AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example

Document ID: 110608

Contributed by Bratin Saha and Rahul Govindan, Cisco TAC Engineers.

Jan 12, 2015

Contents

Introduction
Prerequisites
    Requirements
    Components Used
Configure
    Network Diagram
    Preconfiguration Tasks
    Configurations
    Step 1: Set up the CCP and Discover the Cisco IOS Router
    Step 2: Install and Enable the Anyconnect VPN Software on the IOS Router
    Step 3: Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard
    Step 4: Configure the User Database for Anyconnect VPN Users
    Step 5. Configure the Anyconnect Tunnel
    CLI Configuration
Establish the AnyConnect VPN Client Connection
Verify
    Commands
    show webvpn session context all
    show webvpn session user user1 context Test
    show webvpn stats
Troubleshoot
    Troubleshooting Commands
Related Information

Introduction

This document describes how to set up a Cisco IOS® router to perform Secure Sockets Layer (SSL) VPN on a stick with Cisco AnyConnect VPN client using Cisco Configuration Professional (CCP). This setup applies to a specific case where AnyConnect on the Router is configured with split tunneling, and it allows the client secure access to corporate resources and also provides unsecured access to the Internet.

SSL VPN or WebVPN technology is supported on most router platforms such as the Integrated Services Router (ISR) Generation 1 and Generation 2 (refer to ISR Products for the list of ISR products). Customers are advised to refer to the feature navigator guide in order to obtain a complete list of Cisco IOS platforms that support the AnyConnect VPN (SSL) client (or any other feature/technology for that matter). This information is available in the Feature Navigator.

CCP is a GUI-based device management tool that allows you to configure Cisco IOS-based access routers. CCP is installed on a PC and simplifies router, security, unified communications, wireless, WAN, and basic LAN configurations through GUI-based, easy-to-use wizards.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

• Suitable client operating system. Refer to the AnyConnect Release Notes for the supported operating systems.
• Web Browser with SUN JRE Version 1.4 or later or an ActiveX controlled browser
• Local administrative privileges on the client
• Cisco IOS Router with Advanced Security image - 12.4(20)T or later
• Cisco Configuration Professional Version 1.3 or later

If the Cisco Configuration Professional is not already loaded on your computer, you can obtain a free copy of the software and install the .exe (cisco-config-pro-k9-pkg-2_8-en.zip) file from Software Download. For detailed information on the installation and configuration of CCP, refer to Cisco Configuration Professional Quick Start Guide.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco IOS Series CISCO2811 Router with Software Version 15.1(4)M8
• CCP Version 2.8
• Cisco AnyConnect SSL VPN Client Version for Windows 3.1.05160

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Network Diagram

This document uses this network setup:

Preconfiguration Tasks

1. Configure the router for CCP. Routers with the appropriate security bundle license already have the CCP application loaded in the Flash. Refer to Cisco Configuration Professional Quick Start Guide in order to obtain and configure the software.
2. Download a copy of the Anyconnect VPN .pkg file to your management PC.

Configurations

In this section, you are presented with the steps necessary in order to configure the features described in this document. This example configuration uses the CCP Wizard in order to enable the operation of the Anyconnect VPN on the IOS router.

Complete these steps in order to configure Anyconnect VPN on the Cisco IOS router:

1. Set up the CCP and discover the Cisco IOS router.
2. Install and enable the Anyconnect VPN Software on the Cisco IOS Router.
3. Configure a SSL VPN Context and SSL VPN Gateway with the CCP Wizard.
4. Configure the User Database for Anyconnect VPN Users.
5. Configure the AnyConnect Full Tunnel.

Each of these steps is described in more detail in the next sections of this document.

Step 1: Set up the CCP and Discover the Cisco IOS Router

1. Click Router Status on the CCP window in order to view the router device information.
2. Click Configure in order to begin the configuration.

Step 2: Install and Enable the Anyconnect VPN Software on the IOS Router

Complete these steps in order to install and enable the Anyconnect VPN software on the IOS router:

1. Open the CCP application, navigate to Configure > Security, and then click VPN.
2. Expand SSLVPN, and choose Packages.
   Ensure that the SSL VPN Feature license is installed on the device, otherwise you might get the warning shown in the previous image. Refer to the Feature License link in order to view the Ordering Information section.
3. In the Cisco SSLVPN client software, click Browse. The Select SVC location dialog box appears.
4. Specify the location of the Cisco Anyconnect VPN client image (choose either of the two options available).
   ♦ If the Cisco Anyconnect VPN client image is in the router flash, click the Router File System radio button, and click Browse.
   ♦ If the Cisco Anyconnect VPN client image is not in the router flash, click the My Computer radio button, and click Browse.
5. Select the client image that you want to install and click OK.
6. Once you specify the location of the client image, click Install.
7. Click Yes and then click OK.
8. Once the client image is successfully installed, you receive the success message. Click OK in order to continue.
9.
   Once installed, view the installed package details under Security > VPN > SSL VPN > Packages.

Step 3: Configure a SSLVPN Context and SSLVPN Gateway with the CCP Wizard

Complete these steps in order to configure a SSL VPN context and the SSL VPN gateway:

1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click the SSL VPN Manager and then click the Create SSL VPN tab.
3. Follow the prompts in order to enable Authentication, Authorization, and Accounting (AAA) if it is not already enabled.
4. Check the Create a New SSL VPN radio button and then click Launch the selected task. The SSL VPN Wizard dialog box appears.
5. Click Next.
   Note: If the SSL VPN is configured under the interface through which Cisco CP is invoked, it might cause Cisco CP to disconnect from the router. As a better practice, you can access the Cisco IOS router via CCP from the internal interface (in this example, 10.106.44.141) or any other interface, while the SSL VPN is configured under the external interface FastEthernet0/0 (in this example, 10.105.130.149).
6. Enter the IP address of the new SSL VPN gateway and enter a unique name for this SSL VPN context.
   You can create different SSL VPN contexts for the same IP address (SSL VPN gateway), but each name must be unique. This example uses this IP address: https://10.105.130.149/
7. Click Next, and continue to the next section.

Step 4: Configure the User Database for Anyconnect VPN Users

For authentication, you can use an AAA Server, local users, or both. This configuration example uses locally-created users for authentication.

Complete these steps in order to configure the user database for Anyconnect VPN users:

1. After you complete Step 3, click the Locally on this router radio button located in the SSL VPN Wizard User Authentication dialog box. This dialog box allows you to add users to the local database.
2. Click Add and enter user information.
3. Click OK and add additional users as necessary.
4.
   After you add the necessary users, click Next, and continue to the next section.

Step 5. Configure the Anyconnect Tunnel

Complete these steps in order to configure the Anyconnect tunnel and pool of IP addresses for the users:

1. Because Anyconnect provides direct access to corporate intranet resources, you do not need to configure the URL list. Click the Next button located in the Configure Intranet Websites dialog box.
2. Verify that the Enable Full Tunnel check box is checked.
3. Create a pool of IP addresses that clients of this SSL VPN context can use. The pool of addresses must correspond to addresses available and routable on your intranet.
4. Click the ellipses (...) next to the IP Address Pool field, and choose Create a new IP Pool.
5. In the Add IP Local Pool dialog box, enter a name for the pool (for example, new), and click Add.
6. In the Add IP address range dialog box, enter the address pool range for the Anyconnect VPN clients and click OK.
   Note: Before Version 12.4(20)T, the IP address pool should be in a range of an interface directly connected to the router. If you want to use a different pool range, you can create a loopback address associated with your new pool in order to satisfy this requirement.
7. Click OK.
8. Configure advanced tunnel options, such as split tunneling, split DNS, browser proxy settings, and Domain Name System (DNS) and Windows Internet Name Service (WINS) servers.
   Note: Cisco recommends that you configure at least DNS and WINS servers.
   Complete these steps in order to configure advanced tunnel options, such as split tunneling:
   a. Click the Advanced Tunnel Options button.
   b. Click the DNS and WINS Servers tab and enter the primary IP addresses for the DNS and WINS servers.
   c. Click the Split Tunneling tab in order to configure split tunneling.
      The ability to transmit both secured and unsecured traffic on the same interface is known as split tunneling.
      Split tunneling requires that you specify exactly which traffic is secured and what the destination of that traffic is, so that only the specified traffic enters the tunnel while the rest is transmitted unencrypted across the public network (Internet).
      In the example, split tunnel is configured in order to include traffic.
9. After you configure the necessary options, click Next. Choose the appropriate SSL VPN Tunnel Interface option and click Next.
10. Customize the SSL VPN Portal Page or select the default values. The Customize SSL VPN Portal Page allows you to customize how the SSL VPN Portal Page appears to your customers.
11. After you customize the SSL VPN portal page, click Next.
12. Click Finish.
13. Click Deliver in order to save your configuration and then click OK.

The SSL VPN Wizard submits your commands to the router. Basically these are the commands that are delivered from CCP to the router:

AAA commands:

aaa new-model
aaa authorization exec default local
aaa authentication login default local
line vty 0 4
login authentication default
authorization exec default
exit

Remaining commands:

aaa authentication login ciscocp_vpn_xauth_ml_1 local
ip local pool IP_Pool 192.168.1.10 192.168.1.15
interface Virtual-Template1
exit
default interface Virtual-Template1
interface Virtual-Template1
no shutdown
ip unnumbered FastEthernet0/0
exit
webvpn gateway gateway_1
ip address 10.105.130.149 port 443
http-redirect port 80
inservice
ssl trustpoint TP-self-signed-1878971148
exit
webvpn context Test
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
virtual-template 1
max-users 1000
inservice
secondary-color white
title-color #FF9900
text-color black
policy group policy_1
svc split include 10.106.44.0 255.255.255.0
svc keep-client-installed
functions svc-enabled
svc address-pool IP_Pool netmask 255.255.255.255
svc default-domain cisco.com
svc dns-server primary 10.106.44.10
svc wins-server primary 10.106.44.12
exit
default-group-policy policy_1
exit
! IP address / user account command
username user1 privilege 1 secret 0 *********

Note: If you receive an error message, the SSL VPN license might be incorrect.

Complete these steps in order to correct a license issue:

1. Go to Configure > Security > VPN, and then click SSL VPN.
2. Click SSL VPN Manager and then click the Edit SSL VPN tab in the right-hand side.
3. Highlight your newly created context and click the Edit button.
4. In the Maximum Number of Users field, enter the correct number of users for your license.
5. Click OK, and then click Deliver. The commands are written to the configuration file.

CLI Configuration

CCP creates these command-line configurations:

Router#show running-config
Building configuration...

Current configuration : 3590 bytes
!
! Last configuration change at 06:30:34 UTC Sat Nov 29 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1878971148
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1878971148
 revocation-check none
 rsakeypair TP-self-signed-1878971148
!
!
crypto pki certificate chain TP-self-signed-1878971148
 certificate self-signed 01
  ...
  quit
!
!
license udi pid CISCO2811 sn FHK1404F3X2
username username privilege 15 secret 5 $1$hPnV$zwQ6MMwLA7HUC/NJRCMyt1
username user1 secret 5 $1$X3Vu$h5/xHipon7Fym16G2SCrz1
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
!
ip local pool IP_Pool 192.168.1.10 192.168.1.15
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 10.105.130.149 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1878971148
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
 !
webvpn context Test
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "IP_Pool" netmask 255.255.255.255
   svc default-domain "cisco.com"
   svc keep-client-installed
   svc split include 10.106.44.0 255.255.255.0
   svc dns-server primary 10.106.44.10
   svc wins-server primary 10.106.44.12
 virtual-template 1
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end

Router#sh run int Virtual-Access2
Building configuration...

Current configuration : 104 bytes
!
interface Virtual-Access2
 description ***Internally created by SSLVPN context Test***
 mtu 1406
end

Establish the AnyConnect VPN Client Connection

Complete these steps in order to establish an AnyConnect VPN connection with the router.

Note: Add a router to the list of trusted sites in Internet Explorer. For more information, refer to Adding a Security Appliance/Router to the List of Trusted Sites (IE).

1. Enter the URL or IP address of the router WebVPN interface in your web browser in the format as shown.

   https://<url>
   OR
   https://<IP address of the Router WebVPN interface>

2. Enter your user name and password.
3. Click Start in order to initiate the Anyconnect VPN Tunnel Connection.
   This window appears before the SSL VPN connection is established.
   Note: ActiveX software must be installed on your computer before you download the Anyconnect VPN.
4. Once the connection is successfully established, click the Statistics tab.
   The Statistics tab displays information about the SSL connection.
   The Statistics Details dialog box displays detailed connection statistical information, which includes the tunnel state and mode, the duration of the connection, the number of bytes and frames sent and received, address information, transport information, and the Cisco Secure Desktop posture assessment status. The Reset button on this tab resets the transmission statistics. The Export Stats button allows you to export the current statistics, interface, and routing table to a text file. The AnyConnect client prompts you for a name and location for the text file. The default name is AnyConnect-ExportedStats.txt and the default location is on the desktop.
5. Check the route details (based on split tunnel configuration) under the Route Details tab.
6. In the Cisco AnyConnect VPN Client dialog box, click the About tab in order to display the Cisco AnyConnect VPN Client Version information.

Verify

Use this section in order to confirm that your configuration works properly.

Commands

Note: The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Several show commands are associated with WebVPN. You can execute these commands at the CLI in order to show statistics and other information. For detailed information about show commands, refer to Verifying WebVPN Configuration.
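
The split-tunnel check that this section performs by eye can also be scripted. The following is an added example, not part of the original Cisco document: it parses the svc split, name-server and ip local pool lines from the configuration on this page, decides which destinations enter the tunnel, and compares the policy with the Tunnel IP and Split Include fields of the show webvpn session ... detail output. The function names are hypothetical, and the example goes slightly beyond the page by also handling svc split exclude and the no-split (full tunnel) case, which it assumes are alternatives to an include list.

```python
import ipaddress
import re

# Constructed sample input: lines taken from the CLI configuration on this page.
SAMPLE_CONFIG = """\
ip local pool IP_Pool 192.168.1.10 192.168.1.15
webvpn context Test
 policy group policy_1
   functions svc-enabled
   svc address-pool "IP_Pool" netmask 255.255.255.255
   svc split include 10.106.44.0 255.255.255.0
   svc dns-server primary 10.106.44.10
   svc wins-server primary 10.106.44.12
"""

# Constructed sample input: two fields from the session detail output on this page.
SAMPLE_SESSION = """\
Tunnel IP         : 192.168.1.10         Netmask        : 255.255.255.255
Split Include     : 10.106.44.0 255.255.255.0
"""

SPLIT_RE = re.compile(r"^\s*svc split (include|exclude) (\S+) (\S+)\s*$")
SERVER_RE = re.compile(r"^\s*svc (dns|wins)-server (?:primary|secondary) (\S+)\s*$")
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+) (\S+)\s*$")


def parse_policy(config_text):
    """Collect split-tunnel networks, name servers and address pools (hypothetical helper)."""
    policy = {"include": [], "exclude": [], "servers": [], "pools": {}}
    for line in config_text.splitlines():
        m = SPLIT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            policy[m.group(1)].append(net)
            continue
        m = SERVER_RE.match(line)
        if m:
            policy["servers"].append((m.group(1), ipaddress.ip_address(m.group(2))))
            continue
        m = POOL_RE.match(line)
        if m:
            policy["pools"][m.group(1)] = (
                ipaddress.ip_address(m.group(2)),
                ipaddress.ip_address(m.group(3)),
            )
    return policy


def is_tunneled(policy, destination):
    """True if traffic to destination enters the tunnel, False if it leaves unencrypted."""
    dest = ipaddress.ip_address(destination)
    if policy["include"]:  # only the listed networks are secured
        return any(dest in net for net in policy["include"])
    if policy["exclude"]:  # assumption: everything except the listed networks is secured
        return not any(dest in net for net in policy["exclude"])
    return True  # no split statements: full tunnel


def audit_policy(policy):
    """Flag DNS/WINS servers pushed to the client that the split list leaves outside the tunnel."""
    return [
        f"{kind} server {addr} is not reachable through the tunnel"
        for kind, addr in policy["servers"]
        if not is_tunneled(policy, addr)
    ]


def check_session(policy, pool_name, session_text):
    """Compare a live session's Tunnel IP and Split Include fields with the configuration."""
    findings = []
    start, end = policy["pools"][pool_name]
    m = re.search(r"Tunnel IP\s*:\s*(\S+)", session_text)
    tunnel_ip = ipaddress.ip_address(m.group(1)) if m else None
    if tunnel_ip is None or not (start <= tunnel_ip <= end):
        findings.append(f"tunnel IP {tunnel_ip} is not in pool {pool_name}")
    pushed = {
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in re.findall(r"Split Include\s*:\s*(\S+) (\S+)", session_text)
    }
    if pushed != set(policy["include"]):
        findings.append("split-include list in the session differs from the configuration")
    return findings
```

With the values on this page both audit_policy and check_session return an empty list: the DNS and WINS servers sit inside 10.106.44.0/24, and the client's tunnel address comes from IP_Pool.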

show webvpn session context all

Router#show webvpn session context all
WebVPN context name: Test
Client_Login_Name  Client_IP_Address  No_of_Connections  Created   Last_Used
user1              10.106.42.10       1                  00:01:22  00:00:01

show webvpn session user user1 context Test

Router#show webvpn session user user1 context Test detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160

Username          : user1                Num Connection : 1
Public IP         : 10.106.42.10         VRF Name       : None
Context           : Test                 Policy Group   : policy_1
Last-Used         : 00:00:00             Created        : *06:33:24.505 UTC Sat Nov 29 2014
Session Timeout   : Disabled             Idle Timeout   : 2100
DNS primary serve : 10.106.44.10         WINS primary s : 10.106.44.12
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : IP_Pool              MTU Size       : 1199
Rekey Time        : 3600                 Rekey Method   :
Lease Duration    : 43200
Tunnel IP         : 192.168.1.10         Netmask        : 255.255.255.255
Rx IP Packets     : 0                    Tx IP Packets  : 617
CSTP Started      : 00:01:22             Last-Received  : 00:00:00
CSTP DPD-Req sent : 0                    Virtual Access : 2
Msie-ProxyServer  : None                 Msie-PxyPolicy : Disabled
Msie-Exception    :
Split Include     : 10.106.44.0 255.255.255.0
Client Ports      : 60304

Detail Session Statistics for User:: user1
----------------------------------

CSTP Statistics::
Rx CSTP Frames    : 618                  Tx CSTP Frames   : 0
Rx CSTP Bytes     : 46113                Tx CSTP Bytes    : 0
Rx CSTP Data Fr   : 617                  Tx CSTP Data Fr  : 0
Rx CSTP CNTL Fr   : 1                    Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                    Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                    Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                    Tx Address Renew : 0
Rx CDTP Frames    : 0                    Tx CDTP Frames   : 0
Rx CDTP Bytes     : 0                    Tx CDTP Bytes    : 0
Rx CDTP Data Fr   : 0                    Tx CDTP Data Fr  : 0
Rx CDTP CNTL Fr   : 0                    Tx CDTP CNTL Fr  : 0
Rx CDTP DPD Req   : 0                    Tx CSTP DPD Req  : 0
Rx CDTP DPD Res   : 0                    Tx CDTP DPD Res  : 0
Rx IP Packets     : 0                    Tx IP Packets    : 617
Rx IP Bytes       : 0                    Tx IP Bytes      : 41122

CEF Statistics::
Rx CSTP Data Fr   : 0                    Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes    : 0

show webvpn stats

Router#show webvpn stats
User session statistics:
    Active user sessions     : 1          AAA pending reqs         : 0
    Peak user sessions       : 1          Peak time                : 00:02:29
    Active user TCP conns    : 1          Terminated user sessions : 0
    Session alloc failures   : 0          Authentication failures  : 0
    VPN session timeout      : 0          VPN idle timeout         : 0
    User cleared VPN sessions: 0          Exceeded ctx user limit  : 0
    Exceeded total user limit: 0
    Client process rcvd pkts : 57         Server process rcvd pkts : 0
    Client process sent pkts : 8134       Server process sent pkts : 0
    Client CEF received pkts : 664        Server CEF received pkts : 0
    Client CEF rcv punt pkts : 29         Server CEF rcv punt pkts : 0
    Client CEF sent pkts     : 0          Server CEF sent pkts     : 0
    Client CEF sent punt pkts: 0          Server CEF sent punt pkts: 0

    SSLVPN appl bufs inuse   : 0          SSLVPN eng bufs inuse    : 0
    Active server TCP conns  : 0

Mangling statistics:
    Relative urls            : 0          Absolute urls            : 0
    Non-http(s) absolute urls: 0          Non-standard path urls   : 0
    Interesting tags         : 0          Uninteresting tags       : 0
    Interesting attributes   : 0          Uninteresting attributes : 0
    Embedded script statement: 0          Embedded style statement : 0
    Inline scripts           : 0          Inline styles            : 0
    HTML comments            : 0          HTTP/1.0 requests        : 0
    HTTP/1.1 requests        : 3          Unknown HTTP version     : 0
    GET requests             : 3          POST requests            : 0
    CONNECT requests         : 0          Other request methods    : 0
    Through requests         : 0          Gateway requests         : 3
    Pipelined requests       : 0          Req with header size >1K : 0
    Processed req hdr bytes  : 844        Processed req body bytes : 0
    HTTP/1.0 responses       : 0          HTTP/1.1 responses       : 0
    HTML responses           : 0          CSS responses            : 0
    XML responses            : 0          JS responses             : 0
    Other content type resp  : 0          Chunked encoding resp    : 0
    Resp with encoded content: 0          Resp with content length : 0
    Close after response     : 0          Resp with header size >1K: 0
    Processed resp hdr size  : 0          Processed resp body bytes: 0
    Backend https response   : 0          Chunked encoding requests: 0

HTTP Authentication stats :
    Successful NTLM Auth     : 0          Failed NTLM Auth         : 0
    Successful Basic Auth    : 0          Failed Basic Auth        : 0
    Unsupported Auth         : 0          Unsup Basic HTTP Method  : 0
    NTLM srv kp alive disabld: 0          NTLM Negotiation Error   : 0
    Oversize NTLM Type3 cred : 0          Internal Error           : 0
    Num 401 responses        : 0          Num non-401 responses    : 0
    Num Basic forms served   : 0          Num NTLM forms served    : 0
    Num Basic Auth sent      : 0          Num NTLM Auth sent       : 0

CIFS statistics:
  SMB related Per Context:
    TCP VC's                 : 0          UDP VC's                 : 0
    Active VC's              : 0          Active Contexts          : 0
    Aborted Conns            : 0
  NetBIOS related Per Context:
    Name Queries             : 0          Name Replies             : 0
    NB DGM Requests          : 0          NB DGM Replies           : 0
    NB TCP Connect Fails     : 0          NB Name Resolution Fails : 0
  SMB related Global:
    Sessions in use          : 0          Mbufs in use             : 0
    Mbuf Chains in use       : 0          Active VC's              : 0
    Active Contexts          : 0          Browse Errors            : 0
    Empty Browser List       : 0          NetServEnum Errors       : 0
    Empty Server List        : 0          NBNS Config Errors       : 0
    NetShareEnum Errors      : 0
  HTTP related Per Context:
    Requests                 : 0          Request Bytes RX         : 0
    Request Packets RX       : 0          Response Bytes TX        : 0
    Response Packets TX      : 0          Active Connections       : 0
    Active CIFS context      : 0          Requests Dropped         : 0
  HTTP related Global:
    Server User data         : 0          CIFS User data           : 0
    Net Handles              : 0          Active CIFS context      : 0
    Authentication Fails     : 0          Operations Aborted       : 0
    Timers Expired           : 0          Pending Close            : 0
    Net Handles Pending SMB  : 0          File Open Fails          : 0
    Browse Network Ops       : 0          Browse Network Fails     : 0
    Browse Domain Ops        : 0          Browse Domain Fails      : 0
    Browse Server Ops        : 0          Browse Server Fails      : 0
    Browse Share Ops         : 0          Browse Share Fails       : 0
    Browse Dir Ops           : 0          Browse Network Fails     : 0
    File Read Ops            : 0          File Read Fails          : 0
    File Write Ops           : 0          File Write Fails         : 0
    Folder Create Ops        : 0          Folder Create Fails      : 0
    File Delete Ops          : 0          File Delete Fails        : 0
    File Rename Ops          : 0          File Rename Fails        : 0
    URL List Access OK       : 0          URL List Access Fails    : 0

Socket statistics:
    Sockets in use           : 1          Sock Usr Blocks in use   : 1
    Sock Data Buffers in use : 0          Sock Buf desc in use     : 0
    Select timers in use     : 1          Sock Select Timeouts     : 0
    Sock Tx Blocked          : 150        Sock Tx Unblocked        : 150
    Sock Rx Blocked          : 0          Sock Rx Unblocked        : 0
    Sock UDP Connects        : 0          Sock UDP Disconnects     : 0
    Sock Premature Close     : 0          Sock Pipe Errors         : 13
    Sock Select Timeout Errs : 0

Smart Tunnel statistics:
    Client                                Server
      proc pkts              : 0            proc pkts              : 0
      proc bytes             : 0            proc bytes             : 0
      cef pkts               : 0            cef pkts               : 0
      cef bytes              : 0            cef bytes              : 0

Port Forward statistics:
    Client                                Server
      proc pkts              : 0            proc pkts              : 0
      proc bytes             : 0            proc bytes             : 0
      cef pkts               : 0            cef pkts               : 0
      cef bytes              : 0            cef bytes              : 0

WEBVPN Citrix statistics:
                   Server       Client
    Packets in   : 0            0
    Packets out  : 0            0
    Bytes in     : 0            0
    Bytes out    : 0            0

ACL statistics:
    Permit web request       : 0          Deny web request         : 0
    Permit cifs request      : 0          Deny cifs request        : 0
    Permit without ACL       : 0          Deny without match ACL   : 0
    Permit with match ACL    : 0          Deny with match ACL      : 0

Single Sign On statistics:
    Auth Requests            : 0          Pending Auth Requests    : 0
    Successful Requests      : 0          Failed Requests          : 0
    Retranmissions           : 0          DNS Errors               : 0
    Connection Errors        : 0          Request Timeouts         : 0
    Unknown Responses        : 0

URL-rewrite splitter statistics:
    Direct access request    : 0          Redirect request         : 0
    Internal request         : 0

Tunnel Statistics:
    Active connections       : 1
    Peak connections         : 1          Peak time                : 00:01:44
    Connect succeed          : 2          Connect failed           : 0
    Reconnect succeed        : 1          Reconnect failed         : 0
    DPD timeout              : 0
  Client
    in CSTP frames           : 671        in CSTP control          : 1
    in CSTP data             : 670        in CSTP bytes            : 50002
    out CSTP frames          : 0          out CSTP control         : 0
    out CSTP data            : 0          out CSTP bytes           : 0
    in CDTP frames           : 0          in CDTP control          : 0
    in CDTP data             : 0          in CDTP bytes            : 0
    out CDTP frames          : 0          out CDTP control         : 0
    out CDTP data            : 0          out CDTP bytes           : 0
    cef in CSTP data frames  : 0          cef in CSTP data bytes   : 0
    cef out CSTP data frames : 0          cef out CSTP data bytes  : 0
    cef in CDTP data frames  : 0          cef in CDTP data bytes   : 0
    cef out CDTP data frames : 0          cef out CDTP data bytes  : 0
  Server
    In IP pkts               : 0          In IP bytes              : 0
    Out IP pkts              : 670        Out IP bytes             : 44587

In CCP, choose Monitoring > Security > VPN Status > SSL VPN (All Contexts) in order to view the current SSL VPN user lists in the router.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Troubleshooting Commands

Several clear commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Clear Commands.

Several debug commands are associated with WebVPN. For detailed information about these commands, refer to Using WebVPN Debug Commands.

Note: The use of debug commands can adversely impact your Cisco device. Before you use debug commands, refer to Important Information on Debug Commands.

Related Information

• Cisco IOS SSLVPN
• AnyConnect VPN Client FAQ
• Cisco AnyConnect VPN Client Administrator Guide
• SSL VPN - WebVPN
• Clientless SSL VPN (WebVPN) on Cisco IOS with SDM Configuration Example
• Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM
• WebVPN and DMVPN Convergence Deployment Guide
• Technical Support & Documentation - Cisco Systems

Updated: Jan 12, 2015
Document ID: 110608