IP Phone SSL VPN to ASA using AnyConnect

I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
Lastly,
I hear about Collaboration Edge in CUCM 10.x
If CUCM 10.x is deployed then how the ASA concept plays a role here.
What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network. 
I cant find any information about the Colaboration Edge on the Internet...
Message was edited by: Sean Poure

The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
http://www.cisco.com/en/US/netsol/ns1246/index.html
PS- Jason could have found out details in advance since DiData has partner NDA status.
Please remember to rate helpful responses and identify helpful or correct answers.

Similar Messages

  • Jabber client and IP Phone SSL VPN to ASA using AnyConnect

    Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
    https://supportforums.cisco.com/docs/DOC-9124

    The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
    http://www.cisco.com/en/US/netsol/ns1246/index.html
    PS- Jason could have found out details in advance since DiData has partner NDA status.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • IP Phone SSL VPN through ASA

    Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
    Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
    Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
    What does it mean?  How can I turn on debugging to see what is going on?
    Thank you in advance!

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

    hi all,
    I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
    I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
    thanks for your input!
    Samuel

    Samuel,
    Did you ever find an answer to your question? I have a similar scenario.
    Any input would be appreciated.

  • IP Phone SSL VPN - Licenses required.

    Hi,
    Can someone confirm the linceses required for me to get this working. I understand that it needs the 'AnyConnect for Cisco VPN Phone' license but do I also need to have anyconnec essentials? This is for ASA version 8.2 and the a license info below is for the ASA i intend to delpoy this on.
    Thanks
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 250
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 5000
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5550 VPN Premium license.

    Hi,
    You would need Anyconnect Premium license along with Cisco Ip phone feature enabled on ASA for Cisco IP phone to use anyconnect vpn feature.
    You can find more details from following link:
    http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
    Regards,
    Varinder
    P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

  • IP phone SSL VPN configuration issue

    Hello,
    I am trying to configure the SSL VPN for the IP phone.
    I am using the CM8.0.2 and 7975.
    - I configured ASA and tested with my PC. PC can ping the CM.
    - I uploaded the ASA cert as a Phone-VPN-trust
    - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
    - I created a VPN gateway and typed URL and selected the cert
    - I created the VPN group and added the VPN gateway to it.
    - I created the VPN profile and added the VPN group to it.
    - I disabled the Host ID check
    - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
    When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
    What is missing? What am I doing wrong?

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • IP Phone VPN connection to ASA using Anyconnect

    Hello,
    I will be configuring my first Anyconnect VPN to allow an IP Phone to connect over the internet.  I wanted to know what the best practice is in generating a certificate on the ASA...is self generating ok or get one from a CA?  What are the cons of using a self generating certificate?  Also, I would appreciate any links to configure Anyconnect and installing/generating certificates.
    Thanks 

    The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
    http://www.cisco.com/en/US/netsol/ns1246/index.html
    PS- Jason could have found out details in advance since DiData has partner NDA status.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • Ikev2 VPN without using a SSL license? (ASA-5512)

    Hi All,
    I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool  (which I have lots of connection licenses for "Total VPN Peers : 250".
    * Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
    * Do I have to consider 3rd party vpn clients, outside Anyconnect?
    cya
    Craig

    Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
    If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
    In a situation like that where lots of AnyConnect-Sessions were needed and only a couple of clientless sessions, I installed AnyConnectEssentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN-premium licenses it was much cheaper then buying Premium licenses for all VPN users.
    Sent from Cisco Technical Support iPad App

  • ASA license for Cisco IP Phone over VPN

    Hi,
    Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
    Thanks

    Hi,
    You can purchase the phone proxy license. This elimiates the need to build a VPN tunnel for voice traffic.
    It is not mandatory to purchase this license however.
    From the ASA configuration guide:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
    "The  Cisco Phone Proxy on the adaptive security  appliance bridges IP  telephony between the corporate IP telephony  network and the Internet  in a secure manner by forcing data from remote  phones on an untrusted  network to be encrypted. "
    Don't forget to rate all posts that are helpful.

  • ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's

    Hello All,
    I'm an ASA Newb. 
    I feel like I have tried everything posted and still no success.
    PROBLEM:  When connected to the SSL VPN I cannot ping any internal host's.  I cannot ping anything on this inside?
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname MCASA01
    domain-name mydomain.org
    enable password xxbtzv6P4Hqevn4N encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.2.0 VLAN
    name 192.168.5.0 VPNPOOL
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname MC_DNS
    dhcp client update dns server both
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    no forward interface Vlan1
    nameif outside
    security-level 0
    ip address 11.11.11.202 255.255.255.252
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name mydomain.org
    access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
    keypair digicert.key
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 00b63edadf5efa057ea49da56b179132e8
        3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
        300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
        30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
        03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
        41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
        20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
        35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
        616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
        03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
        864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
        eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
        4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
        aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
        4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
        c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
        dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
        4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
        536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
        cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
        e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
        b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
        02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
        0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
        04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
        01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
        30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
        703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
        4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
        07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
        656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
        302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
        6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
        2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
        0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
        b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
        45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
        f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
        191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
        5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
        a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
      quit
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 66.180.96.12 64.238.96.12 interface inside
    dhcpd lease 86400 interface inside
    dhcpd ping_timeout 4000 interface inside
    dhcpd domain mydomain.org interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 64.147.116.229 source outside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy VPNGP internal
    group-policy VPNGP attributes
    vpn-tunnel-protocol svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-TUNNEL
    username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
    username GaryC attributes
    vpn-group-policy VPNGP
    tunnel-group MCVPN type remote-access
    tunnel-group MCVPN general-attributes
    address-pool VPNPOOL
    default-group-policy VPNGP
    tunnel-group MCVPN webvpn-attributes
    group-alias MCVPN enable
    group-url https://11.11.11.202/MCVPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
    : end
    My goal is to allow Remote Users to RDP(3389) through VPN.
    Thank you,
    Gary
    Message was edited by: Gary Culwell

    Hello Jon,
      Thank you so much for your response. Clients will not be connect to a specific RDP server.  I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access.  So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
    Would you say this would work:
    route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
    Do you have examples?
    Thank you,
    Gary

  • ASA 5505 SSL VPN LOG failed

    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
    %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
    %ASA-6-113012: AAA user authentication Successful : local database : user = admin
    %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
    %ASA-6-113008: AAA transaction status ACCEPT : user = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
    %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
    %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
    %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
    %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
    Red error what is the reason? Only appears in the window 2003 server.

    ciscoasa# show   activation-key 
    Serial Number:  JMX1314Z1UV
    Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    ciscoasa#
    Sure ?it was licence question?

  • Anyconnect SSL VPN States Contacting...

            I had my ssl vpn working and now the anyconnect client that I downloaded just says Contacting...  It will not give me an error at all.  If I use the Anyconnect App on my droid phone it says "Anyconnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."  I previously had the droid app work as well and I have made no changes to the VPN configuration.  Here is my config and version numbers:
    anyconnect-win-2.5.2014-k9.pkg
    c2800nm-adventerprisek9-mz.151-4.M5.bin
    webvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN" netmask 255.255.255.0
       svc default-domain "<DOMAIN>"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary <IP>
    default-group-policy policy_1
    gateway gateway_1
    inservice
    Any suggestions would be greatly appriciated.

            I had my ssl vpn working and now the anyconnect client that I downloaded just says Contacting...  It will not give me an error at all.  If I use the Anyconnect App on my droid phone it says "Anyconnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."  I previously had the droid app work as well and I have made no changes to the VPN configuration.  Here is my config and version numbers:
    anyconnect-win-2.5.2014-k9.pkg
    c2800nm-adventerprisek9-mz.151-4.M5.bin
    webvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN" netmask 255.255.255.0
       svc default-domain "<DOMAIN>"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary <IP>
    default-group-policy policy_1
    gateway gateway_1
    inservice
    Any suggestions would be greatly appriciated.

  • Anyconnect & WebVPN for ssl vpn

    I already have anyconnect running in my network, planning to use Webvpn also to let specific users access the web based applications via webvpn( i believe for this they just have to put in the url and they would be prompted by SSL VPN's login page).
    I followed some cisco documents but my ASA doesnt show any webvpn option on the left side pane.
    Please help to set this up
    Thanks.

    Hi Sunny,
    I attached our test config of the WebVPN of confirmed work for your reference.
    HTH
    Tomoyuki

  • Cisco ASA 5505 SSL VPN

    Hi Everyone,
    In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
    I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
    I need help to solve this mystery. Please find attached the ASA config: #show run
    I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
    Best regards,
    BEN

    If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
    I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

Maybe you are looking for

  • ITunes keeps creating a new folder called "Music".

    Hello. This is really bothering me. I have my music stored on a server in a folder called "Music". All of the meta data etc is perfect as i went through every track and edited them as needs be. After doing a fresh install on my Mac, i draged n droppe

  • Scanning with HP LJ M1319f MFP

    Hi, i have multi functional printer HP LJ M1319f and i can't use scan. In answer from Apple gave information about testing scan solutions of this printer: HP Mac Architect Re: HP LaserJet M1319Ff MFP won't scan     Oct 21, 2009 1:34 AM    (in respons

  • Firefox 35.0 update loses Windows desktop and user profile

    Recently updated Adobe Reader and Flash player and Firefox to 35.0 on Windows 8.1 Dell laptop. This resulted in the administrator user profile failing. Windows Event Log has: Windows cannot find the local profile and is logging you on with a temporar

  • SQL Server Reporting Services Service - missing in Central Admin

    Hi, I am following "Install Reporting Services SharePoint Mode for SharePoint 2013" at http://msdn.microsoft.com/en-us/library/jj219068(v=sql.110).aspx#bkmk_install_SSRS_sharedservice .   I have a WFE, APP and SQL server. We have SQL Server 2012 SP1.

  • FAQ's or Knowledgebase

    Hi Is there a knowledge base or faqs out on this website anywhere or on any other website for business objects questions? thanks!