SSL VPN login page does not display

Unanswered Question
Jan 22nd, 2010

I have an ASA5510 that I am trying to set up for remote access using SSL VPN & clientless SSL VPN. I have followed the config guides on the Cisco website as well as the config guides elsewhere on the internet to no avail. I have a TAC case opened and have spoken with 4 engineers thus far. I have tried several software versions on the device and they all give the same result.

When going to https://(outside interface ip address), I receive the expected ssl certificate error, then I click to continue to the website, and the browser never loads a page. I can see the ssl negotiation in my debug, and it completes that portion. My http debug shows the get requests to https://(outside interface ip address)/+CSCOE+/index.html and/or logon.html, but the page never loads.

Has anyone ever seen this before---any ideas or what would be helpful in troubleshooting this further?

Thank you in advance!

J

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
busterswt Fri, 01/22/2010 - 22:43

What OS and browser have you tested this on? What version code and what version of AnyConnect are you using?

james.bastnagel Sat, 01/23/2010 - 05:25

OS & Browsers I have tried so far are Vista Ultimate SP1 w/ IE 7, Win XP SP 3 w/ IE 6 & Firefox, Win 7 w/ IE 8 & Chrome.

Code versions on my ASA that I have tried so far are 8.2.2, 8.0.5, and 7.0.8

I'm not sure that the AnyConnect version matters since the browser never gets to the point to where it should download it, but i have tried every version of the AnyConnect for windows client from 2.2 to the current 2.4

If I manually install the AnyConnect client on a machine, I am able to get a login prompt through the client, but end up getting an error message while it is "Establishing VPN Connection" that says "AnyConnect package missing or corrupt. Contact your administrator." But the package isnt missing nor is it corrupt....

If I enable AnyConnect on the inside interface, the whole thing works just fine--but whats the point if that if I'm already inside the firewall lol.

busterswt Sat, 01/23/2010 - 08:33

Would you mind posting your config, free of passwords and any other sensitive data?

james.bastnagel Sat, 01/23/2010 - 09:13

The config is kind of messy now after fiddling with it, but here it is along

w/ a show ver.

I have IPSEC remote access vpn's working--connectivity is very slow. When I

create static translations and allow traffic through the firewall, for a

webserver for example, that is extremely slow as well via both https & http.

The internet connection at this location is a 15Mb ethernet connection

though & should not be as slow as it is.

Thanks for your time, help, & consideration.

James

###########################################################

ciscoasa(config)# show run

: Saved

:

ASA Version 8.2(2)

!

hostname ciscoasa

domain-name XXXXXXXXXXXXXXXX

enable password XXXXXXXXXXXXXX

passwd XXXXXXXXXXXXXXXXXXXXXXXXXXX

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address XXX.XXX.45.2 255.255.255.224

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

speed 100

duplex full

nameif inside

security-level 100

ip address XXX.XXX.5.6 255.255.255.240

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

domain-name ABCsolutions.com

dns server-group ABC.LOCAL

name-server XXX.XXX.2.70

name-server XXX.XXX.100.32

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list OSW-INTERNET extended permit ip XXX.XXX.0.0 255.255.240.0 any

access-list TRE-INTERNET extended permit ip XXX.XXX.20.0 255.255.255.0 any

access-list TRE-INTERNET extended permit ip XXX.XXX.32.0 255.255.255.0 any

access-list TRE-INTERNET extended permit ip XXX.XXX.33.0 255.255.255.0 any

access-list TRO-INTERNET extended permit ip XXX.XXX.100.0 255.255.255.0 any

access-list TRO-INTERNET extended permit ip XXX.XXX.111.0 255.255.255.0 any

access-list TRO-INTERNET extended permit ip XXX.XXX.112.0 255.255.255.0 any

access-list TRO-INTERNET extended permit ip XXX.XXX.113.0 255.255.255.0 any

access-list LAV-INTERNET extended permit ip XXX.XXX.0.0 255.255.0.0 any

access-list LAV-INTERNET extended permit ip 10.3.1.0 255.255.255.0 any

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq

smtp

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2 eq

https

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2 eq

www

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq

https

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq

www

access-list INBOUND-INTERNET extended permit icmp any any

access-list INBOUND-INTERNET extended permit tcp host 67.183.30.29 host

XXX.XXX.45.13 eq 3389

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2

access-list INBOUND-INTERNET extended permit ip XXX.XXX.5.16 255.255.255.240

any

access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.10 eq

https

access-list bypass extended permit ip XXX.XXX.0.0 255.255.0.0 XXX.XXX.5.16

255.255.255.240

access-list bypass extended permit ip 10.0.0.0 255.0.0.0 XXX.XXX.5.16

255.255.255.240

access-list outside_access_in extended permit tcp any host XXX.XXX.45.2

access-list REMOTE_ACCESS_TUNNELED_NETWORKS standard permit XXX.XXX.0.0

255.255.0.0

access-list REMOTE_ACCESS_TUNNELED_NETWORKS standard permit 10.0.0.0

255.0.0.0

pager lines 24

logging console debugging

mtu outside 1500

mtu inside 1500

ip local pool Default 192.168.200.10-192.168.200.50 mask 255.255.255.0

ip local pool IT_VPN_POOL XXX.XXX.5.17-XXX.XXX.5.30 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-625.bin

no asdm history enable

arp timeout 14400

global (outside) 1 XXX.XXX.45.3

global (outside) 2 XXX.XXX.45.4

global (outside) 3 XXX.XXX.45.5

global (outside) 4 XXX.XXX.45.6

global (outside) 5 interface

nat (outside) 5 XXX.XXX.5.16 255.255.255.240

nat (inside) 0 access-list bypass

nat (inside) 3 access-list TRO-INTERNET

nat (inside) 4 access-list LAV-INTERNET

nat (inside) 1 access-list OSW-INTERNET

nat (inside) 2 access-list TRE-INTERNET

static (inside,outside) XXX.XXX.45.10 XXX.XXX.5.7 netmask 255.255.255.255

static (inside,outside) XXX.XXX.45.13 XXX.XXX.2.37 netmask 255.255.255.255

access-group INBOUND-INTERNET in interface outside

route outside 0.0.0.0 0.0.0.0 XXX.XXX.45.1 1

route inside 10.0.0.0 255.0.0.0 XXX.XXX.5.1 1

route inside XXX.XXX.0.0 255.255.0.0 XXX.XXX.5.1 1

route inside XXX.XXX.2.20 255.255.255.255 XXX.XXX.5.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat

0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect

0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

eou allow none

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set

ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5

ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA

ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet timeout 5

ssh timeout 5

console timeout 0

no threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 1440 burst-rate 400

average-rate 200

ssl encryption aes128-sha1 aes256-sha1

webvpn

enable outside

enable inside

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

webvpn

url-list value IT

svc ask enable default webvpn

group-policy ITSG_IPSEC internal

group-policy ITSG_IPSEC attributes

dns-server value XXX.XXX.2.70 XXX.XXX.100.32

vpn-tunnel-protocol IPSec

group-lock value ITSG_IPSEC

split-tunnel-policy tunnelspecified

split-tunnel-network-list value REMOTE_ACCESS_TUNNELED_NETWORKS

default-domain value ABCsolutions.local

username test password XXXXXXXXXXXXX encrypted privilege 0

username test attributes

vpn-group-policy DfltGrpPolicy

username cisco password XXXXXXXXXXXXXXXXXXXX encrypted privilege 15

tunnel-group Default type remote-access

tunnel-group Default general-attributes

address-pool Default

tunnel-group Default webvpn-attributes

group-alias ABC enable

group-url https://XXX.XXX.45.2/ABC enable

without-csd

tunnel-group ITSG_IPSEC type remote-access

tunnel-group ITSG_IPSEC general-attributes

address-pool IT_VPN_POOL

default-group-policy ITSG_IPSEC

password-management

tunnel-group ITSG_IPSEC ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

!

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:be8ef73f0c1aa75aa0fbb84e02e96dc2

: end

ciscoasa(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.2(2)

Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders

System image file is "disk0:/asa822-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 19 hours 13 mins

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision

0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 0026.cb6f.02c0, irq 9

1: Ext: Ethernet0/1 : address is 0026.cb6f.02c1, irq 9

2: Ext: Ethernet0/2 : address is 0026.cb6f.02c2, irq 9

3: Ext: Ethernet0/3 : address is 0026.cb6f.02c3, irq 9

4: Ext: Management0/0 : address is 0026.cb6f.02c4, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 50

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

SSL VPN Peers : 100

Total VPN Peers : 250

Shared License : Disabled

AnyConnect for Mobile : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

Advanced Endpoint Assessment : Disabled

UC Phone Proxy Sessions : 2

Total UC Proxy Sessions : 2

Botnet Traffic Filter : Disabled

This platform has a Base license.

Serial Number: XXXXXXXXXXXXXXXXXX

Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Configuration register is 0x1

Configuration last modified by enable_15 at 16:50:32.198 UTC Sat Jan 23 2010

ciscoasa(config)#

On Sat, Jan 23, 2010 at 8:33 AM, busterswt <

Nelson Rodrigues Tue, 02/02/2010 - 11:25

Hi James,

1) Let's try Clientless (aka.WebVPN )1st.

BTW: Win7 and IE8, MAC OSX 10.6 official support are only available in the upcoming ASA 8.3 version. Also if you are using the SLL AES cipphers on the ASA, IE6 doesn't support them. Or enable all the ASA ciphers momentarily, so regardless of the browser you try , at least an RC4 should be available.

The current/latest VPN supported platforms matrix is at http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html .

2) Enable console debugs "logging class auth console debugging", "logging class auth console debugging " , "logging enable "

3) based on your config go to https://ASA-FQDN or outside-IP ; use FireFox 3.x for example for your test. Enable both SSLV3 and TLSv on the browser.

4) Enter your credentials on the Webvpn Login and collect the debugs I mentioned and paste here.

5) If you can/want to send me your TAC case  Ica nreview to see where we stand on this. I'm not in TAC but I can review the case .

Cheers,

Nelson

FlavioRoberto Sat, 01/21/2012 - 04:25

Hi James and Nelson,

  I know it is pretty old,but the fact is that I am facing the same problem and as the James have not answered, I would the like to know if it has been solved, if so, how ?

I would help me a lot !!!

Thanks.

lambiase@multifa.com Wed, 02/08/2012 - 15:52

I have noticed a couple of browsers that are exhibiting similar bahavior.

First, we use client certificates with 'both' certificate and AAA (LDAP).  Cisco, by default, puts RC4 at the top of the list, and with most browsers it will be the chosen cipher.  I have noticed that up-to-date Macs will terminate the connection (SSL reset) and refuse to submit a certificate.  Not sure if Apple decided strong key negotiation was incompatible with a weak cipher, but as soon as RC4 was demoted and AES 128 was negotiated the Mac worked fine.

Now, on Chrome (seen in both 16 and 17) I am seeing this in the ASDM logs.

Device chooses cipher : AES128-SHA for the SSL session with client gap:208.179.252.194/60870

CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).

SSL lib error. Function: SSL3_GET_RECORD Reason: decryption failed or bad record mac

CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).

The two errors are obviously not related, but could you look in the ASDM logs and see if there are messages.

Actions

Login or Register to take actions

This Discussion

Posted January 22, 2010 at 9:07 AM
Stats:
Replies:7 Avg. Rating:
Views:7538 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard