WEBVPN Add-On Problem

I have a problem with the RDP plugin on WebVPN on the ASA.
On one client, I have installed this add-on: "Microsoft rdp client control"; here the RDP plugin works. On the other client I have installed this add-on: "Microsoft terminal services client control"; here the RDP plugin doesn't work.
Does anyone have an idea how to delete the add-on or reinstall the right add-on?
Thanks

See the troubleshooting section on this link.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml

Similar Messages

  • Cisco ASA 5505 VPN connection issue ("Unable to add route")

    I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
    Setup:
    * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
    * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
    NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
    I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
    First I tried with the built-in ASDM IPSec Wizard, instructions found here.
    VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
    Client logs show following error messages:
    1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.101
    3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
    4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
    7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.100
    9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
    I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
    A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(5)
    hostname AsaDWD
    enable password kLu0SYBETXUJHVHX encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group DW-VPDN
    ip address pppoe setroute
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group DW-VPDN request dialout pppoe
    vpdn group DW-VPDN localname fa******@SKYNET
    vpdn group DW-VPDN ppp authentication pap
    vpdn username fa******@SKYNET password *****
    dhcpd auto_config outside
    dhcpd address 192.168.2.5-192.168.2.36 inside
    dhcpd domain DOMAIN interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DWD internal
    group-policy DWD attributes
    vpn-tunnel-protocol IPSec
    username test password ******* encrypted privilege 0
    username test attributes
    vpn-group-policy DWD
    tunnel-group DWD type remote-access
    tunnel-group DWD general-attributes
    address-pool DWD-VPN-Pool
    default-group-policy DWD
    tunnel-group DWD ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
    : end
    I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
    Following commands have been entered:
    ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
    username *** password ****
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200
    isakmp enable outside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp nat-traversal
    sysopt connection permit-ipsec
    sysopt connection permit-vpn
    group-policy dwdvpn internal
    group-policy dwdvpn attributes
    vpn-tunnel-protocol IPSec
    default-domain value DWD
    tunnel-group dwdvpn type ipsec-ra
    tunnel-group dwdvpn ipsec-attributes
    pre-shared-key ****
    tunnel-group dwdvpn general-attributes
    authentication-server-group LOCAL
    default-group-policy dwdvpn
    Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
    I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
    The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
    Does anyone know what's going on?

    Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
    Please find my renewed config below:
    DWD-ASA(config)# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname DWD-ASA
    enable password ******* encrypted
    passwd ****** encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group DWD
     ip address pppoe setroute
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group DWD request dialout pppoe
    vpdn group DWD localname *****@SKYNET
    vpdn group DWD ppp authentication pap
    vpdn username *****@SKYNET password *****
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.10-192.168.2.40 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy dwdipsec internal
    group-policy dwdipsec attributes
     vpn-tunnel-protocol IPSec
     default-domain value DWDDOM
    username user1 password ***** encrypted privilege 0
    username user1 attributes
     vpn-group-policy dwdipsec
    tunnel-group dwdipsec type remote-access
    tunnel-group dwdipsec general-attributes
     address-pool vpnpool
     default-group-policy dwdipsec
    tunnel-group dwdipsec ipsec-attributes
     pre-shared-key *****
    tunnel-group dwdssl type remote-access
    tunnel-group dwdssl general-attributes
     address-pool vpnpool
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
    : end
    DWD-ASA(config)#
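Added example, not part of the original post: the `CM/0xA3100024` lines in the client log above give the failed route as raw hex, and this script decodes them, cross-checks them against the preceding `AddRoute failed` block, and reports whether the destination and gateway fall inside the networks the post names on the ASA side. The labels `inside` and `vpn-pool` and all function names are assumptions made for the example; the addresses and log lines are taken from the post.

```python
import ipaddress
import re

# Entries 2-3 and 8-9 of the client log quoted in the post above.
SAMPLE_LOG = """\
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
"""

# Networks named in the post: the inside LAN behind the ASA and the address
# pool from the CLI attempt. The dictionary keys are labels chosen here.
ASA_NETWORKS = {
    "inside": ipaddress.ip_network("192.168.2.0/24"),
    "vpn-pool": ipaddress.ip_network("172.16.1.0/24"),
}

HEX_ROUTE = re.compile(
    r"Unable to add route\. Network: (?P<network>[0-9a-fA-F]{8}), "
    r"Netmask: (?P<netmask>[0-9a-fA-F]{8}), "
    r"Interface: (?P<interface>[0-9a-fA-F]{8}), "
    r"Gateway: (?P<gateway>[0-9a-fA-F]{8})\."
)
DOTTED = re.compile(
    r"^(Destination|Netmask|Gateway|Interface)\s+(\d{1,3}(?:\.\d{1,3}){3})$"
)
# Hex field name in the CM record -> field name in the AddRoute block.
FIELD_MAP = {
    "network": "Destination",
    "netmask": "Netmask",
    "interface": "Interface",
    "gateway": "Gateway",
}


def hex_to_ip(value):
    """Decode 8 hex digits (most significant octet first) to an IPv4Address."""
    return ipaddress.IPv4Address(int(value, 16))


def owning_network(addr):
    """Return the label of the ASA-side network containing addr, or None."""
    for name, net in ASA_NETWORKS.items():
        if addr in net:
            return name
    return None


def parse_route_failures(log_text):
    """Return one record per 'Unable to add route' line in the log."""
    records = []
    dotted = None  # fields of the most recent 'AddRoute failed' block
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AddRoute failed"):
            dotted = {}
            continue
        field = DOTTED.match(line)
        if field and dotted is not None:
            dotted[field.group(1)] = ipaddress.IPv4Address(field.group(2))
            continue
        hexed = HEX_ROUTE.search(line)
        if not hexed:
            continue
        decoded = {k: hex_to_ip(v) for k, v in hexed.groupdict().items()}
        # The two records agree only if all four decoded values match.
        consistent = dotted is not None and all(
            dotted.get(FIELD_MAP[k]) == v for k, v in decoded.items()
        )
        route = ipaddress.ip_network(
            f"{decoded['network']}/{decoded['netmask']}", strict=False
        )
        records.append({
            "route": str(route),
            "destination": str(decoded["network"]),
            "interface": str(decoded["interface"]),
            "gateway": str(decoded["gateway"]),
            "consistent": consistent,
            "destination_network": owning_network(decoded["network"]),
            "gateway_network": owning_network(decoded["gateway"]),
        })
        dotted = None
    return records


if __name__ == "__main__":
    for rec in parse_route_failures(SAMPLE_LOG):
        print(rec)
```

On the log from the post, both failed routes decode to the host route 192.168.1.255/32 via 172.16.1.1: the gateway sits in the VPN pool, while the destination is in neither of the two networks listed for the ASA.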

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which is the bookmark I added for the Citrix server, http:// 172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open an application, no application opens). There is no alarm on the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling the SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error? It is possible that it is generating a different error.
    The bug where we have seen the existing error was CSCtf06303, but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA?
    If you have confirmed the above two notes, it may be advantageous to open a TAC case, as we may need to do some additional live troubleshooting.
    Thanks
    -Jay

  • Display name of bookmark in WebVPN

    Hey,
    I'm using the bookmarks within ASA WebVPN very heavily and let different users see only some of them.
    Currently for my user I get 8 different bookmark lists displayed, and when I collapse e.g. 3 lists, I can't see the names.
    Is there a way to display the title where I can expand/collapse them?
    Thanks!

    Hi,
    You can add the custom refiners for your content type and set the display name for the refiner.
    Please refer to the following article.
    http://blogs.technet.com/b/sharepoint_made_easy/archive/2013/03/19/step-by-step-configuration-to-add-custom-refiners-in-the-refinement-panel-of-search-results-page-for-sharepoint-online.aspx
    Please don't forget to mark it answered, if your problem resolved or helpful.

  • IOS: AnyConnect 2.5.3055, Windows 7 x64 fails to connect to Webvpn on 2811

    I am attempting to add SSLVPN to my 2811 and 2801 production routers. These devices currently run IOS 12.4(24)T4 ADV SECURITY images. I have successfully configured the SSL VPN gateway via CCP. I can connect via web browser to https://2811IP/sslvpn, log in, and use the web portal. When I attempt to use the full tunnel AnyConnect client on Windows 7 x64 (I have nothing else to test with right now) I get the simple and vague error: "Connection attempt has failed." This error occurs before I would receive a prompt to provide credentials. It never prompts me. There is no further information such as timeout, certificate error, or anything like that.
    Running term mon and debug webvpn on the router produces only the following when the client attempts to connect:
    002121: Oct 23 00:10:35.081: WV: sslvpn process rcvd context queue event
    002122: Oct 23 00:10:35.085: WV: sslvpn process rcvd context queue event
    002123: Oct 23 00:10:38.973: WV: sslvpn process rcvd context queue event
    002124: Oct 23 00:10:38.977: WV: sslvpn process rcvd context queue event
    002125: Oct 23 00:10:39.041: WV: sslvpn process rcvd context queue event
    002126: Oct 23 00:10:39.041: WV: Entering APPL with Context: 0x47FE4C90,
          Data buffer(buffer: 0x4732ABC0, data: 0x3F5BE498, len: 172,
          offset: 0, domain: 0)
    002127: Oct 23 00:10:39.041: WV: http request: /sslvpn with no cookie
    002128: Oct 23 00:10:39.041: WV: Client side Chunk data written..
    buffer=0x4732AA20 total_len=188 bytes=188 tcb=0x481CF0A8
    I've tried adding a program exception for anyconnect to the windows firewall.
    I've tried disabling the windows firewall.
    I've tried connecting via different ISPs, both wired and cellular.
    I've tried the previous release of AnyConnect for Windows.
    The TP certificate on the device is self-signed and valid from 1/23/2006 to 12/31/2019. I am prompted to accept the cert when I click Select (Connect) in the client. After I click Accept on the certificate window the connection fails. If I wait a while (perhaps a minute) the following error pops up, but ONLY if I wait a while before clicking Accept:
    "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network"
    What else can I check?

    Does the iPod work OK?
    Does it charge when connect to the computer?
    Does it appear in My Computer?
    Look at the dock connector on the iPod. Compare with the iPod that does work/connect.
    I suspect you have a 2G iPod. Those can only go to iOS 4.2.1
    http://support.apple.com/kb/HT1353#iPod_touch_late2009
    iPod touch (3rd generation)
    iPod touch (3rd generation) features a 3.5-inch (diagonal) widescreen multi-touch display and 32 GB or 64 GB flash drive. You can browse the web with Safari and watch YouTube videos with Wi-Fi. You can also search, preview, and buy songs from the iTunes Wi-Fi Music Store on iPod touch.
    The iPod touch (3rd generation) can be distinguished from iPod touch (2nd generation) by looking at the back of the device. In the text below the engraving, look for the model number. iPod touch (2nd generation) is model A1288, and iPod touch (3rd generation) is model A1318.

  • WebVPN doesn't work after a Windows 7 update.

    Hi
    Today a customer called me with a strange problem.
    After a Windows 7 update two days ago, all their WebVPN users could not log on.
    The web browser comes up with a popup with the message: This web location wants to install the following add-on: "Cisco Portforwarder Control by Cisco"
    But nothing happens?
    If they remove the Windows 7 update, WebVPN works again.
    Does anyone know what the problem could be and what to do to make it work?
    Best regards
    Rex Petersen / Denmark.

    Hi All,
    If I am not wrong, the only application that has been affected  because of the Microsoft update is clientless vpn. It is because of the Microsoft  Security update KB 2695962. For more information please visit:
    http://technet.microsoft.com/en-us/security/advisory/2695962
    The resolution to this can be found at:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient.
    Though this link provides a workaround, I have not seen that working.
    There are two options to make it to work:
    1. Either uninstall the specified security update
    or
    2. Upgrade the code to  the code mentioned under Software Versions and Fixes of the link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
    Let me know if this works after performing these steps.
    Thanks,
    Vishnu Sharma

  • How to edit webvpn login page with 7.2 version in ASA5510?

    Dear guys,
    As a solution for business, I have deployed WebVPN with version 7.2 on an ASA5510 (version 8.0 cannot be used in this case). Could you share some experience in customizing the WebVPN login page manually (not using ASDM)? For example, if I want to add some system tips or links to the login page, how do I do it?
    I appreciate your kind help and suggestions.
    Best Regards,
    David Wu

    Customizing the WebVPN login page with version 7.2 of the ASA is easy to do, and the following URL contains the document for customizing the WebVPN login page for ASA version 7.2:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html#wp1031868
    This document contains the step-by-step procedure for customizing the login page.

  • More than 1 AAA server for logging in to WebVPN

    Hi everybody,
    Does anyone know if the ASA supports simultaneous authentication against more than 1 AAA server? I've created LDAP and SecurID token accounts for every user and want them to provide both sets of account information for logging in to WebVPN.
    Please advise.
    Thanks in advance,
    Nitass

    If the AAA server you are referring to is a "radius server", then you can try out the following commands.
    In ASDM you would simply add the said RADIUS servers to the "server group".
    If you wish to do this through the CLI, you would define a group, e.g.
    aaa-server radius protocol radius
    aaa-server radius host x.x.x.x
    aaa-server radius host y.y.y.y
    aaa-server radius host z.z.z.z
    and you would then call this in the said tunnel-group:
    tunnel-group opsource type ipsec-ra
    tunnel-group opsource general-attributes
    address-pool admin_ra
    authentication-server-group radius LOCAL
    default-group-policy opsource

  • WebVPN will not send radius accounting

    Hi Folks,
    I have setup a webvpn system, which works perfectly on a 2811. However, when I enable aaa accounting on the context, it seems to be enabled BUT the accounting packet is never sent.
    Debug shows this
    Aug 28 09:55:56 c2811-test 312: Aug 28 07:55:56.652: WV-AAA: Nas Port ID set to 31.54.80.206.
    Aug 28 09:55:56 c2811-test 313: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): Register SSLVPN/4BFEEA58 64 bit counter support not configured
    Aug 28 09:55:56 c2811-test 314: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
    Aug 28 09:55:56 c2811-test 315: Aug 28 07:55:56.652: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
    Aug 28 09:55:56 c2811-test 316: Aug 28 07:55:56.656: AAA/ACCT/EVENT/(00000011): CALL START
    Aug 28 09:55:56 c2811-test 317: Aug 28 07:55:56.656: Getting session id for NET(00000011) : db=4F5A7618
    Aug 28 09:55:56 c2811-test 318: Aug 28 07:55:56.656: AAA/ACCT(00000000): add node, session 7
    Aug 28 09:55:56 c2811-test 319: Aug 28 07:55:56.656: AAA/ACCT/NET(00000011): add, count 1
    Aug 28 09:55:56 c2811-test 320: Aug 28 07:55:56.656: WV-AAA: AAA authentication request sent for user: "username"
    Aug 28 09:55:56 c2811-test 321: Aug 28 07:55:56.668: WV-AAA: AAA Authentication Passed!
    Aug 28 09:55:56 c2811-test 322: Aug 28 07:55:56.668: WV-AAA: User "username" has logged in from "31.54.80.206" to gateway "BBSVPN"
    Aug 28 09:55:56 c2811-test 323:              context "BABILON"
    Aug 28 09:55:56 c2811-test 324: Aug 28 07:55:56.668: Getting session id for NET(00000011) : db=4F5A7618
    Aug 28 09:55:56 c2811-test 325: Aug 28 07:55:56.668: WV-AAA: Calling START accounting
    Aug 28 09:55:56 c2811-test 326: Aug 28 07:55:56.668: AAA/ACCT/NET(00000011): Pick method list 'bablist'
    Aug 28 09:55:56 c2811-test 327: Aug 28 07:55:56.668: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
    Aug 28 09:55:56 c2811-test 328: Aug 28 07:55:56.668: WV-AAA: Adding group name pol1
    Aug 28 09:55:56 c2811-test 329: Aug 28 07:55:56.668: AAA/ACCT/EVENT/(00000011): NET UP
    Aug 28 09:55:56 c2811-test 330: Aug 28 07:55:56.668: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
    Aug 28 09:55:57 c2811-test 331: Aug 28 07:55:56.672: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
    Aug 28 09:56:00 c2811-test 332: Aug 28 07:55:59.100: AAA/ACCT/NET(00000011): Pick method list 'bablist'
    Aug 28 09:56:00 c2811-test 333: Aug 28 07:55:59.100: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
    Aug 28 09:56:00 c2811-test 334: Aug 28 07:55:59.104: WV-AAA: Sending TUNL IP (10.192.69.53) addr update
    Aug 28 09:56:00 c2811-test 335: Aug 28 07:55:59.104: AAA/ACCT/EVENT/(00000011): ATTR ADD
    Aug 28 09:56:00 c2811-test 336: Aug 28 07:55:59.104: AAA/ACCT(00000011): Accounting response status = FAILURE
    Aug 28 09:56:00 c2811-test 337: Aug 28 07:55:59.104: AAA/ACCT(00000011): Send NEWINFO accounting notification to EM successfully
    Aug 28 10:00:00 c2811-test 340: Aug 28 08:00:00.162: WV-AAA: Calling STOP accounting
    Aug 28 10:00:00 c2811-test 341: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): Pick method list 'bablist'
    Aug 28 10:00:00 c2811-test 342: Aug 28 08:00:00.162: AAA/ACCT/SETMLIST(00000011): Handle DE000002, mlist 4AA1D1A8, Name bablist
    Aug 28 10:00:00 c2811-test 343: Aug 28 08:00:00.162: AAA/ACCT/EVENT/(00000011): NET DOWN
    Aug 28 10:00:00 c2811-test 344: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
    Aug 28 10:00:00 c2811-test 345: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
    Aug 28 10:00:00 c2811-test 346: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): Accounting record not sent
    Aug 28 10:00:00 c2811-test 347: Aug 28 08:00:00.162: AAA/ACCT(00000011): del node, session 7
    Aug 28 10:00:00 c2811-test 348: Aug 28 08:00:00.162: AAA/ACCT/NET(00000011): free_rec, count 0
    Aug 28 10:00:00 c2811-test 349: Aug 28 08:00:00.162: /AAA/ACCTNET(00000011) reccnt 0, csr FALSE, osr 0
    Aug 28 10:00:01 c2811-test 350: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): Update SSLVPN/4BFEEA58
    Aug 28 10:00:01 c2811-test 351: Aug 28 08:00:00.162: AAA/ACCT/HC(00000011): no HC SSLVPN/4BFEEA58
    Aug 28 10:00:01 c2811-test 352: Aug 28 08:00:00.162: AAA/ACCT/EVENT/(00000011): CALL STOP
    Aug 28 10:00:01 c2811-test 353: Aug 28 08:00:00.162: AAA/ACCT(00000011) reccnt 0, osr 0
    c2811-test#sh webvpn context BABILON
    Admin Status: up
    Operation Status: up
    Error and Event Logging: Disabled
    CSD Status: Disabled
    Certificate authentication type: All attributes (like CRL) are verified
    AAA Authentication List: WEBVPN
    AAA Authorization List not configured
    AAA Accounting List: bablist
    AAA Authentication Domain not configured
    Authentication mode: AAA authentication
    Default Group Policy: pol1
    Associated WebVPN Gateway: BBSVPN
    Domain Name: babilon
    Maximum Users Allowed: 1000 (default)
    NAT Address not configured
    VRF Name not configured
    Virtual Template: 1
    Virtual Access  : 3
    aaa accounting network bablist start-stop group babaaa
    aaa group server radius babaaa
    server 10.192.68.2
    ip radius source-interface Tunnel1
    deadtime 0
    load-balance method least-outstanding
    What have I done wrong?
    Cheers
    Alan

    Thanks for your reply Marcin,
    I have added that debug too and checked the server; I have even added ip packet debug too.
    I simply don't see the packet sent from the box, at all!
    I don't understand why, when the debug shows the accounting packet still being built at
    Aug 28 07:55:59.104
    Why does it report the accounting response failure in the same timestamp?
    Bizarre!

  • WebVPN using External Authentication

    I have a VPN concentrator 3005 that is configured for WebVPN which works great if I login with a local user.
    I would like to authenticate my users through our LDAP. I created a SSLusers group that is setup for external authentication. The SSLusers group works fine when I use the Cisco VPN client to connect (I enter the group name/password in the text boxes, when it connects it asks for the username/password).
    In the logs it shows that it is checking for the user in the Internal server, I want to point it to my ACS box. I feel like there is a check box somewhere that I am missing that tells the concentrator 'if I can't find the user in my local database, check the external authentication server'.
    Any advice on how to get the external authentication working with the WebVPN would be most appreciated. Thanks in advance.

    Thanks Daniel for the suggestion. I tried to add the above, but still received the same error. Is there an additional checkbox that needs to be marked for the base group to search the radius server?
    Authentication rejected: Reason = User was not found
    handle = 686, server = Internal, user = bobeldde, domain =
    It appears to work OK if I log in with 'bobeldde#ssl', where the ssl group is configured for Radius Authentication.

  • Anyconnect Client with IOS Webvpn - Multiple Installs

    Has anyone worked out how to install multiple anyconnect packages (to support different versions)? When I do a webvpn svc install it overwrites the existing platform, and we need to support all of the different platform types. Many thanks

    I just figured out the answer.
    I had a 2.5.60005 version installed on my ASA with Windows NT running.
    I wanted to upgrade to the latest version of the Cisco Secure Mobility Client.
    I put the anyconnect-win-3.1.03203 package at the top, but I did not add the regular expression, and presto.
    I was still able to connect with the win-2.5.6005 anyconnect.
    I even removed the regular expression from the 6005 image and was still able to establish a connection.
    **NOTE** - I was not able to browse to the portal and click start AnyConnect with the 6005 image still on my machine, but I was able to open up the client and connect directly. When I uninstalled the client, connected to the portal and clicked on start AnyConnect, it installed the latest client.
    Please rate helpful post and mark this question as answered.
    Thanks,
    Alex

  • Has anyone used the wiki behind a Cisco WebVPN?

    I'm trying to use the wiki behind a Cisco WebVPN with little success.
    What I think is going on is that as pages are downloaded to the browser, the WebVPN (as it should) translates each link into a WebVPN-specific link (acting essentially as a proxy). When you edit the page and submit, these links get submitted through the web service with the translated links intact, now setting all previously internal links into unusable external links. For some reason the result of this is that a page with links fails to save.
    Has anyone written an APCF (Application Profile Customization Framework) file that might take care of this, or some imaginative proxy bypass rules or something else? I can't believe I'm the first person to use a combo of a Cisco ASA WebVPN and the Snow Leopard wiki. Any other ideas short of using an IPsec VPN instead?

    Ahhh, the days of the Creative Nomad Jukebox MP3 Player. Thanks for bringing back the memories, Apple! I had one of those and the USB 1.1 transfer rate took HOURS to fill the Nomad's 6 GB drive. Once it was full, minor updates to playlists were tolerable.
    So now anyone with a pre-2003 Mac will have to cope with USB 1.1 transfer speeds, specifically iBooks and PowerBooks. Desktop Macs can simply add a USB 2.0 card to resolve that problem.
    Still, the iPod Nano is a huge improvement over the Mini. FireWire would have been nice since the original iPod was a FireWire device. But, to keep the form factor small, they had to decide on only one transfer protocol...so I guess USB 2.0 won.
    Also, Apple will never get rid of FireWire, not even when they start shipping Intel-based Macs. Digital Video is huge, and so is iMovie and Final Cut Pro.

  • Disable csd for webvpn and enable csd for anyconnect

    Hi all,
    I find it very annoying that CSD is being launched when I connect via WebVPN, but I do need CSD when I connect with AnyConnect. Does anyone know how to get this working?
    ASA version 8.4
    regards,
    Gerard

    I know this is a very old post, but I found the solution.  I hope someone that stumbles upon this page will find this info useful.
    As we all know, when navigating to the IP/FQDN of the ASA, as long as the URL is not matched against another connection profile, the DefaultWEBVPNGroup connection profile will be matched.  The solution is to edit the connection profile DefaultWEBVPNGroup > Advanced > Clientless SSL VPN > Group URLs > Add > and here create the URL of the ASA's IP (https://1.2.3.4) or FQDN (https://abc.net).  Then, under "Group URLs", check "Do not run Cisco Secure Desktop (CSD) on client machine when using group URLs ............"
    This will allow you to go to the main portal page and bypass CSD!!
    Unfortunately, with this solution, you lose the ability to select an alias from the drop-down list.

  • Attachment with Microsoft Outlook integration Add-On

    I am facing a problem with the Outlook Integration add-on. The attachment of the document is not getting attached. The message is getting delivered but the attachment is not going.
    Patch Level 25.
    Can anyone help me out?
    Thanks in advance.

    Hello CG,
    Is the attachments path correct, and are the necessary rights given?
    Please try to do this:
    1) Open a document.
    2) Make a Print Preview of the document. Then export this preview file as a JPG image (File->Export To->File->Image). A JPG file.
    3) Send an email for this document and manually attach the JPG file created in step 2.
    4) Try to resend the document.
    Can you also check the event viewer/application log to see if there are any errors?
    SAP Note 693306: Error analysis for e-mails and fax sent via Service Manager
    Hope this is helpful,
    regards,
    Willy
    SAP Business One Forum Team

  • Monitoring WebVPN connections

    Hi folks.
    I'm planning on rolling out WebVPN functionality on our ASAs, but wanted to be able to monitor usage during the initial pilot and thereafter. I'm interested in # of current connections, total # of connections (e.g. high water mark), and hopefully the users that connected.
    Does the newly-released CSM 3.1 provide this functionality via the Management Center for Performance? If not, where should I be looking?
    Thanks.

    Thanks for the link, but I'm already comfortable with the configuration aspect of WebVPN / SSLVPN.
    What I'm really concerned with is the subsequent monitoring of the VPN 'service' after it's deployed. CSM has an add-on called the Management Center for Performance (MCP). It's used to track router and VPN device stats (CPU, memory, etc.) as well as IPSec tunnels, top users, top VPN interfaces, etc.
    I really want to know if MCP can monitor WebVPN statistics. I think I'll have to open a TAC case on this one.
    Thanks anyways. I'll post any results.
