Jabber client and IP Phone SSL VPN to ASA using AnyConnect

Also, for Jabber 9.1, can the Jabber for X softphone client (CUCM) fire up an SSL VPN directly to the ASA, similar to how 7965s can? Is anyone aware if Jabber 10 or the next version will support the Jabber client with ASA? I have this deployed with 7965s and certificates, but I have to manually start an AnyConnect session for Jabber for Windows on my laptop.
https://supportforums.cisco.com/docs/DOC-9124

The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
http://www.cisco.com/en/US/netsol/ns1246/index.html
PS- Jason could have found out details in advance since DiData has partner NDA status.
Please remember to rate helpful responses and identify helpful or correct answers.

Similar Messages

  • IP Phone SSL VPN to ASA using AnyConnect

    I have a CUCM 7.1.5. We are using Phone Proxy today. I wanted to upgrade to IP phone SSL VPN.
    I know that in 8.x and 9.x Phone Proxy is not supported and Cisco supports SSL VPN.
    However, the question is whether CUCM 7.1.5 supports Phone SSL VPN.
    Lastly,
    I hear about Collaboration Edge in CUCM 10.x.
    If CUCM 10.x is deployed, how does the ASA play a role here?
    What type of license would I need for Collaboration Edge to register the endpoints/phones from outside of the network?
    I can't find any information about Collaboration Edge on the Internet...
    Message was edited by: Sean Poure


  • IP Phone SSL VPN through ASA

    I'm in the middle of configuring IP Phone SSL VPN through ASA and got stuck on authentication. When I enter the username and password on the phone screen, I get a "Username and password failed" message on the screen. However, in the ASA logs I see the following lines:
    Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
    Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
    What does it mean?  How can I turn on debugging to see what is going on?
    Thank you in advance!

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!
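
The correlation this reply describes, as an added example that is not part of the original thread: it pairs ASA syslog 725002 (handshake completed) and 725007 (session terminated) entries by client address and port and flags sessions that ended shortly after the handshake, which are the attempts to look up on the AAA server. The log lines are constructed in the column layout of the post, and the 30-second threshold and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed log lines in the column layout shown in the post above
# (203.0.113.0/24 is a documentation range, not a real client).
SAMPLE_LOG = """\
Feb 16 2011    15:12:57    725002    203.0.113.10    52684            Device completed SSL handshake with client vpn:203.0.113.10/52684
Feb 16 2011    15:13:02    725007    203.0.113.10    52684            SSL session with client vpn:203.0.113.10/52684 terminated.
Feb 16 2011    15:20:00    725002    203.0.113.10    52745            Device completed SSL handshake with client vpn:203.0.113.10/52745
Feb 16 2011    16:05:30    725007    203.0.113.10    52745            SSL session with client vpn:203.0.113.10/52745 terminated.
Feb 16 2011    16:10:00    725002    203.0.113.25    40000            Device completed SSL handshake with client vpn:203.0.113.25/40000
"""

# date, time, message ID, client IP, client port, then the message text
LINE_RE = re.compile(
    r"^\s*(?P<date>\w{3}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>725002|725007)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s"
)


def parse_events(log):
    """Yield (timestamp, msgid, ip, port) for handshake/termination lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syslog IDs and malformed lines are ignored
        stamp = datetime.strptime(
            " ".join(m["date"].split()) + " " + m["time"], "%b %d %Y %H:%M:%S"
        )
        yield stamp, m["msgid"], m["ip"], int(m["port"])


def correlate(log):
    """Pair each 725002 with the next 725007 from the same ip/port.

    Returns a list of (ip, port, seconds); seconds is None when no
    termination was logged for that handshake.
    """
    open_sessions = {}
    sessions = []
    for stamp, msgid, ip, port in parse_events(log):
        key = (ip, port)
        if msgid == "725002":
            open_sessions[key] = stamp
        elif key in open_sessions:
            started = open_sessions.pop(key)
            sessions.append((ip, port, int((stamp - started).total_seconds())))
        # a 725007 with no matching handshake in the capture is skipped
    sessions.extend((ip, port, None) for (ip, port) in open_sessions)
    return sessions


def short_lived(log, max_seconds=30):
    """Sessions closed within max_seconds of the handshake.

    The threshold is an assumption; a short session is a lead to check
    against the AAA server logs, not proof of an authentication failure.
    """
    return [s for s in correlate(log) if s[2] is not None and s[2] <= max_seconds]


if __name__ == "__main__":
    for ip, port, seconds in short_lived(SAMPLE_LOG):
        print(f"{ip}:{port} closed {seconds}s after handshake; check the AAA server")
```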

  • IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

    hi all,
    I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use a single ASA firewall for multiple CUCM clusters? In other words, Internet IP Phones will connect to different CUCMs via a single ASA firewall (by using SSL VPN).
    From my testing, I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into the ASA for one ASA to one CUCM. If I create multiple profiles (e.g. different URLs for phone logins) for different CUCMs, is it possible to do that?
    thanks for your input!
    Samuel

    Samuel,
    Did you ever find an answer to your question? I have a similar scenario.
    Any input would be appreciated.

  • No Jabber client for Windows Phone 8.1

    Can you advise on when a Jabber client for Windows Phone 8.1 will be released?

    Roadmap questions cannot be addressed here, either ask in a partner forum, or reach your SE/AM for this.

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went through the following document, which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only thing I'm not sure about is the split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I have seen many implementations that use split tunneling, such as one of my customers':
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why is it not recommended?
    Thanks!
    Eva
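
A way to check a configuration against the requirement quoted in the post above, as an added example that is not part of the original thread or of Cisco's tooling: it resolves each phone tunnel-group to its default group-policy and reports the split-tunnel-policy set there. The configuration text is constructed, and the function names and the list of phone tunnel-groups passed in are assumptions.

```python
import re

SUPPORTED_MODE = "tunnelall"  # the only policy the quoted requirement allows

# Constructed ASA configuration excerpt modelled on the post above
# (names are placeholders, not the poster's values).
SAMPLE_CONFIG = """\
group-policy PhonePolicy internal
group-policy PhonePolicy attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
group-policy FullTunnel internal
group-policy FullTunnel attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
group-policy Inherits internal
group-policy Inherits attributes
 vpn-tunnel-protocol ssl-client
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
 default-group-policy PhonePolicy
tunnel-group StaffVPN type remote-access
tunnel-group StaffVPN general-attributes
 default-group-policy FullTunnel
tunnel-group LabVPN general-attributes
 default-group-policy Inherits
"""


def parse_asa(config):
    """Return ({group_policy: mode or None}, {tunnel_group: group_policy}).

    Works on indented or flattened text: the current section is tracked
    from the 'attributes' header lines, not from leading whitespace.
    """
    modes, defaults = {}, {}
    gp = tg = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            gp, tg = m.group(1), None
            modes.setdefault(gp, None)
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes$", line)
        if m:
            tg, gp = m.group(1), None
            continue
        if re.match(r"(group-policy|tunnel-group|username) ", line):
            gp = tg = None  # any other top-level header ends the section
            continue
        m = re.match(r"split-tunnel-policy (\S+)$", line)
        if m and gp:
            modes[gp] = m.group(1)
            continue
        m = re.match(r"default-group-policy (\S+)$", line)
        if m and tg:
            defaults[tg] = m.group(1)
    return modes, defaults


def audit(config, phone_groups):
    """Return (tunnel_group, group_policy, mode, status) per phone group.

    status is 'ok' for tunnelall, 'unsupported' for any other explicit
    value, and 'inherited' when the policy sets nothing itself, in which
    case the default group-policy has to be checked separately.
    """
    modes, defaults = parse_asa(config)
    findings = []
    for group in phone_groups:
        policy = defaults.get(group)
        mode = modes.get(policy) if policy else None
        if mode is None:
            status = "inherited"
        elif mode == SUPPORTED_MODE:
            status = "ok"
        else:
            status = "unsupported"
        findings.append((group, policy, mode, status))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG, ["PhoneVPN", "StaffVPN", "LabVPN"]):
        print("%-9s policy=%-12s mode=%-16s %s" % row)
```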


  • IP phone SSL VPN configuration issue

    Hello,
    I am trying to configure the SSL VPN for the IP phone.
    I am using the CM8.0.2 and 7975.
    - I configured ASA and tested with my PC. PC can ping the CM.
    - I uploaded the ASA cert as a Phone-VPN-trust
    - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
    - I created a VPN gateway and typed URL and selected the cert
    - I created the VPN group and added the VPN gateway to it.
    - I created the VPN profile and added the VPN group to it.
    - I disabled the Host ID check
    - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
    When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
    What is missing? What am I doing wrong?


  • IP Phone SSL VPN - Licenses required.

    Hi,
    Can someone confirm the licenses required for me to get this working? I understand that it needs the 'AnyConnect for Cisco VPN Phone' license, but do I also need to have AnyConnect Essentials? This is for ASA version 8.2, and the license info below is for the ASA I intend to deploy this on.
    Thanks
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 250
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 5000
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5550 VPN Premium license.

    Hi,
    You would need an AnyConnect Premium license along with the Cisco IP phone feature enabled on the ASA for a Cisco IP phone to use the AnyConnect VPN feature.
    You can find more details at the following link:
    http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
    Regards,
    Varinder
    P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

  • Jabber clients and phone control

    Hello All
    This may be a stupid question but I was speaking with a Cisco pre-sales engineer about a POC.
    Basically the client wants to try out unified comms with Jabber. They currently have a CUCM cluster and are going to connect
    to a new POC cluster consisting of cucm 9.0 and presence.
    They will be call forwarding all on their current devices to the device on the new poc.
    The bit that has confused me is that when I asked the engineer if they will have new devices on the POC cluster he said
    "no" they will register the current devices to the new cluster.
    How will this work, as you can't have the same device registered to two separate clusters?
    Will the original cluster just have a DN of the users original number that is CFA to the new cluster?
    Proper confused ???
    Thanks

    As I suggested yesterday, you would be better served by integrating the IM&P cluster to the existing CUCM cluster. Each IM&P product is intended to service only a single CUCM cluster and it actually joins the Informix database replication mesh of CUCM. If you're dead set on a separate CUCM cluster you really want to move the entire phone/DN over. You can use route patterns with an Inter-Cluster Trunk on the existing CUCM trunk to forward calls over to the new cluster.
    If you don't do this you are going to run into a bunch of snags, all of which are untested/charted territory:
    For deskphone control you would have to set the CTI Gateway to be the existing CUCM cluster since that's the CTI Manager service that would be capable of controlling the user's DN and device.
    The CSF device would also need to be on the existing CUCM cluster, which means the TFTP setting in IM&P needs to be pointed at the existing cluster. This in turn means that your jabber-config.xml file will need to be loaded to the existing cluster.
    If you want the "on the phone" status to work you need a SIP PUBLISH trunk from CUCM to the IM&P server. Here again this would need to be from the old cluster. This gets even more iffy since the System Troubleshooter does a bunch of AXL-based tests, including on that SIP PUBLISH trunk. It won't be able to test since the feed will be coming from a different cluster. I'm skeptical if this would even work but if you have any chance at it happening the usernames in the two CUCM clusters would have to match.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Configure a VPN client and Site to Site VPN tunnel

    Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can connect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
    SiteA config with working VPN tunnel to SiteB:
    SITE A
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.x.x.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.x.x.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.x.x.0.0 201.201.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    SiteA-pix(config)#
    Lines I add for Cisco VPN clients are attached
    I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
    Anyone any ideas what this can be?
    Thanks

    Here's my config:
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.11.11.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.255.255.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pix_inside 200.x.x.100-200.220.200.150
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.x.x.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
    crypto dynamic-map DYNOMAP 10 match address 80
    crypto dynamic-map DYNOMAP 10 set transform-set AAADES
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup Remote address-pool pix_inside
    vpngroup Remote dns-server 200.200.200.20
    vpngroup Remote wins-server 200.200.200.20
    vpngroup Remote default-domain mycorp.co.uk
    vpngroup Remote idle-time 1800
    vpngroup Remote password password
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    I will attach debug output later today.
    Thanks

  • IP Phone VPN connection to ASA using Anyconnect

    Hello,
    I will be configuring my first Anyconnect VPN to allow an IP Phone to connect over the internet.  I wanted to know what the best practice is in generating a certificate on the ASA...is self generating ok or get one from a CA?  What are the cons of using a self generating certificate?  Also, I would appreciate any links to configure Anyconnect and installing/generating certificates.
    Thanks 


  • Jabber and Desk Phone Integration

    When setting up "Desk Phone Integration" on Cisco Jabber on a test iPhone, Jabber loops forever when verifying account information, saying just "verifying...". It never displays an error message. It will eventually stop, the "Desk Phone Integration" staying "Not Configured".
    CUCM version : 8.6(2)
    iPhone iOS : 6.0.1
    Jabber client : 9.0.2.20078
    I followed the instructions in the "Administration Guide for Cisco Jabber for iPhone Release 9.0.1" to setup the call manager.
    I created a dedicated SIP profile,
    created the TCTTEST "Cisco Dual Mode for iPhone" phone according to the documentation
    and edit my phone and user settings according to the "Enable Active Call Transfer Between Cisco Jabber and Desk Phone" section of the documentation
    despite all that, it doesn't work
    I tried with other accounts/mobiles and the result is the same.
    Jabber does register to the CUCM and I can get my extension on the Jabber client and place/receive calls using my desk extension. But the "desk phone integration" doesn't work
    What I noticed is that :
    on the TCTXXXX "Cisco Dual Mode for iPhone" phone device setting page, there is no "Sign In Feature" option as described in the documentation
    because we use Extension Mobility, the "Owner User ID" feature is disabled on the desk phone device settings. I temporarily unchecked the "extension mobility" checkbox on the device, set up my ID as the "Owner User ID" and re-checked the "extension mobility" checkbox, but the result is the same.
    I searched the web and couldn't find anyone with similar issue...help will be appreciated

    Aaron,
    Thanks for your answer.
    I have followed all the requirements explained in the "Administration Guide for Cisco Jabber for iPhone Release 9.0.1" including the one you mentioned :
    the user is a member of  'Standard CTI Enabled'
    CTI Controlled is allowed on the DN, the end user account and the desk phone
    the end user is associated to both the desk phone and the TCT phone
    And 'Allow End User Configuration Editing' is set to disable on the TCTxxxx device
    Despite all that the "desk phone integration" doesn't work

  • A list of supported Android Phones for Cisco Jabber Client.

    Hi there,
    I opened a discussion before about the Cisco Jabber Client for Android phones.
    This product from Cisco is only officially supported on several mobile Android telephones. (very poor)
    As everyone knows, the mobile market is in continuous development. For half a year the official supported phone list has stayed the same, but a lot of new Android phones are now on the market.
    It's even worse that some of the Cisco supported phones are not available anymore in the market.
    - Samsung Galaxy S2 becomes a Samsung Galaxy S3
    - Samsung Galaxy TAB is still there
    - Samsung Galaxy S (are not available anymore) The S1 or S Plus are now becoming the Samsung Galaxy S Advanced.
    And what are the alternatives?
    Still the list on the documentation is out-dated.
    See:
    Samsung Galaxy S International (GT-I9000) with Android operating system (OS) Version 2.2.1 or 2.3
    Samsung Galaxy Tab International (GT-P1000) with Android 2.2.1 or 2.3
    Samsung Galaxy S II (AT&T) with Android 2.3
    To use Cisco Jabber for Android on the Samsung Galaxy S device, it is important that you upgrade your handset OS to Android Version 2.2.1 or 2.3. See the manufacturer/carrier site for more information about how to update the OS on your device. Minor voice quality issues may be experienced depending on the device used.
    So hopefully Cisco is still working on the Cisco Jabber solution, and a lot of mobile Android phones will be supported so the road to success will be open.
    Hopefully someone can help me with a list of tested and supported phones (officially by Cisco)
    Kind regards,
    Edgar

    The official list of tested Android phones is what you've already discovered.  With the next release of Cisco Jabber for Android, I'm sure it will be updated.
    While the official list of what we tested is short, the client will work on many Android devices and TAC will provide support if you run into technical issues; provided the issue is with the Cisco Jabber client itself, and not with the OS of the manufacturer.
    If there is a specific Android phone you are looking to have officially tested by Cisco, PM me with that information and I'll work with you to see what we can do to get it added.

  • SSL VPN Client Error

    I set up a Cisco ASA 5510 SSL VPN with the following:
    IOS 7.2
    SSL VPN Client sslclient-win-1.1.1.164.pkg
    Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
    IBM Thinkpad T40
    Windows XP SP 2
    Internet Explorer 7
    All patches up-to-date
    All drivers up-to-date
    SSL VPN Client connection process;
    - User login with valid account and password
    - The SSL VPN Client package will automatically download and installed.
    - User will then be connected to SSL VPN
    The ERRORS;
    1. GUI (Cisco SSL VPN Client installation process)
    "The SSL VPN Client driver has Encountered an Error"
    2. Event Viewer
    The only error in this user event viewer that differs from other users who successfully connected are;
    a)
    Function: EnableVA
    Return code: 0
    File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
    Line: 310
    Description: unknown
    b)
    Function: EnableVA
    Return code: 0xFE080007
    File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
    Line: 1145
    Description: VAMGR_ERROR_ENABLE_VA_FAILED
    Does anyone know what this error means?
    BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
    Thanks

    The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

  • Why does SSL VPN require client for full functionality? So what's the point?

    I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
    However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case from other vendors, right?) SSL VPN offers limited functionality if deployed clientless. Why is it like that?
    Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless) what lack in functionality should I experience? Why a VPN client is required if SSL VPN can successfully establish the tunnel? I don't get it.
    "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

    Hi,
    Clientless SSL VPN is only able to access applications through a browser (i.e. HTTP and HTTPS). If you need to access other applications like RDC, you need the full SSL client.
    The full SSL client is deployed automatically, depending on how you configure the SSL VPN box (temporarily or permanently):
    1. From the SSL VPN box, you can configure it to be downloaded and installed on the user's PC permanently (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it automatically/permanently without any help from the network administrator. The user needs to log in on his/her PC with administrator privileges.
    2. From the SSL VPN box, you can configure it to be downloaded and installed on the user's PC temporarily (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it temporarily without any help from the network administrator. The user needs to log in on his/her PC with administrator privileges.
    In one of my deployments, I have 1000+ SSL VPN users. I just need to create a 10-page User Manual/Guide complete with troubleshooting on their own. I use the first option, which is to automatically download and permanently install on their PCs. Patching the SSL VPN full client only requires uploading the new client to the SSL VPN box, and it will automatically patch the client on the user's PC.
    Dandy
