AnyConnect 2.4 ssl vpn portal and certificate problems

Unanswered Question
Apr 15th, 2010

I currently have two issues with AnyConnect 2.4 to a ASA 5505.

ASA version: 8.2(1)

ASDM version: 6.2(5)

1. Can't access clientless ssl vpn portal

Can't access the clientless ssl vpn portal. Everytime when I access the vpn portal I only get to download the anyconnect client through the WebLaunch, even when I configure that I should get forwarded to the portal (se picture below). What am I missing?

EDIT: Found the issue for this, if I uncheck the "Enable AnyConnect Essentials" then I get access to the vpn portal.

asdm.ssl.portal.png

2. Certficate problem when running AnyConnect directly (not through the web page)

When I access the web ssl portal and download/start the AnyConnect, authentication works fine. I use username + certificate authentication (local CA on asa).

However, when I just start the AnyConnect client from start menu/tray bar and try to connect, AnyConnect displays and error: "Certificate Validation Failure"

The debug webvpn 255 displays this on the asa console:

webvpn_portal.c:ewaFormSubmit_webvpn_login[2162]
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
ewaFormSubmit_webvpn_login:2362: why are we resuming with !cert_auth_done? we failed?
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1966]
webvpn_portal.c:http_webvpn_kill_cookie[787]

---------------

Successful authention through the web show this:

WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5158]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[2162]
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Success.
...resuming [2564]

I don't understand what is different from connection with the web browser to the ssl portal and start the client from there and connect directly from the client itself. The certficate works just fine when accessing anyconnect from the ssl page as you can see from the log above.

Does anyone have a clue why it behaves like this?

Kind regards,

Daniel

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cdeeds Wed, 06/16/2010 - 09:02

Did you ever find a solution?

I'm using the LDAP/Active Directory, Group Policy, Attribute Map design (http://www.cisco.com/application/pdf/paws/98634/asa_ldap_group_pol.pdf) for my ssl vpn setup, but I'm encountering the same issue with the AnyConnect client not being able to establish when launched directly (standalone mode) vs. launching the AnyConnect vpn from the SSL clientless portal page.  Authenticating via the SSL portal page and launching the AnyConnect client is the only way that I can get the AnyConnect client to successfully work.  If I try to connect directly from the client gui, it does nothing.  Through the command line, it establishes the initial conncection to my ASA but then just keeps prompting for authentication (group, username, and password).  I've verified that the svc is enabled under each group policy and the group policy login settings appear to be correct, so I'm lost as to why the client will not establish when launched in standalone mode.

This doesn't totally cripple the the AnyConnect's use, but I would say that it's definitely an annoyance.

-cheers

Actions

This Discussion

Related Content