SSL VPN SA520 Level security change

Unanswered Question
Jul 18th, 2010

Hi,


After trying to use SSL on WIN 7 INTEGRAL 32B with FF, it does not work and gives me a Java message box: "Error:Virtual Passage Execution Failed!".

(Under IE 8 it works, even if, after using SSL and disconnecting, most often the Web does not respond from the WAN: I need to connect by IPSEC with Shrew, go to the interface locally, and reboot the router....)


The important thing is with that Error, I went to the Java console.

I found a line with: "DES-CBC-SHA"


I supposed that the SSL VPN uses DES with SHA-1, and CBC activated.


Is there a way to use better security, such as AES-258, PFS with groups... or at least 3DES?



To complete my message, for Cisco support, for the problem described with FF:


OS : Windows 7
Arch : x86
Home : C:\Users\xxxxxxxxxxxx
Display Name is:Cisco-SSLVPN-Tunnel
Company Name is:Cisco
Product Name is:Cisco-SSLVPN
C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\
Cisco-SSLVPN-Tunnel
getDocumentBase().getHost() : xxxxxxxxxxxx
server_port : 443
getDocumentBase().getPort() : -1
Source URL : https://xxxxxxxxxxxx:443/
C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\ exists : false
Created Directory : C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\
Opening connection to https://xxxxxxxxxxxx:443/WindowsVPDialer.jar...
URL.openStream . . .
Resource type : text/html
Last modified on : 8 avr. 2010
File size : 96120
Copying https://xxxxxxxxxxxx:443/WindowsVPDialer.jar to C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\WindowsVPDialer.jar
96120 byte(s) copied
Decompressing SSLDrv.sys
Decompressing SSLDrv.cat
Decompressing XTunnel.dll
Decompressing UninstallVTPassage.exe
Decompressing SSLDrv.txt
Decompressing VirtualPassageExe.exe
DES-CBC-SHA
EasyAccess
No of route entries : 1
No of routev6 entries : 0
About to execute : C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe ; 1 xxxxxxxxxxxx xxxxxxxxxxxx==::::hugo 192.168.251.1 192.168.251.254 1 443 0 0 none 0.0.0.0 0 Cisco-SSLVPN-Tunnel Cisco Cisco-SSLVPN DES-CBC-SHA EasyAccess 1 xxxxxxxxxxxx 255.255.255.0 0
java.io.IOException: Cannot run program "C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe": CreateProcess error=740, L'opération demandée nécessite une élévatio
C:\Users\xxxxxxxxxxxx\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe execution failed...!

charlesw Mon, 07/19/2010 - 16:25

Hi:


Thank you for reporting the issue.  Can you provide more detailed information, such as which version of FF you are using and the Java version?


Thank you.

Charles

charlesw Mon, 07/26/2010 - 18:02

Hi:


Thanks for your reply, we are currently investigating it now.


I assume you open your FF in Admin privilege mode; if not, can you try again using admin privilege?


Thank you for your patience.


Best Regards,

Charles

Hugues ROCHIN Tue, 07/27/2010 - 02:27

Hi,


Of course, I am using admin account.


Is there a way to raise the security mode for SSL VPN? It seems to use low security with DES.


Thank you for your support.

charlesw Thu, 08/05/2010 - 12:31

Hi:


I have sent you a private message requesting some information.  Please let me know if you receive your private message.


Thanks,

Charles

charlesw Tue, 08/17/2010 - 15:51

Hi:


We are supporting 3DES in the latest release (1.1.65).  Please update your SA and let us know if you have any further problems.


Thanks,

Charles

alberto.zanon Sat, 12/18/2010 - 01:48

Hi, I have the same problem.


SA-520 with 1.1.65 firmware, and SSLVPN doesn't work for Firefox & Chrome due to the Java "Virtual Passage Execution Failed" error on Windows 7 Pro 32-bit.

The system works for IE8 with activeX launcher.


Java Console output:


Created Directory : C:\Users\Vanessa\CiscoCisco-SSLVPN-Tunnel\
Could not find Manifest file
Decompressing SSLDrv.sys
Decompressing SSLDrv.cat
Decompressing XTunnel.dll
Decompressing UninstallVTPassage.exe
Decompressing SSLDrv.txt
Decompressing VirtualPassageExe.exe
DES-CBC-SHA
EasyAccess
No of route entries : 1
No of routev6 entries : 0
About to execute : C:\Users\Vanessa\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe ; 1 0CzHJGc8aa1VBfrR6N0Z6Q==::::vanessa 192.168.220.1 192.168.220.254 1 443 0 0 srvwebbrobotica.local 0.0.0.0 0 Cisco-SSLVPN-Tunnel Cisco Cisco-SSLVPN DES-CBC-SHA EasyAccess 1 0
java.io.IOException: Cannot run program "C:\Users\Vanessa\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe": CreateProcess error=740, Per eseguire l'operazione richiesta è necessaria l'esecuzione con privilegi elevati
C:\Users\Vanessa\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe execution failed...!
VP disconnect invoked


The issue is user privilege. The phrase "Per eseguire l'operazione richiesta è necessaria l'esecuzione con privilegi elevati" means "You need higher privilege to execute the operation".


User Vanessa is Administrator on the local computer and I've removed User Control Param.


Please inform me how to resolve the issue and how to choose a different encryption scheme. DES is not a good choice any more, but in the SSLVPN config page there is no section to choose 3DES or AES....

Eric Moyers Thu, 01/06/2011 - 14:59

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center.


An SSL VPN tunnel can be established using Internet Explorer 8. Currently there is no support for the Firefox, Safari and Chrome browsers - this restriction is only for tunnel establishment using Java-based browsers.

With SSLVPN there is no additional encryption level to select. Using SSLVPN you are already encrypted with the Secure Socket Level. The encryption types DES, 3DES, SHA1 only relate to IPSEC VPN tunnels.


Please let me know if you have any additional questions.


Eric Moyers
Cisco Support Network Engineer
1-866-606-1866

alberto.zanon Mon, 01/10/2011 - 09:32

Thanks for the quick update.


I hope the support will be extended in the future to other browsers with Java. These (Chrome/Firefox) work great under Win XP and it's really a pity not to have them in Vista/Seven.


For the encryption problem I don't want to argue, but Secure Socket Layer is a complex protocol and it has a symmetric cryptographic section in which a bunch of different algorithms can be chosen.  AES, 3DES, RC4, etc. are examples.


From the logs you can clearly see that the system has selected DES-CBC-SHA for the crypto section.


Right now DES is no longer a good choice even for a small business environment, and I would like to have the capability to use (manual selection is not a must) at least RC4, or better 3DES & AES.


Enterprise firewalls (ASA first) have the ability to choose the crypto algorithms, but even SMB devices belonging to other vendors have SSLVPN with a 3DES crypto function.
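
Added example (not part of the thread and not Cisco code): a small Python parser that finds OpenSSL-style cipher-suite names such as the DES-CBC-SHA in the Java console output above and breaks each into key exchange, bulk cipher and MAC. The log text is constructed from lines quoted in the thread; the strength table and the 112-bit floor are assumptions of this example.

```python
import re

# Bulk-cipher token -> (algorithm, effective key bits). Assumed values for this
# example; 3DES is counted as 112 bits and keeps a 64-bit block, so AES is preferable.
BULK = {
    "DES-CBC3": ("3DES-CBC", 112),
    "DES-CBC": ("DES-CBC", 56),
    "RC4": ("RC4", 128),
    "AES128": ("AES-128-CBC", 128),
    "AES256": ("AES-256-CBC", 256),
}
MACS = {"SHA": "HMAC-SHA1", "MD5": "HMAC-MD5"}
BROKEN = {"RC4"}   # long enough key, but deprecated because of keystream biases
MIN_BITS = 112     # assumed policy floor ("at least 3DES", as asked in the thread)

# Whole suite name, optional ephemeral-DH prefix, bulk cipher, MAC.
SUITE_RE = re.compile(
    r"(?<![\w-])((EDH-RSA-|DHE-RSA-)?"
    r"(DES-CBC3|DES-CBC|RC4|AES128|AES256)-(SHA|MD5))(?![\w-])"
)

# Constructed sample, shortened from the console output quoted in the thread.
SAMPLE_LOG = """\
Decompressing VirtualPassageExe.exe
DES-CBC-SHA
EasyAccess
About to execute : VirtualPassageExe.exe ; 1 ... Cisco-SSLVPN DES-CBC-SHA EasyAccess 1 0
"""

def find_suites(text):
    """Return one finding per distinct suite name, in order of first appearance."""
    findings, seen = [], set()
    for m in SUITE_RE.finditer(text):
        name, kx, bulk, mac = m.groups()
        if name in seen:
            continue
        seen.add(name)
        algo, bits = BULK[bulk]
        findings.append({
            "suite": name,
            "key_exchange": "DHE-RSA" if kx else "RSA",
            "forward_secrecy": bool(kx),   # only ephemeral DH gives PFS
            "cipher": algo,
            "bits": bits,
            "mac": MACS[mac],
            "verdict": "weak" if bits < MIN_BITS or bulk in BROKEN else "acceptable",
        })
    return findings

if __name__ == "__main__":
    for finding in find_suites(SAMPLE_LOG):
        print(finding)
```
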

nmanglik Wed, 02/23/2011 - 13:54

Hi Alberto,


The encryption issue of DES showing up has been fixed and the fix will be available in the next release. The encryption used will be 3DES.


Thanks,

Nitin
