ASA Smart Tunnel with OS X 10.7

Hello,
   I've recently configured SSL VPN on an ASA failover pair running 8.4(2). The smart tunnel policy allows RDP clients (native MS client on Windows, MS Client and CoRD on Mac). Early testing looked good for both Windows and Mac. But then I had a Mac user who reported that the "Application Access" button did not display in the navigation pane, and hence they can't get to where to launch Mac smart tunnel applications. The difference between those that worked and the one that doesn't is OS X v10.6 (works), OS X v10.7 (doesn't work).
   Doing a little research, I found that JRE isn't installed by default in OS X 10.7, and I found the following link:
http://support.apple.com/kb/DL1421. After installation, and verifying that "enable applet plug-in and Web Start applications" was checked and trying again, the same results. "Application Access" is missing from the navigation bar, and hence smart tunnel apps can't be launched.
   Does anyone have an idea on what could be going wrong here?
Thanks!
Kurt

Kurt,
I just found your thread here.
Which browser are you using on the Mac?
I have found that with Mac OS 10.7 (Lion) there are issues with the smart tunnel applet with Safari and Chrome.
However, it works as expected with Firefox.
I actually get a Safari Web Content crash report when I try to connect with Safari.
I have been monitoring this since 10.7 was released. I haven't opened a ticket with TAC because it appeared to be an Apple / Safari issue since the applet works with Firefox.
I installed the latest Java update for 10.7 today and there was no change in behavior.
I guess it's time to open a TAC ticket.

Similar Messages

  • ASA: Smart Tunnel and proxy problem

    Hello
    I am having a problem: some of my external users who have a proxy set up on their end can't use the smart tunnel.
    They get a proxy warning when they click on a bookmark.
    If I skip using Smart tunnel, the user can't start the Citrix app and gets a corrupted ICA file.
    Is it a common problem? If so, is there a solution?
    KR
    Daniel

    Hi Daniel,
    "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
    HTH!!
    Regards,
    Naresh

  • Smart tunnel used for access other than native application?

    Dear all,
    I have a question about smart tunnel. My situation is: I need to access a server on a certain IP address that uses a port (example: port 5007) that is native to the application. That application is a customized application just for my company.
    Question is:
    1. Can I use smart tunnel to access the application for that particular port (ex: port 5007, 8476)?
    2. I have so many group servers (other than group server A) with so many customized applications with native ports. Is there any other way for me to access that IP without using smart tunnel? Because this project requirement is
    Clientless application access using application/Agent in user's PC, such as RDP, SSH & Native Application and others.
    Group Server A
    IP              Port
    10.194.24.99    5007, 80, 9593, 9594, 9595
    10.194.22.99    82
    192.9.1.99      23, 449, 8470, 8476, 9470, 9476, 992
    My ASA is 9.1.3 and my ASDM is 7.1.3
    Please kindly help; any response is appreciated.
    source : http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf

    See http://www.mozilla.org/projects/netlib/PortBanning.html
    * http://kb.mozillazine.org/network.security.ports.banned.override

  • Smart Tunnel not working correctly

    I have setup Smart Tunnelling on an ASA5505.
    Situation is PC --->  Proxy [bluecoat] ---> Internet ---> ASA
    I can connect to the front end clientless VPN side ok and I then click on start smart tunnelling.  It starts up (at least it says so) but when I access one of the programs in the list (mstsc.exe) the [Tunnel] traffic does not go via the Proxy but tries to go direct instead.  Wireshark shows traffic being sent to the ASA VPN IP instead of via the proxy (trace is filtered to ASA subnet).  Although encrypted the trace only shows traffic when I start a connection from mstsc.exe.
    ASA version is 8.4(3), Java is build 1.6.0_26-b03
    Any tips on what may be going on?

    Automatic proxy setting or manual? Manual is supported.

  • ASA 5510 tunnel dropping

    We have two ASA 5510 firewalls with a tunnel between two sites. The tunnel works without issue until one of the sites experiences a brief outage due to the service provider. The VPN tunnel is not automatically establishing after the outage. It takes a restart of one of the ASAs before it will come back online. How do I get the devices to automatically try to restore the tunnel?
    Chris

    Chris-
    If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.
    *Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222
    securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
    securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
    Hope that helps.

  • How to make Forefront TMG build VPN site-to-site tunnel with reduced subnet

    I am trying to implement a Site-to-Site VPN tunnel with a supplier. We are using Forefront TMG 2010 SP2 (Site A) and they are using Cisco ASA (Site B)
    I have complete access to SITE A, but no access to Site B (suppliers end)
    We have set up the VPN tunnel, but it will only come up if it is initiated from the Site B end. We know this is because there is a mismatch in the expected network size. Site B fits within Site A, but not the other way round.
    The tunnel is set up at Site A with an allowed route of 10.0.2.60/30 and matched with a configuration at the other end. This configuration is If I look at the "Site-to-site" summary on TMG.
    However, my counterpart at site B tells me that when the TMG actually tries to build the tunnel, it is not specifying 10.0.2.60/30 but 10.0.2.0/24.
    I should also mention that the TMG internal IP is 10.0.2.6, that only 10.0.2.61 and 10.0.2.62 should be allowed through the tunnel, and that due to existing VPNs on the supplier site, they cannot increase the size of the network on their side to match the 10.0.2.0/24 range.
    I am at a bit of a loss as to why this is happening. Does anyone have any guidance? I don't really even know what terminology to use to effectively search for an answer.

    Hi,
    Which VPN protocol have you used?
    What are the network addresses you have configured in the Create Site-to-Site Connection Wizard? Did you mean that the IP range changed on site B after you created the VPN connection? Please make sure that the ranges match the internal ranges at site B.
    In addition, I am quite sure of your IP ranges for both sites, I would appreciate it if you can tell the IP range for TMG server internal network and the site B.
    Besides, you can refer to the link below:
    Test Lab Guide: Demonstrate Site to Site VPN with Threat Management Gateway 2010 (Part 1) (Note: Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
    Best regards,
    Susie

  • Os x smart tunnel for java

    We have a webpage that uses java, and we are unable to make it work on web vpn on mac os. On the windows side, we added the following to the webvpn smart tunnel and it works:
    smart-tunnel list banner WebStart javaws.exe platform windows
    smart-tunnel list banner JavaWindows javaw.exe platform windows
    Does anyone know the path for mac os x?

    The VPN client for Mac OS runs on any Power Macintosh or compatible computer with Mac OS Version 7.6 to 9.x, and Open Transport Version 1.1.1 or later.
    Have available an application that can translate a BinHex (.hqx) archive, such as StuffIt. Your web browser might perform the translation automatically for you.
    http://www.cisco.com/en/US/docs/security/vpn5000/client/windows_mac/client52/user/guide/Install.html#wp1023928

  • Ssl smart tunnel and vmware client

    Has anyone gotten the vmware client(for either server or VI) to work using a smart tunnel on webvpn? I set up a smart tunnel for vmware.exe, but it does not seem to connect. I am running 8.0.4. Also, has anyone been able to smart tunnel explorer.exe?

    The AnyConnect VPN Client is not compatible with virtualization software, such as VMWare.

  • Two tunnels with the same crypto acl

    Hi, a cloud service provider requests to set up two IPsec tunnels with the same crypto access-list, to reach the same network in the cloud.
    Now I'd like to know what the behaviour of the ASA is with two "similar" crypto maps on the same interface, and whether the ASA requires a stateful path or not.
    Thank you in advance,
    greetings
    renato

    Hi Renato,
    Apologies, I understand what you're saying is two tunnels up and running to the same service provider but with two peer addresses. You want to start a session on one tunnel and also send data from the same session down the secondary tunnel, whilst maintaining session state.
    I guess what your question also needs to raise is how the asymmetrical routing would work with the applications.
    It would be a great one to lab, so sorry, not sure enough to offer an answer.

  • Find and replace smart quotes with straight quotes?

    I understand I can turn off smart quotes so that I can type straight quotes, but I need to replace hundreds of curly smart quotes with straight quotes, is there a feature that will let me do this? I am using FM8.
    Thanx,
    Willian

    I am using FM9....so I don't know if the same shortcuts apply, but this is what I found out last week.
    Use the Find and Replace tool:
    With smart quotes turned off and the Num Lock key turned on:
    Alt0147 will give you beginning quotation marks
    Alt0148 will give you ending quotation marks
    In the Find box use ALT0147 or ALT0148 for the beginning or ending quotes. When you click in the box and type
    one of the shortcuts the correct quote will be shown in the box.
    In the replace box type the regular straight quotes on your keyboard.
    I was thrilled that it would work!...course you do have to do them separately and be careful not to replace the curly quotes
    that you want to leave in your document.
    Hope this helps using FM8....
    ls

  • Smart form with 2 different pages

    Hi Experts
    I have a requirement, I need to develop a smart form with 2 different pages, and each page has different data and presentation of the data also is different.
    In the first page I need to display the contract data with the line items and amounts and in the second page I need to display the partner details with their contact details. From second page onwards it may go further based on the partners exists for that contract.
    Please advise me on the best possible way to achieve this.
    Thanks
    Praveen

    Hi Praveen,
    Create two Pages:
    First Page:
    In general Attributes section- Keep page2 as next page
    Create Main window and under that
    Keep the text elements for contract data of line item and amounts as required
    Second Page:
    In general Attributes section- Keep page2 as next page
    create main window and under that
    get all the partner details of line item into an internal table(using program lines node).
    Now use the 'Tables' node, which behaves as a loop for this internal table (so that it continues further if it contains data for more than 1 page)
    And display the values in smartform using Text node
    Regards,
    Swarna Munukoti.

  • How to copy objects from Pages (5.5.1) and paste it into Photoshop as a vector smart object with high resolution?

    I recently have bought a new Macbook Pro (Version 10.10.1) with the OS X Yosemite. The computer comes with the new Pages (version 5.5.1).
    Here is the problem: I like to create artwork using the shapes on Pages. Previously, on my old mac, I used Pages 4.3 to create objects, which I would copy then paste to Photoshop and it would become a vector smart object. However, in the new Pages (version 5.5.1), when I copy objects, they would appear on Photoshop as instead, a layer and it would not be in full resolution.
    Also, I know there is nothing wrong with the Pages file itself because I have converted the document to PDF form and it is high resolution when inserted into Photoshop that way.
    Does anyone know how I can copy individual objects from Pages (5.5.1) and paste it into Photoshop as a vector smart object with high resolution as I have done before?
    Thanks!

    ghotiz wrote:
    copy the image and have it in a high-quality PNG format that does not include the background from the Pages document.
    Oh, well if you don't actually need vector objects then it looks like this is possible. As I said earlier, Pages is putting a PNG on the clipboard. I tested it and it does paste into Photoshop as a transparent layer, because I can see the transparent background of the pasted PNG graphic if I either turn off all layers behind it in Photoshop, or if I start a new Photoshop document to paste into but make sure I choose Transparent for the Background Contents in the New Document dialog.

  • LR4.1 : "Edit-In" "Open as Smart Object with Photoshop..." feature doesn't work with 32bits

    Hi there,
    I am running LR4.1/CS5/ACR6.7 on a Win7 64bits system.
    The feature "Edit-In" > "Open as Smart Object with Photoshop..." does work Ok with raw files (.NEF).
    However, when i do try to use the same feature with 32 bits .TIFF files (which are output of the LR4.1's "Edit-In" > "Merge to HDR Pro in Photoshop..." other feature), nothing does happen (the Photoshop application windows does open but w.o the image that i've just selected).
    I've used search engines and Adobe online help to see if there was any limit preventing the usage of this feature with 32 bits .TIF files but couldn't see such note.
    Thanks for your help !
    Albert

    Thanks Rikk,
    That did work with a DNG file :-)
    I am working with very huge .TIF files (400MB), so i am wondering if size could be the main issue (although my PC has lots of HW resources).
    I will explore the DNG way, a format which seems anyways to be very promising now with LR4.
    In case anyone has an idea why it doesn't work the .TIF files, please shoot !

  • Hi, recently purchased macbook 13", I have problem with sound when connect to my LG Smart tv with sound system. When i change sounds effect on my sound system also LG its all go quiet didn't have this problem with my laptop. Any advise ?

    Hi, recently purchased macbook 13", I have problem with sound when connect to my LG Smart tv with sound system. When i change sounds effect on my sound system also LG its all go quiet didn't have this problem with my laptop. Any advise ?

    Some progress I see. To be honest, I would not waste your time with trying to connect using wireless.
    You are likely to get poor connections and dropping out.
    If it's working using a cable, then there is no need to bother with giving me the network settings, but see how it goes, because sometimes giving the TV a static IP address can give better results.
    There is an example of a couple of powerline adapters on the diagram below. Just ignore the network switch unless you want to connect other devices which are near to the TV.
    http://forumhelp.dyndns.info/networking/powerline3.jpg
    I will monitor the subject line of this thread, should you want to post any more information.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Not able to form EoIP tunnel with anchor WLC

    Hi all,
    I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility show UP on both ends. Also I can ping to the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
    (WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
    Client MAC Address............................... 0c:3e:9f:ab:db:ed
    Client Username ................................. N/A
    AP MAC Address................................... 0c:68:03:b9:44:70
    AP Name.......................................... WOHW-LAP016
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 66
    Hotspot (802.11u)................................ Not Supported
    BSSID............................................ 0c:68:03:b9:44:72
    Connected For ................................... 1469 secs
    Channel.......................................... 6
    IP Address....................................... Unknown
    Gateway Address.................................. Unknown
    Netmask.......................................... Unknown
    IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
    Association Id................................... 3
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 0
    Client CCX version............................... No CCX support
    QoS Level........................................ Bronze
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... ON
    Current Rate..................................... m7
    Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
        ............................................. 54.0
    Mobility State................................... None
    Mobility Move Count.............................. 0
    Security Policy Completed........................ No
    Policy Manager State............................. STATICIP_NOL3SEC
    >>> No Mobility peer IP address <<<<
    (WOHW-WC01) >show mobility anchor wlan 66
    Mobility Anchor Export List
     WLAN ID     IP Address            Status
     66          137.183.242.149       Up                              
     66          137.183.242.150       Up                              
    (WOHW-WC01) >show mobility sum           
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... WOHW_ENT1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x9cbf
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 3
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
     MAC Address        IP Address       Group Name                        Multicast IP     Status
     bc:16:65:f9:18:60  137.183.242.150  CIN_GUEST1                        0.0.0.0          Up
     e0:2f:6d:7c:42:20  143.27.201.52    WOHW_ENT1                         0.0.0.0          Up
     f8:72:ea:ee:a0:00  137.183.242.149  CIN_GUEST1                        0.0.0.0          Up

    It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring. 
    (WOHW-WC01) >show wlan 66 
    WLAN Identifier.................................. 66
    Profile Name..................................... PGGuest
    Network Name (SSID).............................. PGGuest
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Enabled
