Problem SSL VPN Portal

I have two ASA configurations for AnyConnect, both running 8.4(2)9. The issue I'm having is that one of them opens the SSL portal when the user hits the group URL and the other does not. I don't want the portal to open on connection.

I have a group policy configuration that inherits the AnyConnect connection parameters from DfltGrpPolicy. The DfltGrpPolicy connection parameters are:

Post-login setting: "do not prompt user to choose", and

'Download AnyConnect Client' as the default post-login selection.

On the AnyConnect connection profiles page I unchecked "allow user to select connection profile..."

and under the profile itself I created a group URL, which seems to work.

When a user accesses the URL the portal opens and the client starts downloading immediately. On the other ASA, when a user accesses the URL the portal does not open, but the client still downloads as expected.

I know I'm missing a setting but I can't find it.

Is there any setting other than the group policy Post Login setting that would cause the VPN portal to open?

I'm looking at the same question. I know it is something we are looking at. I had to go into the Clientless profiles and disable all tunneling protocols except SSL Client.

It is under Clientless, group policy, general, more options, tunneling protocols.
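As an added example (not from the original posts), here is how the behaviour described in this thread maps to the 8.4 CLI: a group policy that allows only the AnyConnect (ssl-client) protocol, so there is no clientless portal for the ASA to show, with the post-login prompt disabled and a group URL on the connection profile. The names AC-ONLY-GP, AC-ONLY-TG and vpn.example.com are assumptions.

```cisco
! Added example, not taken from the original thread.
! Names AC-ONLY-GP, AC-ONLY-TG and vpn.example.com are assumed.
group-policy AC-ONLY-GP internal
group-policy AC-ONLY-GP attributes
 ! ssl-client only: with ssl-clientless absent there is no portal to land on
 vpn-tunnel-protocol ssl-client
 webvpn
  ! 8.4 syntax: do not prompt, go straight to the AnyConnect download
  anyconnect ask none default anyconnect
!
tunnel-group AC-ONLY-TG type remote-access
tunnel-group AC-ONLY-TG general-attributes
 default-group-policy AC-ONLY-GP
tunnel-group AC-ONLY-TG webvpn-attributes
 ! the group URL users are given; no alias, so nothing appears in a drop-down
 group-url https://vpn.example.com/anyconnect enable
!
webvpn
 enable outside
 anyconnect enable
 ! keep the connection-profile drop-down off the login page
 no tunnel-group-list enable
```

After applying this, `show run group-policy AC-ONLY-GP` should list only ssl-client under vpn-tunnel-protocol and `show vpn-sessiondb anyconnect` should show sessions landing in that group policy. If the effective policy (inherited from DfltGrpPolicy or not) still includes ssl-clientless, the group URL can land the user on the portal first, which is the difference the reply above points at.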

Tags: Cisco Security

Similar Questions

  • NSX API: Upload ESG SSL VPN Portal logo

    I currently use the NSX API to provision an edge on our NSX Manager appliance. I was able to do everything except upload a custom portal logo. I have included the information from the docs below, but it does not say what the body of the request should look like. I feel that with this information I would be able to complete the request. Has someone worked with it before, or can anyone at VMware answer this question?

    It would also be nice to see the documentation updated with a bit more detail on how to upload files via the REST API...

    Configure Portal Layouts

    You can configure the layout of the SSL VPN client web page.

    Upload Portal Logo

    Uploads the portal logo from the given local path.

    Example 8-150. Upload portal logo

    Request: POST https:///API/4.0/edges//sslvpn/config/layout/images/portallogo/

    Upload Phat Banner

    Uploads the phat client banner from the given local path. The phat banner image should be in bmp format.

    Example 8-151. Upload phat banner. Request: POST https:///api/4.0/edges//sslvpn/config/layout/images/phatbanner

    I have tried different methods, including a base64-encoded image as the body and multipart form data, but all fail with the error below.

    HTTP Status 400 -

    type Status report

    message

    description The request sent by the client was syntactically incorrect.

    Sorry for the delay on this one... replace layoutFile with banner.

  • SSL VPN Portal Page - frequent disconnects

    Hi all

    I've deployed two firewalls at two DCs, London and Swindon. I'm now directing traffic to these two firewalls using a load-balancing URL. When users try to connect to the URL (which resolves to the IP addresses of the two firewalls' Internet-facing interfaces), they face frequent disconnects. The portal will be open for a few minutes, and as they click the bookmarks on the page they get disconnected automatically. It is completely random and there is no pattern to it.

    However, I noted the following:

    1. If I clear my cache and temp files and then try to access the portal using the URL, it works fine for a little longer (maybe 15-20 minutes) and then the same disconnects start all over again.

    2. If I try to access the IP addresses of the firewalls directly (not using the URL), it seems to work fine.

    Can someone let me know what could be causing the problem?

    Thank you!

    Hey riri,

    You can check by enabling logging and debugs on the ASA; 'show conn' and 'debug webvpn 255' will be useful to check whether the ASA is disconnecting the session.

    Alternatively, you can run Wireshark on a computer and check where the reset is coming from.

    Cheers,

    -Randy-

  • Questions about clientless SSL VPN portals

    If you use the portal for RDP remote desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular RDP application running on your device once the connection is established?

    Does clientless VPN through the web portal allow the same client checks (domain membership, MAC address, certificate authentication, etc.) that you can do when a client uses the AnyConnect client?

    Are the client checks and the use of the web portal dependent on the client connecting from a Windows operating system with Java or ActiveX?

    If you use the portal for RDP remote desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular RDP application running on your device once the connection is established?

    You will need to use the RDP plugin.  If you want to use the normal RDP application, then you must use the AnyConnect VPN client.

    Does clientless VPN through the web portal allow the same client checks (domain membership, MAC address, certificate authentication, etc.) that you can do when a client uses the AnyConnect client?

    It supports certificate authentication.  Regarding domain membership checks, do you mean with respect to client authentication when you use RADIUS or TACACS+? I don't think MAC authentication is supported.

    Are the client checks and the use of the web portal dependent on the client connecting from a Windows operating system with Java or ActiveX?

    For clientless VPN the operating system is irrelevant, but the browser is.  I think the supported browsers are Internet Explorer, Firefox and Safari.  Java is required.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/configuration_guide/config/vpn_proc.html

    --

    Please do not forget to select a correct answer and rate useful posts

  • After Windows Update ActiveX RDP through SSL VPN KB2675157 stops working

    We have a Cisco ASA 5510 with a clientless SSL VPN portal. I just found out that after installing the latest Microsoft updates, RDP bookmarks have stopped working. It keeps asking me to install the Cisco Port Forwarder control and then returns to the home page. I changed all the security settings and tried to install the control manually, but nothing works. Finally, I found that after uninstalling Internet Explorer 8 update KB2675157 it works again.

    Is this a known issue?

    I just tested it on Windows XP with IE 8; I don't know if the problem occurs on other platforms.

    Good afternoon,

    The issue you are running into is not caused by KB2675157.  This behavior was deliberately introduced by KB2695962.

    As stated in:

    http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/Cisco-SA-20120314-AsaClient

    The Cisco PSIRT asked Microsoft to set the global kill bit for the Cisco Port Forwarder ActiveX control on March 14, 2012.  Microsoft pushed the kill bit for the vulnerable control in the May 2012 Microsoft Patch Tuesday batch (May 8, 2012).

    Customers must move to one of the recommended versions listed below, or a later version.  The recommended versions include fixes for the issues disclosed in Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability, as well as those identified in the ASA Client notice.

    Affected version   First fixed version   Recommended version
    Cisco ASA 7.0      Not vulnerable        Migrate to 7.2 or later
    Cisco ASA 7.1      Vulnerable            Vulnerable; migrate to 7.2 or later
    Cisco ASA 7.2      7.2(5.6)              7.2(5.7)
    Cisco ASA 8.0      8.0(5.26)             Migrate to 8.2(5.26) or later
    Cisco ASA 8.1      8.1(2.53)             Migrate to 8.2(5.26) or later
    Cisco ASA 8.2      8.2(5.18)             8.2(5.26)
    Cisco ASA 8.3      8.3(2.28)             Migrate to 8.4(3.8) or later
    Cisco ASA 8.4      8.4(2.16)             8.4(3.8)
    Cisco ASA 8.5      Not vulnerable        8.5(1.7)
    Cisco ASA 8.6      8.6(1.1)              8.6(1.1)

    Once the affected control has been upgraded by starting a clientless VPN session on an ASA that contains the fixed software, it will be used in all sessions, including those with ASA devices that cannot run the updated software.

    Cheers,

    -Troy

  • CSCun53913 ISA500: SSL VPN stops accepting connections.

    Since the beginning, when the ISA570 was put into production, it has had this problem (SSL VPN stops and the solution is to reboot the device). I have used 3 new firmwares and none of them has solved this problem.
    I don't understand a company like Cisco not solving this problem in an acceptable time.
    When I bought the ISA570, Cisco Portugal told me it was the ideal solution for using SSL VPN AnyConnect, and omitted this issue.

    And now I ask, is this a serious company?
    Who is responsible?

    Thank you

    JL

    I have the same problem.

    But I do not restart the unit. I change the SSL service port (to something like 444), stop the service, start the service, and then put port 443 back.

    A few days later, the problem is back.

    Thanks for solving the problem.

  • Groups without SSL VPN client

    Greetings. I currently have an ASA5520 in place running 8.0(2) IOS. We have configured a clientless SSL VPN portal that we currently use as a 'test'. The issue we are trying to solve deals with the use of groups on the SSL VPN login page. Currently, the ASA is set to authenticate username/password against a Microsoft Windows 2003 server using IAS (RADIUS). It works very well.

    What we want to do is "lock" the user account to a group alias on the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for 'Group': 'sales' and 'tech'. In its current form, a sales user can select either of the displayed groups and always be authenticated. Is there any way to deny the login if a user does not select the appropriate GROUP in the drop-down menu? It would certainly help to ensure that users choose the right GROUP in the drop-down menu.

    Any information would be greatly appreciated.

    Joe

    In order to put the user in the appropriate group, set RADIUS attribute 25 to OU=ASAGroupPolicyName; then try the group-lock control to lock the users.

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/gh_72.html
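    As an added example (not from the original posts), this is the group-lock arrangement the reply describes, in 8.0-era syntax: each group policy is locked to the connection profile of the same name, so a user whose RADIUS Class attribute (25) comes back as `OU=sales;` is rejected if they picked 'tech' in the drop-down. The aaa-server name IAS, the address 192.0.2.10 and the key placeholder are assumptions; the group names come from the thread.

```cisco
! Added example, not the poster's configuration. IAS address and key are placeholders.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! IAS returns Class (attribute 25) = "OU=sales;" or "OU=tech;", which selects the
! group policy. group-lock then requires that the user also chose the matching
! connection profile (tunnel-group) on the login page; otherwise login is denied.
group-policy sales internal
group-policy sales attributes
 vpn-tunnel-protocol webvpn
 group-lock value sales
!
group-policy tech internal
group-policy tech attributes
 vpn-tunnel-protocol webvpn
 group-lock value tech
!
tunnel-group sales type webvpn
tunnel-group sales general-attributes
 authentication-server-group IAS
 default-group-policy sales
tunnel-group sales webvpn-attributes
 group-alias sales enable
!
tunnel-group tech type webvpn
tunnel-group tech general-attributes
 authentication-server-group IAS
 default-group-policy tech
tunnel-group tech webvpn-attributes
 group-alias tech enable
!
webvpn
 enable outside
 ! this is what shows the 'Group' drop-down on the login page
 tunnel-group-list enable
```

    The attribute value must match the group-policy name exactly. A quick way to confirm the mapping is `test aaa-server authentication IAS host 192.0.2.10 username <user> password <pass>` followed by `show vpn-sessiondb webvpn` for a real login, which shows the group policy the session received; a group-lock mismatch shows up as a failed login rather than a session in the wrong group.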

  • UTM50 SSL VPN IE11 problem

    I have been using the SSL VPN for a while. I just noticed that when I tried to log in and clicked Connect, I now get the error: Virtual Passage execution failure. I tried another computer that is still running IE9 and I had no problem getting in and using my office desktop remotely over SSL.

    Is IE11 not working? Or what should I be looking at?
    The router is on the latest firmware.

    IE 64-bit only.

    IE10 and 11 are disasters when it comes to compatibility and how they manage ActiveX controls. I'm not aware of any SSL VPN vendor supporting IE10/11.

    You can try Firefox. I can get the Java applet to install, but the routes do not work for me.

    Contact support directly and express your concerns.

    You can always use the IPsec client software.

  • SSL VPN using ASA 5520 mode cluster - several problems

    I configured 2 ASA 5520s in load-balancing cluster mode. I connect using AnyConnect, download the client the first time, and everything works well except Outlook. I don't know why Outlook does not work.

    The second problem is that after the AnyConnect client is installed on your machine, it remembers which ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the virtual IP address of the cluster. I want users to always connect using the virtual IP address.

    The third problem I have is that there is a default SSL VPN group and I want all users to use this group. On the initial web page there is a drop-down menu which shows only this group, but I still want to disable this drop-down menu.

    Any suggestions?

    To disable the drop-down menu, you can turn it off with the command

    webvpn

    no tunnel-group-list enable

    This will take care of your last issue.

    ***************************

    You can create an AnyConnect client profile with the name of the server you want to connect to and have the ASA push it; that will solve your virtual IP problem.

    **************************

    Regarding Outlook, do you use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling inspection and see if it works.

    *****************************

  • Installation of SSL VPN problem

    Hi all

    I am setting up an SSL VPN on our ASA 5510 using the Secure Mobility client.  After working through several problems, I was able to get the test server to download and install the Linux client, and it says that it is connected.  When I try to ping any server on the LAN, however, the first ping is responded to and the rest time out.  On the firewall, I see a stream of errors like this:

    3 October 11, 2014 16:12:58   SRV1   172.16.40.185   Refuse icmp incoming outside CBC: SRV1 outside dst: 172.16.40.185 (type 0, code 0)

    Split tunneling seems to work fine; I can still access the Internet, but any attempt to reach a server on the LAN times out.

    Now I had this working before with a Windows and a Mac client, but removed that configuration and (I thought) completely recreated it when I updated the AnyConnect images to include a Linux image.  Now I get this same problem with all 3 platforms.

    Can anyone advise me on what I may be missing, or what I can provide to diagnose the problem?

    The ASA is running v8.2(5).

    I followed this guide to set up: http://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-a...

    Thank you!

    Ok thank you.

    If your clients are assigned addresses from:

    ip local pool VPNTestPool 172.16.40.185-172.16.40.190 mask 255.255.252.0

    you have exempted this pool from NAT with the last entry in your sheep ACL:

    access-list sheep extended permit ip any 172.16.40.184 255.255.255.248

    A potential problem I see is that the pool is a subnet carved out of your internal network:

    ip address 172.16.40.2 255.255.252.0

    The ASA believes hosts on this subnet are directly connected, and your core may be confused about the return path.

    In addition, I don't see where you set the

     sysopt connection permit-vpn

    ...command recommended in the configuration guide you followed.

    Also, in the first packet-tracer, the source interface for VPN client traffic must be outside, not inside.
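    Putting the reply's three points together as an added example (this is not the poster's configuration): an 8.2-style config with the VPN pool on its own subnet instead of a slice of 172.16.40.0/22, the matching NAT exemption, and sysopt connection permit-vpn. The 10.99.99.0/24 pool and the names NONAT and VPN-TG are assumptions.

```cisco
! Added example, not the poster's config. Pool subnet and names are assumed;
! 172.16.40.0/22 is the inside network from the thread.
! Pool on its own subnet, so the ASA does not think the clients are hosts on inside
ip local pool VPNTestPool 10.99.99.1-10.99.99.50 mask 255.255.255.0
!
! Exempt inside <-> VPN-pool traffic from NAT (8.2 "nat 0" syntax)
access-list NONAT extended permit ip 172.16.40.0 255.255.252.0 10.99.99.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
!
tunnel-group VPN-TG general-attributes
 address-pool VPNTestPool
```

    With the pool on its own subnet, the inside hosts (or the core switch they use as default gateway) need a route for 10.99.99.0/24 pointing at the ASA inside interface; that is the return-path confusion the reply mentions. `packet-tracer input outside icmp 10.99.99.5 8 0 172.16.40.20` then walks a decrypted client packet through the NAT and ACL stages with the source interface set to outside, as the reply notes.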

  • SSL VPN and routing problem

    Hi all

    I have a strange architecture involving VPN and I have a few problems that I am not able to solve:

    - I use the SSL VPN gateway to allocate internal IP addresses from the local network described in the diagram (8.8.2.0 or 8.8.3.0 according to the tunnel-group).

    - The purpose is for VPN clients to directly access the internal network.

    This works very well as long as communications are strictly internal to the network. But recently we installed an application that needs to access both networks. No problem, I thought, but I was wrong; there seems to be a routing problem inherent in the architecture in place.

    Let me explain the problem:

    - When I access the VPN, for example, I am given the IP address 8.8.3.5.

    - I'm running the application, which needs to open a page on the web server located at 8.8.2.120.

    - The ASA receives my TCP SYN and forwards it directly out the directly connected interface fa0/1 (based on the routing table).

    - The web server returns the response, but it sends it to its default gateway, which is the Cisco 6509.

    - The 6509 sends it to its VLAN 2000 SVI.

    - And finally the ASA receives it on its interface fa0/2 but seems to drop it, as it opened the TCP connection on fa0/1 and receives the response on fa0/2.

    I want tunneled traffic to bypass the connected routes and be forwarded to a tunnel default gateway. This would ensure that the path for the request and the response is the same.

    I would like to know if there are debugging commands for routing decisions to validate my theory?

    Do you know of any way to solve this problem?

    Thanks a lot for your help.

    When you configure TCP state bypass, always think 'which way is the SYN packet coming?'

    Routing failed messages always have source and destination; have you copied the entire message?

    BTW, instead of giving SSL clients addresses from VLAN 2000, why not give them a separate subnet and route back via the correct interface?

    I would also check your config and the routing table :-)

    Marcin

  • SSL VPN problems with Internet Explorer

    Well, first of all, you need 64-bit Internet Explorer to run the web-based VPN on the SA500 series devices (we use an SA540). After we figured that out, we still cannot get past the SSL VPN client install on client computers. It keeps reloading the web page or simply does nothing at all. Any ideas?

    In addition, which CA do you guys use for SSL VPN? GoDaddy certificates are not compatible, as I just discovered the hard way.

    Hi Qasim,

    The issue seems to be more localized to Windows blocking everything. I actually spent much time working on this yesterday to finally make it work with a 64-bit Vista and a Windows 7 64-bit machine.

    The few settings with which I had some success:

    Tools -> Internet Options -> Security -> Trusted Sites

    • Move the slider down
    • Disable protected mode
    • Click Sites, then add the SSL VPN page as a trusted site
    • When adding the trusted site, uncheck 'Require server verification for all sites in this zone'

    Tools -> Internet Options -> Advanced -> Security section

    • Select "Allow software to run or install even if the signature is invalid"

    In addition, you must download the Microsoft Visual C++ 2010 Redistributable and ensure that you are running the latest version of Java.

    These are the things I had to do to get Windows to let me connect. I hope it is of some help to you.

    -Tom

  • AnyConnect SSL VPN Split tunneling problem

    Hello

    We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or connect to local resources.  Is there a way to activate split tunneling for all remote VPN users?  It is not possible to add all the remote subnets, especially since I don't know which subnets are used, and it would be a management issue.  I noticed that when I connect from home a new route is added to my PC, which prefers the VPN link.

    I noticed one of the options in the AnyConnect client is 'enable local LAN access (if configured)'.  Can I use that?

    Thanks in advance.

    Hello

    From my understanding, you need to connect to your local printers while you are connected to the ASA via SSL VPN.

    You can do this by creating a split-tunnel exclude policy on the ASA and enabling the local LAN access option on the client, or you can use the AnyConnect profile that allows local LAN access.

    Please find the link below:

    https://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg

    I hope it helps.

    Thank you

    Shilpa
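    As an added example (not from the original posts), the split-tunnel exclude policy from Shilpa's reply in CLI form. The ACL matches host 0.0.0.0, which in an exclude list the ASA treats as "the client's own local subnet", so no remote subnets have to be enumerated, which is the management problem the question raises. The group-policy name HOME-USERS is an assumption.

```cisco
! Added example, not the project's or poster's configuration. HOME-USERS is assumed.
! host 0.0.0.0 in an excludespecified list means "whatever local subnet the client is on"
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
!
group-policy HOME-USERS internal
group-policy HOME-USERS attributes
 ! everything goes through the tunnel except the client's local LAN
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
```

    Local LAN access also has to be allowed on the client side: either the 'Allow local LAN access' checkbox in the AnyConnect preferences, or `<LocalLanAccess UserControllable="true">true</LocalLanAccess>` in the AnyConnect client profile. Excluded traffic never reaches the ASA, so it is not inspected or logged there; that is why the exclusion is kept to the client's own subnet rather than wider ranges. On the client, `route print` (Windows) after connecting should show the local subnet still pointing at the local interface.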

  • 9.1 ASA + ACS 5.4 SSL Web portal bookmarks according to the ad group.

    Hello.

    Having some problems with SSL VPN on an ASA 5515-X.

    I have an ASA (9.1) connected to ACS (5.4), with the clientless SSL web portal and the AnyConnect mobile client set up. ACS also has a connection to Active Directory.

    So I have set it up so that users in an AD group, for example VPN_clients, connect via the AnyConnect client or clientless via the SSL web page. And it works very well.

    My goal is to present different SSL portal bookmarks (in terms of different ASA group policies) according to the user's AD group.

    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users in a group, after authenticating to the SSL web portal, to see only the bookmarks available for their own group.

    As I understand it, once the ACS authentication process completes it must tell the ASA which AD groups the user belongs to, and the ASA should choose the right group policy for the user, but I have no experience with how to do that.

    Hello Ivan,

    You're right, ACS can tell the ASA which group policy to assign based on RADIUS attribute 25.

    Steps on the ACS:

    1. Define the AD groups.

    2. Set up the authorization profile under Policy Elements.

    3. Create the access policy and authorization criteria.

    Then, on the ASA:

    1. Create a group policy and name it.

    2. Through ASDM, create and assign bookmarks to this group policy.

    3. Once a user authenticates, the ACS sends attribute 25, which contains the string 'OU=it'.

    4. The ASA looks up the 'it' group policy and assigns it to the user's session.

    Let me know if you have any questions.

    HTH.

    Please rate all useful posts.
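    As an added example (not from the original posts), here is the ASA side of the answer above for the three AD groups named in the question, in 9.1 syntax: one group policy per AD group, each with its own bookmark list (the lists themselves are built in ASDM and referenced here by name), and a default policy that denies login so a user whose attribute 25 value doesn't match any of the three gets no session at all. The bookmark list names, the aaa-server name ACS, the address 192.0.2.20 and the key placeholder are assumptions.

```cisco
! Added example, not the poster's config. Bookmark list names, ACS address and key
! are placeholders; group-policy names equal the AD group names from the question
! because ACS returns Class (attribute 25) as "OU=<name>;".
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.20
 key <radius-shared-secret>
!
group-policy VPN_admin internal
group-policy VPN_admin attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Admin-Bookmarks
!
group-policy VPN_Finance internal
group-policy VPN_Finance attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Finance-Bookmarks
!
group-policy VPN_Logistic internal
group-policy VPN_Logistic attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Logistic-Bookmarks
!
! Fallback: no matching attribute 25 -> no login, rather than a generic portal
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
tunnel-group SSL-USERS type remote-access
tunnel-group SSL-USERS general-attributes
 authentication-server-group ACS
 default-group-policy NoAccess
```

    The string ACS sends must match the ASA group-policy name exactly, e.g. `OU=VPN_Finance;` for the Finance group. `show vpn-sessiondb detail webvpn` shows which group policy each session received, and a user who lands in NoAccess is rejected at login, which is the visible sign that ACS returned no usable attribute 25 for them.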

  • Change the prompt 'Password required' SSL VPN

    Does anyone know how to change the 'Password required' prompt in SSL VPN? If it is editable via ASDM I can't find it! I've been everywhere in Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization section but cannot find where this particular piece of text is changed. The problem is that the existing text doesn't accurately reflect my organization's password policy.

    See the attached image file for the exact section of text I would like to change.

    Thank you

    Ben Posner

    Hi Ben,

    ASDM > Configuration > Remote Access VPN > Language Localization

    Expand Templates --> select webvpn --> Export --> save the file

    Now find the msgid you want to edit and write your own string under msgstr as follows:

    #: Mummy.c:5758
    #, c-format
    msgid "password expired in %s day(s), if you want to change now enter a new password with minimum length %s."
    msgstr "insert your string here."

    Now import it on the same ASDM page:
    Language: en

    Translation: webvpn

    You should now see your custom string.

    Ivan
