This discussion is locked

ASK THE EXPERTS - ANYCONNECT SSL VPN CLIENT ON ASA THROUGH ASDM

Unanswered Question
Dec 14th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation.   This is an opportunity to learn about configuration basics of AnyConnect Secure Sockets Layer VPN Client on Adaptive Security Appliances through Adaptive Security Device Manager with Vikas Saxena. Vikas has been a customer support engineer at the Cisco Technical Assistance Center since 2003. Currently he is associated with the Security and VPN teams. His areas of expertise include VPN, firewalls, public key infrastructure, Cisco Security Manager, intrusion prevention systems, and Linux. He holds CCIE certification #19971 in Security.

Remember to use the rating system to let Vikas know if you have received an adequate response.

Vikas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the  unanswered questions in other discussion forums shortly after the  event. This event lasts through December 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (4 ratings)
coto.fusionet Tue, 12/14/2010 - 19:49

Hellos Vikas!

I would like to thank you for this opportunity and just ask you a couple of quick questions...

Personally I'm used to the CLI for the most part, but...

I know that it's recommended to configure the SSL via ASDM via the wizard or even manually, but can you use the ASDM when something does not work?

I mean.. for troubleshooting a non-working AnyConnect connection... how would you use ASDM to troubleshoot (or better CLI)?

What's coming new for SSL in Cisco ASAs in a future release?

Thank you!

Federico.

visaxena Tue, 12/14/2010 - 23:10

Hello Federico,

Thanks for being so active in the community.

>>I know that it's recommended to configure the SSL via ASDM via the  wizard or even manually, but can you use the ASDM when something does  not work?

ASDM unlike VPN 3000 Concentrator GUI is not itegrated into the code of the ASA. ASDM is just an application which runs the command (availble for CLI users) and pipes the output to the GUI parser. Troubleshooting through ASDM is still only limited to watching the live logs in the log viewer.

>>I mean.. for troubleshooting a non-working AnyConnect connection... how would you use ASDM to troubleshoot (or better CLI)?

As I mentioned before, the syslogs can be viewed regarding an AnyConnct connection problem, Apart from that debugs have to be run through the CLI only.

To troubleshoot the first thing is to ascertain where the problem is for example. the problem could be with the initial SSL connection or after the initial connection. Because the AnyConnect protocol travels inside the SSL connection. If the SSL Connection is established and the client is not connecting than 'deb webvpn svc' can show us where the problem is. Again, the problem could be DAP or tunnel/group policy assignment or plain client install problem (debug dap ? for all the options for DAP). For pure client side issues DART is the best tool, simply because it collects whatever there is related to AnyC client and presents the information in one place.

>> What's coming new for SSL in Cisco ASAs in a future release?

The AnyConnect client 3.0 is still in Beta, therefore the features present in Beta may or may not be present in the released client. However, as per the initial reports IKEv2 (that means IPSEC Client) could be one of the main features. Stay tuned for the release, I would say.

Regards

Vikas

coto.fusionet Wed, 12/15/2010 - 08:11

Thank you for addressing my questions Vikas!

Appreciate your time :-)

Federico.

dianewalker Wed, 12/15/2010 - 13:40

Vikas,

When the AnyConnect  SSL VPN Client 3.0 is released, will it run on Cisco IOS 8.0.5?  Thanks.

Diane

visaxena Wed, 12/15/2010 - 23:17

Hello Dianne,

This will actually depend upon the features which will be there in the new client.

Nothing can be said with certainty regarding the features as the client is still due to be released.

Regards

Hitesh Vinzoda Mon, 12/20/2010 - 01:53

Hi Vikas,

I would like to know whether there is a way to assign group policy based on the user group authenticated against LDAP. e.g. User is group XYZ he will have different policy while user in Group ABC will be assigned different group policy.

Thanks in advance

Hitesh Vinzoda

deepash2 Mon, 12/20/2010 - 02:22

Hi Hitesh,


In case of user authentication via LDAP the memberOf attribute associated with the user is  sent acorss by the LDAP server.  On Cisco ASA we can go ahead and map the memberof attribute with other RADIUS  attribute / Cisco Attribute etc.   Once the mapping is done we can map the value accordingly.


For example:   A user by name Deepak can be part of Group"Employee" in a domain sectac.com.   As soon as user Deepak logs in the LDAP server will return the authentication success and memberOf Employee.  We can configure ASA to map the LDAP attribute value Employee to group policy like Employee etc.


A LDAP the representation of syntax above will be like:-


CN=Employees,CN=Users,DC=sectac,DC=com


CN=Users is like folder under which this group exist. 


We had an example in the presentation by Vikas and I have attached the screeen shot of Mapping with example.   Additionaly, you will find the following link helpful.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml


Hope this helps.


Regards,


-Deepak

Attachment: 
Hitesh Vinzoda Mon, 12/20/2010 - 02:40

Hi Deepak,

Thanks for the prompt response and its perfect match for the solution that i was looking for. Appreciate your time and help.

Regards

Hitesh Vinzoda

ahmedbishry Mon, 12/20/2010 - 13:44

Hellos Vikas!

I would like to thank you for this opportunity and I need your help in my setup...

I use an ASA 5520 with 2800 Cisco router as in the design attached to this email and I did a Site-Site VPN connection from the router inter face (10.10.0.1/16) in the users subnet (10.10.X.X /16) to the interface of the ASA (10.100.1.1) in the Subnet (10.100.1.X /24) and it did not work, any advice will by appreciated,

Thanks in advanced

Ahmed

Attachment: 
deepash2 Mon, 12/20/2010 - 23:51

Hi Ahmed,


Please note, this thread is specifically meant for "ANYCONNECT SSL VPN CLIENT ON ASA THROUGH ASDM" . However; in your case you seems to be looking for an assistance with regard to IPSEC Lan to Lan VPN. 


I would request you to please go ahead and post the query under the correct thread :-


https://supportforums.cisco.com/community/netpro/security/vpn


Also, please get the output of show cry ipsec sa and sh cry isakmp sa to check on which phase concerned tunnel is failing. On ASA please get show run crypto and on IOS router get the ouput of show run | sec cry and show access-list used as crypto acl.


Thanks, for understanding.


Regards,


-Deepak

ahmedbishry Tue, 12/21/2010 - 22:35

Hi Deepak,

Thanks for your reply and I will post there in the link,

best regards,

Ahmed

ddawson Tue, 12/21/2010 - 10:17

VIkas,

I'll be configuring an AnyConnect Client & ASA remote access solution and will need to enforce a requirement that the client systems are corporate-owned and imaged computers.  I know there are a variety of watermark checking features, but I'm curious if you have any experience and/or suggestions on what the most reliable files, registry entries, etc. are that people generally use for this feature.  I'm thinking that checking for the existence and valid checksum of the corporate drive encryption software might be a good start, and possibly a registry entry or two that would indicate that the software is installed and active.  Does this sound reasonable?  And just to keep this question more on-topic, is ASDM a good approach for configuring this, or is it easier to use the CLI?  I'm reasonably comfortable with both.

Thanks for any advice you can share.

Dana

CCIE #1937

ciscobigcat Tue, 12/21/2010 - 10:28

Vikas,

on an ASA5510, what is the most stable software version to enable the anyconnect feature? and how do we publish a portal, based on the user who is logging in, so this portal can show the user the files he is allowed to access?

for example, if userA logs in via ciscoanyconnect, we want him to land into a portal where he will have access to folders he is allowed. the same thing for userB... when userB gets in, we want to land him on a portal that will make visible only the items he is allowed to see.

Jay Young Tue, 12/21/2010 - 11:51

ciscobigcat,

Generally it is recommened to be on the latest version of the anyconnect client.  It will provided the widest support for operating systems and the most recent bug fixes.  With that being said many customers have found that the latest version in the 2.4.x throttle works well.


In regards to your second question that seems more related to the clientless portal rather than anyconnect.  Under the user/group accounts you can configure different bookmarks or customizations.  This way user a and user b will have different links presented to them.  You will naturally need to provide some method to distinguish user a from user b.  Perhaps ldap mapping as was mentioned earlier in the thread.

-Jay

ciscobigcat Tue, 12/21/2010 - 13:02

Jay, this is good stuff. Thank you. I'll check that out.

Jay Young Tue, 12/21/2010 - 14:35

ddawson,

From my understanding of what you are asking it seems that you would like to check for the presence of something that was put on the computer by your IT department.  That way you can validate whether it is a corporate assest or a home user's computer.  There are various different ways to do this.

1)  You can use client certificate authentication.  You give each client computer a certificate and use that for an authentication method.

2)  You can use CSD/Host scan to search for the presence of either a registry key.

3)  You can use CSD/Host scan to search for the presence of a file on the system.

Hope that helps.

-Jay

ddawson Tue, 12/21/2010 - 15:23

Jay,

Thanks for the reply.  I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated.  I had assumed I'd need to use CSD to check for files and/or registry entries, but my main question is what sorts of things are generally considered reliable and not easily bypassed by simply copying the correct file(s) or keys to what would otherwise be a non-authorized machine.  I'm guessing a registry entry would be more useful, but I'm curious what the current, if any, "best practice" is for such system watermarking.  I agree that certificates would probably be the best solution, but I don't think they're an option.

Thanks again!

Dana

Jay Young Wed, 12/22/2010 - 07:16

Dana,

Certificates pushed from your AD as non-exportable is really the only way to be sure.  The other ones are really "security by obsecurity", put a marker in an obsecure place.  You are correct, if users figure out what file needs to be put where they can definitely just copy over the file.

I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated.

You can do both!  You can require the use of certificate authentication and a user/password (which is checked against the RSA database).

tunnel-group TunnelGroupName webvpn-attributes

     authentication aaa certificate

Hope that helps.

-Jay

ddawson Wed, 12/22/2010 - 09:12

Thanks, Jay - yes that does help.  I don't have direct involvement in the imaging or configuration of the corporate systems, but I'll see if I can get something done with certificates.  There's a chance there's already an appropriate cert in these systems, so that might be another option.  If so, I guess I don't really need to use it for authentication per se, I just need to check to see if it's there.  As long as it's non-exportable I should be all set, as long as out IT folks don't make it available for installation to the general user population.

Thanks again!  You've given me great information to head in what I think is the best direction.

Dana

breich3155 Tue, 12/21/2010 - 14:36
/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Hi all,

I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:

1) Log on with username/password using Cisco AnyConnect VPN Client

2) Log-in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log-in. However I get the following error:

Run-time error '7':

Out of memory

My company's network services didn't seem to be much of a help so I was hoping one of you would have a good suggestion(s).

Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.)  I should add that the version of CCA is 4.1.10

Thanks in advance!

-Bill

visaxena Thu, 01/06/2011 - 01:52

Hello William,

This looks like a software conflict between CCA and some software. I will suggest you to open up a TAC case so that a NAC engineer can take a look at this.

Thanks

Vikas

Actions

Login or Register to take actions

This Discussion

Posted December 14, 2010 at 4:07 PM
Stats:
Replies:21 Avg. Rating:5
Views:4499 Votes:0
Shares:0
Categories: AnyConnect
+

Related Content

Discussions Leaderboard