ASA SSL VPN problem with 8.2(2)

Hello everyone,

I have a pair of ASA 5520s running image 8.2(1) in active/standby failover mode.

A few months ago, I downloaded 8.2(2) from the Cisco website and loaded it onto the ASAs.
After loading the new image, I was called about problems with the
functioning of the WebVPN application.

The web application seemed to work, but in a read-only mode, because you could not

change the content of the files.

I couldn't find a way to make it work, so I decided to downgrade to 8.2(1),
and as soon as I loaded the old image, the problem disappeared.

Now I see that image 8.2(3) is available.
To avoid taking a risk, I tested it on a spare 5510, and to my disappointment I found
the problem was the same.

Is anyone else facing such a problem, or can you suggest how to solve it?

Thanks in advance.

Marco.

Can you please provide more details about which application does not work through the clientless WebVPN interface? Have you tried enabling Smart Tunnel for this application?

Tags: Cisco Security

Similar Questions

  • SSL VPN problems with Internet Explorer

    Well, first of all, you need 64-bit Internet Explorer to run the web-based VPN on the SA500 series devices (we use the SA540). After we figured that out, we still cannot always get past the SSL VPN client install on client computers. It keeps reloading the web page, or simply does nothing at all. Any ideas?

    In addition, which CA do you guys use for SSL VPN? GoDaddy certificates are not compatible, as I just discovered the hard way.

    Hi Qasim,

    The issue seems to be more localized to Windows blocking everything. I actually spent much time working on this yesterday to finally make it work with a 64-bit Vista and a 64-bit Windows 7 machine.

    The few details with which I had some success:

    Tools -> Internet Options -> Security -> Trusted Sites

    • Move the security level slider down
    • Disable Protected Mode
    • Click Sites, then add the SSL VPN page to the Trusted Sites zone
    • When adding the trusted site, uncheck "Require server verification (https:) for all sites in this zone"

    Tools -> Internet Options -> Advanced -> Security section

    • Select "Allow software to run or install even if the signature is invalid"

    In addition, you must download the Microsoft Visual C++ 2010 Redistributable and ensure that you are running the latest version of Java.

    These are the things I had to do to get Windows to allow me to connect. I hope this is of some help to you.

    -Tom

  • ASA SSL VPN with RSA authentication

    Has anyone implemented SSL VPN on an ASA device using RSA SecurID tokens? The datasheets indicate that native RSA can be used for authentication, but does this work with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • Installation of SSL VPN problem

    Hi all

    I am setting up an SSL VPN on our ASA 5510 using the Secure Mobility client.  After working through several problems, I was able to get the test server to download and install the Linux client, and it says that it is connected.  When I try to ping any server in the LAN, however, the first ping is responded to and the rest time out.  On the firewall, I see a stream of errors like this:

    3 October 11, 2014 16:12:58   SRV1   172.16.40.185   Deny inbound icmp src outside:SRV1 dst outside:172.16.40.185 (type 0, code 0)

    Split tunneling seems to work fine; I can still access the Internet, but any attempt to reach a server in the LAN times out.

    Now, I had this working before with a Windows and a Mac client, but I removed that configuration and (I thought) completely recreated it when I updated the AnyConnect images to include a Linux image.  Now I get the same problem on all 3 platforms.

    Can anyone advise me on what I may be missing, or what I can provide to diagnose the problem?

    The ASA is running v8.2(5).

    I followed this guide to set it up: http://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-a...

    Thank you!

    Ok thank you.

    If your clients are assigned addresses from:

    ip local pool VPNTestPool 172.16.40.185-172.16.40.190 mask 255.255.252.0

    you have exempted this pool from NAT with the last entry in your sheep ACL:

    access-list sheep extended permit ip any 172.16.40.184 255.255.255.248

    A potential problem I see is that the pool is a subnet carved out of your internal network:

    ip address 172.16.40.2 255.255.252.0

    The ASA believes hosts on this subnet are directly connected, and your core may be confused about the return path.

    In addition, I don't see where you set the

     sysopt connection permit-vpn

    command recommended in the configuration guide you followed.

    Also, in the first packet-tracer, the source interface for VPN client traffic must be outside, not inside.
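    The three checks in the answer above (pool overlapping the inside subnet, pool not fully NAT-exempted, sysopt missing) can be run mechanically against a config dump. The script below is an added example, not code from the thread or from Cisco: it parses only the line shapes quoted in the post (the pool, the inside interface, the nat 0 ACL), and CONFIG_FIXED is a constructed variant with the pool moved off the inside /22, to show what a clean result looks like.

```python
"""Sanity-check an ASA 8.2 remote-access address pool against the inside
subnet and the NAT-exemption (nat 0) ACL. Added example; the parsers are
hypothetical helpers that understand only the line shapes quoted above."""
import ipaddress
import re

# Constructed from the lines quoted in the thread (not a complete config).
CONFIG = """\
ip local pool VPNTestPool 172.16.40.185-172.16.40.190 mask 255.255.252.0
interface Ethernet0/1
 nameif inside
 ip address 172.16.40.2 255.255.252.0
access-list sheep extended permit ip any 172.16.40.184 255.255.255.248
nat (inside) 0 access-list sheep
"""

# Constructed variant: pool moved to a range that is not part of the inside
# /22, nat 0 exemption adjusted, and the recommended sysopt present.
CONFIG_FIXED = """\
ip local pool VPNTestPool 172.16.50.1-172.16.50.6 mask 255.255.255.248
interface Ethernet0/1
 nameif inside
 ip address 172.16.40.2 255.255.252.0
access-list sheep extended permit ip any 172.16.50.0 255.255.255.248
nat (inside) 0 access-list sheep
sysopt connection permit-vpn
"""


def parse_pool(config):
    """Return (pool name, list of every address in the pool range)."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)
    first, last = (int(ipaddress.ip_address(x)) for x in m.group(2, 3))
    return m.group(1), [ipaddress.ip_address(i) for i in range(first, last + 1)]


def parse_interface_subnets(config):
    """Map each nameif to the connected IPv4 network of that interface."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            nameif = None
        elif stripped.startswith("nameif "):
            nameif = stripped.split()[1]
        elif stripped.startswith("ip address ") and nameif:
            _, _, addr, mask = stripped.split()[:4]
            subnets[nameif] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def parse_nat0_destinations(config, ifname="inside"):
    """Destination networks of the 'permit ip' lines in the nat (ifname) 0 ACL."""
    m = re.search(rf"^nat \({ifname}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return []
    pattern = (rf"^access-list {m.group(1)} extended permit ip "
               r"(?:any|host \S+|\S+ \S+) (\S+) (\S+)$")
    return [ipaddress.ip_network(f"{dst}/{mask}")
            for dst, mask in re.findall(pattern, config, re.M)]


def check_pool(config):
    """Return the findings a reviewer wants before blaming the VPN client."""
    name, hosts = parse_pool(config)
    inside = parse_interface_subnets(config).get("inside")
    exempt = parse_nat0_destinations(config)
    return {
        "pool": name,
        # Pool addresses that fall inside the connected subnet: the ASA treats
        # the whole /22 as directly connected and the inside core will ARP for
        # the client locally instead of routing replies back to the ASA.
        "overlaps_inside": inside is not None and any(h in inside for h in hosts),
        # Pool addresses the nat 0 ACL does not cover (NAT would still apply).
        "not_nat_exempt": [str(h) for h in hosts
                           if not any(h in n for n in exempt)],
        # Lets decrypted VPN traffic bypass the interface ACL on 8.2.
        "sysopt_permit_vpn": "sysopt connection permit-vpn" in config,
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("corrected", CONFIG_FIXED)):
        print(label, check_pool(cfg))
```

    Run it against `show running-config` output saved to a file by reading the file into CONFIG; the parsers ignore every line they do not recognise, so a full config is fine as long as the pool, interface and nat 0 lines use the same syntax as above.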

  • Same license for different ASA SSL VPN

    Hello

    I have an ASA5510 running with an SSL VPN license installed. I want to replace it with a new ASA5510 that has no SSL VPN license. Is it possible to copy the license from my old ASA? Or do I have to order a different license for my new box?

    THX

    Iwan

    A new license is required.

    The license key is generated from the serial number of the device.

    Gilbert

    -Rate, if it helps-

  • DHCP relay for users (ASA) SSL VPN

    I have an ASA 5520 VPN endpoint. In front of the ASA there are firewalls which translate the public IP address to the private one and pass the SSL traffic to the ASA. I have configured DHCP relay to get IP addresses for users from the DHCP on a Windows Server:

    dhcprelay server 10.100.2.101 inside

    dhcprelay enable vpn

    dhcprelay setroute vpn

    and it does not work. With a local pool, it works fine. Should I do something else? When I turn on debugging, it shows no activity at all.

    Are you trying to assign IP addresses to the SSL VPN clients using the DHCP server?

    If so, you don't need the commands in your message.

    Basically, you need to set dhcp-server in the tunnel-group and dhcp-network-scope in the group-policy.

    Here is an example for the IPsec client. The setup should be the same.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

    Now, my ACS and ASA are linked over RADIUS (MSCHAPv2). I've set up password lifetime on the ACS and password management on the ASA. But the Cisco ASA did not prompt for a change or notify anything when the user tried to log on with clientless SSL VPN. Could you advise me what to change, or how to notify of the expired password?

    PS.

    I checked "change password on first login" on the ACS and this confirmed the ASA's change-password dialog box. But I want a change or a warning when the password is expired.

    Thank you

    The default is that the password is marked as disabled after expiry.

    I think there is an enhancement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)

    After you install this patch, you get an option in the user authentication settings:

    - Disable the user account

    - Expire the password

    when the expiration period is exceeded.

    If the password is expired, the user will be asked to change the password at the next authentication.

    Note the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • Enable ASA 9.1 problems with tunnel-group-list

    Hello!

    I am trying to get a working configuration where the Cisco VPN/DTLS phones connect over VPN, while allowing remote access from PCs via the AnyConnect client.  I have two tunnel-groups and group-policies configured for this purpose and use group-url.

    Phones connect very well, but I don't get the drop-down menu to choose between the two tunnel-groups when connecting from a remote computer.

    An excerpt from the config follows.

    Moreover, I had the menu working previously when I used group-aliases instead of group-url.  However, the phones seem to require the group-url.  Now that I have those configured, the menu does not work.  If I enter the full URL in the AnyConnect window, both URLs work, and I can connect.

    Thank you in advance for any suggestions you may have!

    Deb

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     anyconnect enable
     tunnel-group-list enable
    group-policy ABC internal
    group-policy ABC attributes
     wins-server value 10.10.16.17 10.10.16.12
     dns-server value 10.10.16.17 10.10.16.12
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelall
     default-domain value abc.com
     address-pools value AnyConnectPool
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl rekey time 1440
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 5
      anyconnect dpd-interval gateway 30
      anyconnect ask none
    group-policy ABC-STG internal
    group-policy ABC-STG attributes
     dns-server value 8.8.8.8
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split-Tunnel-encrypt-ACL
     default-domain value abc.com
     address-pools value AnyConnectPool
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl rekey time 1440
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 5
      anyconnect dpd-interval gateway 30
      anyconnect ask none
    tunnel-group Split-Tunnel-Group type remote-access
    tunnel-group Split-Tunnel-Group general-attributes
     address-pool AnyConnectPool
     default-group-policy ABC-STG
    tunnel-group Split-Tunnel-Group webvpn-attributes
     group-url https://asa.abc.com/ABC-STG enable
    tunnel-group ABC-Tunnel-Group type remote-access
    tunnel-group ABC-Tunnel-Group general-attributes
     address-pool AnyConnectPool
     authentication-server-group ACTIVE-DIRECTORY
     default-group-policy ABC
     password-management
    tunnel-group ABC-Tunnel-Group webvpn-attributes
     group-url https://asa.abc.com/ABC enable

    Hello

    You can have group-alias and group-url at the same time in the configuration, so that the phones can connect with the group-url and users can click the drop-down menu to select the right connection profile.

    tunnel-group webvpn-attributes
     group-alias enable
     group-url enable

    Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.
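    The point of the answer above is that the login drop-down (turned on by `tunnel-group-list enable` under `webvpn`) lists group-aliases, not group-urls, so a profile that only has a group-url is reachable by URL but never listed. The script below is an added example, not code from the thread or from Cisco: it parses the `tunnel-group ... webvpn-attributes` blocks from the excerpt in the question and reports which profiles will be missing from the menu. CONFIG_FIXED adds aliases alongside the existing URLs; the alias names Split-Tunnel and Corporate are assumed, the thread does not give them.

```python
"""Report which AnyConnect connection profiles will appear in the ASA login
drop-down. Added example; the parser is a hypothetical helper that reads only
the 'tunnel-group <name> webvpn-attributes' blocks and the webvpn section."""
import re

# Constructed from the excerpt in the question (only the relevant lines).
CONFIG = """\
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable
tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable
"""

# Same config with an alias added to each profile, as the answer suggests.
# Alias names are assumed for the example.
CONFIG_FIXED = CONFIG.replace(
    " group-url https://asa.abc.com/ABC-STG enable",
    " group-alias Split-Tunnel enable\n group-url https://asa.abc.com/ABC-STG enable",
).replace(
    " group-url https://asa.abc.com/ABC enable",
    " group-alias Corporate enable\n group-url https://asa.abc.com/ABC enable",
)


def parse_profiles(config):
    """Map tunnel-group name -> {'aliases': [...], 'urls': [...]}.

    Only 'group-alias X enable' and 'group-url X enable' lines inside a
    'tunnel-group <name> webvpn-attributes' block are collected; a disabled
    alias or URL does not count."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) webvpn-attributes", line)
        if m:
            current = profiles.setdefault(m.group(1), {"aliases": [], "urls": []})
            continue
        if not line.startswith(" "):
            current = None  # any top-level command ends the block
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "group-alias" and tokens[-1] == "enable":
            current["aliases"].append(tokens[1])
        elif tokens[0] == "group-url" and tokens[-1] == "enable":
            current["urls"].append(tokens[1])
    return profiles


def dropdown_enabled(config):
    """True if the webvpn section turns the profile list on at all."""
    return re.search(r"^ tunnel-group-list enable", config, re.M) is not None


def unlisted_profiles(config):
    """Profiles that will not show in the drop-down: no enabled group-alias."""
    return [name for name, p in parse_profiles(config).items() if not p["aliases"]]


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("with aliases", CONFIG_FIXED)):
        print(label, "drop-down on:", dropdown_enabled(cfg),
              "not listed:", unlisted_profiles(cfg))
```

    With the posted excerpt both profiles come back as unlisted even though the drop-down is enabled, which matches the symptom in the question; with an alias on each profile the list is empty and the phones keep their URLs.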

  • ASA L2L VPN UP with incoming traffic

    Hello

    I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers. One of them (Customer) works well, but on the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw that the traffic reaches the server, and the return traffic from the server reaches the ASA, and then nothing...

    See the output of sh crypto ipsec sa below and part of the config for both customers.

    ------------------

    Addresses:

    local peer 100.100.100.178

    local network 10.10.10.0/24

    local server they need access to: 10.10.10.10

    Customer remote peer 200.200.200.200

    Customer remote network 172.16.200.0/20

    CustomerB remote peer 160.160.143.4

    CustomerB remote network 10.15.160.0/21

    ---------------------------

    Output of the command: "sh crypto ipsec sa peer 160.160.143.4 det"

    peer address: 160.160.143.4
        Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

          access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
          local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
          current_peer: 160.160.143.4

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts invalid pad (rcv): 0,
          #pkts invalid ip version (rcv): 0,
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C2AC8AAE

        inbound esp sas:
          spi: 0xD88DC8A9 (3633170601)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373959/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC2AC8AAE (3266087598)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    The configuration excerpt:

    ASA Version 8.2(1)
    !
    name 172.16.200.0 Customer
    name 10.15.160.0 CustomerB
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 100.100.100.178 255.255.255.240
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.10.10.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    nat-control
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 100.100.100.177
    route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 200.200.200.200
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_cryptomap
    crypto map outside_map 3 set peer 160.160.143.4
    crypto map outside_map 3 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec svc
    group-policy Customer internal
    group-policy Customer attributes
     vpn-tunnel-protocol IPSec svc
    group-policy CustomerB internal
    group-policy CustomerB attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 160.160.143.4 type ipsec-l2l
    tunnel-group 160.160.143.4 general-attributes
     default-group-policy CustomerB
    tunnel-group 160.160.143.4 ipsec-attributes
     pre-shared-key xxx
    tunnel-group 200.200.200.200 type ipsec-l2l
    tunnel-group 200.200.200.200 general-attributes
     default-group-policy Customer
    tunnel-group 200.200.200.200 ipsec-attributes
     pre-shared-key yyy

    Thank you

    A.

    Hello

    It seems that the ASA is not encrypting traffic to the second peer (however, there is no routing problem).

    I have seen this behaviour on 7.x code, not on 8.x code.

    However, can you do a test?

    Can you change the order of the crypto map entries?

    crypto map outside_map 1 match address outside_cryptomap

    crypto map outside_map 1 set peer 160.160.143.4

    crypto map outside_map 1 set transform-set ESP-3DES-MD5

    crypto map outside_map 3 match address outside_1_cryptomap

    crypto map outside_map 3 set pfs

    crypto map outside_map 3 set peer 200.200.200.200

    crypto map outside_map 3 set transform-set ESP-3DES-SHA

    I just want to see if, by making the non-working peer the first entry, it works...

    I know it should work the way you have it; I just want to see if this is the same behaviour I've seen.

    Thank you.

    Federico.
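    Crypto map entries are evaluated in sequence order, so the reorder test above only changes anything if an earlier entry's ACL already matches CustomerB's traffic; the other common cause of "decaps but zero encaps" is interesting traffic that the nat 0 ACL does not exempt, so it gets translated before the crypto map sees it. The script below is an added example, not code from the thread or from Cisco: it parses the `name`, `access-list`, `nat (inside) 0` and `crypto map` lines condensed from the posted config and reports both conditions. For the posted config it finds nothing, which agrees with "it should work the way you have it"; CONFIG_SHADOWED is a constructed variant where entry 1 matches 10.0.0.0/8 and captures CustomerB's traffic first.

```python
"""Check an ASA 8.2 crypto map for an earlier entry that shadows a later
one, and for interesting traffic that the nat 0 ACL does not exempt.
Added example; the tokenizer is a hypothetical helper for 'permit ip' lines."""
import ipaddress

# Condensed from the configuration posted above (constructed, not complete).
CONFIG = """\
name 172.16.200.0 Customer
name 10.15.160.0 CustomerB
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound_1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 160.160.143.4
"""

# Constructed failure case: entry 1 now matches any 10.0.0.0/8 destination,
# so CustomerB's 10.15.160.0/21 traffic never reaches entry 3.
CONFIG_SHADOWED = CONFIG.replace(
    "access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0",
    "access-list outside_1_cryptomap extended permit ip host 10.10.10.10 10.0.0.0 255.0.0.0",
)


def _network(tokens, names):
    """Consume one ACL address spec ('any', 'host X', or 'NET MASK');
    return (IPv4Network, number of tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), 2
    addr = names.get(tokens[0], tokens[0])
    # strict=False: the ASA masks a non-aligned address (172.16.200.0/20 here)
    # the same way.
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), 2


def parse_config(config):
    """Return (names, acls, crypto map entries, nat0 ACL name)."""
    names, acls, cmap, nat0 = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, used = _network(t[5:], names)
            dst, _ = _network(t[5 + used:], names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cmap.setdefault(int(t[3]), {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cmap.setdefault(int(t[3]), {})["peer"] = t[6]
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0 = t[4]
    return names, acls, cmap, nat0


def check_crypto_map(config):
    """shadowed: (entry, earlier entry) pairs whose ACLs overlap.
    nat0_missing: entries with interesting traffic the nat 0 ACL does not cover."""
    _, acls, cmap, nat0 = parse_config(config)
    exempt = acls.get(nat0, [])
    shadowed, nat0_missing, seen = [], [], []
    for seq in sorted(cmap):
        pairs = acls.get(cmap[seq].get("acl"), [])
        for src, dst in pairs:
            for earlier, esrc, edst in seen:
                if src.overlaps(esrc) and dst.overlaps(edst):
                    shadowed.append((seq, earlier))
            if not any(src.subnet_of(xs) and dst.subnet_of(xd) for xs, xd in exempt):
                nat0_missing.append(seq)
        seen.extend((seq, s, d) for s, d in pairs)
    return {"shadowed": shadowed, "nat0_missing": nat0_missing}


if __name__ == "__main__":
    print("as posted:", check_crypto_map(CONFIG))
    print("shadowed :", check_crypto_map(CONFIG_SHADOWED))
```

    If the check comes back clean on a real config, as it does here, the reorder test in the answer is unlikely to change anything and the next place to look is the return path from the server (`packet-tracer input inside tcp 10.10.10.10 80 10.15.160.1 1025` on 8.2 shows which crypto map entry, if any, the ASA selects).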

  • ASA 5505 VPN Probs with IPhone 4

    Hi all

    My boss has a problem with his iPhone 4. When he is at home, he uses his WLAN to download emails from the Exchange Server to the phone. It works without problem. When he's on the road, he establishes a VPN tunnel but it cannot download emails or anything else. In the ASDM monitor I see the connection, but no data flow when it uses HSDPA, 3G, EDGE or GPRS. Does anyone have an idea how to solve this problem?

    The ASA config:

    If the VPN works over wireless, it should also work via GPRS, etc. This means that the configuration of the ASA is correct.

    Since the iPhone VPN client is not a Cisco VPN Client but Apple's built-in VPN client, please contact Apple for more support on that.

    Here is the Cisco URL which says that, for your reference:

    http://www.Cisco.com/en/us/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iPhone.html

    Hope this helps.

  • Cisco VPN problem with security update KB3057839 for Vista

    Has anyone had problems with any Cisco VPN connection working after the installation of security update KB3057839 for Vista? When this update is installed, the pop-up to enter the user id and password does not come up, and I need to use the Task Manager to close the program. The first time, I went back to a restore point to get my VPN to work; this time I tried to reinstall the VPN but that doesn't work anymore. I started uninstalling updates (had 7 of them), and when I got to KB3057839, the VPN began working again.

    Mike

    See this on the real issue:

    http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html

    It turns out that the logon dialog box is invisible, but it still accepts your password and logs you in!

  • SSL VPN SSO with AD/LDAP

    Hello

    I wonder if it is possible to have SSL VPN users sign on to Active Directory, instead of to the (ASA) VPN gateway.

    A link would be appreciated, if the scenario is possible.

    Thank you

    Mike

    Yes, it is possible.

    Here is the sample configuration for your reference:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml

    Hope that helps.

  • ASA SSL VPN

    Is SSL VPN a reliable, efficient and safe option for traffic from internet users on e-commerce sites where there may be 2000 user sessions per second from all over the world?

    Thank you.

    In my opinion, SSL is reliable, efficient and safe; if it were not, all the banks around the world would not use it for online banking.

    HTH

  • Site to cause VPN - problem with IOS 12.4 of the site?

    I have a site with several VPNs configured. Sites with routers (all Cisco) running IOS 12.3 or lower are fine. New routers with IOS 12.4 can establish the VPN connection and I can ping the remote networks. When I try to access the Intranet homepage from a remote site, the home page is displayed, but I am not able to access all the pages. The same thing is happening with another application (a SQL Server program). The client (remote site) can connect to the SQL database and perform a task, and then gets a connectivity error. Sites running IOS 12.3 do not have these problems.

    ANY IDEAS please?

    Looks like an MTU problem.

    See if you can clear the DF bit in the encrypted packet using the command

    crypto ipsec df-bit clear

    or

    on the outgoing interface, use the command ip tcp adjust-mss 1400.

    Let me know if it helps

  • Multi frame ASA SSL VPN Question

    Hello

    We have a pair of firewalls on which we run multiple contexts for clients.  We have recently upgraded them and have been using the newly supported AnyConnect client.  This all works fine, but I feel I'm missing something.  If the customer does not have the AnyConnect client already, how do they get it?  Normally, you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in multiple context mode", which is fine, but how is the customer supposed to get the client in the first place?

    Any information would be helpful.

    Chris L.

    Hi Chris,

    The AnyConnect WebLaunch feature is not supported on an ASA running in multiple context mode.

    An enhancement request has been opened to allow this, as well as other features, while the ASA is in multiple context mode. Here is the link you can refer to:

    https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

    Kind regards

    Aditya

    Please rate useful messages and mark the correct answers.

    I just replaced the cyan with a new genuine HP 363 cyan ink cartridge. But when I start the printer, he immediately informs me that I am low in cyan and (purple on the far right - which has not ever been notified before the replacement). I pulled the