
We have a Cisco 881 router hosting an SSL webvpn gateway. This gateway is used by mobile users to connect through AnyConnect 4.4. This system was correctly configured and working perfectly. (Certificates, trustpoints, SSL gateway, SSL context, ...)

Yesterday, we made a "bad" modification in the router config. So we have reloaded the previous good configuration that was working correctly. (copy tftp start and router reloaded)

Now, AnyConnect says:

Could not connect to server. Please verify Internet connectivity and server address.

The web page https://fqdn:port is unavailable.

I've telnetted to publicip:port, no error. In the router, "show webvpn gateway SSL1" says the gateway is up and "show webvpn context SSL" also says the context is up.

What could be damaged in the router config despite a good config reload and multiple reboots?

Guy at Mercator
  • One thing that comes to mind is that you may have removed the private key of your certificate? Can you connect to the https url with a browser? Further troubleshooting tips: check anyconnect logs, wireshark capture. – hertitu Feb 03 '17 at 22:28
  • you may have removed the private key of your certificate? Answer: no – Guy at Mercator Feb 04 '17 at 13:46
  • It was nevertheless a good hint. I've reimported the RSA key pair. I've reinstalled the certificates chain. It works again. Thanks a lot. – Guy at Mercator Feb 04 '17 at 19:39
  • Glad to hear that. Please add an Answer and then accept it as solution, this way the question does not stay in the "unanswered" list. Thanks! – hertitu Feb 06 '17 at 11:27

1 Answer

As stated in the third comment above, the solution was to recreate the full certificate chain:

  • Import the RSA key pair
  • Recreate the trustpoint for this RSA key pair
  • Import CA root and intermediate certificates and recreate the corresponding trustpoints
  • Import the final SSL certificate

Not sure that the first step (normally impossible if the RSA keypair has not been previously exported or is not exportable) was really necessary. But it works.

Best regards,

Guy

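The four steps of the answer, written out as an added example of the IOS CLI sequence rather than the poster's own configuration. The key label, trustpoint names and gateway name (WEBVPN-KEY, ROOT-CA, INTERMEDIATE-CA, WEBVPN-TP, SSL1) are assumptions, and step 1 only works for a pair that was generated exportable and exported to PEM beforehand; otherwise generate a new pair and re-enrol for a new certificate.

```cisco
! Constructed example; all names below are assumptions, not the poster's config.
configure terminal
! 1. Re-import the RSA key pair from its PEM backup (pasted at the terminal).
!    Requires an exportable pair saved earlier with:
!      crypto key export rsa WEBVPN-KEY pem terminal 3des <passphrase>
crypto key import rsa WEBVPN-KEY pem terminal <passphrase>
! 2. Root CA trustpoint: authenticate it by pasting the root certificate.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
exit
crypto pki authenticate ROOT-CA
! 3. Intermediate CA trustpoint, chained up to the root.
crypto pki trustpoint INTERMEDIATE-CA
 enrollment terminal pem
 chain-validation continue ROOT-CA
 revocation-check none
exit
crypto pki authenticate INTERMEDIATE-CA
! 4. Server trustpoint bound to the imported key pair; import the issued
!    SSL certificate (it must match the public half of WEBVPN-KEY).
crypto pki trustpoint WEBVPN-TP
 enrollment terminal pem
 rsakeypair WEBVPN-KEY
 chain-validation continue INTERMEDIATE-CA
 revocation-check none
exit
crypto pki import WEBVPN-TP certificate
! Re-bind the gateway so the SSL listener picks up the rebuilt trustpoint.
webvpn gateway SSL1
 ssl trustpoint WEBVPN-TP
 inservice
end
! Checks: the private key must be present (a gateway that shows "up" but
! has no key behind its certificate still cannot complete a TLS handshake).
show crypto key mypubkey rsa
show crypto pki trustpoints status
show crypto pki certificates WEBVPN-TP
```

If `show crypto pki trustpoints status` reports the key as missing while the certificate is present, the symptom in the question (gateway up, HTTPS unreachable) is reproduced, which is the quickest way to confirm this failure mode before rebuilding anything.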