Client SSL Vpn question`

Similar Messages

• Clientless SSL VPN and ActiveX question

  Hey All,
  First post for me here, so be gentle.  I'll try to be as detailed as possible.
  With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
  First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
  Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
  I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
    match ip inside any outside any
      NAT exempt
      translate_hits = 8915, untranslate_hits = 6574
  access-list nonat extended permit ip any any log notifications
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
  access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
  access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
  access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
  access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
  access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
  access-list outside_in extended permit icmp any any log notifications
  access-list outside_in extended permit tcp any any log notifications
  pager lines 24
  logging enable
  logging asdm informational
  logging ftp-server 192.168.16.34 / syslog *****
  mtu inside 1500
  mtu outside 1500
  ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 1 interface
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 192.168.16.32 255.255.255.224
  nat (inside) 1 192.168.17.0 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_in in interface outside
  192.168.2.0 is my corp network range
  192.168.2.171 is my internal IP for corp ASA5510
  97.x.x.x is the external interface for my corp ASA5510
  192.168.16.34 is the internal interface for the remote ASA5505
  64.x.x.x is the external interface for the remote ASA5505
  192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
  As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
  I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
  Thanks much for any and all ideas!

  Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

• SSL VPN Client Error

  I setup a Cisco ASA 5510 SSL VPN with the folowing;
  IOS 7.2
  SSL VPN CLient sslclient-win-1.1.1.164.pkg
  Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
  IBM Thinkpad T40
  Windows XP SP 2
  Internet Explorer 7
  All patches up-to-date
  All drivers up-to-date
  SSL VPN Client connection process;
  - User login with valid account and password
  - The SSL VPN Client package will automatically download and installed.
  - User will then be connected to SSL VPN
  The ERRORS;
  1. GUI (Cisco SSL VPN Client installation process)
  "The SSL VPN Client driver has Encountered an Error"
  2. Event Viewer
  The only error in this user event viewer that differs from other users who successfully connected are;
  a)
  Function: EnableVA
  Return code: 0
  File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
  Line: 310
  Description: unknown
  b)
  Function: EnableVA
  Return code: 0xFE080007
  File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
  Line: 1145
  Description: VAMGR_ERROR_ENABLE_VA_FAILED
  Anyone know what thus the error means?
  BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
  Thanks

  The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
  http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

• SSL VPN with client, anyconnect.

  I've set up a simple test on SSL VPN with client on a 3800.
  It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
  but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
  The underlying routing is fine.
  Could you tell me where it is configured wrong?
  Config is copied below.
  thanks,
  Han
  =======
  Current configuration : 3340 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password cisco
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  no network-clock-participate slot 1
  crypto pki trustpoint TP-self-signed-3551041125
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3551041125
  revocation-check none
  rsakeypair TP-self-signed-3551041125
  crypto pki certificate chain TP-self-signed-3551041125
  certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
  34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
  29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
  6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
  23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
  53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
  301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
  5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
  300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
  73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
  CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
  B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
  CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
  quit
  dot11 syslog
  ip cef
  multilink bundle-name authenticated
  voice-card 0
  no dspfarm
  username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
  archive
  log config
  hidekeys
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  end
  interface Loopback1
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  ip local pool svc-poll 1.1.1.50 1.1.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 192.168.1.254
  ip http server
  no ip http secure-server
  control-plane
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface GigabitEthernet0/0 port 443
  ssl trustpoint local
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSLVPN
  ssl authenticate verify all
  policy group default
     functions svc-required
     svc default-domain "test.org"
     svc keep-client-installed
     svc split dns "primary"
  default-group-policy default
  gateway SSLVPN
  inservice
  end

  Using the SDM follow the below config example
  http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
  The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
  HTH>

• SSL VPN message "This (client) machine does not have the web access privilege."

  Hello!
  I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
  enable password xxxxxxxx
  aaa new-model
  aaa authentication login userAuthen local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authorization network groupauthor local
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1279712955
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1279712955
  revocation-check none
  rsakeypair TP-self-signed-1279712955
  crypto pki certificate chain TP-self-signed-1279712955
  certificate self-signed 01
    3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
    33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
    31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
    A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
    649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
    9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
    B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
    551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
    11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
    ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
    48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
    265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
    7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
    495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
     quit
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 192.168.0.1 192.168.0.10
  ip dhcp pool myPOOL
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 87.216.1.65 87.216.1.66
  ip cef
  ip name-server 87.216.1.65
  ip name-server 87.216.1.66
  ip ddns update method mydyndnsupdate
  HTTP
    add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  interval maximum 1 0 0 0
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group pppoe
  request-dialin
    protocol pppoe
  username cisco privilege 15 password 0 xxxxxxxx
  crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp fragmentation
  crypto isakmp client configuration group vpnclient
  key cisco123
  domain selfip.net
  pool ippool
  acl 110
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map clientmap client authentication list userAuthen
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  archive
  log config
    hidekeys
  interface Loopback0
  ip address 10.11.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Loopback2
  description SSL VPN Website IP address
  ip address 10.10.10.1 255.255.255.0
  interface Loopback1
  description SSL DHCP Pool Gateway Address
  ip address 192.168.250.1 255.255.255.0
  interface FastEthernet0
  description $ES_LAN$
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  interface FastEthernet1
  interface FastEthernet2
  switchport access vlan 2
  interface FastEthernet3
  interface FastEthernet4
  interface FastEthernet5
  interface FastEthernet6
  interface FastEthernet7
  interface FastEthernet8
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  bundle-enable
  dsl operating-mode auto
  interface Vlan1
  no ip address
  interface Dialer1
  ip ddns update hostname myserver.selfip.net
  ip ddns update mydyndnsupdate host members.dyndns.org
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip policy route-map VPN-Client
  dialer pool 1
  ppp chap hostname xxx
  ppp chap password 0 xxxx
  ppp pap sent-username xxx password 0 xxxx
  crypto map clientmap
  ip local pool ippool 192.168.50.100 192.168.50.200
  ip local pool sslvpnpool 192.168.250.2 192.168.250.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
  ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
  ip nat inside source list 102 interface Dialer1 overload
  ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
  ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
  access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 102 permit ip 192.168.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 144 permit ip 192.168.50.0 0.0.0.255 any
  route-map VPN-Client permit 10
  match ip address 144
  set ip next-hop 10.11.0.2
  control-plane
  banner motd ^C
  ================================================================
                  UNAUTHORISED ACCESS IS PROHIBITED!!!
  =================================================================
  ^C
  line con 0
  line aux 0
  line vty 0 4
  password mypassword
  transport input telnet ssh
  webvpn gateway MyGateway
  ip address 10.10.10.1 port 443 
  http-redirect port 80
  ssl trustpoint TP-self-signed-1279712955
  inservice
  webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context SecureMeContext
  title "My SSL VPN Service"
  secondary-color #C0C0C0
  title-color #808080
  ssl authenticate verify all
  url-list "MyServers"
     heading "My Intranet"
     url-text "Cisco" url-value "http://192.168.0.2"
     url-text "NetGear" url-value "http://192.168.0.3"
  login-message "Welcome to My VPN"
  policy group MyDefaultPolicy
     url-list "MyServers"
     functions svc-enabled
     svc address-pool "sslvpnpool"
     svc keep-client-installed
  default-group-policy MyDefaultPolicy
  aaa authentication list userAuthen
  gateway MyGateway domain testvpn
  max-users 100
  csd enable
  inservice
  end
  Thank you!

  Hi,
  Please check SAP note:
  2004579 - You cannot create a FR company from a Package
  Thanks & Regards,
  Nagarajan

• Jabber client and IP Phone SSL VPN to ASA using AnyConnect

  Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
  https://supportforums.cisco.com/docs/DOC-9124

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

  Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

  I don't think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

• SA540 SSL VPN Client will not install on Windows 7

  I had the SSL VPN Client working on my Windows 7 laptop.  I tried to use the SSL VPN through Firefox and now my client does not work on IE anymore.
  The install process beings and the progress bar makes it halfway before I get an error saying the install failed.
  I tried everything I could to remove the SSL VPN client manually.  I even followed the instructions posted at the end of this forum posting:  https://cisco-support.hosted.jivesoftware.com/thread/2018716?decorator=print&displayFullThread=true
  Nothing has worked.
  The best I can find is the VPN Client is crashing during install.  I saw this in the Event Log.
  Fault bucket 177244756, type 5
  Event Name: PnPDriverInstallError
  Response: Not available
  Cab Id: 0
  Problem signature:
  P1: x64
  P2: E0000234
  P3: ssldrv.inf
  P4: 93775c2b0faa616bc11a47d4ff617aa8d00cd56f
  P5: SSLDrv.Ndi
  P6:
  P7:
  P8:
  P9:
  P10:
  Attached files:
  C:\Users\shudson\AppData\Local\Temp\DMIE984.tmp.log.xml
  C:\Windows\inf\oem54.inf
  These files may be available here:
  C:\Users\shudson\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_d317f66069d2e3b17f6bc1e7306afd9085494a_1020fe2c
  Analysis symbol:
  Rechecking for solution: 0
  Report Id: 75c67e96-1882-11e0-8e4d-5c260a0235ed
  Report Status: 0
  I then used AppCrashView to see the crash report and I get this:
  Version=1
  EventType=APPCRASH
  EventTime=129386443518175301
  ReportType=2
  Consent=1
  UploadTime=129386443518799293
  ReportIdentifier=2a4c4f0a-183c-11e0-aac2-5c260a0235ed
  IntegratorReportIdentifier=2a4c4f09-183c-11e0-aac2-5c260a0235ed
  WOW64=1
  Response.BucketId=2007535968
  Response.BucketTable=1
  Response.type=4
  Sig[0].Name=Application Name
  Sig[0].Value=VirtualPassageExe.exe
  Sig[1].Name=Application Version
  Sig[1].Value=1.7.3.1
  Sig[2].Name=Application Timestamp
  Sig[2].Value=4b20cf25
  Sig[3].Name=Fault Module Name
  Sig[3].Value=OLEAUT32.dll
  Sig[4].Name=Fault Module Version
  Sig[4].Value=6.1.7600.16567
  Sig[5].Name=Fault Module Timestamp
  Sig[5].Value=4bbc2f3d
  Sig[6].Name=Exception Code
  Sig[6].Value=c0000005
  Sig[7].Name=Exception Offset
  Sig[7].Value=00004660
  DynamicSig[1].Name=OS Version
  DynamicSig[1].Value=6.1.7600.2.0.0.256.48
  DynamicSig[2].Name=Locale ID
  DynamicSig[2].Value=1033
  DynamicSig[22].Name=Additional Information 1
  DynamicSig[22].Value=0a9e
  DynamicSig[23].Name=Additional Information 2
  DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
  DynamicSig[24].Name=Additional Information 3
  DynamicSig[24].Value=0a9e
  DynamicSig[25].Name=Additional Information 4
  DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
  UI[2]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  UI[3]=VirtualPassageExe MFC Application has stopped working
  UI[4]=Windows can check online for a solution to the problem.
  UI[5]=Check online for a solution and close the program
  UI[6]=Check online for a solution later and close the program
  UI[7]=Close the program
  LoadedModule[0]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
  LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
  LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
  LoadedModule[4]=C:\Windows\system32\MFC42.DLL
  LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
  LoadedModule[6]=C:\Windows\syswow64\USER32.dll
  LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
  LoadedModule[8]=C:\Windows\syswow64\LPK.dll
  LoadedModule[9]=C:\Windows\syswow64\USP10.dll
  LoadedModule[10]=C:\Windows\syswow64\ADVAPI32.dll
  LoadedModule[11]=C:\Windows\SysWOW64\sechost.dll
  LoadedModule[12]=C:\Windows\syswow64\RPCRT4.dll
  LoadedModule[13]=C:\Windows\syswow64\SspiCli.dll
  LoadedModule[14]=C:\Windows\syswow64\CRYPTBASE.dll
  LoadedModule[15]=C:\Windows\syswow64\ole32.dll
  LoadedModule[16]=C:\Windows\syswow64\OLEAUT32.dll
  LoadedModule[17]=C:\Windows\system32\ODBC32.dll
  LoadedModule[18]=C:\Windows\syswow64\SHELL32.dll
  LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
  LoadedModule[20]=C:\Windows\system32\apphelp.dll
  LoadedModule[21]=C:\Windows\AppPatch\AcLayers.DLL
  LoadedModule[22]=C:\Windows\system32\USERENV.dll
  LoadedModule[23]=C:\Windows\system32\profapi.dll
  LoadedModule[24]=C:\Windows\system32\WINSPOOL.DRV
  LoadedModule[25]=C:\Windows\system32\MPR.dll
  LoadedModule[26]=C:\Windows\system32\IMM32.DLL
  LoadedModule[27]=C:\Windows\syswow64\MSCTF.dll
  LoadedModule[28]=C:\Windows\system32\odbcint.dll
  LoadedModule[29]=C:\Windows\system32\uxtheme.dll
  LoadedModule[30]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16661_none_ebfb56996c72aefc\COMCTL32.DLL
  LoadedModule[31]=C:\Windows\system32\dwmapi.dll
  State[0].Key=Transport.DoneStage1
  State[0].Value=1
  FriendlyEventName=Stopped working
  ConsentKey=APPCRASH
  AppName=VirtualPassageExe MFC Application
  AppPath=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  None of this makes any sense to me, but may someone can tell me why the install is failing?
  Thanks,
  Scott

  Mario,
  I tried everything you mentioned.  I cleared cookies and temporary files.  I enabled SSL 3.0. I restarted IE.
  I get the same thing.  The install process starts and then ends at suddenly saying the install failed.
  Scott

• Disconnecting WEB SSL VPN client windows 7 to remote windows 7 virtual machine

  Good morning,
            my problem, common to other colleagues who use Windows machines 7 Professional is this:
  I connect to WEB SSL VPN Cisco from Client Windows 7 Home Premium Explorer-9 to a virtual machine Windows 7 Professional using a specific professional audience and vpn user. I access the Terminal Services window (attached JPG) with a list of links to virtual machines.I connect to the virtual machine in Remote Desktop Full Screen mode and log in with the same user and password. For the connection is installed an add-type control ActiveX CISCO Portforwarder Control version 3.1.0.1, file name -> cscopf.ocx.
  Problem: The session window once inside the virtual machine disappears and disconnect from the virtual machine back in the window of choice of Terminal services available. This always happens and there is no way to maintain a stable connection.With modality not FULL SCREEN, the session window would seem to remain stable but however is impossible to work in a small window.
  This problem is raised after the update windows 7 to SP1 both Home premium and Professional. In fact before the update the connection is stable. The update to SP1 update the RDP client microsoft to version 6.1.7601.17154 from version 6.1.7600 but i do not know if this the cause of the problem.
  Have you an update of CISCO active-x to fix the problem? I cancelled the file and download the last version but the problem remains.
  Workaround: Use local virtual machine with xp or windos 2003 and access form this operating system but I consider absurd to use a local   
                      virtual machine to access a service which should be directed
  Note: This problem does not occur if the VPN session to the virtual machine Windows 7 is launched from a host machine running Vista Home Premium with RDP Client 6.0. My previous PC had this OS and I was working in an absolutely stable by performing the same type of connection.
  Host Operating System: OS Name Microsoft Windows 7 Home Premium Version 6.1.7601 Service Pack 1 Build 7601
  OS virtual machine accessed via ssl web vpn: OS Name Microsoft Windows 7 Professional Version 6.1.7601 Service Pack 1 Build 7601
  Can you help?Thank you.
  Carmelo Orlando
  No

  The same problem here as well.
  I am using a Win7 PC to connect to an Win Vista PC via SSLVPN. Once i logged into the remote PC, the session is disconnected.
  Do we have any corrections from Cisco for the moment?

• Why does SSL VPN require client for full functionality?So What's the point?

  I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
  However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case from other vendors, right?) SSL VPN offers limited functionality if deployed clientless. Why is like that?
  Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless) what lack in functionality should I experience? Why a VPN client is required if SSL VPN can successfully establish the tunnel? I don't get it.
  "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

  Hi,
  Clientless SSL VPN only able to access application through browser (i.e. HTTP and HTTPS). If you need to acces other application like RDC, you need full SSL client.
  Full SSL Client is deployed automatically depends on how you configure the SSL VPN box (temporary or permanently);
  1. From the SSL VPN box, you can configure it to download and be installed to user PC permanently (500KB+). When the user successfully authenticated by the SSL VNP box, it will download the client and install automatically/permanently without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  2. From the SSL VPN box, you can configure it to download and be installed to user PC temporary (500KB+). When the user successfully authenticated by the SSL VPN box, it will download the client and install temporary without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  In one of my deployment, I have 1000+ SSL VPN user. I just need to create a 10 page User Manual/Guide complete with troubleshooting on their own. I use the first option which is automatically download and permanently install in their PC. Patching the SSL VPN Full Client need to upload the new client in the SSL VPN box only and it will automatically patch the client in user PC.
  Dandy

• FortiClient SSL VPN Client Not Functioning Correctly

  Hello,
  I use the FortiClient SSL application to connect to work. In Windows 7 x64 it works without issue. In Windows 8 Build 9200 it exhibits and odd behaviour.
  I can connect using FortiClient version 4.4.3.445. Once connected my sent bytes continues to increase which is correct. However received bytes stays at 0.
  If I try to Remote Desktop it fails.  This is obviously due to no inbound packets coming back from the Fortigate appliance being allowed back to Windows 8.
  Disabling the Firewall doesn't have any affect on the condition. Received bytes stays at 0. 
  This is a clean install with no 3rd party applications, other than the Forticlient software. This is only the SSL VPN portion of  the the FortiClient software and does not included AV or Firewall options.
  Doing some Googling, I've seen some other people with the same problem but no resolution. Another FortiClient user and Sophos & Juniper SSL VPN clients having the same problem.
  Does anybody have any idea what would be causing the SSL VPN to only send bytes but not receive.
  Thanks!
  UPDATE 2:
  In the built in MSTSC.exe "Remote Desktop" I went into Options/Advanced/Server Authentication. I switched the setting to "Connect and don't warn me" and that fixed the problem. The default was "Warn Me' However the warning screen was not coming up.
  Just for the heck of it I switched it back to the default settings and saved. Strangely I now get the "Warning" screen that you would normally see. So now both the built-in and App Store Remote Desktop applications are working. FortiClient still shows Bytes
  received as 0.....which is odd.
  UPDATE: Solved Workaround
  I was using the built-in Remote Desktop Application without success. I went into the APP Store and saw their was an APP called "Remote Desktop" I installed that and connected my FortiClient SSL to work. Still no received bytes like I would get in
  Win7. I then launched the "APP" Remote Desktop, punched in my PC name at work and creds and boom I can login to my work PC. FortiClient SSL still showing no received bytes, but the "Remote Desktop" from the APP store does work. Not sure why MSTSC.exe will
  not work, and why FortiClient shows no received bytes is still unsolved. At least the APP Store Remote Desktop works with the SSL Client.

  Hello Everyone,
  I finally able to track down the issue .
  After spending 3 days i found that VPN Client may bind some setting with user. I tried to install the same on my personal laptop and another machine where the user bind with same account
  (hotmail).
  Then I realize may be this is user issue so I follow below steps and it work fine.
  1. Uninstall Client from Machine
  2. Remove same from IE ( Options =>> Connections)
  3. Restart System
  4. Create Local user and provide administrator rights.
  5. Login with new user and logoff all other.
  6. Install Client.

• How to enable SCCM 2012 clients to get Windows Updates through SSL VPN

  I would like my SCCM 2012 client laptops to get Windows Updates through SSL VPN.
  I suppose I need to add VPN Subnet in my boundary and boundary group.
  What other setting I need to enable?
  At this moment, on the 'Software Update Point Component Properties' "Allow intranet-only client connections" radio button is active. Do I neeed to select "Allow both intranet and internet client connections" and Enable SSL communications
  for the WSUS server?
  or are there something else I need to check?

  No, a VPN client is no different than a client connected internally as far as the network is concerned and as far as ConfigMgr is concerned there is no way to explicitly know any different. Internet clients literally are those that connect via the Internet
  using IBCM.
  Jason | http://blog.configmgrftw.com

• Watchguard SSL VPN client on OSX 10.7 Lion TUN/TAP Kernel Problem

  I upgraded to OSX 10.7 Lion and lost the use of the Watchguard VPN client.
  I eventually found a solution at http://lesmond.net/2011/07/watchguard-ssl-vpn-client-on-osx-10-7-lion/
  I had already uninstalled Watchguard VPN and tried to reinstall to see if that worked (poor advice from another forum)
  I hadn't manually removed Watchguard icon from the dock.
  When you try to reinstall the dialog tells you to run an postupgrade script on the TUN/TAP kernel and then quits with a fail.
  If you install openVPN in this scenario you get an openVPN app and menu item, both of which do nothing.
  Click on the Watchguard dock icon and connect.
  I was then asked to upgrade and ended up with the run post upgrade script dialog and quit with a fail.
  I then clicked on the Watchguard doc icon again and connected.
  This time it connected with no problem.
  Hope this helps!

  WG has new firmware that will fix the problem, once flashed, download the new client vpn client (11.5.1) and you should be good to go.
  I had to contact WG to get the patch as it was not in the portal  Version 11.3.4 CSP6 for my device.  Hope this helps someone.

• SSL VPN Connection Issue

  Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
  *************Equipment/Software
  Cisco 2851 Router Version 15.4(M9) Software
  anyconnect-win-3.1.07021-k9.pkg
  *************Configuration
  ip local pool webvpn1 172.16.100.80 172.16.100.90
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip access-list extended webvpn-acl
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
  webvpn gateway CCIELAB
   hostname Porshe_GT3
   ip interface GigabitEthernet0/0 port 443
   http-redirect port 80
   ssl trustpoint my-sslvpn-ca
   inservice
  webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
  webvpn context CCIELab
   title "Networking Lab"
   ssl authenticate verify all
   login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
   policy group Labrats
     functions svc-enabled
     banner "Success, You Made It"
     filter tunnel webvpn-acl
     svc address-pool "webvpn1" netmask 255.255.255.0
     svc keep-client-installed
     svc rekey method new-tunnel
     svc split include 172.16.100.0 255.255.255.0
   default-group-policy Labrats
   aaa authentication list webvpn
   gateway CCIELAB
   inservice
  *********************Debugs
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
  *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
  *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *********************Verification
  Porshe_GT3#show webvpn policy group Labrats context all
  WEBVPN: group policy = Labrats ; context = CCIELab
        banner = "Success, You Made It"
        idle timeout = 2100 sec
        session timeout = Disabled
        functions = 
                  svc-enabled 
        citrix disabled
        address pool name = "webvpn1"
        netmask = 255.255.255.0
        tunnel-mode filter = "webvpn-acl"
        dpd client timeout = 300 sec
        dpd gateway timeout = 300 sec
        keepalive interval = 30 sec
        SSLVPN Full Tunnel mtu size = 1406 bytes
        keep sslvpn client installed = enabled
        rekey interval = 3600 sec
        rekey method = new-tunnel 
        lease duration = 43200 sec
        split include = 172.16.100.0 255.255.255.0

  The problem is related to either of these issues:
  Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  Fragmentation policy during encryption
  Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

• ASA 5505 SSL VPN LOG failed

  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
  %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
  %ASA-6-113012: AAA user authentication Successful : local database : user = admin
  %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
  %ASA-6-113008: AAA transaction status ACCEPT : user = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
  %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
  %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
  %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
  %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
  Red error what is the reason? Only appears in the window 2003 server.

  ciscoasa# show   activation-key 
  Serial Number:  JMX1314Z1UV
  Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
  Licensed features for this platform:
  Maximum Physical Interfaces    : 8        
  VLANs                          : 3, DMZ Restricted
  Inside Hosts                   : 10       
  Failover                       : Disabled
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 10       
  Dual ISPs                      : Disabled 
  VLAN Trunk Ports               : 0        
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled 
  This platform has a Base license.
  The flash activation key is the SAME as the running key.
  ciscoasa#
  Sure ？it was licence question？