ASK THE EXPERT - SSL VPN

Aug 8th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the Cisco ASA SSL VPN solution which enables organizations to securely provide network access to a broad array of users. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco Adaptive Security Appliance (ASA). He also works on documentation, partner and system engineer trainings.


Remember to use the rating system to let Kiran know if you have received an adequate response.


Kiran might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 22, 2008. Visit this forum often to view responses to your questions and the questions of other community members.


hillegas Fri, 08/08/2008 - 11:07

I'm having a problem supporting SSL VPN access and clientless SSL VPN access simultaneously on an ASA running 8.0.2. The SSL VPN clients authenticate with a smart card and the clientless access uses RSA keyfobs. In order for smart card authentication to work, the require client certificates option must be enabled on the outside interface. However, this prevents clientless users from working unless they have a valid PKI cert, which they won't. Unless I'm missing something, I need another ASA to support this dual functionality?

ksirupa Fri, 08/08/2008 - 13:43

Unfortunately this is a limitation today. Once you've enabled certificate based authentication, everyone will be prompted for one even if their particular group doesn't require one. We have this on our list to investigate whether it can be resolved in a future release.


Note: Just to be clear, your clientless users would still be able to connect even if they don't have a valid certificate. They will have to click through (i.e. hit cancel) the Certificate request dialog box to get to the authentication prompt. I understand it affects end-user satisfaction because of the confusion and inconvenience.

sunyu@eccom.com.cn Tue, 08/19/2008 - 01:31

You can configure two tunnels, one authenticating with smart card, the other using RSA keyfobs.

When you use clientless SSL VPN, you must choose the right tunnel name.

ksirupa Tue, 08/19/2008 - 12:47

You are correct that the end-users need to choose the right tunnel name. However, if one of the tunnel-groups has "Certificate" authentication turned on, all the users connecting to the ASA will be prompted for a "certificate". The end-user can hit the "cancel" button and then they can choose the right tunnel group.


Bottom line: The query for certificate happens even before you have the choice to select the tunnel group.

sding2006 Tue, 08/19/2008 - 05:12

Hi Kiran,


I am deploying an ASA5540. One thing I am running into now is that the OSPF Reverse Route Injection is taking some time (2-3 minutes) to be injected into my backbone.


I am running 8.0(4) code.


route outside 0.0.0.0 0.0.0.0 192.168.250.169

route inside 0.0.0.0 0.0.0.0 10.10.38.1 tunneled


and I am running OSPF NSSA on the inside interface with my backbone network.


The ospf configuration is very similar to the

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

except that I am running NSSA instead of area 0. I have the route-map for controlling the reverse route injection.


Once I configured the RRI, I can see the static route in "sh route" on the ASA. But when I do "sh ospf database adv-router insideIP", the injected route is not in the database. After 3-5 minutes, it will then show up in the database and get redistributed to my backbone.


Any thoughts on this?


Thanks.


BTW, thanks for the answer on DAP performance impact, ssh plug-in and interface virtualization questions I asked.


ksirupa Tue, 08/19/2008 - 22:51

We need a lot more info than what's described here to know what's going on.


A 'show tech' from both the adjacent routers and the ASA, and some show commands:


Show ospf neig

Show ospf data


from both the router and the ASA would help.


I think it is best to open a TAC case for this problem.


sding2006 Wed, 08/20/2008 - 09:03

Thanks Kiran. I opened a case with TAC.


BTW, this ask expert session has been so helpful. We really appreciate your good work.


Regards,


Shiling

jjohnson36 Fri, 08/08/2008 - 22:11

Kiran,


I understand that I need the licenses for SSL VPN. I have an ASA5550. How do the licenses work? If I have 100 concurrent users, do I need 100 licenses?


Can you set up both SSL VPN and IPSEC on the same ASA? When would you prefer AnyConnect over the VPN client?


Thanks.


Jill

ksirupa Fri, 08/08/2008 - 22:41

Hi Jill,


Yes, you are right, you would need to buy SSL licenses. And you are correct that if you expect a max of 100 concurrent users connecting to the ASA at any given time, you would need to budget for 100 licenses.


Yes, you can set up both SSL and IPSec on the same ASA. The ASA 5550 platform allows a maximum of 5000 remote access VPN users. This 5000 is the limit for IPSec and SSL sessions combined. You can buy the SSL license in blocks of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000.


Below are some of the reasons to prefer SSL over IPSec:


a) It is possible that firewalls or other security gateways block the IPSec (ESP/AH) traffic. However, SSL VPN uses port 443 which is ubiquitous.


b) With the SSL VPN solution, you can have either clientless or client access.


In clientless mode, the users can use any regular internet browser and connect to the security gateway. They don't need to install any software.


The SSL based AnyConnect VPN Client delivers the same functionality as a regular IPSec VPN client by providing full-tunnel access and a dedicated IP address to the endpoint. In addition, the AnyConnect client is dynamically downloadable, thereby eliminating administration associated with VPN client software updates.


c) The SSL solution enables posture assessment of the endpoint. Based on the endpoint trust level, the administrator has the flexibility to apply a customized security policy for the VPN connection. For example, you can enforce that any employee accessing from an internet kiosk machine will be limited to clientless access only.


d) With the SSL solution, you can also enable "Cisco Secure Desktop", which ensures that cookies, browser history, temporary files, and downloaded content do not remain on a system after a remote user logs out or an SSL VPN session times out. CSD increases protection against data theft and client system malware (malicious software) by encrypting all data and files associated with or downloaded during the SSL VPN session.


Hope this helps. Please ask again for further clarification.

jjohnson36 Mon, 08/11/2008 - 12:11

Kiran,


Thanks very much for taking time to explain. Now, I have a better understanding about SSL.


1. Since SSL VPN requires licenses, is it possible to set it up without a license to see how it works?


2. Since we can set up both SSL and IPSEC, do we have control over which user uses SSL and which user uses IPSEC?


3. For Cisco Secure Desktop, do we just install one application and all the users can access it? For example, if we install Microsoft Word or Outlook, all the Remote users can access the application remotely.


4. If we want to deploy Cisco Secure Desktop and the application is Payroll, would you recommend SSL VPN since it is web based?


5. If our Remote Branches grow and we expect 2500 concurrent users at any given time, do you foresee any traffic congestion problems if we use IPSEC client?


Thanks.


Jill

ksirupa Mon, 08/11/2008 - 14:41

Hi Jill,


1. Since SSL VPN requires licenses, is it possible to set it up without a license to see how it works?


[KS] Yes, each ASA comes with two free SSL licenses. So, you can use the "SSL VPN Wizard" to quickly set up your SSL VPN for evaluation purposes.


2. Since we can set up both SSL and IPSEC, do we have control over which user uses SSL and which user uses IPSEC?


[KS] Yes, you can create multiple groups and allow different connection methods for each group.


3. For Cisco Secure Desktop, do we just install one application and all the users can access it? For example, if we install Microsoft Word or Outlook, all the Remote users can access the application remotely.


[KS] In clientless mode, the ASA hosts a limited number of applications such as Remote Desktop, VNC, SSH, Telnet, Sametime and Citrix. In addition, if the end-user's device already has the Word or Outlook applications installed, they would be able to access the applications securely within the secure desktop. Once they disconnect from the VPN, all the sensitive data will be erased.


4. If we want to deploy Cisco Secure Desktop and the application is Payroll, would you recommend SSL VPN since it is web based?


[KS] Yes, web-based applications can be easily supported in SSL Client-less mode. Your end-users won't have to download any client and the sensitive data can be erased using Cisco Secure Desktop after disconnect.


5. If our Remote Branches grow and we expect 2500 concurrent users at any given time, do you foresee any traffic congestion problems if we use IPSEC client?


[KS] The ASA 5550 should be able to handle 2500 concurrent users. Your throughput may vary based on the applications and their packet sizes. I also recommend implementing a VPN load-balancing cluster so that you always have a backup. Alternatively, you can create an active/standby pair for high availability.

talha_490 Sat, 08/09/2008 - 05:21

I have configured an SSL VPN using the Cisco AnyConnect SSL VPN client and Cisco Secure Desktop. The purpose is to give the client secure access to his application to the database available at the central site. The application is installed in various directories on a Windows 2003 system. The user is able to establish the VPN; the SSL VPN client and Cisco Secure Desktop are downloaded to the machine, a secure desktop appears and he is in the desktop. Once he tries to access the directory by clicking on the My Computer icon available on the desktop, he does not see the directory where his application is installed. Moreover, there are a lot of directories which do not appear on the secure desktop. Once he switches from the secure desktop to the normal desktop, the directories are available. Because the directories are not available, his application is not able to run from the secure desktop; however, from the cmd he can ping the servers. How can I make the application run and make those directories available in the secure desktop?


ksirupa Sat, 08/09/2008 - 08:09

Cisco Secure Desktop does not allow applications to be installed whilst in the SD Vault/space, but uses the default applications (under Program Files) already installed on the client PC. Secure Desktop Only Supports Applications Installed in the Default Location. For increased security only applications installed under the Windows and Program Files directories are accessible under the Secure Desktop. Secure Desktop does not support or allow access to applications not found in these default installation locations.

talha_490 Sat, 08/16/2008 - 23:48

I switched over my desktop and came to my normal desktop. From there I tried to connect to the application and it was connecting. But once I create a VPN session and disconnect, I am unable to access my local LAN. However, when I have a VPN connection I am not able to, as my split tunnel policy is tunnel all. But once I disconnect, I am not able to communicate with my local LAN unless I restart my computer. I have not observed these things myself, as the users are at a remote location; however, with my machine I do not face this problem. Do you have any idea of what the probable cause can be?

ksirupa Mon, 08/18/2008 - 09:47

Please let me know the version of ASA and the version of CSD? If using AnyConnect, which version of AnyConnect? Also, please provide details about the End-point. Which operating system and browser? And, if possible, please share your application details. Does the application work properly if you don't enable the secure-vault option? I mean, is this specific to the CSD secure vault?


On the flip side, you may also open a TAC case for a more detailed, live and advanced troubleshooting session.

talha_490 Mon, 08/18/2008 - 11:54

ASA Version 8.0(3)


csd image disk0:/securedesktop-asa-3.2.1.126-k9.pkg


svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1


MS Windows xp and vista


They told me that they are not accessing the application through the secure desktop but switching over the desktop and using it from there. This is only happening with 2 users.

It is an Oracle based application. I do not know much about it.


ksirupa Mon, 08/18/2008 - 12:49

Hi,


Your CSD version doesn't support the secure vault on Vista. So, your users must be encountering this problem on Windows XP only.


Our engineering has not seen this issue, so they are asking to upgrade the ASA and CSD to the latest code and confirm the results for these two users with XP.


http://www.cisco.com/cgi-bin/tablebuild.pl/asa


ASA: 8.0.4

ASDM: 6.1.3

AnyConnect: 2.2.0136

Cisco Secure Desktop: 3.3.0129

Plug-ins for RDP, VNC, SSH/Telnet, post-plugin.


Please note that in CSD 3.3, there is no support of AnyConnect within the vault for Vista.

talha_490 Sat, 08/09/2008 - 05:46

I have configured a Clientless SSL VPN on the ASA to give access to 5 applications. Among those 5 applications, the one which is Oracle based is not working. I have simply published the 5 URLs on the screen. The main page is also coming up. Once he puts in his credentials, it goes to a wrong URL. Below is the response from the programmer.



Oracle Forms applications don't work thru the VPN.

Oracle Forms application is actually java code which runs in a JVM (JInitiator for Oracle Forms) and it communicates with Oracle Forms application server over http.

Look at attached java-log.txt, this is dump of the communication between JInitiator and Oracle Forms application server.

I have attached cisco-java-log.txt which is the dump of communication between JInitiator and Oracle Forms application server over VPN.

Please look at the attached java-log.txt (direct communication dump) at line 31. The corresponding line for VPN communication dump is in cisco-java-log.txt at line 83.

The URL in cisco-java-log.txt is bad, some HTML is injected on the URL which is coming from the VPN client component. When this bad URL goes to the forms server it throws a communication error.

It seems CISCO VPN client is not preparing the URL properly for some reason beyond my understanding.

---------------------------------------

You can see in both log files that the URL used to access the server is wrong.

What is the possible cause? How should I go about this?

ksirupa Sat, 08/09/2008 - 08:24

Have you enabled Smart Tunnels option for this application? Also, make sure to try this application through IE browser.


You can create a bookmark for this application in the web-portal and then enable "Smart Tunnel Option" for this bookmark.


I hope this resolves the problem. Otherwise, please contact the Cisco TAC for further detailed troubleshooting about this.


You can read more about the Smart Tunnel feature at: http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html

talha_490 Wed, 08/13/2008 - 04:22

Hello Ksirupa,


I have enabled the smart tunneling option by going into the bookmark, but the problem is the same. Earlier it was not loading the jar file, but later on, after clearing the cache, it loaded it. Following is the response from the programmer.

----------------------------

The jar file loading problem is sorted out. I cleared the jar cache and now it can load the jar file.

But the earlier problem is still there. Still the CISCO client is messing up the URL being sent back to the Oracle Forms server.

You can use the log file and problem statement I had sent to you earlier for reporting the case.

--------------------------------


He has sent me the screen snapshot for the error. I am attaching it again.



Before that I will tell you how I have enabled the smart-tunneling. I went into the bookmark, edited it and came into the url-list of the Oracle server. There I enabled the smart-tunneling option. I have gone through the following pdf file.



ksirupa Wed, 08/13/2008 - 21:44

Hi,


Yes, you enabled the Smart Tunnels correctly.


I think we explored all the easy options to debug. The next step would be to contact Cisco TAC for further detailed and advanced troubleshooting.


I am wondering if they would be able to develop an APCF (Application Profile Customization Framework) file for you after further troubleshooting.

eblizard Sun, 08/10/2008 - 16:28

I would like to migrate IPSEC VPN clients to SSL in the near future. However, I am running into issues with some features. The backup function of AnyConnect, similar to the "backup server" function of the IPSEC client, does not seem to function correctly. If an ASA fails to respond to AnyConnect (simulated external link failure), the backup does not roll to another host defined in the XML config, forcing a user to manually choose a different connection entry. Also, I foresee this being an issue because the client automatically connects to the last used connection. Any changes planned in this area?

ksirupa Tue, 08/12/2008 - 08:59

Hi,


The following Cisco defect matches the problem that you described:


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj88360


This defect was resolved in the recently released (Aug 8th) AnyConnect 2.2.0136 release.


You can download this latest version at:


http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect


With this latest release, you can also disable the "startup AutoConnect behavior". However, you would need to add an entry to the AnyConnect profile.


false


The setting, as shown above in the profile XML file will disable the auto connect behavior.

eblizard Fri, 08/15/2008 - 09:09

Fantastic. Thanks for the response. Are there any release notes specific to this latest version?

ksirupa Fri, 08/15/2008 - 10:04

Thank You. I would appreciate if you can rate my post as well.

stlieser Tue, 08/19/2008 - 02:24

Hi Kiran,

I need help with my Clientless SSL VPN configuration.


I have configured all Java plugins (RDP, SSH, Citrix...). And they are all successfully imported. If I connect to my WebVPN, I can select "RDP:", "SSH:" and "ICA:".


My problem is that all Java plugins only work if I am directly connected to the WebVPN. If I access my WebVPN through a proxy (configured in my browser), the Java plugins don't work.


I troubleshot this failure and my result is:

If I select "RDP:", fill in an IP address of my internal network and click on "Browse", the .jar files (the RDP plugin has only one .jar file) are downloaded to my client. After downloading these files, they are started by Java. And at this point I get my connection failure. I observed my Java logging and found the following entry:


network: Verbindung von socket://webvpn.sul.de:443 mit Proxy=DIRECT wird hergestellt


All communication including the download of the .jar files is sent over the proxy of my browser. But after the download, Java starts the plugin and tries to connect to my ASA directly.


I think this is a problem with the plugin. The plugin should use the proxy of the browser. And yes, I have checked my Java configuration on my client. It is set to "Use Browser Settings".


Do you have any ideas to fix my Problem?


Kind Regards

Ralf

stlieser Tue, 08/19/2008 - 23:52

Hi,

What a pity. I have already configured Smart Tunnels for different kinds of connections: RDP, ICA, SSH... But then you have to install the client on the workstations.


But thanks for the answer

mchockalingam Tue, 08/19/2008 - 13:17

Kiran,


I am testing AnyConnect 2.2 SSL VPN and sometimes I run into a problem where the XML profile does not get pushed to the client. I think this happens when the default directory for XP, c:\documents and settings\all users\application data\cisco, does not exist.


When the profile is missing on the client's machine, bringing up AnyConnect leaves the "connect to" field blank the first time, even though they went to the website and downloaded the full client.


How can I force the xml profile to be pushed?

ksirupa Tue, 08/19/2008 - 17:01

Hi,


I hope the note below helps with your problem. If not, please let me know.


Profile file location:


1) On Windows 2000/XP the default profile file (e.g. CiscoAnyConnectProfile.xml) is in the directory: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile



2) The location for Vista is slightly different: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile


The host that appears in the "Connect to" combo box will be the first one listed in the profile or the last host you successfully connected with.


3) For MAC and Linux the profile file is found in the /opt/cisco/vpn/profile directory .


Note 1: The .xml file must be located in these directories. It will not work if located in a different directory, say under instead of All Users.


Note 2: You may have multiple profile files with an .xml extension. All the .xml files in the profile directory will be parsed and the resulting XML tag aggregation presented to the AnyConnect user.


For example, if profileA.xml had a VPN-A.company.com entry and profileB.xml had a VPN-B.company.com entry, the AnyConnect GUI "Connect to" field would show 2 entries: VPN-A.company.com and VPN-B.company.com


Deploying the profile:


You can push the profile from the ASA to the client PC by specifying the CLI "group-policy-webvpn-svc-profiles" command.


In ASDM it is performed in Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > SSL VPN Client, "Client Profile to Download" parameter.
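As an added example (not from the thread and not Cisco's code), the profile aggregation Kiran describes above can be reproduced in Python: every .xml file in the profile directory is parsed, the HostEntry elements are merged, the first one becomes the default "Connect to" entry, and a missing profile directory (the situation reported in this thread) is reported explicitly instead of silently yielding an empty list. The ServerList/HostEntry/HostName/HostAddress layout, the namespace, and the host names are assumptions made for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample profiles with hypothetical host names. The element
# layout ServerList/HostEntry/HostName/HostAddress is assumed here; the
# first file also carries a default namespace so the parser has to cope.
PROFILE_A = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN-A</HostName>
      <HostAddress>VPN-A.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

PROFILE_B = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>VPN-B</HostName>
      <HostAddress>VPN-B.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}HostEntry' -> 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]


def hosts_in_profile(path):
    """Return [(HostName, HostAddress), ...] found in one profile file."""
    hosts = []
    root = ET.parse(path).getroot()
    for node in root.iter():
        if _local(node.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("HostAddress"):
            hosts.append((fields.get("HostName", ""), fields["HostAddress"]))
    return hosts


def connect_to_entries(profile_dir):
    """Aggregate every *.xml in profile_dir, in name order, like the client.

    Returns (entries, problem). 'problem' is a short diagnostic when nothing
    can be offered: an absent directory is exactly the case from the thread,
    where the "Connect to" box stays blank.
    """
    if not os.path.isdir(profile_dir):
        return [], "profile directory missing: %s" % profile_dir
    entries, seen = [], set()
    for name in sorted(os.listdir(profile_dir)):
        if not name.lower().endswith(".xml"):
            continue
        for host in hosts_in_profile(os.path.join(profile_dir, name)):
            if host[1] not in seen:          # same address in two files: keep one
                seen.add(host[1])
                entries.append(host)
    if not entries:
        return [], "no HostEntry found in any .xml under %s" % profile_dir
    return entries, None


def default_host(entries):
    """The first listed host, shown before any successful connection exists."""
    return entries[0][1] if entries else None


def demo_profile_dir():
    """Write the two constructed profiles into a temp directory; return its path."""
    d = tempfile.mkdtemp(prefix="anyconnect-profile-")
    with open(os.path.join(d, "profileA.xml"), "w") as f:
        f.write(PROFILE_A)
    with open(os.path.join(d, "profileB.xml"), "w") as f:
        f.write(PROFILE_B)
    return d


if __name__ == "__main__":
    path = demo_profile_dir()
    entries, problem = connect_to_entries(path)
    print(entries, problem, default_host(entries))
    print(connect_to_entries(os.path.join(path, "does-not-exist")))
```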

mchockalingam Tue, 08/19/2008 - 19:49

Kiran,


Thank you so much for your reply.


Where would you think the problem could be if the profile is missing on some of the clients? The profile gets pushed to the clients using the steps you mentioned.


I tested on 2 XP machines and on one I had the profile, whereas on the second machine there is no profile. The only difference I see between the 2 machines is the c:\documents and settings\all users folder missing on the one that had no profile.


MC

ksirupa Tue, 08/19/2008 - 21:09

From Note 1 in my earlier post, it seems that since your XP machine doesn't have the All Users directory, the profile is not working as expected. I am pasting it again.


Note 1: The .xml file must be located in these directories. It will not work if located in a different directory, say under instead of All Users.


Can you try creating the directory?

mchockalingam Wed, 08/20/2008 - 03:24

Kiran,


Thank you! Sorry that I somehow missed the note about the All Users directory in your previous post.


It works if the directory is manually created. But this would be a problem in our environment where people just expect it to work as soon as they install it and most of the time they do not read instructions.


One option would be to direct them to go to the web page every time. The second option would be to fill out the host name in the "connect to" field manually the first time.


Can you think of any other option?


I have another question regarding SSL certificates.


We were testing SSL with self-signed certs and we have 2 ASAs in cluster mode.


When people connect using SSL, it was creating 2 warnings, first one for the cluster's virtual IP and the second warning when their connection gets load balanced to one of the 2 ASAs.


Now, I have 2 certs from a trusted CA and I associated the cert with the virtual name to the outside interface of the ASAs. I also installed the cert on each ASA that belonged to its hostname. Now clients get one warning when they connect saying the certificate name does not match.


I tried a couple of other things but nothing helped. How do I solve this problem?

ksirupa Thu, 08/21/2008 - 22:33

I couldn't come up with any other options.


For the second question, I have attached an application note. I hope you find it useful to resolve the problem.


You might need to add the following to the vpn load-balancing config, because without it all redirects are done to the ASA IP addresses, which will usually mismatch the certificate.


vpn load-balancing

redirect-fqdn enable


If you still see the problem, please contact our TAC and we can continue the investigation. Please include your running configs from all the devices.

satishcp Mon, 08/11/2008 - 04:35

Kiran,


I need your help in resolving this.


I'm unable to export the identity certificate being used for the WebVPN URL on an ASA 5540. When I click on the Export button through ASDM, I get an error "the certificate cannot be exported, because it does not have a CA certificate associated with it".


I need to export this certificate to configure one more box on the same network. Can you please let me know what needs to be done to export the cert in PKCS format? Also let me know in case any CLI command is available to do this.


Regards,

ksirupa Mon, 08/11/2008 - 10:28

Satish,


Your symptoms match the Cisco defect: CSCsj40088

(http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj40088)


ASDM: Unable to export ID cert when CA cert is not present


Symptom:

Exporting the ID certificate of a trustpoint that doesn't contain a CA cert fails using ASDM.


Workaround:

Use the CLI to export the ID cert and it will work OK using this command: "crypto ca export identity-certificate". Alternatively, you could use the CLI to authenticate the trustpoint as well, and then ASDM wouldn't complain.


pankaj.kakade Mon, 08/11/2008 - 22:58

Hi Kiran,


Recently we did a rollover from IPsec VPN to SSL VPN. But the SSL VPN was very slow compared to IPSec VPN for accessing the corporate applications. So we had to roll back the SSL VPN.


Can you suggest any troubleshooting?


Pankaj


ksirupa Tue, 08/12/2008 - 00:17

Hi Pankaj,


It was not clear whether you tried the clientless mode or client mode. Either way, I would suggest upgrading the ASA to at least 8.0.3(19) or later as there have been some important bug-fixes.


In addition, in case of AnyConnect client, it will be interesting to find out whether DTLS was negotiated or not. For many latency sensitive applications DTLS is supposed to give better performance than TLS.


If possible, please reply with the type of applications, whether you enabled CSD host scan, secure vault etc., and whether it's client mode or clientless mode.

pankaj.kakade Tue, 08/12/2008 - 01:05

Hi Kiran,


Thanks for quick response.


It's client mode we are using.


We have asa803-k8 on the ASA. Do we need to upgrade this?


DTLS negotiation is enabled for this VPN service and CSD is also enabled.


We are using Citrix, Lotus Notes and Cisco IP Soft Phone on the VPN.


Pankaj







ksirupa Tue, 08/12/2008 - 01:35

Hi Pankaj,


Even though DTLS is enabled in your configuration, it is possible that a firewall or other security gateway blocked the UDP requests from the client. So, please make sure that when you connect using AnyConnect, its "Status" indeed shows the negotiated protocol as "DTLS".


I am not sure if you deployed the Secure Vault. If so, we could try disabling CSD to isolate the performance issue.


In addition, upgrading to asa803-19-k8 is one option, but I am not sure if your production environment allows you to do so. Keep in mind that you would also need to upgrade to the latest versions for AnyConnect, ASDM and CSD as mentioned here:


http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html


ASA: 8.03.1 to 8.1

ASDM: 6.0.3 to 6.1.1

CSD: 3.3.0.118+

AnyConnect: 2.2.0133+


I will get back to you if I find any better information about this.


pankaj.kakade Tue, 08/12/2008 - 03:06

Hi Kiran,


I have checked that the transport protocol in AnyConnect is DTLS.


Except for the ASA version, the other required software versions are as per your suggestion.


Secure Vault is not configured (or please suggest how to check), but we have Policy Inspection configured on the device; does that make any delay?


I have a TAC case open with Cisco but no update from Cisco for a week.


I tried the Cisco Output Interpreter to see if there is a configuration issue. It doesn't show any error.




ksirupa Tue, 08/12/2008 - 23:43

Hi Pankaj,


Yes, policy inspection does have an impact on performance.


Since you already have a TAC case open, I suggest you continue the conversation with them for detailed troubleshooting.

NewBloke01 Tue, 08/12/2008 - 02:26

I have an ASA at the data centre and to connect via an IPSEC VPN I have a crypto map within my branch routers; this calls the access list "Encrypt" that encrypts interesting traffic and forwards that traffic via the VPN to the ASA.


At one branch I have a partial failure in that quite a lot of traffic is going through, but traffic to one site is not being encrypted and is not even incrementing the access list. The output of "show access-list Encrypt" has the following:

550 permit ip 10.30.68.0 0.0.0.255 10.21.22.0 0.0.0.255

560 permit ip 10.30.68.0 0.0.0.255 10.21.110.0 0.0.0.255 (47 matches)

570 permit ip 10.30.68.0 0.0.0.255 10.21.237.0 0.0.0.255

580 permit ip 10.30.68.0 0.0.0.255 10.30.11.0 0.0.0.255


If I ping from the 10.30.68.1 interface to 10.21.110.1 I get the following:

550 permit ip 10.30.68.0 0.0.0.255 10.21.22.0 0.0.0.255

560 permit ip 10.30.68.0 0.0.0.255 10.21.110.0 0.0.0.255 (57 matches)

570 permit ip 10.30.68.0 0.0.0.255 10.21.237.0 0.0.0.255

580 permit ip 10.30.68.0 0.0.0.255 10.30.11.0 0.0.0.255


As you can see the hit count has incremented; however, when I ping 10.30.11.1 from the interface 10.30.68.1 I register no hits at all and the ping fails. I can't seem to get access to the 10.30.11.0 network. Any ideas? This is driving me crazy.


Thanks


Tim
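The wildcard-mask evaluation behind the hit counters in Tim's output can be checked offline. This added example (not part of the thread) parses the four entries quoted above and reports which entry, if any, a given source/destination pair would hit, using first-match semantics as the router does; it also accepts the 'host' and 'any' specifiers, which go beyond the lines shown here.

```python
import ipaddress
import re

# Constructed copy of the four 'show access-list Encrypt' entries quoted in
# the post above; the counter on entry 560 is the one from the first output.
ENCRYPT_ACL = """\
550 permit ip 10.30.68.0 0.0.0.255 10.21.22.0 0.0.0.255
560 permit ip 10.30.68.0 0.0.0.255 10.21.110.0 0.0.0.255 (47 matches)
570 permit ip 10.30.68.0 0.0.0.255 10.21.237.0 0.0.0.255
580 permit ip 10.30.68.0 0.0.0.255 10.30.11.0 0.0.0.255
"""

MATCHES_RE = re.compile(r"\((\d+) match(?:es)?\)\s*$")


def _addr_spec(tokens, i):
    """Consume one IOS address specifier starting at tokens[i].

    Handles 'any', 'host A.B.C.D' and 'A.B.C.D W.X.Y.Z' (network + wildcard);
    returns ((network, wildcard), index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tok, tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse numbered 'permit|deny ip SRC DST [(N matches)]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = 0
        m = MATCHES_RE.search(line)
        if m:
            hits = int(m.group(1))
            line = line[:m.start()].rstrip()
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit() or tokens[2] != "ip":
            raise ValueError("only numbered 'permit/deny ip' entries are handled: %r" % raw)
        (src, src_wild), nxt = _addr_spec(tokens, 3)
        (dst, dst_wild), nxt = _addr_spec(tokens, nxt)
        entries.append({
            "seq": int(tokens[0]), "action": tokens[1],
            "src": src, "src_wild": src_wild,
            "dst": dst, "dst_wild": dst_wild, "hits": hits,
        })
    return sorted(entries, key=lambda e: e["seq"])


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(entries, src, dst):
    """Return the lowest-sequence entry matching src -> dst, or None.

    Like the router, evaluation stops at the first hit, so an entry that
    precedes the ones shown in the post would win over all of them.
    """
    for e in entries:
        if wildcard_match(src, e["src"], e["src_wild"]) and \
           wildcard_match(dst, e["dst"], e["dst_wild"]):
            return e
    return None


def is_interesting(entries, src, dst):
    """True when the crypto ACL would select this flow for encryption."""
    e = first_match(entries, src, dst)
    return e is not None and e["action"] == "permit"


if __name__ == "__main__":
    acl = parse_acl(ENCRYPT_ACL)
    for dst in ("10.21.110.1", "10.30.11.1"):
        e = first_match(acl, "10.30.68.1", dst)
        print("10.30.68.1 -> %s: entry %s, interesting=%s" % (
            dst, e["seq"] if e else None, is_interesting(acl, "10.30.68.1", dst)))
```

Entry 580 does match 10.30.68.1 -> 10.30.11.1, so the entry's own addresses and mask do not explain the zero hit count; note that the quoted output starts at sequence 550, and any earlier entry would be evaluated first.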


AGINetworkGroup Tue, 08/12/2008 - 04:08

Hi Kiran,


I have a problem while configuring my SSL web VPN on my ASA, which runs version 7.2.3. I am unable to opt for "rdp:\\" in the address bar. My SSL VPN is clientless; I would like to know if there is any restriction in having the RDP service configured in ASA version 7.2.


Thank you,


Regards,

K.V.Krishna

ksirupa Tue, 08/12/2008 - 10:31

Hi Krishna,


In the 7.2 release RDP is only supported via port forwarding or via the Web Portal using an HTTP/S URL bookmark, i.e., www.rdpserver.com.


Thanks,

Kiran
