL    : 0          Deny with match ACL      : 0
Single Sign On statistics:
    Auth Requests            : 0          Pending Auth Requests    : 0
    Successful Requests      : 0          Failed Requests          : 0
    Retranmissions           : 0          DNS Errors               : 0
    Connection Errors        : 0          Request Timeouts         : 0
    Unknown Responses        : 0
URL-rewrite splitter statistics:
    Direct access request    : 0          Redirect request         : 0
    Internal request         : 0
Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 1          Peak time                : 00:01:44
    Connect succeed          : 2          Connect failed           : 0
    Reconnect succeed        : 1          Reconnect failed         : 0
    DPD timeout              : 0
  Client
    in  CSTP frames          : 671        in  CSTP control         : 1
    in  CSTP data            : 670        in  CSTP bytes           : 50002
    out CSTP frames          : 0          out CSTP control         : 0
    out CSTP data            : 0          out CSTP bytes           : 0
    in  CDTP frames          : 0          in  CDTP control         : 0
    in  CDTP data            : 0          in  CDTP bytes           : 0
    out CDTP frames          : 0          out CDTP control         : 0
    out CDTP data            : 0          out CDTP bytes           : 0
    cef in  CSTP data frames : 0          cef in  CSTP data bytes  : 0
    cef out CSTP data frames : 0          cef out CSTP data bytes  : 0
    cef in  CDTP data frames : 0          cef in  CDTP data bytes  : 0
    cef out CDTP data frames : 0          cef out CDTP data bytes  : 0
  Server
    In  IP pkts              : 0          In  IP bytes             : 0
    Out IP pkts              : 670        Out IP bytes             : 44587
In CCP, choose Monitoring > Security > VPN Status > SSL VPN (All Contexts) in order to view the current
SSL VPN user lists in the router.
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
Troubleshooting Commands
Several clear commands are associated with WebVPN. For detailed information about these commands, refer
to Using WebVPN Clear Commands.
Several debug commands are associated with WebVPN. For detailed information about these commands,
refer to Using WebVPN Debug Commands.
Note: The use of debug commands can adversely impact your Cisco device. Before you
use debug commands, refer to Important Information on Debug Commands.
Related Information
• Cisco IOS SSLVPN
• AnyConnect VPN Client FAQ
• Cisco AnyConnect VPN Client Administrator Guide
• SSL VPN - WebVPN
• Clientless SSL VPN (WebVPN) on Cisco IOS with SDM Configuration Example
• Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM
• WebVPN and DMVPN Convergence Deployment Guide
• Technical Support & Documentation - Cisco Systems
Updated: Jan 12, 2015
Document ID: 110608