SSL VPN using ASA 5520 in cluster mode - several problems

Answered Question
Jul 22nd, 2008

I have configured 2 ASA 5520s in cluster mode for load balancing. I connect using AnyConnect and I download the client the first time, and everything works fine except Outlook. I am not sure why Outlook does not work.


The second problem is after the AnyConnect client is installed on your machine, it remembers which ASA (say ASA2) it connected to first and the GUI shows the IP address of ASA2 instead of the virtual IP of the cluster. I want users to always connect using the virtual IP.


The third problem I have is there is a default SSL VPN group and I want all users to use that group. In the initial web page, there is a drop-down menu that shows only this group, but I still want to disable that pull-down menu.


Any suggestions?

Correct Answer by ggilbert (Cisco Employee), Wed, 07/23/2008 - 11:52

To disable the drop-down menu, you can disable it with the command


webvpn

no tunnel-group-list enable


This will take care of your last issue.


***************************


You can create a profile for the AnyConnect client with the server name that you want to connect with and push that through the ASA, which will solve your virtual IP problem.


**************************


With regard to Outlook, do you use any specific ports that can be used by the ASA to do inspection? Take a look at the inspection list on the ASA and maybe try to disable inspection and see if it works.


*****************************


mchockalingam Thu, 07/24/2008 - 14:58

Thank you very much for your help.


The no tunnel-group-list enable did the trick. I have a profile now that solved connecting to the virtual IP.


As far as Outlook goes, I think it is the MTU problem. I also have a problem with web browsing. On one PC, I have the IPSec VPN client installed, which comes with the SET MTU utility, and I set the MTU to 1300 for the Cisco AnyConnect VPN connection and it solved the problem.


On another machine, I do not have any MTU utility and I did not want to change any registry settings. Plus, I cannot expect everyone in my company to change the settings on their PC.


I wonder why setting the MTU on the outside interface of the ASA to 1300 did not take effect. Do I need to change the MTU for SSL VPN connections some place else?


Any ideas?
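The three settings discussed in this thread (hiding the tunnel-group list, pushing a client profile that points at the cluster virtual IP, and the SSL VPN client MTU) can all live in one ASA configuration. The following is an added, constructed example, not config from either poster; the virtual IP 203.0.113.10, the cluster key, the package file name and the profile name are placeholders, and the profile XML is a minimal constructed file.

```text
! ---- ASA 5520 running-config fragment (constructed example) ----
! VPN load balancing: 203.0.113.10 is the cluster virtual IP that
! clients should always dial (placeholder address).
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster key CLUSTER-KEY-PLACEHOLDER
 participate
!
webvpn
 enable outside
 svc image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 ! profile pushed to the client on its next connection
 svc profiles vpnprofile disk0:/AnyConnectProfile.xml
 svc enable
 ! hides the tunnel-group pull-down on the login page
 no tunnel-group-list enable
!
group-policy DfltGrpPolicy attributes
 webvpn
  svc profiles value vpnprofile
  ! MTU of the client's SSL VPN virtual adapter; this is set here,
  ! per group policy, not by "mtu outside 1300" on the interface
  svc mtu 1300
!
! ---- disk0:/AnyConnectProfile.xml (constructed) ----
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <!-- display name shown in the client GUI -->
      <HostName>Corporate VPN (cluster)</HostName>
      <!-- cluster virtual IP, so the client no longer remembers
           the individual ASA it first reached -->
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

After the profile is pushed, verify with "show running-config webvpn" and "show vpn load-balancing" that the list is disabled and the virtual IP is active; a client that still shows a member IP has not yet reconnected to receive the profile.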
