Ssl smart tunnel and vmware client

Similar Messages

• SSL VPN Tunnel and Windows 7

  Hi
  I have a SA520W with firmware 2.1.18 and are having huge trouble getting windows 7 clients to connect using the SSL VPN Tunnel in Split mode. I've tested the registered users using an XP machine, and they are able to log in just fine and I can ping servers on the inside of the network. On windows 7, however, the VPN tunnel is created, but no IP trafic flows over the virtual network adapter and I'm not able to ping resources on the inside of the network. For the XP clients, the SSL VPN tunnel works like a charm, but not not 7.
  Are there any consideration to be taken on windows 7 to enable trafic over the SSL VPN virtual network adapter?
  Windows firewall?
  SSL service?

  Hi skcisco11,
  You can alternatively use Cisco VPN Client if your SA520 has firmware version 2.1.18 and above. Here is a document how to set it up:
  http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_vpnclient_appnote.pdf
  Alternatively, please use the following document on how to setup SSL VPN.  If you are using a local database on the SA520 to authenticate users,, then ignore the references to Active Directory.
  http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/active_directory.pdf
  Hope this helps,
  Julio

• ASA: Smart Tunnel and proxy problem

  Hello
  I are having problem that some of my external users that has a proxy setup on theres end can't use the smart tunnel.
  They get proxy warning when they click on a bookmark.
  If I skipp using Smart tunnel the user can't start the citrix app, get corrupted ica file.
  Is it a common problem if so is there a soultion ?
  KR
  Daniel

  Hi Daniel,
  "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA,
  the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services
  . If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
  You can get more information from following link:-
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
  HTH!!
  Regards,
  Naresh

• Os x smart tunnel for java

  We have a webpage that uses java, and we are unable to make it work on web vpn on mac os. On the windows side, we added the following to the webvpn smart tunnel and it works:
  smart-tunnel list banner WebStart javaws.exe platform windows
  smart-tunnel list banner JavaWindows javaw.exe platform windows
  Does anyone know the path for mac os x?

  The VPN client for Mac OS runs on any Power Macintosh or compatible computer with Mac OS Version 7.6 to 9.x, and Open Transport Version 1.1.1 or later.
  Have available an application that can translate a BinHex (.hqx) archive, such as StuffIt. Your web browser might perform the translation automatically for you.
  http://www.cisco.com/en/US/docs/security/vpn5000/client/windows_mac/client52/user/guide/Install.html#wp1023928

• ASA 5505 site-to-site VPN tunnel and client VPN sessions

  Hello all
  I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
  I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
  The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
  Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
  Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
  I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
  Thanks in advance for any assistance provided!

  First question:
  Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
  Second question:
  Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
  Last question:
  This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
  Here is what needs to be configured:
  1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
  2) On site A configures: same-security-traffic permit intra-interface
  3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
  On Site Z:
  access-list permit ip
  On Site A:
  access-list permit ip
  4) NAT exemption on site Z needs to include vpn client pool subnet as well.
  Hope that helps.
  Message was edited by: Jennifer Halim

• ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

  Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

  I don't think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

• Transparent Tunneling and Local Lan Access via VPN Client

  Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
  Mike Bowyer

  Hi Mike,
  "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
  What do you mean exactly with "disabled once the connection is made" ?
  You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
  Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
  Are any local LAN routes displayed when your are connected ?
  And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
  1: This feature works only on one NIC card, the same NIC card as the tunnel.
  2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
  Carsten
  PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

• Does ACI support a VXLAN Tunnel between Leaf(Leaves) and VMware-vDS, and MS-vSwtich?

  Hi Experts,
  I have a quick question about Normalized Forwarding of ACI Fabric.
  Does ACI support a VXLAN Tunnel between Leaf(Leaves) and VMware-vDS, and MS-vSwtich? Otherwise any plan to provide that function in the future?
  If there is no function and plan How is Normalized Forwarding possible with VXLAN headers that are generated by each Hypervisor? Of course I know it's possible for a VM on ESXi to communicate with another VMs on Hper-V without VXLAN but I just focus on Normalized Forwarding between Multi-Hypervisor.
  Or If AVSs are implemented on ESXi and Hyper-V repectively, is it possible to make a VXLAN Tunnel between Leaf(Leaves) and AVSs on ESXi and Hyper-V? And what is a example of that usage?
  Thanks in advance.
  Paul 

  Hi Paul,
  As I understand, ACI Leaf to the VMware-vDS is still vlan so no tunnel for VXLAN. When we integrate Vcenter with the ACI, We define the vlan range for the traffic from VM-ware-vDS to map EPG to a VMware ESXi port group. 
  For the MS-vSwitch, As It support OpFlex agent could act as VTEP but not part of the fabric. But I am not sure about this. 
  As AVS is part of the fabric so It will act as a VTEP (VXLAN Tunnel between Leaf(Leaves) and AVSs)
  But what is the benefit are you looking? Traffic normalization is still there because Traffic within the fabric is encapsulated as VXLAN. External VLAN/VXLAN/NVGRE tags are mapped at ingress to an internal VXLAN tag.
  Note:the VLAN ID has local significance for the leaf node
  Regards,
  Anser

• SSL and Unified client

  We're planning on going with the Unified Client using Messaging SSO (rather than Identity SSO). Of course we're required to have secure auth. I know I can set the UWC to Secure auth only, but then everything else is in plain text, and then a nice window pops up warning users this. Can it be confiugred to use SSL throughout? I saw this in the docs and thought otherwise:
  *Messenger Express will not run in SSL mode when messaging SSO is enabled
  I'm thinking that I'd need to SSL enable Calendar and Messaging to get it througout, but looking at the above statement I'm not sure.
  We'll be running Messaging 6.1p02 and the latest Calendar and Web Server as well.

  Here is example of mysterious entries from Identity Debug log for Webmail (msg/JESQ42004). There parameters don't match with contents of /opt/SUNam/lib/AMconfig.properties. What gives?? When I watch attempted Web SSO with established AMServer session -- I see additional errors that would related to params below not set correctly.
  /opt/SUNWmsgsr/log/http_sso
  2005-02-06 14:12:15.511 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDbPrefix, using default value.
  2005-02-06 14:12:15.511 Debug 21959:1387f8 all: Connection::initialize() calling NSS_Initialize() with directory = "/opt/SUNWmsgsr/config" and prefix = ""
  2005-02-06 14:12:15.512 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.512 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.512 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.trustServerCerts, using default value.
  2005-02-06 14:12:15.512 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.log.remoteBufferSize, using default value.
  2005-02-06 14:12:15.512 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.trustServerCerts, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.513 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.trustServerCerts, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.certDBPassword, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.auth.certificateAlias, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.defaultSessionURL, using default value.
  2005-02-06 14:12:15.514 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.hashBucketSize, using default value.
  2005-02-06 14:12:15.515 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.cookieName, using default value.
  2005-02-06 14:12:15.516 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.loadBalancer_enable, using default value.
  2005-02-06 14:12:15.516 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.hashBucketSize, using default value.
  2005-02-06 14:12:15.516 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.cacheEntryLifeTime, using default value.
  2005-02-06 14:12:15.517 Info 21959:1387f8 AM_SSO_SERVICE_NAME: SSOTokenService::SSOTokenService(): SSOTokenService notification enabled, URL = http://xxx.xxx.com:8000/am_listener.
  2005-02-06 14:12:15.517 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.maxThreads, using default value.
  2005-02-06 14:12:15.517 MaxDebug 21959:1387f8 all: No value specified for key com.sun.am.sso.checkCacheInterval, using default value.

• DPS and NativeLDAP clients over SSL

  We wish to use Directory Proxy Server (DPS) to load balance two Directory Server (DS) 6.3 servers.
  The DS 6.3 servers authenticate Solaris and Linux native ldap clients.
  The native ldap clients login using TLS:simple.
  Question:
  Where do we terminate SSL ? At the DPS or at each instance of DS?
  In other words is the client configured to authenticate to the DPS or the backend DS?

  The DPS is negotiating the ssl or tls with the client, and the authentication is with the DS. In the DSCC you can go to security tab and there is a protocols/ciphers button where you can choose what you want the DPS to support. I havent tried this myself but something to mention if you missed it. If you leave ssl on does that cause an issue? From what I recall tls starts its connection on non-secure port then switches to secure port.

• ASA Smart Tunnel with OS X 10.7

  Hello,
     I've recently configured SSL VPN on an ASA failover pair running 8.4(2). The smart tunnel policy allows RDP clients (native MS client on Windows, MS Client and CoRD on Mac). Early testing looked good for both Windows and Mac. But then I had a mac user who reported that the "Application Access" button did not display in the navigation pane, and hence they can't get to where to launch Mac smart tunnel applications. The difference between those that worked and the one that doesn't is OS X v10.6 (works), OS X v10.7 (doesn't work).
     Doing a little research, I found that JRE isn't installed by default in OS X 10.7, and I found the following link:
  http://support.apple.com/kb/DL1421. After installation, and verifying that "enable applet plug-in and Web Start applications" was checked and trying again, the same results. "Application Access" is missing from the navigation bar, and hence smart tunnel apps can't be launched.
     Does anyone have an idea on what could be going wrong here?
  Thanks!
  Kurt

  Kurt,
  I just found your thread here.
  Which browser are you using on the Mac?
  I have found that with Mac OS 10.7 (lion) there are issues with the smart tunnel applet with Safari and Chrome
  However, it works as expected with Firefox.
  I actually get a Safari Web Content crash report when I try to connect with Safari.
  I have been monitoring this since 10.7 was released, I haven't opened a ticket with TAC because it appeard to be an Apple / Safari issue since the applet works with Firefox.
  I installed the latest Java update for 10.7 today and there was no change in behavior.
  I guess it's time to open a TAC ticket.

• ISE EAP SSL/TLS Tunneling Certificates

  Hi,
  I am working on an ISE implementation that is going to perform authentcation accross several domains using LDAP. The domains that I have in my environment are a production and pre-production/testing domains. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentcations. This means that when I try and authenticate a device that is not part of the production active directory (pre-production), using the seperate LDAP instance as an identity store, its attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...
  Authentication failed :
  12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  This is because the device built in pre-production does not have the production CA's as trusted entites. My question is, is it possible to define multiple certificates from seperate CA's for use for SSL/TLS tunneling?
  Cheers

  Hello,
  This error means that the supplicant does not trust the ISE PSN certificate.
  Resolution:
  Check whether the proper server certificate is installed and configured for EAP
  by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ).
  Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more
  information.

• Tunneling and problem with unknown host exception

  hello! i've got a problem with https. i use jdk 1.5.0, jboss-4.0.4.ga-patch1, soap.
  and i'm going crasy.. i've testet my client code at our network and it works fine. but if i want to get jobs from the server of our customer, my client throw an "unknown host exception: firm".
  i wonder why it hasn't the full host. the url may look like this: https://firm.sub.com:443/ and while the client connects to the server, i depugged it and the host is correct: firm.sub.
  but after the connection, when the client want to get something from the server (when it wants to communicate with the server over soap) it crashs.
  my client code looks like this:
  private ClientInterfaceEndpoint getClientInterface() throws ServiceException {
  QName serviceQName = new QName(DOCSERVER_NAMESPACE, CLIENT_INTERFACE_SERVICENAME);
  URL wsdlUrl = getClientInterfaceWsdlUrl();
  log.info("*******WSDLURL host: " + wsdlUrl.getHost()); // out: firm.sub
  log.info("*******WSDLURL port: " + wsdlUrl.getPort()); // out: 443
  URL mapping = getClass().getClassLoader().getResource("META-INF/DocumentServer_Mapping.xml");
  log.info("*******MappingURL path: " + mapping.getPath());
  if (wsdlUrl.toString().toLowerCase().contains("https")) {
  if (null == getConfig().getTruststore() || getConfig().getTruststore().equalsIgnoreCase("")) {
  throw new RuntimeException("No or incorrect TruststorePath in the docclient-config");
  File tmp = new File(getConfig().getTruststore());
  if (!tmp.isFile() || !tmp.canRead()) {
  throw new RuntimeException("The truststore at the 'TruststorePath' isn't a file or can't be read.");
  System.setProperty(SYS_PROPERTY_KEY_TRUST, getConfig().getTruststore());
  System.setProperty(SYS_PROPERTY_KEY_TRUST_PW, config.getTruststorePass());
  ServiceFactoryImpl factory = null;
  factory = (ServiceFactoryImpl) ServiceFactory.newInstance();
  Service clientInterfaceService = null;
  try {// create the service for the ClientInterface
  clientInterfaceService = factory.createService(wsdlUrl, serviceQName, mapping, new URL(config.getServerURL())); //, new URL(config.getServerURL())
  log.info("*******ClientInterFaceService WSDL URL Host: " + clientInterfaceService.getWSDLDocumentLocation().getHost()); // out:firm.sub
  log.info("*******ClientInterFaceService WSDL URL Port: " + clientInterfaceService.getWSDLDocumentLocation().getPort()); // out: 443
  } catch (ServiceException e) {
  log.error(e.getMessage());
  throw new RuntimeException(e.getMessage());
  } catch (MalformedURLException e) {
  log.error(e.getMessage());
  throw new RuntimeException(e.getMessage());
  } catch (Exception e) {
  log.error(e.getMessage());
  throw new RuntimeException(e.getMessage());
  }// getting the ClientInterfaceEndpoint
  ClientInterfaceEndpoint clientInterface = (ClientInterfaceEndpoint) clientInterfaceService.getPort(ClientInterfaceEndpoint.class);
  return clientInterface;
  protected URL getClientInterfaceWsdlUrl() {
  URL url = null;
  String urlString = getConfig().getServerURL() + CLIENT_INTERFACE_URI + "?wsdl";
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  Properties properties = System.getProperties();
  String handlers = System.getProperty(SYS_PROPERTY_KEY_PKGS);
  if (handlers == null) {
  properties.put(SYS_PROPERTY_KEY_PKGS, SYS_PROPERTY_VALUE_PKGS);
  else {
  properties.put(SYS_PROPERTY_KEY_PKGS, SYS_PROPERTY_VALUE_PKGS.concat("|").concat(handlers));
  try {
  url = new URL(urlString);
  log.info("*******URL host: " + url.getHost());
  log.info("*******URL port: " + url.getPort());
  log.info("*******URL path: " + url.getPath());
  } catch (MalformedURLException e) {
  log.fatal("DocumentProvider SOAP configured incorrectly. DocServer URL malformed: " + urlString);
  throw new RuntimeException("DocumentProvider SOAP configured incorrectly. DocServer URL malformed: " + urlString, e);
  System.setProperties(properties);
  return url;
  }if it's usefull: the customer use a apache server (not tomcat) where a the server is and the client at another system the jboss.
  The customer told me: if i want to connect the client via http i have to tunnel.. maybe i have to tunnel using https too?
  have i to generate the endpoint classes a second time, extra for https?
  or doesn't soap like host like "firm.sub"?
  can anyone help me please?!
  sorry, my english isn't very well...

  sorry, it's not the same error. The output is: Unable to connect to any host due to exception: java.net.socket.exception: java.net.socket.exception: Unregcognized windows socket error: 10106: create.

• Direct Access 2012 R2 - Problems with Force Tunneling and other questions

  I have just setup a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients. 
  Internal CA environment (no external CRL) using a public issued cert for IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address) and my test clients are connecting fine to internal resources.
  1.  When I enable Force Tunneling the clients no longer are able to access the external internet.  Is there anything I need to add to make this work?
  2.  I am having trouble with our Remote Desktop Session Hosts.  I can only assume it has something to do with the DNS  as we have our AD domain performing internal DNS of the int.contoso.com domain and public DNS performing for the external
  Contoso.com domain (RDWA etc).  DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup.  Should I add the external contoso.com Name Suffix in there too?
  3.  I have a Kaspersky Security Center server for centralized AV admin, can I still push out AV updates to the clients that connect with DA.  Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA
  setup.   Does that list allow those servers to access the DA clients?

  Hi,
  Let's solve problems one by one. Force tunneling. When enabled, all network trafic from DirectAccess clients goes throught IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf
  internet again.
  RDS : Depend. Where are your RDS servers registred internal zone DNS or external DNS zone. If a DirectAccess client cannot resolve a name it does not know if it has to go throught the tunnel. At last can you ping your RDS Server?
  Remote Management : Right. Adding servers in this list allow them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged.
  BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

• Problems when trying to surf the Internet through a SSL VPN tunnel

  Hi,
  I have a small/big problem, I have a customer who have the need for the possibility to surf the internet through the SA500W when they are connected through a SSL VPN tunnel in to their network. I am not using a Split Tunnel. What I have seen until now, when you run IPCONFIG/ALL the default gateway for the SSL VPN IP settings is 0.0.0.0. Is this the problem and if so, how can this be solved?
  Thanks in advance!
  Brg
  Niklas Eklov

  There are various causes for this error, see [[Firefox is already running but is not responding]] for details.