Ssl vpn

Hi,
We have ASA 5505 and working ok with remote VPN as well. but one of our user bought windows8 laptop and said Ciscp VPN does not work and need SSL VPN.
We only had two anyconnect license so I configured anyconnect as well for him to use but he gets error Login Denied , unauthorized connection mechanism , contact your administrator 
I looked on the net and found one of the suggestion to add
vpn-tunnel-protocol svc webvpn
I am not sure whether it would fix the problem or not. Plus I do not know how to inform the user to connect on the web to download the client.
Please help.
Thanks

Have you gone through the troubleshooting section on this link? I would start making assesment, for example update the machines Java or at least that the machine meets Java requirements listed in link bellow troubleshooting section , also try using the latest rdp-plugin release 080506.
Go over this
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml
Some more info here
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1292863
Rgds
Jorge

Similar Messages

  • SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

    Hi,
    Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
    some relevant config
    webvpn
    enable wan
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy vpnpolicy1 internal
    group-policy vpnpolicy1 attributes
    vpn-tunnel-protocol svc
    tunnel-group admins type remote-access
    tunnel-group admins general-attributes
    address-pool sslpool2
    default-group-policy vpnpolicy1
    username myuser password 1234567890 encrypted privilege 15
    username myuser  attributes
    vpn-group-policy vpnpolicy1
    Debug:
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
    webvpn_add_auth_handle: auth_handle = 17
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    webvpn_session.c:http_webvpn_create_session[184]
    WebVPN: error creating WebVPN session!
    webvpn_remove_auth_handle: auth_handle = 17
    webvpn_free_auth_struct: net_handle = CD5734D0
    webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_free_auth_struct: net_handle = CD5734D0

    AnyConnect says:
    "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
    The following message was received from the secure gateway: Host or network is 0"
    Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
    ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# debug http 255
    debug http enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
    webvpn_add_auth_handle: auth_handle = 22
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    HTTP: net_handle->standalone_client [0]
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_remove_auth_handle: auth_handle = 22
    webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CC894AA8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    Close 1043041832
    webvpn_free_auth_struct: net_handle = CC894AA8

  • ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

    Hi there, please forgive if I have missed any forum protocols as this is my first post.
    I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
    Inside              192.168.1.254/24
    Outside           dhcp
    VPN Pool        192.168.250.1-50/24
    Inside LAN     192.168.1.0/24
    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.128
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 4433
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_anyconnect internal
    group-policy GroupPolicy_anyconnect attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username test password JAasdf434ey521ZCT encrypted privilege 15
    tunnel-group anyconnect type remote-access
    tunnel-group anyconnect general-attributes
    address-pool vpn_pool
    default-group-policy GroupPolicy_anyconnect
    tunnel-group anyconnect webvpn-attributes
    group-alias anyconnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:24bcba3c4124ab371297d52260135924
    : end :

    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.0
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.100.2 255.255.255.255 management
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Anyconnect_VPN internal
    group-policy GroupPolicy_Anyconnect_VPN attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username sander password f/J.5nLef/EqyPfy encrypted
    username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
    tunnel-group Anyconnect_VPN type remote-access
    tunnel-group Anyconnect_VPN general-attributes
    address-pool Anyconnect-pool
    default-group-policy GroupPolicy_Anyconnect_VPN
    tunnel-group Anyconnect_VPN webvpn-attributes
    group-alias Anyconnect_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
    : end:

  • ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's

    Hello All,
    I'm an ASA Newb. 
    I feel like I have tried everything posted and still no success.
    PROBLEM:  When connected to the SSL VPN I cannot ping any internal host's.  I cannot ping anything on this inside?
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname MCASA01
    domain-name mydomain.org
    enable password xxbtzv6P4Hqevn4N encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.2.0 VLAN
    name 192.168.5.0 VPNPOOL
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname MC_DNS
    dhcp client update dns server both
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    no forward interface Vlan1
    nameif outside
    security-level 0
    ip address 11.11.11.202 255.255.255.252
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name mydomain.org
    access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
    keypair digicert.key
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 00b63edadf5efa057ea49da56b179132e8
        3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
        300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
        30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
        03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
        41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
        20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
        35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
        616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
        03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
        864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
        eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
        4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
        aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
        4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
        c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
        dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
        4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
        536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
        cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
        e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
        b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
        02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
        0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
        04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
        01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
        30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
        703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
        4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
        07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
        656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
        302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
        6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
        2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
        0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
        b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
        45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
        f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
        191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
        5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
        a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
      quit
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 66.180.96.12 64.238.96.12 interface inside
    dhcpd lease 86400 interface inside
    dhcpd ping_timeout 4000 interface inside
    dhcpd domain mydomain.org interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 64.147.116.229 source outside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy VPNGP internal
    group-policy VPNGP attributes
    vpn-tunnel-protocol svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-TUNNEL
    username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
    username GaryC attributes
    vpn-group-policy VPNGP
    tunnel-group MCVPN type remote-access
    tunnel-group MCVPN general-attributes
    address-pool VPNPOOL
    default-group-policy VPNGP
    tunnel-group MCVPN webvpn-attributes
    group-alias MCVPN enable
    group-url https://11.11.11.202/MCVPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
    : end
    My goal is to allow Remote Users to RDP(3389) through VPN.
    Thank you,
    Gary
    Message was edited by: Gary Culwell

    Hello Jon,
      Thank you so much for your response. Clients will not be connect to a specific RDP server.  I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access.  So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
    Would you say this would work:
    route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
    Do you have examples?
    Thank you,
    Gary

  • ASA 5505 WebVPN - It has taken a while for SSL VPN Relay to load. You need to verify Java is enabled in your browser

    ASA 5505
    ASA Version 9.0.(2)
    Suddently on the webvpn Interface when i click on my web bookmarks (and java launches in browser) i get this fail in Chrome and FF 'It has take a while for SSL VPN Relay til load. You need to verify Java is enabled in your browser' and nothing happens...
    Java IS enabled and running. Tried this in both 7.45 and 7.51
    No problem in IE 11 and java 7.45 and 7.51
    I've googled alot but have not been able to find any suggetions
    Hope you have a solution
    Best Regards.

    Any resolution on this?  Firefox/Chrome my cifs work but smart tunnel RDP doesn't, and in IE my shares don't work but RDP smart tunnel does....
    Cisco, if you're not going to do something good, just don't do it.  The SSL VPN is a hack job.

  • SSL VPN Connection Issue

    Having an Issue with an SSL VPN I can't seem to get past. Using Anyconnect software on PC or android phone I am not able to send any traffic thru the tunnel. The Client is able to authenticate beforehand successfully and assigns a private ip via the pool configured as its supposed to but nothing there. I have listed the configuration below along with the debugs. I have omitted any public ip information. The debugs say there is any issue w/ an ACL but everything appears correct. Any help would be most appreciated.
    *************Equipment/Software
    Cisco 2851 Router Version 15.4(M9) Software
    anyconnect-win-3.1.07021-k9.pkg
    *************Configuration
    ip local pool webvpn1 172.16.100.80 172.16.100.90
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip access-list extended webvpn-acl
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.60 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.70 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq telnet
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 22
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq www
     permit tcp 172.16.100.0 0.0.0.255 host 172.16.100.8 eq 443
    webvpn gateway CCIELAB
     hostname Porshe_GT3
     ip interface GigabitEthernet0/0 port 443
     http-redirect port 80
     ssl trustpoint my-sslvpn-ca
     inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
    webvpn context CCIELab
     title "Networking Lab"
     ssl authenticate verify all
     login-message "All Sessions are logged and monitored.Please be respectful and if any questions contact [email protected]"
     policy group Labrats
       functions svc-enabled
       banner "Success, You Made It"
       filter tunnel webvpn-acl
       svc address-pool "webvpn1" netmask 255.255.255.0
       svc keep-client-installed
       svc rekey method new-tunnel
       svc split include 172.16.100.0 255.255.255.0
     default-group-policy Labrats
     aaa authentication list webvpn
     gateway CCIELAB
     inservice
    *********************Debugs
    *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Forwarding the pak 4A2D3B94
    *May  2 09:12:50.601: [WV-TUNL-PAK]: IP4 Len =60 Src =172.16.100.87 Dst =172.16.100.8 Prot =6 
    *May  2 09:12:50.601: [WV-TUNL-PAK]:TCP sport=53571, dport=2001, seq=4091902471 ack=0, bits=SYN 
    *May  2 09:12:50.601: [WV-TUNL-PAK]:[4BB44B08] TxServer, Pak 4A2D3B94 failed ACL webvpn-acl
    *May  2 09:13:19.841: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Recd DPD Req frame (User RemzRR, IP 172.16.100.87)
    *May  2 09:19:57.757: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, Sending DPD Res frame (User RemzRR, IP 172.16.100.87)
    *May  2 09:25:27.925: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:25:58.025: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:26:28.509: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *May  2 09:27:00.381: [WV-TUNL-EVT]:[4BB44B08] CSTP Control, KeepAlive Detected. Dropped
    *********************Verification
    Porshe_GT3#show webvpn policy group Labrats context all
    WEBVPN: group policy = Labrats ; context = CCIELab
          banner = "Success, You Made It"
          idle timeout = 2100 sec
          session timeout = Disabled
          functions = 
                    svc-enabled 
          citrix disabled
          address pool name = "webvpn1"
          netmask = 255.255.255.0
          tunnel-mode filter = "webvpn-acl"
          dpd client timeout = 300 sec
          dpd gateway timeout = 300 sec
          keepalive interval = 30 sec
          SSLVPN Full Tunnel mtu size = 1406 bytes
          keep sslvpn client installed = enabled
          rekey interval = 3600 sec
          rekey method = new-tunnel 
          lease duration = 43200 sec
          split include = 172.16.100.0 255.255.255.0

    The problem is related to either of these issues:
    Maximum Transmission Unit (MTU)/Maximum Segment Size (MSS) size
    Fragmentation policy during encryption
    Perform a sniffer trace from the client to the server side in order to find out which is the best MTU to use.Continue to reduce the value of 1400 by 20 until there is a reply

  • SSL VPN Problem - ACL Parse Error

    Hi there.
    Testing some features in Cisco ASA SSL VPN(Clientless).
    But when i connect to the portal, trying to login i get the following error, anybody seen this before?
    It works if i ADD a ACL to the DAP, but dosn't if there is only a WEBACL applied??
    It also works if i remove my "check" in "ssl-client" box in the global_policy  (Group Policy).
    6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
    4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
    6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
    6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
    6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
    6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

    If you have implemented SSLVPN i18n then I think you are hitting bug.

  • SSL VPN Connection error with SA520

    Hi there,
    I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
    I have made sure the firewall was turned off. Any idea on how to get the ssl tunel connected?
    Thanks

    Hihi,
    we have the same problem, running on Vista 32 bit, and IE9.
    On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
    It works also on Win 7 64 bit, although only with the 64 bit version of IE.
    Coming back to our Vista issue, we did not find any way to make it work properly.
    Tried to turn off firewall, disinstall a lot of stuff that may interphere, etc. , still same problem.
    We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
    Anyone has any suggestion ??
    Tks

  • SSL VPN Client Error

    I setup a Cisco ASA 5510 SSL VPN with the folowing;
    IOS 7.2
    SSL VPN CLient sslclient-win-1.1.1.164.pkg
    Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
    IBM Thinkpad T40
    Windows XP SP 2
    Internet Explorer 7
    All patches up-to-date
    All drivers up-to-date
    SSL VPN Client connection process;
    - User login with valid account and password
    - The SSL VPN Client package will automatically download and installed.
    - User will then be connected to SSL VPN
    The ERRORS;
    1. GUI (Cisco SSL VPN Client installation process)
    "The SSL VPN Client driver has Encountered an Error"
    2. Event Viewer
    The only error in this user event viewer that differs from other users who successfully connected are;
    a)
    Function: EnableVA
    Return code: 0
    File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
    Line: 310
    Description: unknown
    b)
    Function: EnableVA
    Return code: 0xFE080007
    File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
    Line: 1145
    Description: VAMGR_ERROR_ENABLE_VA_FAILED
    Anyone know what thus the error means?
    BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
    Thanks

    The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

  • SSL VPN Failed to validate server certificate (cannot access https)

    Hi all,
    I have the next problem.
    I've configured in an UC520 a SSL VPN.
    I can access properly and I can see the labels, but I only can access urls which are http, not https:
    I can access the default ip of the uc520 (192.168.1.10) but
    When I try to get access to a secure url I get the msg: Failed to validate server certificate
    I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
    Does the certificate of both hardware has to be the same?
    How can I add a https?
    Here is the config of the router:
    webvpn gateway SDM_WEBVPN_GATEWAY_1
    ip address 192.168.1.254 port 443 
    ssl trustpoint TP-self-signed-2977472073
    inservice
    webvpn context SDM_WEBVPN_CONTEXT_1
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    url-list "Intranet"
       heading "Corporate Intranet"
       url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
       url-text "Impresora" url-value "http://192.168.10.100"
       url-text "DMM" url-value "https://pc.sumkio.local:8443"
       url-text "DMM 1" url-value "http://192.168.10.10:8080"
       url-text "UC520" url-value "http://192.168.10.1"
    policy group SDM_WEBVPN_POLICY_1
       url-list "Intranet"
       mask-urls
       svc dns-server primary 192.168.10.250
       svc dns-server secondary 8.8.8.8
    default-group-policy SDM_WEBVPN_POLICY_1
    aaa authentication list sdm_vpn_xauth_ml_1
    gateway SDM_WEBVPN_GATEWAY_1
    max-users 10
    inservice
    Any help would be apreciatted.
    Thank you

    Hi, thanks for your advise.
    I'm trying to copy the certificate via cut and paste, but I'm getting a
    % Error in saving certificate: status = FAIL
    I dont know if I'm doing this right.
    I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
    I get a file which if I open with notepad is like
    -----BEGIN CERTIFICATE-----
    MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
    KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
    mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
    nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
    -----END CERTIFICATE-----
    If I try to authenticate the trustpoint, I get that error.
    how can I export the certificate from the DMM?
    I think that this file is not the right file.
    and then, do I have to make some changes in
    webvpn gateway SDM_WEBVPN_GATEWAY_1?
    Should I choose the new trustpoint?
    I understand that the old trustpoint is for the outside connection, no for the LAN connection.
    Dont worry about me, answer when you can but I really need to fix this.
    Thank you so much

  • SSL VPN (WebVPN) issues with IOS 15.0(1)M1

    Hello everyone... I need your help!
    I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
    Symptoms:
    - AnyConnect Client prompts users with the following error:
    "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
    Debug:
    Mar  5 13:09:45:
    Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
    Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
    Mar  5 13:09:45: WV-TUNL: Allocating stc_config
    Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
    Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
    Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
    Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45:
    Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
    Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
    Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
    Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
    WV-TUNL:      Severity ERROR Type USER_LOGOUT
    WV-TUNL:      Text: HTTP response contained an HTTP error code.
    Mar  5 13:09:45: WV-TUNL: Call user logout function
    Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
    When the error occurs, the "SVCIP install TCP failed" counter increments:
    VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
    [snip]
    Tunnel Statistics:
        Active connections       : 1       
        Peak connections         : 3          Peak time                : 19:09:04
        Connect succeed          : 9          Connect failed           : 5       
        Reconnect succeed        : 0          Reconnect failed         : 0       
        SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
        SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
        SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
        DPD timeout              : 0        
    [snip]
    IOS Version Details:
    Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
    The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
    Config:
    webvpn context CUSTOMER-VPN
    title "SSL VPN for Customer"
    ssl authenticate verify all
    login-message "Enter username and passcode"
    policy group CUSTOMER-VPN
       functions svc-required
       svc keep-client-installed
       svc split include 10.1.16.0 255.255.240.0
       svc split include 10.1.2.0 255.255.254.0
    vrf-name CUSTOMER-VPN
    default-group-policy CUSTOMER-VPN
    aaa authentication list AAA-LIST
    aaa authentication auto
    aaa accounting list AAA-LIST
    gateway vpn virtual-host customer.xx.com
    logging enable
    inservice
    The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

    Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
    At that point in time we were running with local pool definition.
    As the http 401 rc happens very sporadically we still gathering incident reports internally.
    Will open a case if you did not yet.
    cheers, Andy

  • ASA 5505 SSL VPN LOG failed

    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
    %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
    %ASA-6-113012: AAA user authentication Successful : local database : user = admin
    %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
    %ASA-6-113008: AAA transaction status ACCEPT : user = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
    %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
    %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
    %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
    %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
    Red error what is the reason? Only appears in the window 2003 server.

    ciscoasa# show   activation-key 
    Serial Number:  JMX1314Z1UV
    Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    ciscoasa#
    Sure ?it was licence question?

  • SSL VPN Login failure issue

    Hello,
    I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
    Function: ConnectMgr::setPromptAttributes
    File: .\ConnectMgr.cpp
    Line: 2657
    Invoked Function: setPromptAttributes
    Return Code: -33554423 (0xFE000009)
    Description: GLOBAL_ERROR_UNEXPECTED
    Error text:
    Login failed.
    If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
    This has been driving me crazy - as a work around for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that show a failed attempt).  Still troubleshooting and looking at certificate's at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
    Regards.
    After a little more testing, seems somehow related to users being in to many groups in AD.      
    Message was edited by: Rich Viola

    Hello,
    If the website is unavailable or in this case, the website is missing several characters(charts, canvas, etc or some other objects), usually could be an issue with the rewrite engine.
    Solution (workaround):
    You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
    You can implement it as follow:
    Add a Bookmark
    Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
    For further information you can find it here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
    Let me know how tit works out!
    Please don't forget to rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Problem establishing SSL VPN from only 1 IP address

    Hi,
    I'm experiencing strange problem.
    I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
    Remote IP address: 10.0.0.1
    ASA's public IP address: 192.168.1.1
    Output of packet-tracer:
    1. with problematic source IP address:
    packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
            hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
            src ip/id=192.168.1.1, mask=255.255.255.255, port=0
            dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
    packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
            hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Phase: 8
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 4384689, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_tcp_mod
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_drop
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: allow
    I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
    I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
    The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
    Here is the configuration of the tunnel:
    group-policy GroupPolicy_10.0.0.1 internal
    group-policy GroupPolicy_10.0.0.1 attributes
    vpn-filter value VPN-ACL
    vpn-tunnel-protocol ikev1 ssl-client
    access-list VPN-ACL:
    access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
    object-group network DM_INLINE_NETWORK_83
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_84
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    tunnel local & remote networks:
    access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
    crypto map wan_map 5 match address wan_cryptomap_5
    crypto map wan_map 5 set connection-type answer-only
    crypto map wan_map 5 set peer 10.0.0.1
    crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
    I've configured the same setup in my lab and I can't reproduce the error.
    The SW version running on ASA is asa861-12.
    I'm out of ideas.

    Just collected some other information:
    1. traceroute shows that traffic is not leaving ASA at all
    1   *  *  *
    2   *  *  *
    3   *  *  *
    I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
    2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
    IPSEC(crypto_map_check)-1: Error: No crypto map matched.
    It really seems that the whole problem is that ASA is trying to encrypt traffic sent from public IP address of one VPN endpoint and targeted to public IP address of another VPN endpoint and send it to remote VPN endpoint via IPcec tunel.
    There is indeed VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel, VPN endpoint's public IP addresses are not included in the definition of this IPsec VPN tunnel.
    And there are at least two more IPsec VPN tunnels configured the same way and I can't reprodure this error on there two VPN tunnels.
    Any idea?

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
    Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

  • No SSL VPN tunnel from AnyConnect to IOS

    Dear all
    Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
    But I simply cannot make it work.
    I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
    Here is my configuration on the router:
    crypto pki trustpoint TP-self-signed-595019360
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-595019360
    revocation-check none
    rsakeypair TP-self-signed-595019360
    crypto pki certificate chain TP-self-signed-595019360
    certificate self-signed 01
      3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    [......skipped....]
    interface Loopback123
    ip address 192.168.123.254 255.255.255.0
    ip local pool GS-POOL 192.168.123.1 192.168.123.10
    webvpn gateway GS-GW
    hostname GS-VPN-test
    ip address x.x.x.x port 443
    ssl trustpoint TP-self-signed-595019360
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context GS-CONTEXT
    ssl authenticate verify all
    policy group GS-POLICY
       functions svc-required
       svc address-pool "GS-POOL"
    default-group-policy GS-POLICY
    gateway GS-GW
    inservice
    These are my debug settings:
    #sh debug
    WebVPN Subsystem:
      WebVPN (verbose) debugging is on
      debug webvpn entry GS-CONTEXT
      WebVPN HTTP (verbose) debugging is on
      WebVPN AAA debugging is on
      WebVPN tunnel (verbose) debugging is on
      WebVPN Single Sign On debugging is on
    And these are all debug messages I get upon incoming connection:
    Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
    At this poibnt I have to accept the self-sigbned certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I hav to accept the certificate in the client a second time (WHY?) Then the router gives these messages:
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
    Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
    buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
    Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
    buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
    At this point the Anyconnect client says "Connection attempt failed" and that's all.
    So please, any advice how to solve this?
    And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you server different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
    Thanks a lot for any suggestions,
    Grischa

    Some more restrictions:
    12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
    In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
    CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
    In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
    If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
    hth
    Herbert

Maybe you are looking for