SSL VPN Group-Lock problem

Similar Messages

• Clientless ssl vpn homepage after login problem

  Hi all,
  I have a problem with my clientless vpn portal.
  I need to configure that when a user logs in through the portal, something that works just fine, that he ends up on the homepage.
  Right now he ends up immediatly on the anyconnect button.
  With the homepage I do mean the first button that says "Home".
  Users must be able to click on the "Web Applications", below "Home".
  Below "Web Applications" users must have their "Anyconnect" button aswell.
  First of all I wasn't able to make the portal display the "Anyconnect" button in the menu.
  Then after a while, I figured out that when de Dynamic Access Policy said "Unchanged" on the "Access Method" page.
  When changing that parameter to "Anyconnect client" the portal is no portal anymore, I immediatly end up on the anyconnect client start.
  When selecting "Web-Portal" I get the portal page, but the anyconnect menu is missing.
  When selecting "Both-Default-Web-Portal" I get the anyconnect button, and all other menus, which is good.
  But, I want the home button to be the default.
  And not the anyconnect button, after logging in you immediatly get the start anyconnect page.
  And then last but not least, when selecting "Both-Default-Anyconnect" you login to the webportal, anyconnect starts immediatly from the menu.
  Something we want the end user to do manually (Click "Start Anyconnect") I mean!
  I'm pretty sure the DAP is forcing that because of the options above.
  But when selecting unchanged or anything that doesn't include Anyconnect, then the anyconnect button is gone...
  I don't know what I can do to change that.
  Am I missing something??
  I would say DAP isn't needed, but when I set everything to default in the default DAP, then the anyconnect button is gone in the menu...
  Kind regards,
  Robin
  Here's my configuration:
  group-policy GP_company_intranet_portal attributes
  wins-server value x.x.x.x
  dns-server value x.x.x.x
  vpn-tunnel-protocol ssl-client ssl-clientless
  split-tunnel-policy tunnelall
  default-domain value company.local
  address-pools value IPP_SSLVPN01
  webvpn
    url-list value BML_company_intranet_portal
    http-proxy disable
    anyconnect keep-installer installed
    anyconnect ask enable default webvpn
    customization value CO_company_intranet_portal
    http-comp gzip
    hidden-shares none
    activex-relay enable
    file-entry disable
    file-browsing disable
    url-entry disable
    smart-tunnel auto-signon disable
  tunnel-group TG_company_portal_localauth type remote-access
  tunnel-group TG_company_portal_localauth webvpn-attributes
  customization CO_company_intranet_portal
  group-url https://portal.company.be enable
  username testaccount password xxxxxxxxxx encrypted privilege 0
  username testaccount attributes
  vpn-group-policy GP_company_intranet_portal
  vpn-tunnel-protocol ssl-client ssl-clientless
  password-storage disable
  group-lock value TG_company_portal_localauth
  service-type remote-access
  Troubleshooting when logged in, just to verify if the right group-policy is being used:
  FW-company# show vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : testaccount              Index        : 510
  Public IP    : x.x.x.x
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : 3DES                   Hashing      : SHA1
  Bytes Tx     : 114897                 Bytes Rx     : 16087
  Group Policy : GP_company_intranet_portal
  Tunnel Group : TG_company_portal_localauth
  Login Time   : 14:50:56 GMT+2 Thu Oct 25 2012
  Duration     : 0h:00m:03s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none

  Hi jportugu,
  I can't believe it, i serieously though I already did that... And that removed my anyconnect button from the menu.
  Which is why I started playing with the DAP function in the first place.
  I tried your suggestion and that now works..
  Thanks!
  The only new problem now is that my bookmarks aren't showing up anymore now.
  But that must be a different problem I guess.
  Might be DAP related again?
  Result: I activated under the default DAP: "Bookmarks" ==> "Enable bookmarks"
  Now everything works as it is supposed to...
  Really strange though... I thought I did that already...
  Thanks jportugu!!
  Kind regards,
  Robin

• Problem establishing SSL VPN from only 1 IP address

  Hi,
  I'm experiencing strange problem.
  I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
  Remote IP address: 10.0.0.1
  ASA's public IP address: 192.168.1.1
  Output of packet-tracer:
  1. with problematic source IP address:
  packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.1.1   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
          hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 3
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
          hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
          hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
          hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 6
  Type: TCP-MODULE
  Subtype: webvpn
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
          hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 7
  Type: VPN
  Subtype: encrypt
  Result: DROP
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
          hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
          src ip/id=192.168.1.1, mask=255.255.255.255, port=0
          dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
          input_ifc=any, output_ifc=wan
  Result:
  input-interface: wan
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
  packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.1.1   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
          hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 3
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
          hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
          hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
          hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 6
  Type: TCP-MODULE
  Subtype: webvpn
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
          hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 7
  Type: USER-STATISTICS
  Subtype: user-statistics
  Result: ALLOW
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
          hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=any, output_ifc=wan
  Phase: 8
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 4384689, packet dispatched to next module
  Module information for forward flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_tcp_normalizer
  snp_fp_tcp_mod
  snp_fp_adjacency
  snp_fp_fragment
  snp_fp_drop
  Module information for reverse flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_tcp_normalizer
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat
  Result:
  input-interface: wan
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: allow
  I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
  I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
  The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
  Here is the configuration of the tunnel:
  group-policy GroupPolicy_10.0.0.1 internal
  group-policy GroupPolicy_10.0.0.1 attributes
  vpn-filter value VPN-ACL
  vpn-tunnel-protocol ikev1 ssl-client
  access-list VPN-ACL:
  access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
  object-group network DM_INLINE_NETWORK_83
  network-object 10.11.217.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_84
  network-object 10.11.217.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  tunnel local & remote networks:
  access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
  crypto map wan_map 5 match address wan_cryptomap_5
  crypto map wan_map 5 set connection-type answer-only
  crypto map wan_map 5 set peer 10.0.0.1
  crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
  I've configured the same setup in my lab and I can't reproduce the error.
  The SW version running on ASA is asa861-12.
  I'm out of ideas.

  Just collected some other information:
  1. traceroute shows that traffic is not leaving ASA at all
  1   *  *  *
  2   *  *  *
  3   *  *  *
  I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
  2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
  IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
  IPSEC(crypto_map_check)-1: Error: No crypto map matched.
  It really seems that the whole problem is that ASA is trying to encrypt traffic sent from public IP address of one VPN endpoint and targeted to public IP address of another VPN endpoint and send it to remote VPN endpoint via IPcec tunel.
  There is indeed VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel, VPN endpoint's public IP addresses are not included in the definition of this IPsec VPN tunnel.
  And there are at least two more IPsec VPN tunnels configured the same way and I can't reprodure this error on there two VPN tunnels.
  Any idea?

• SSL VPN Problem - ACL Parse Error

  Hi there.
  Testing some features in Cisco ASA SSL VPN(Clientless).
  But when i connect to the portal, trying to login i get the following error, anybody seen this before?
  It works if i ADD a ACL to the DAP, but dosn't if there is only a WEBACL applied??
  It also works if i remove my "check" in "ssl-client" box in the global_policy  (Group Policy).
  6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
  4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
  7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
  6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
  7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
  6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
  6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
  6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

  If you have implemented SSLVPN i18n then I think you are hitting bug.

• IOS SSL VPN problem

  I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
  The error on the router is:
  Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
  Jun 5 16:07:55.755: WV: server side not ready to send.
  The following is the configuration:
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context vpn1
  ssl authenticate verify all
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  policy group vpn1
  url-list "eng"
  default-group-policy vpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context vpn2
  ssl authenticate verify all
  policy group vpn2tunnel
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc split include 10.0.0.2 255.255.255.255
  default-group-policy vpn2tunnel
  gateway ISR2801-RM domain tunnel
  inservice

  Thanks for the reply !!!!
  the configation is the following:
  interface Ethernet 0
  ip address 10.0.0.128 255.255.255.0
  ip http secure-server
  ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
  webvpn gateway ISR2801-RM
  hostname ISR2801-RM
  ip address 1.2.3.4 port 443
  ssl trustpoint TP-self-signed-50153718
  ssl encryption aes-sha1
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context context-sslvpn1
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn1/
  url-list "eng"
  url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
  nbns-list cifs-servers
  nbns-server 172.16.1.1 master
  nbns-server 172.16.2.2 timeout 10 retries 5
  nbns-server 172.16.3.3 timeout 10 retries 5
  login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
  this device are logged and violations of this policy may result in disciplinary action."
  port-forward "portlist"
  local-port 30019 remote-server ssh-server remote-port 22 description SSH
  local-port 30020 remote-server mailserver remote-port 143 description IMAP
  local-port 30021 remote-server mailserver remote-port 110 description POP3
  local-port 30022 remote-server mailserver remote-port 25 description SMTP
  policy group policy-sslvpn1
  url-list "eng"
  port-forward "portlist"
  nbns-list "cifs-servers"
  functions file-access
  functions file-browse
  functions file-entry
  citrix enabled
  default-group-policy policy-sslvpn1
  gateway ISR2801-RM domain clientless
  inservice
  webvpn context context-sslvpn2
  ssl authenticate verify all
  user-profile location flash:webvpn/sslvpn/context-sslvpn2/
  policy group policy-sslvpn2
  functions svc-enabled
  svc address-pool "WEBVPN"
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc dpd-interval client 300
  svc rekey method new-tunnel
  svc rekey time 3600
  svc split include 10.0.0.0 255.255.255.0
  svc default-domain cisco.com
  svc dns-server primary 192.168.3.1
  svc dns-server secondary 192.168.4.1
  default-group-policy policy-sslvpn2
  gateway ISR2801-RM domain tunnel
  inservice
  ISR2801-RM#show webvpn install status svc
  SSLVPN Package SSL-VPN-Client version installed:
  CISCO STC win2k+
  2,2,0133
  Mon 05/19/2008 12:58:52.34 v
  ISR2801-RM#
  WHEN I TRY TO CONNECT TO THE SSL CONTEXT 2 with a client
  https://1.2.3.4/tunnel
  * the ssl client installed on the pc tell me can't connect.
  * on the router the log:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283:
  Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
  Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
  offset: 0, domain: 0)
  Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
  Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
  Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
  Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
  Jun 6 10:28:08.287: X-CSTP-Version: 1
  Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
  Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
  Jun 6 10:28:08.287: X-CSTP-MTU: 1406
  Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
  Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
  Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
  Jun 6 10:28:08.287:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291:
  Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
  Jun 6 10:28:08.291: WV: server side not ready to send.
  SSLVPN sock pid 182 sid 161: closing

• Problems when trying to surf the Internet through a SSL VPN tunnel

  Hi,
  I have a small/big problem, I have a customer who have the need for the possibility to surf the internet through the SA500W when they are connected through a SSL VPN tunnel in to their network. I am not using a Split Tunnel. What I have seen until now, when you run IPCONFIG/ALL the default gateway for the SSL VPN IP settings is 0.0.0.0. Is this the problem and if so, how can this be solved?
  Thanks in advance!
  Brg
  Niklas Eklov

  There are various causes for this error, see [[Firefox is already running but is not responding]] for details.

• Watchguard SSL VPN client on OSX 10.7 Lion TUN/TAP Kernel Problem

  I upgraded to OSX 10.7 Lion and lost the use of the Watchguard VPN client.
  I eventually found a solution at http://lesmond.net/2011/07/watchguard-ssl-vpn-client-on-osx-10-7-lion/
  I had already uninstalled Watchguard VPN and tried to reinstall to see if that worked (poor advice from another forum)
  I hadn't manually removed Watchguard icon from the dock.
  When you try to reinstall the dialog tells you to run an postupgrade script on the TUN/TAP kernel and then quits with a fail.
  If you install openVPN in this scenario you get an openVPN app and menu item, both of which do nothing.
  Click on the Watchguard dock icon and connect.
  I was then asked to upgrade and ended up with the run post upgrade script dialog and quit with a fail.
  I then clicked on the Watchguard doc icon again and connected.
  This time it connected with no problem.
  Hope this helps!

  WG has new firmware that will fix the problem, once flashed, download the new client vpn client (11.5.1) and you should be good to go.
  I had to contact WG to get the patch as it was not in the portal  Version 11.3.4 CSP6 for my device.  Hope this helps someone.

• SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

  Hi,
  Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
  some relevant config
  webvpn
  enable wan
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy vpnpolicy1 internal
  group-policy vpnpolicy1 attributes
  vpn-tunnel-protocol svc
  tunnel-group admins type remote-access
  tunnel-group admins general-attributes
  address-pool sslpool2
  default-group-policy vpnpolicy1
  username myuser password 1234567890 encrypted privilege 15
  username myuser  attributes
  vpn-group-policy vpnpolicy1
  Debug:
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
  webvpn_add_auth_handle: auth_handle = 17
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  webvpn_session.c:http_webvpn_create_session[184]
  WebVPN: error creating WebVPN session!
  webvpn_remove_auth_handle: auth_handle = 17
  webvpn_free_auth_struct: net_handle = CD5734D0
  webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_free_auth_struct: net_handle = CD5734D0

  AnyConnect says:
  "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
  The following message was received from the secure gateway: Host or network is 0"
  Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
  ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# debug http 255
  debug http enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
  webvpn_add_auth_handle: auth_handle = 22
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  HTTP: net_handle->standalone_client [0]
  webvpn_session.c:http_webvpn_create_session[184]
  webvpn_session.c:http_webvpn_find_session[159]
  WebVPN session created!
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_remove_auth_handle: auth_handle = 22
  webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CC894AA8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  Close 1043041832
  webvpn_free_auth_struct: net_handle = CC894AA8

• ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's

  Hello All,
  I'm an ASA Newb. 
  I feel like I have tried everything posted and still no success.
  PROBLEM:  When connected to the SSL VPN I cannot ping any internal host's.  I cannot ping anything on this inside?
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(5)
  hostname MCASA01
  domain-name mydomain.org
  enable password xxbtzv6P4Hqevn4N encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.2.0 VLAN
  name 192.168.5.0 VPNPOOL
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ddns update hostname MC_DNS
  dhcp client update dns server both
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  no forward interface Vlan1
  nameif outside
  security-level 0
  ip address 11.11.11.202 255.255.255.252
  interface Vlan3
  no nameif
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name mydomain.org
  access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
  keypair digicert.key
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 00b63edadf5efa057ea49da56b179132e8
      3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
      300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
      30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
      03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
      41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
      20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
      35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
      616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
      03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
      864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
      eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
      4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
      aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
      4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
      c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
      dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
      4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
      536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
      cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
      e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
      b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
      02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
      0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
      04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
      01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
      30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
      703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
      4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
      07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
      656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
      302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
      6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
      2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
      0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
      b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
      45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
      f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
      191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
      5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
      a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
    quit
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcpd address 192.168.1.100-192.168.1.200 inside
  dhcpd dns 66.180.96.12 64.238.96.12 interface inside
  dhcpd lease 86400 interface inside
  dhcpd ping_timeout 4000 interface inside
  dhcpd domain mydomain.org interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 64.147.116.229 source outside
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy VPNGP internal
  group-policy VPNGP attributes
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-TUNNEL
  username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
  username GaryC attributes
  vpn-group-policy VPNGP
  tunnel-group MCVPN type remote-access
  tunnel-group MCVPN general-attributes
  address-pool VPNPOOL
  default-group-policy VPNGP
  tunnel-group MCVPN webvpn-attributes
  group-alias MCVPN enable
  group-url https://11.11.11.202/MCVPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
  : end
  My goal is to allow Remote Users to RDP(3389) through VPN.
  Thank you,
  Gary
  Message was edited by: Gary Culwell

  Hello Jon,
    Thank you so much for your response. Clients will not be connect to a specific RDP server.  I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access.  So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
  Would you say this would work:
  route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
  Do you have examples?
  Thank you,
  Gary

• SSL VPN Connection Issue

  Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
  *************Equipment/Software
  Cisco 2851 Router Version 15.4(M9) Software
  anyconnect-win-3.1.07021-k9.pkg
  *************Configuration
  ip local pool webvpn1 172.16.100.80 172.16.100.90
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip access-list extended webvpn-acl
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
   permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
  webvpn gateway CCIELAB
   hostname Porshe_GT3
   ip interface GigabitEthernet0/0 port 443
   http-redirect port 80
   ssl trustpoint my-sslvpn-ca
   inservice
  webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
  webvpn context CCIELab
   title "Networking Lab"
   ssl authenticate verify all
   login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
   policy group Labrats
     functions svc-enabled
     banner "Success, You Made It"
     filter tunnel webvpn-acl
     svc address-pool "webvpn1" netmask 255.255.255.0
     svc keep-client-installed
     svc rekey method new-tunnel
     svc split include 172.16.100.0 255.255.255.0
   default-group-policy Labrats
   aaa authentication list webvpn
   gateway CCIELAB
   inservice
  *********************Debugs
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
  *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
  *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
  *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
  *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
  *********************Verification
  Porshe_GT3#show webvpn policy group Labrats context all
  WEBVPN: group policy = Labrats ; context = CCIELab
        banner = "Success, You Made It"
        idle timeout = 2100 sec
        session timeout = Disabled
        functions = 
                  svc-enabled 
        citrix disabled
        address pool name = "webvpn1"
        netmask = 255.255.255.0
        tunnel-mode filter = "webvpn-acl"
        dpd client timeout = 300 sec
        dpd gateway timeout = 300 sec
        keepalive interval = 30 sec
        SSLVPN Full Tunnel mtu size = 1406 bytes
        keep sslvpn client installed = enabled
        rekey interval = 3600 sec
        rekey method = new-tunnel 
        lease duration = 43200 sec
        split include = 172.16.100.0 255.255.255.0

  The problem is related to either of these issues:
  Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
  Fragmentation policy during encryption
  Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

• SSL VPN Failed to validate server certificate (cannot access https)

  Hi all,
  I have the next problem.
  I've configured in an UC520 a SSL VPN.
  I can access properly and I can see the labels, but I only can access urls which are http, not https:
  I can access the default ip of the uc520 (192.168.1.10) but
  When I try to get access to a secure url I get the msg: Failed to validate server certificate
  I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
  Does the certificate of both hardware has to be the same?
  How can I add a https?
  Here is the config of the router:
  webvpn gateway SDM_WEBVPN_GATEWAY_1
  ip address 192.168.1.254 port 443 
  ssl trustpoint TP-self-signed-2977472073
  inservice
  webvpn context SDM_WEBVPN_CONTEXT_1
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  url-list "Intranet"
     heading "Corporate Intranet"
     url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
     url-text "Impresora" url-value "http://192.168.10.100"
     url-text "DMM" url-value "https://pc.sumkio.local:8443"
     url-text "DMM 1" url-value "http://192.168.10.10:8080"
     url-text "UC520" url-value "http://192.168.10.1"
  policy group SDM_WEBVPN_POLICY_1
     url-list "Intranet"
     mask-urls
     svc dns-server primary 192.168.10.250
     svc dns-server secondary 8.8.8.8
  default-group-policy SDM_WEBVPN_POLICY_1
  aaa authentication list sdm_vpn_xauth_ml_1
  gateway SDM_WEBVPN_GATEWAY_1
  max-users 10
  inservice
  Any help would be apreciatted.
  Thank you

  Hi, thanks for your advise.
  I'm trying to copy the certificate via cut and paste, but I'm getting a
  % Error in saving certificate: status = FAIL
  I dont know if I'm doing this right.
  I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
  I get a file which if I open with notepad is like
  -----BEGIN CERTIFICATE-----
  MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
  KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
  mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
  nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
  -----END CERTIFICATE-----
  If I try to authenticate the trustpoint, I get that error.
  how can I export the certificate from the DMM?
  I think that this file is not the right file.
  and then, do I have to make some changes in
  webvpn gateway SDM_WEBVPN_GATEWAY_1?
  Should I choose the new trustpoint?
  I understand that the old trustpoint is for the outside connection, no for the LAN connection.
  Dont worry about me, answer when you can but I really need to fix this.
  Thank you so much

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• ASA 5505 VPN Group Policies (RADIUS) and tunnel group

  I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
  I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
  Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
  I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
  Session Type: WebVPN
  Username     : kaisaron78             Index        : 1
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 518483                 Bytes Rx     : 37549
  Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 10:59:33 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:23s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000100053f1c075
  Security Grp : none
  Asa5505# sh vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : manintra               Index        : 2
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 238914                 Bytes Rx     : 10736
  Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 11:01:02 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:05s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000200053f1c0ce
  Security Grp : none
  As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
  ! ADDRESS POOLS AND NAT
  names
  ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_27
   subnet 192.168.10.0 255.255.255.224
  access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
  ! RADIUS SETUP
  aaa-server OpenOTP protocol radius
  aaa-server OpenOTP (inside) host 192.168.1.8
   key ******
   authentication-port 1812
   accounting-port 1814
   radius-common-pw ******
   acl-netmask-convert auto-detect
  webvpn
   port 10443
   enable outside
   dtls port 10443
   anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
   anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
   anyconnect enable
  ! LOCAL POLICIES
  group-policy SSLPolicy internal
  group-policy SSLPolicy attributes
   vpn-tunnel-protocol ssl-clientless
   vlan 3
   dns-server value 10.5.1.5
   default-domain value management.local
   webvpn
    url-list value Management_List
  group-policy RemoteAC internal
  group-policy RemoteAC attributes
   vpn-tunnel-protocol ikev2 ssl-client
   vlan 1
   address-pools value AnyConnect_Pool
   dns-server value 192.168.1.4
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value Split_Tunnel_Anyconnect
   default-domain value home.local
   webvpn
    anyconnect profiles value AnyConnect_Profile_client_profile type user
  group-policy SSLLockdown internal
  group-policy SSLLockdown attributes
    vpn-simultaneous-logins 0
  ! DEFAULT TUNNEL
  tunnel-group DefaultRAGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group VPN_Tunnel type remote-access
  tunnel-group VPN_Tunnel general-attributes
   authentication-server-group OpenOTP
   default-group-policy SSLLockdown
  !END
  I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
  Any help will be more than appreciated.
  Cesare Giuliani

  Ok, it makes sense.
  Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
  Thank you again for your precious and kind help, and for your patience as well!
  Cesare Giuliani

• SSL VPN with machine certificate authentication

  Hi All,
  I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
  Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
  The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
  btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
  Thanks in advance for your help
  Hardware is ASA5540, software version 8.2(5).
  Some pieces of the configuration below:
  group-policy VPN4TEST-Policy internal
  group-policy VPN4TEST-Policy attributes
    wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  vpn-simultaneous-logins 1
  vpn-idle-timeout 60
  vpn-filter value VPN4TEST_allow_access
  vpn-tunnel-protocol IPSec svc webvpn
  group-lock none
  ipsec-udp enable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  default-domain value cs.ad.klmcorp.net
  vlan 44
  nac-settings none
  address-pools value VPN4TEST-xxx
  webvpn
    svc modules value vpngina
    svc profiles value KLM-SSL-VPN-VPN4TEST
  tunnel-group VPN4TEST-VPN type remote-access
  tunnel-group VPN4TEST-VPN general-attributes
  address-pool VPN4TEST-xxx
  authentication-server-group RSA-7-Authent
  default-group-policy VPN4TEST-Policy
  tunnel-group VPN4TEST-VPN webvpn-attributes
  authentication aaa certificate
  group-alias VPN4TEST-ANYCONNECT enable

  Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

• Accessing Home Dir's via ASA SSL VPN

  I have an ASA 5540 and an ACS 4.0. i am configuring an SSL based VPN for users in an active directory. I want to give the users access to their Windows Home Dir and have created a CIFS link in the URL list in the tunnel group policy for those users.
  I want to give the users access to \\SERVER\Share\%username% as it is described in windows terms. how do a go about this in the ASA, as the above does not work at all? the ASA wants to use the / instead of \ in the CIFS shares. It works fine for normal shares and hidden share specified with $, but not using the %username% variable.
  The documentation on SSL VPNS on both ASA and ACS 4.0 is terrible.
  Best regards,
  Neal Lewis

  This question might be a bit outdated, yet I stumbled across it since even in times of OS 8.4(3), I've had exactly the same problem. Menawhile I've found the solution to it:
  You can work with the usual WebVPN variables which ASA offers for single sign-on (SSO) purposes. The following example works for my customer for a profile in which he applies two-factor authentication and allows his users to access their Windows home share using SSO (using the secondary WebVPN login information, which is their AD login name, accessed via LDAP):
  Bookmark URL:
  cifs:///CSCO_WEBVPN_SECONDARY_USERNAME%24 (where %24 is a code substitution for the '$' sign)
  SSO config:
  group-policy attributes
    webvpn
      auto-signon allow ip auth-type ntlm username CSCO_WEBVPN_SECONDARY_USERNAME password CSCO_WEBVPN_SECONDARY_PASSWORD
  There are two important things to consider, though:
  The share name *must* match the user's login name
  The folder effectively has to be configured to be a share (not just an ordinary folder). My tests have shown that it doesn't work even if that desired, ordinary destination folder is a subfolder of an accessible share.
  Hope that helps other people.
  Toni