02-25-2009 08:20 AM
Hello everybody.
I have a problem enabling "webvpn" on any interface. Every time, the ASA shows me the following log:
ASA(config-webvpn)# enable outside
Could not start webvpn
ERROR: Failed to enable WebVPN.
ASA(config-webvpn)#
I have an ASA5510 V. 8.0(3)6 with WebVPN License.
If somebody knows anything about this problem, I would really appreciate your comments.
Thanks in advance.
----------------- ASA WEB VPN Config ----
hostname ASA
domain-name mydomain.com
enable password *** encrypted
name
name 192.168.110.0 VPN-3 description VPN-3 Externo
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.114 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.249 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.10.249 255.255.255.0
ospf cost 10
!
tcp-map alltcp
!
tcp-map msstcpmap
exceed-mss allow
queue-limit 250
mtu outside 1500
mtu inside 1600
mtu DMZ 1600
mtu management 1500
ip local pool Pool-VPN-3 192.168.110.1-192.168.110.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 1.1.1.112 255.255.255.248 outside
icmp permit 192.168.1.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
timeout xlate 5:01:00
timeout conn 15:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 2:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:30:00 uauth 5:00:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
http server enable 7443
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
webvpn
group-policy SSL-SAPOLIO internal
group-policy SSL-SAPOLIO attributes
vpn-tunnel-protocol SSL-SAPOLIO
SSL-SAPOLIO
url-list none
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-3-ACL
default-domain value mydomain.com
username jlvelasquez password **** encrypted
username jlvelasquez attributes
vpn-group-policy SSL-SAPOLIO
service-type remote-access
username jpozo password **** encrypted
username jpozo attributes
vpn-group-policy Remote-VPN
service-type remote-access
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool Pool-VPN-3
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
pre-shared-key *
tunnel-group SSL-SAPOLIO type remote-access
tunnel-group SSL-SAPOLIO general-attributes
default-group-policy SSL-SAPOLIO
!
policy-map IPS_policy_OUT
class ips_class_map_OUT
ips inline fail-open
policy-map global_policy
class mssclassmap
set connection advanced-options msstcpmap
policy-map IPS_policy_DMZ
class ips_class_map_DMZ
ips inline fail-open
!
service-policy IPS_policy_OUT interface outside
service-policy IPS_policy_DMZ interface DMZ
----------------
02-26-2009 08:48 AM
Can you post here your "show run all http"?
02-26-2009 10:25 AM
Hi, this is the output:
ASA# show run all http
http server enable 7443
http 200.41.97.226 255.255.255.255 outside
http 10.1.9.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 DMZ
José Luis
02-26-2009 10:37 AM
Thanks, http is enabled. Can you get the "show run all webvpn"?
02-26-2009 02:39 PM
Hi, this is the output:
ASA# show run all webvpn
webvpn
memory-size percent 50
port 443
dtls port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
no csd enable
no svc enable
no tunnel-group-list enable
rewrite order 65535 enable resource-mask *
no internal-password
no onscreen-keyboard
no default-language
no keepout
cache
no disable
max-object-size 1000
min-object-size 0
no cache-static-content enable
lmfactor 20
expiry-time 1
no auto-signon
no error-recovery disable
: # show import webvpn customization
: Template
: DfltCustomization
: # show import webvpn url-list
: Template
: No bookmarks are currently defined
: # show import webvpn translation-table
: Translation Tables' Templates:
: PortForwarder
: banners
: customization
: plugin-rdp
: plugin-ssh,telnet
: plugin-vnc
: url-list
: webvpn
: Translation Tables:
: fr PortForwarder
: fr csd
: fr customization
: fr plugin-rdp
: fr plugin-ssh,telnet
: fr plugin-vnc
: fr webvpn
: ja PortForwarder
: ja csd
: ja customization
: ja plugin-rdp
: ja plugin-ssh,telnet
: ja plugin-vnc
: ja webvpn
: ru PortForwarder
: ru customization
: ru webvpn
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
: rdp
: ssh,telnet
: vnc
ASA#
02-26-2009 12:27 PM
You might be hitting a bug. Can you post the output of "show memory detail"?
Thanks.
02-26-2009 02:43 PM
02-27-2009 05:29 AM
Ok, so there's enough memory. It could be something else. It would be best to go to a later 8.0(3) release or the latest 8.0(4) interim, as initial 8.0(3) had quite a few memory / webvpn bugs.
04-16-2018 01:36 AM
How much memory is required to enable HTTP or webvpn?
02-27-2009 11:24 AM
Something rare happened with this ASA. Now I ran the same command and it works!! This is the output:
ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)#
Maybe it is a memory bug.
Thanks to all
José Luis