Webvpn / sslvpn problem

Hi,
We have configured WebVPN on a 2811 router through SDM, but the URL addresses specified in SDM are not showing in the client's Internet browser. Router configuration and error screenshots are attached. Please help.
R/Majid

See the config example below:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
HTH

Similar Messages

  • RV220W SSLVPN Problem

    Hello all,
    I do not have a valid SSL Certificate on my firewall but I want to use SSLVPN.
    If I connect to the IP address and the SSLVPN Portal I can choose the sslclient launcher, but after that I get an error that I need an Internet Explorer 64bit or that the active I was blocked because of an unsecure publisher.
    What can I do?
    Regards

    Dennis,
    If you are using a 64-bit version of Windows, below is the link for the SSL VPN connection workaround.
    Download VC++ 2005 64-bit from Microsoft.
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21254
    If this does not resolve your issue please call the SBSC at 1.866.606.1866, open a ticket, and we will try to get the issue resolved for you as quickly as possible.
    Blake Wright
    SBSC Network Engineer

  • IOS SSL VPN problem

    I am implementing a SSL VPN with IOS version 12.4(13r)T5 on a 2801 but when I try to connect to the tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) with https://1.2.3.4/tunnel the ssl vpn client can't connect.
    The error on the router is:
    Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
    Jun 5 16:07:55.755: WV: server side not ready to send.
    The following is the configuration:
    ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
    webvpn gateway ISR2801-RM
     hostname ISR2801-RM
     ip address 1.2.3.4 port 443
     ssl trustpoint TP-self-signed-50153718
     inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context vpn1
     ssl authenticate verify all
     url-list "eng"
       url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
     policy group vpn1
       url-list "eng"
     default-group-policy vpn1
     gateway ISR2801-RM domain clientless
     inservice
    webvpn context vpn2
     ssl authenticate verify all
     policy group vpn2tunnel
       functions svc-enabled
       svc address-pool "WEBVPN"
       svc split include 10.0.0.2 255.255.255.255
     default-group-policy vpn2tunnel
     gateway ISR2801-RM domain tunnel
     inservice

    Thanks for the reply !!!!
    The configuration is the following:
    interface Ethernet 0
     ip address 10.0.0.128 255.255.255.0
    ip http secure-server
    ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
    webvpn gateway ISR2801-RM
     hostname ISR2801-RM
     ip address 1.2.3.4 port 443
     ssl trustpoint TP-self-signed-50153718
     ssl encryption aes-sha1
     inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context context-sslvpn1
     ssl authenticate verify all
     user-profile location flash:webvpn/sslvpn/context-sslvpn1/
     url-list "eng"
       url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
     nbns-list cifs-servers
       nbns-server 172.16.1.1 master
       nbns-server 172.16.2.2 timeout 10 retries 5
       nbns-server 172.16.3.3 timeout 10 retries 5
     login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action."
     port-forward "portlist"
       local-port 30019 remote-server ssh-server remote-port 22 description SSH
       local-port 30020 remote-server mailserver remote-port 143 description IMAP
       local-port 30021 remote-server mailserver remote-port 110 description POP3
       local-port 30022 remote-server mailserver remote-port 25 description SMTP
     policy group policy-sslvpn1
       url-list "eng"
       port-forward "portlist"
       nbns-list "cifs-servers"
       functions file-access
       functions file-browse
       functions file-entry
       citrix enabled
     default-group-policy policy-sslvpn1
     gateway ISR2801-RM domain clientless
     inservice
    webvpn context context-sslvpn2
     ssl authenticate verify all
     user-profile location flash:webvpn/sslvpn/context-sslvpn2/
     policy group policy-sslvpn2
       functions svc-enabled
       svc address-pool "WEBVPN"
       svc keep-client-installed
       svc dpd-interval gateway 30
       svc dpd-interval client 300
       svc rekey method new-tunnel
       svc rekey time 3600
       svc split include 10.0.0.0 255.255.255.0
       svc default-domain cisco.com
       svc dns-server primary 192.168.3.1
       svc dns-server secondary 192.168.4.1
     default-group-policy policy-sslvpn2
     gateway ISR2801-RM domain tunnel
     inservice
    ISR2801-RM#show webvpn install status svc
    SSLVPN Package SSL-VPN-Client version installed:
    CISCO STC win2k+
    2,2,0133
    Mon 05/19/2008 12:58:52.34 v
    ISR2801-RM#
    When I try to connect to SSL context 2 with a client:
    https://1.2.3.4/tunnel
    * The SSL client installed on the PC tells me it can't connect.
    * On the router, the log shows:
    Jun 6 10:28:08.283:
    Jun 6 10:28:08.283:
    Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
    Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
    offset: 0, domain: 0)
    Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
    Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
    Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
    Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
    Jun 6 10:28:08.287: X-CSTP-Version: 1
    Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
    Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
    Jun 6 10:28:08.287: X-CSTP-MTU: 1406
    Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
    Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
    Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
    Jun 6 10:28:08.287:
    Jun 6 10:28:08.291:
    Jun 6 10:28:08.291:
    Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
    Jun 6 10:28:08.291: WV: server side not ready to send.
    SSLVPN sock pid 182 sid 161: closing

  • Monitoring WebVPN connections

    Hi folks.
    I'm planning on rolling out WebVPN functionality on our ASAs, but wanted to be able to monitor usage during the initial pilot and thereafter. I'm interested in # of current connections, total # of connections (e.g. high water mark), and hopefully the users that connected.
    Does the newly-released CSM 3.1 provide this functionality via the Management Center for Performance? If not, where should I be looking?
    Thanks.

    Thanks for the link, but I'm already comfortable with the configuration aspect of WebVPN / SSLVPN.
    What I'm really concerned with is the subsequent monitoring of the VPN 'service' after it's deployed. CSM has an add-on called the Management Center for Performance (MCP). It's used to track router and VPN device stats (CPU, memory, etc.) as well as IPSec tunnels, top users, top VPN interfaces, etc.
    I really want to know if MCP can monitor WebVPN statistics. I think I'll have to open a TAC case on this one.
    Thanks anyways. I'll post any results.

  • WebVPN monitoring

    Does the Cisco Performance Monitor 3.0 (that's a free add-on to the Cisco Security Manager 3.0.1) have the ability to monitor WebVPN / SSL VPN sessions?
    It looks like it supports SSL, but on closer inspection it's for SSL offloading onto cards for the 6500 switches.
    I'm interested in monitoring WebVPN Remote Access sessions, # of users connected, etc., much like it can now for IPSec VPN remote-access connections.
    Anyone know if MCP will be refreshed when CSM 3.1 is released? (Which is WAY overdue, but that's beside the point.)

  • Problems with Port Forwarding for RDP in WebVPN

    Hi,
    I'm hoping somebody can help me solve this problem that's been bugging me for weeks. We recently implemented a double-layer firewall architecture. Before that, our users could access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
    After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
    I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail. 
    I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.  

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading)
    I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
    - Jouni

  • ASA 5510 8.0(2) WebVPN problems

    Hi,
    We have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
    Basically a user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them, and at that point the user is prompted for credentials again. Upon entering them, the message comes up that the access to the resources has been blocked due to security reasons.
    Now to me that makes no sense whatsoever. I have already run the following command:
    auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
    to try to prevent the second credentials prompt, but it doesn't do anything.
    I also tried to capture the webvpn traffic, according to the user manual, but now I have a zip file that contains a bunch of files I cannot read (except in Notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get the capture to display in the browser as described in the manual.
    Can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.

    I wish it was that simple.
    The permissions have not changed at all on the network shares. I can log in to the network locally and have no issues whatsoever accessing the very same shares I am trying to access through the webvpn.

  • SVC WebVPN Problem

    Hi all,
    In the past I had WebVPN on my Cisco 1811 running without any problems. Now I got a new router, a Cisco 2811. My problem is that the SVC package file is not available anymore on the Cisco page.
    What should I use now? What is the actual file?
    Greets

    solved ---> Close

  • WebVPN 4.7 , Citrix 4.0 , JavaClient-Problem

    Hello,
    I have WebVPN 4.7 and Citrix Metaframe 4.0 with WebInterface.
    I configured the Citrix Webinterface as Web Resource at the Concentrator
    and activated the Citrix Support
    All works fine, when I use my local ICA-Client at the Desktop or the ActiveX-Client. But when I try the Citrix-Java-Client I get a java-error-message:
    'java.lang.ClassFormatError: com/citrix/ConnectionCenter (Bad magic number)'
    and the applet doesn't start
    The java-Client works fine when I use it in my LAN, but it seems to have a problem, when it is downloaded through the WebVPN-tunnel.

    Thanks for your reply .
    I found the indexes which got deleted in transaction SPDD under node Deleted Objects .
    >> You can refresh database consistency check using DB02 . This will in addition list out missing tables and indexes in your SAP system. You can create all the missing index in mass using tcode DB02.
    Also I refreshed database consistency check in DB02. This gave me the missing indexes, which are different from what is displayed in the SPDD deleted objects index.
    I want to create indexes which are displayed in SPDD as Deleted Objects. How can I do this?
    Thanks ,
    Rushikesh

  • Problem configuring webvpn using SDM

    Hi all, I'm trying to configure a webvpn gateway and I'm running into a problem with digital certificates. SDM prompts me to create one, so I do, and it says it completed successfully, but still says I need to configure a certificate, and won't let me continue with the wizard. I'm running SDM 2.5 and a 3725 router with 12.4(15)T9 software. Thanks in advance for any help.

    Do not change either the IP domain name or the host name of the router as this will trigger a regeneration of the self-signed certificate and will override the configured trustpoint. Regeneration of the self-signed certificate causes connection issues if the router has been configured for WebVPN. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration. Therefore, if a new self-signed certificate is issued, the new trustpoint name does not match the WebVPN configuration and users are unable to connect.
    http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml#tshoot
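
    The name dependency described in the reply above can be checked offline against a saved configuration. The following Python check is an added example, not part of the original thread or of Cisco's documentation; it assumes indented `show running-config` text, and the sample configuration and all names in it are constructed. It goes beyond the trustpoint case and also flags address-pool and gateway names that are referenced under WebVPN but never defined.

```python
import re

# Constructed sample: the gateway still names an old self-signed trustpoint
# after the certificate was regenerated under a new trustpoint name, and the
# context refers to a gateway name that does not exist.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-11111111
 enrollment selfsigned
ip local pool WEBVPN 10.0.0.140 10.0.0.150
webvpn gateway GW-EXAMPLE
 ip address 192.0.2.1 port 443
 ssl trustpoint TP-self-signed-22222222
 inservice
webvpn context ctx-tunnel
 policy group pg-tunnel
   functions svc-enabled
   svc address-pool "WEBVPN"
 default-group-policy pg-tunnel
 gateway GW-MISSING domain tunnel
 inservice
"""

# Top-level commands that define a name other sections may reference.
DEFINITIONS = {
    "trustpoint": re.compile(r"crypto pki trustpoint (\S+)"),
    "pool": re.compile(r"ip local pool (\S+)"),
    "gateway": re.compile(r"webvpn gateway (\S+)"),
}
# Sub-commands that reference a name, keyed by the section they appear in.
REFERENCES = {
    "webvpn gateway": [("trustpoint", re.compile(r"ssl trustpoint (\S+)"))],
    "webvpn context": [
        ("pool", re.compile(r'svc address-pool "?([^"\s]+)"?')),
        ("gateway", re.compile(r"gateway (\S+)")),
    ],
}


def audit_webvpn(config_text):
    """Return (kind, name, section) for every WebVPN reference to an undefined name."""
    defined = {kind: set() for kind in DEFINITIONS}
    refs = []
    section = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented line opens a new top-level section.
            section = line
            for kind, pattern in DEFINITIONS.items():
                m = pattern.match(line)
                if m:
                    defined[kind].add(m.group(1))
            continue
        for prefix, patterns in REFERENCES.items():
            if section.startswith(prefix):
                for kind, pattern in patterns:
                    m = pattern.match(line)
                    if m:
                        refs.append((kind, m.group(1), section))
    # Resolve after the whole file is read, so definition order does not matter.
    return [(k, n, s) for k, n, s in refs if n not in defined[k]]


if __name__ == "__main__":
    for kind, name, section in audit_webvpn(SAMPLE_CONFIG):
        print(f"{section}: {kind} '{name}' is not defined")
```
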

  • WebVPN-Problem with Digital Certificate and AAA

    Hello everyone,
    I have a problem while configuring WebVPN on ASA 5520 using AAA and a Microsoft digital certificate (MSCEP).
    Currently, the WebVPN service is enabled and it worked well with AAA (local or external) only.
    But now I want to use both AAA and a certificate to be most secure; I mean that the users will be authenticated 2 times (first, it is checked by a valid certificate, then user/pass is the second one).
    Here are the details:
    I tried installing a CA server (Microsoft CA service combined with SCEP) and registering the ASA with the CA server (ASA works as subordinate CA) --> these steps are OK, the ASA has registered, then the client uses a web browser to request the CA and it's issued by the CA administrator, then it is installed on the web browser.
    Testing:
    The client tried to test by accessing the SSL VPN; the welcome WEBVPN message prompts for user/pass, but the message is "Logon Failed" before I give user and pass.
    Does anyone know and advise ?
    Thanks
    Khanh

    Hi all,
    Here are the attached files for my issue,
    Khanh

  • WebVPN flash based website loading problem

    We are using Cisco ASA WebVPN, ASA version 8.2(2).
    Problem: Flash-driven website is not loading, especially for Mac users.
    The same website is accessible from Windows-based machines.
    Initially the user logs in to WebVPN and has 2 bookmarked links for the same website.
    The first website is for Windows users and the other is for Mac users.
    The only difference is that the Windows users' bookmark is configured with Smart Tunnel and the Mac one is not.
    The website does open for the Mac user, but it's just not loading the content (Flash contents).
    Could someone provide inputs to resolve this problem?
    Thanks in advance.

    That was a waste of a couple hours.... The reason it was not rendering is because I had a glow filter effect on a parent
    displayobject in the app... Really weird, cause html stuff would load, but flash would not show up.

  • Problem with Java-based application and WebVPN

    Hello. Could you please help me find out any specification/known limitations in using Java-based applications through WebVPN in Cisco ASA 5520 v8.3(2).
    A customer of mine has got in trouble in using a Java viewer for graphical files that is invoked by another application (this one correctly served via WebVPN), that cannot be launched because JVM does not find it (NullPointer).
    Our suspects are generically about the URL rewriting of the WebVPN and/or unsupported configuration in the ASA SSL certificates vs Java.
    Any hint about where to search or what to try?
    Thanks.

  • ASA 8.2(1) WEBVPN ntlm authentication with internal sharepoint problem

    I have added internal sharepoint site in ssl vpn bookmark and setup all required permission , but after the user enter his credential in web authentication form , the connection reset with the server, when I used wireshark to sniff the traffic from ASA to sharepoint server I found that ASA does not send NTLMSSP_AUTH, User request.

    Hi Oscar,
    That's the reason why I requested that information.
    Remember that we strongly encourage you to upgrade to a fully tested Maintenance or Feature  release when it becomes available.
    For instance the release notes doc for 8.2.x does mention SharePoint 2007, but not 10. On the other hand, the specific release notes for 8.2.5 include information about 2010, please be aware of this bug:
    CSCtn99416
    WebVPN: Dropdown menu doesn't work in customized SharePoint 2010
    I am glad to know you fixed the issue by upgrading the ASA to 8.2(5).
    Please mark this post as answered and rate any helpful posts.
    Portu

  • SSLVPN/webvpn in multiple context mode?

    We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
    So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back-end.
    As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
    Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

    If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
    Sent from Cisco Technical Support iPad App