ASA Smart Tunnel with OS X 10.7
Hello,
I've recently configured SSL VPN on an ASA failover pair running 8.4(2). The smart tunnel policy allows RDP clients (native MS client on Windows, MS Client and CoRD on Mac). Early testing looked good for both Windows and Mac. But then I had a mac user who reported that the "Application Access" button did not display in the navigation pane, and hence they can't get to where to launch Mac smart tunnel applications. The difference between those that worked and the one that doesn't is OS X v10.6 (works), OS X v10.7 (doesn't work).
Doing a little research, I found that JRE isn't installed by default in OS X 10.7, and I found the following link:
http://support.apple.com/kb/DL1421. After installation, and verifying that "enable applet plug-in and Web Start applications" was checked and trying again, the same results. "Application Access" is missing from the navigation bar, and hence smart tunnel apps can't be launched.
Does anyone have an idea on what could be going wrong here?
Thanks!
Kurt
Kurt,
I just found your thread here.
Which browser are you using on the Mac?
I have found that with Mac OS 10.7 (Lion) there are issues with the smart tunnel applet with Safari and Chrome.
However, it works as expected with Firefox.
I actually get a Safari Web Content crash report when I try to connect with Safari.
I have been monitoring this since 10.7 was released. I haven't opened a ticket with TAC because it appeared to be an Apple / Safari issue, since the applet works with Firefox.
I installed the latest Java update for 10.7 today and there was no change in behavior.
I guess it's time to open a TAC ticket.
Similar Messages
-
ASA: Smart Tunnel and proxy problem
Hello
I am having a problem that some of my external users that have a proxy set up on their end can't use the smart tunnel.
They get a proxy warning when they click on a bookmark.
If I skip using Smart Tunnel the user can't start the Citrix app and gets a corrupted ICA file.
Is it a common problem? If so, is there a solution?
KR
Daniel
Hi Daniel,
"Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
You can get more information from the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
HTH!!
Regards,
Naresh -
Smart tunnel used for access other than native application?
Dear all,
I have a question about smart tunnel. My situation is, I need to access a server on a certain IP address that uses a port (example: port 5007) that is native for the application. That application is a customized application just for my company.
Question is:
1. Can I use smart tunnel to access the application on that particular port (ex: port 5007, 8476)?
2. I have so many group servers (other than group server A) with so many customized applications with native ports. Is there any other way for me to access that IP without using smart tunnel? Because this project requirement is:
Clientless application access using application/Agent in user's PC, such as RDP, SSH & Native Application and others.
Group Server A
IP               Port
10.194.24.99     5007, 80, 9593, 9594, 9595
10.194.22.99     82
192.9.1.99       23, 449, 8470, 8476, 9470, 9476, 992
My ASA is 9.1.3 and my ASDM is 7.1.3
Please kindly help; any response is appreciated.
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
See http://www.mozilla.org/projects/netlib/PortBanning.html
* http://kb.mozillazine.org/network.security.ports.banned.override -
Smart Tunnel not working correctly
I have setup Smart Tunnelling on an ASA5505.
Situation is PC ---> Proxy [bluecoat] ---> Internet ---> ASA
I can connect to the front end clientless VPN side ok and I then click on start smart tunnelling. It starts up (at least it says so) but when I access one of the programs in the list (mstsc.exe) the [Tunnel] traffic does not go via the Proxy but tries to go direct instead. Wireshark shows traffic being sent to the ASA VPN IP instead of via the proxy (trace is filtered to ASA subnet). Although encrypted the trace only shows traffic when I start a connection from mstsc.exe.
ASA version is 8.4(3), Java is build 1.6.0_26-b03
Any tips on what may be going on?
Automatic proxy setting or manual? Manual is supported.
-
We have two ASA 5510 firewalls with a tunnel between two sites. The tunnel works without issue until one of the sites experiences a brief outage due to the service provider. The VPN tunnel is not automatically establishing after the outage. It takes a restart of one of the ASA's before it will come back online. How do I get the devices to automatically try to restore the tunnel?
Chris
Chris-
If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.
*Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222
securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope that helps. -
How to make Forefront TMG build VPN site-to-site tunnel with reduced subnet
I am trying to implement a Site-to-Site VPN tunnel with a supplier. We are using Forefront TMG 2010 SP2 (Site A) and they are using Cisco ASA (Site B)
I have complete access to SITE A, but no access to Site B (suppliers end)
We have set up the VPN tunnel, but it will only come up if it is initiated from the Site B end. We know this is because there is a mismatch in the expected network size. Site B fits within Site A, but not the other way round.
The tunnel is set up at Site A with an allowed route of 10.0.2.60/30 and matched with a configuration at the other end. This configuration is If I look at the "Site-to-site" summary on TMG.
However, my counterpart at Site B tells me that when the TMG actually tries to build the tunnel, it is not specifying 10.0.2.60/30 but 10.0.2.0/24.
I should also mention that the TMG internal IP is 10.0.2.6, that only 10.0.2.61 and 10.0.2.62 should be allowed through the tunnel, and that due to existing VPNs on the supplier site, they cannot increase the size of the network on their side to match the 10.0.2.0/24 range.
I am at a bit of a loss why this is happening. Does anyone have any guidance? I don't really even know what terminology to use to effectively search for an answer.
Hi,
Which VPN protocol have you used?
What are the network addresses you have configured in the Create Site-to-Site Connection Wizard? Did you mean that the IP range changed on Site B after you created the VPN connection? Please make sure that the ranges match the internal ranges at Site B.
In addition, I am quite sure of your IP ranges for both sites, I would appreciate it if you can tell the IP range for TMG server internal network and the site B.
Besides, you can refer to the link below:
Test Lab Guide: Demonstrate Site to Site VPN with Threat Management Gateway 2010 (Part 1) (Note: Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
Best regards,
Susie -
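The Site-to-Site mismatch described above can be reasoned through in code. This is an added example, not part of the thread or of TMG/ASA: it models the traffic-selector check in both directions using the thread's own networks (10.0.2.0/24 as what TMG actually proposes, 10.0.2.60/30 as what both admins intended), and assumes a responder accepts a proposal only when it lies inside its own configured selector, which is the behaviour the one-way symptom implies.

```python
import ipaddress

# Selectors taken from the thread above (constructed representation).
TMG_PROPOSES = ipaddress.ip_network("10.0.2.0/24")     # what Site B sees TMG send
TMG_INTENDED = ipaddress.ip_network("10.0.2.60/30")    # the route configured on TMG
ASA_CONFIGURED = ipaddress.ip_network("10.0.2.60/30")  # Site B's crypto ACL network
TMG_INTERNAL_IP = ipaddress.ip_address("10.0.2.6")


def responder_accepts(proposed, configured):
    """Assumption: a responder accepts a proposed selector only if it lies
    inside (or equals) the selector it is configured with (narrowing)."""
    return proposed.subnet_of(configured)


def negotiate(initiator_net, responder_net):
    """Model one direction of the Site A selector negotiation.
    Returns (accepted, reason)."""
    if responder_accepts(initiator_net, responder_net):
        return True, f"{initiator_net} fits within {responder_net}"
    return False, f"{initiator_net} is wider than {responder_net}; responder rejects"


def hosts_in(net):
    """The host addresses a selector actually covers."""
    return [str(h) for h in net.hosts()]


def diagnose():
    """Reproduce the thread's symptom: only the ASA side can bring the tunnel up,
    and show that the intended /30 fixes it without exposing the TMG's own IP."""
    return {
        "asa_initiates": negotiate(ASA_CONFIGURED, TMG_PROPOSES)[0],
        "tmg_initiates": negotiate(TMG_PROPOSES, ASA_CONFIGURED)[0],
        "tmg_initiates_if_fixed": negotiate(TMG_INTENDED, ASA_CONFIGURED)[0],
        "intended_hosts": hosts_in(TMG_INTENDED),
        "tmg_ip_leaks_into_proposal": TMG_INTERNAL_IP in TMG_PROPOSES,
        "tmg_ip_in_intended": TMG_INTERNAL_IP in TMG_INTENDED,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The `intended_hosts` entry confirms the /30 covers exactly 10.0.2.61 and 10.0.2.62, the two hosts the poster wants through the tunnel, while the /24 TMG proposes would also cover the TMG's internal address.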
We have a webpage that uses java, and we are unable to make it work on web vpn on mac os. On the windows side, we added the following to the webvpn smart tunnel and it works:
smart-tunnel list banner WebStart javaws.exe platform windows
smart-tunnel list banner JavaWindows javaw.exe platform windows
Does anyone know the path for Mac OS X?
The VPN client for Mac OS runs on any Power Macintosh or compatible computer with Mac OS Version 7.6 to 9.x, and Open Transport Version 1.1.1 or later.
Have available an application that can translate a BinHex (.hqx) archive, such as StuffIt. Your web browser might perform the translation automatically for you.
http://www.cisco.com/en/US/docs/security/vpn5000/client/windows_mac/client52/user/guide/Install.html#wp1023928 -
Ssl smart tunnel and vmware client
Has anyone gotten the VMware client (for either Server or VI) to work using a smart tunnel on WebVPN? I set up a smart tunnel for vmware.exe, but it does not seem to connect. I am running 8.0.4. Also, has anyone been able to smart tunnel explorer.exe?
The AnyConnect VPN Client is not compatible with virtualization software, such as VMWare.
-
Two tunnels with the same crypto acl
Hi, a cloud service provider requests to set up two IPsec tunnels with the same crypto access-list, to reach the same network in the cloud.
Now I'd like to know what's the behaviour of the ASA with two "similar" crypto maps on the same interface and if the ASA requires a stateful path or not.
Thank you in advance
Greetings
Renato
Hi Renato,
Apologies, I understand what you're saying is two tunnels up and running to the same service provider but with two peer addresses. You want to start a session on one tunnel and also send data from the same session down the secondary tunnel, whilst maintaining session state.
I guess what your question also needs to raise is how the asymmetrical routing would work with the applications.
It would be a great one to lab, so sorry, not sure enough to offer an answer. -
Find and replace smart quotes with straight quotes?
I understand I can turn off smart quotes so that I can type straight quotes, but I need to replace hundreds of curly smart quotes with straight quotes, is there a feature that will let me do this? I am using FM8.
Thanx,
Willian
I am using FM9, so I don't know if the same shortcuts apply, but this is what I found out last week.
Use the Find and Replace tool:
With smart quotes turned off and the Num Lock key turned on:
Alt0147 will give you beginning quotation marks
Alt0148 will give you ending quotation marks
In the Find box use ALT0147 or ALT0148 for the beginning or ending quotes. When you click in the box and type one of the shortcuts the correct quote will be shown in the box.
In the replace box type the regular straight quotes on your keyboard.
I was thrilled that it would work! Of course you do have to do them separately and be careful not to replace the curly quotes that you want to leave in your document.
Hope this helps using FM8....
ls -
Smart form with 2 different pages
Hi Experts
I have a requirement, I need to develop a smart form with 2 different pages, and each page has different data and presentation of the data also is different.
In the first page I need to display the contract data with the line items and amounts and in the second page I need to display the partner details with their contact details. From second page onwards it may go further based on the partners exists for that contract.
Please advise me on the best possible way to achieve this.
Thanks
Praveen
Hi Praveen,
Create two Pages:
First Page:
In general Attributes section- Keep page2 as next page
Create Main window and under that
Keep the text elements for contract data of line item and amounts as required
Second Page:
In general Attributes section- Keep page2 as next page
create main window and under that
get all the partner details of line item into an internal table(using program lines node).
Now use the 'Tables' node, which behaves as a loop for this internal table (so that it continues further if it contains data for more than 1 page).
And display the values in smartform using Text node
Regards,
Swarna Munukoti. -
I recently have bought a new Macbook Pro (Version 10.10.1) with the OS X Yosemite. The computer comes with the new Pages (version 5.5.1).
Here is the problem: I like to create artwork using the shapes on Pages. Previously, on my old mac, I used Pages 4.3 to create objects, which I would copy then paste to Photoshop and it would become a vector smart object. However, in the new Pages (version 5.5.1), when I copy objects, they would appear on Photoshop as instead, a layer and it would not be in full resolution.
Also, I know there is nothing wrong with the Pages file itself because I have converted the document to PDF form and it is high resolution when inserted into Photoshop that way.
Does anyone know how I can copy individual objects from Pages (5.5.1) and paste it into Photoshop as a vector smart object with high resolution as I have done before?
Thanks!
ghotiz wrote:
copy the image and have it in a high-quality PNG format that does not include the background from the Pages document.
Oh, well if you don't actually need vector objects then it looks like this is possible. As I said earlier, Pages is putting a PNG on the clipboard. I tested it and it does paste into Photoshop as a transparent layer, because I can see the transparent background of the pasted PNG graphic if I either turn off all layers behind it in Photoshop, or if I start a new Photoshop document to paste into but make sure I choose Transparent for the Background Contents in the New Document dialog. -
Hi there,
I am running LR4.1/CS5/ACR6.7 on a Win7 64bits system.
The feature "Edit-In" > "Open as Smart Object with Photoshop..." does work Ok with raw files (.NEF).
However, when I try to use the same feature with 32-bit .TIFF files (which are output of LR4.1's other "Edit-In" > "Merge to HDR Pro in Photoshop..." feature), nothing happens (the Photoshop application window does open but without the image that I've just selected).
I've used search engines and Adobe online help to see if there was any limit preventing the usage of this feature with 32 bits .TIF files but couldn't see such note.
Thanks for your help !
Albert
Thanks Rikk,
That did work with a DNG file :-)
I am working with very huge .TIF files (400MB), so i am wondering if size could be the main issue (although my PC has lots of HW resources).
I will explore the DNG way, a format which seems anyways to be very promising now with LR4.
In case anyone has an idea why it doesn't work with the .TIF files, please shoot! -
Hi, I recently purchased a MacBook 13". I have a problem with sound when connecting to my LG Smart TV with sound system. When I change sound effects on my sound system (also LG) it all goes quiet; I didn't have this problem with my laptop. Any advice?
Some progress I see. To be honest, I would not waste your time with trying to connect using wireless.
You are likely to get poor connections and dropping out.
If it's working using a cable, then there is no need to bother with giving me the network settings, but see how it goes, because sometimes giving the TV a static IP address can give better results.
There is an example of a couple of powerline adapters on the diagram below. Just ignore the network switch unless you want to connect other devices which are near to the TV.
http://forumhelp.dyndns.info/networking/powerline3.jpg
I will monitor the subject line of this thread, should you want to post any more information.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Not able to form EoIP tunnel with anchor WLC
Hi all,
I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility show UP on both ends. Also I can ping to the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
(WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
Client MAC Address............................... 0c:3e:9f:ab:db:ed
Client Username ................................. N/A
AP MAC Address................................... 0c:68:03:b9:44:70
AP Name.......................................... WOHW-LAP016
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 66
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 0c:68:03:b9:44:72
Connected For ................................... 1469 secs
Channel.......................................... 6
IP Address....................................... Unknown
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
Association Id................................... 3
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Bronze
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... None
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. STATICIP_NOL3SEC
>>> No Mobility peer IP address <<<<
(WOHW-WC01) >show mobility anchor wlan 66
Mobility Anchor Export List
WLAN ID IP Address Status
66 137.183.242.149 Up
66 137.183.242.150 Up
(WOHW-WC01) >show mobility sum
Mobility Architecture ........................... Flat
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... WOHW_ENT1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x9cbf
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
bc:16:65:f9:18:60 137.183.242.150 CIN_GUEST1 0.0.0.0 Up
e0:2f:6d:7c:42:20 143.27.201.52 WOHW_ENT1 0.0.0.0 Up
f8:72:ea:ee:a0:00 137.183.242.149 CIN_GUEST1 0.0.0.0 Up
It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring.
(WOHW-WC01) >show wlan 66
WLAN Identifier.................................. 66
Profile Name..................................... PGGuest
Network Name (SSID).............................. PGGuest
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Enabled
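The WLC output in the thread above is dot-leader text that is awkward to check by eye. This added example (not from the thread or from Cisco) parses constructed excerpts modelled on the posted `show client detail` and `show mobility anchor wlan` output and flags the combination the poster hit: anchors exported and Up, yet the client stuck with Mobility State None and no IP while in a NAC OOB state.

```python
import re

# Constructed excerpts modelled on the output posted in the thread above.
CLIENT_DETAIL = """\
Client MAC Address............................... 0c:3e:9f:ab:db:ed
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 66
IP Address....................................... Unknown
Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... None
Policy Manager State............................. STATICIP_NOL3SEC
"""

ANCHOR_EXPORT = """\
Mobility Anchor Export List
WLAN ID IP Address Status
66 137.183.242.149 Up
66 137.183.242.150 Up
"""

# key, a run of dot leaders, then the value
FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_dotted(text):
    """Turn dot-leader output into a dict; wrapped continuation lines
    (which begin with dots) are appended to the previous field's value."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            last = m.group("key").strip()
            fields[last] = m.group("value").strip()
        elif line.startswith(".") and last:
            fields[last] += line.lstrip(". ")
    return fields


def parse_anchor_export(text):
    """Return {wlan_id: [(anchor_ip, status), ...]} from the export list."""
    anchors = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            anchors.setdefault(int(parts[0]), []).append((parts[1], parts[2]))
    return anchors


def anchor_issues(client, anchors):
    """Flag the thread's symptom: anchors Up but no mobility hand-off."""
    issues = []
    wlan = int(client.get("Wireless LAN Id", "-1"))
    up = [ip for ip, status in anchors.get(wlan, []) if status == "Up"]
    if not up:
        issues.append(f"WLAN {wlan}: no anchor controller is Up")
    elif client.get("Mobility State") == "None":
        issues.append(f"WLAN {wlan}: anchors {up} are Up but client "
                      f"mobility state is None (no EoIP hand-off)")
    if client.get("Client NAC OOB State") and client.get("IP Address") == "Unknown":
        issues.append("client held in a NAC OOB state with no IP; check the "
                      "WLAN's NAC mode before the mobility settings")
    return issues
```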