This discussion is locked

Ask the Experts: Troubleshooting Secure Sockets Layer (SSL) VPN on Cisco 5500 Series Adaptive Security Appliance ASA

Unanswered Question
Oct 29th, 2012

Read the bioWith Jazib Frahim

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Jazib Frahim about configuring and troubleshooting SSL VPN on the Cisco 5500 Series Adaptive Security Appliance (ASA) and Cisco AnyConnect Secure Mobility Client. This Ask the Expert event is a continuation from the live webcast held on October 31.

Jazib Frahim is a technical leader in the Security Services practice of Cisco's Advanced Services. He is responsible for guiding customers in the design and implementation of their networks with a focus in network security. He was previously a technical leader for Cisco's TAC Security team, leading engineers in resolving complicated security and VPN technologies. He has presented at many industry events, including the Cisco Support Community and Cisco Live on multiple occasions. He has also written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions); Cisco Network Admission Control, Volume II; and Cisco SSL VPN Solutions. Frahim holds CCIE (number 5459) certifications in routing and switching and security, a bachelor’s degree in computer engineering from the Illinois Institute of Technology, and a master of business administration (MBA) degree from North Carolina State University.

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through Nov 9, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
antonioalmeida16 Tue, 10/30/2012 - 10:46

Where the bookmarks are saved in the ASA? I need this information for backup purposes.

Thank you,

Antonio

jfrahim Mon, 11/05/2012 - 14:46

Hola Antonio,

If you want to backup the bookmarks in the ASAs, you can use the backup option within ASDM, just select bookmark. It will save all the bookmarks in XML

Hope that helps

-Jazib

johnhustonralcorp Wed, 10/31/2012 - 09:48

The links above go to CUCM and other places.  The slides link t the corret place.

fahad.wasi Thu, 11/01/2012 - 02:20

Hi Jazib,

I have some questions, does this 5500 Series of ASA firewall also have IDS(Intrusion Detection System)?

My other question is that the configuration and troubleshooting of SSL VPN technique is  same on all ASA models?

Regards,

jfrahim Mon, 11/05/2012 - 14:49

Hello Fahad,

Please see my inline responses.

1)I have some questions, does this 5500 Series of ASA firewall also have IDS(Intrusion Detection System)?

You can have an IPS module if your ASA model supports it.

2) My other question is that the configuration and troubleshooting of SSL VPN technique is  same on all ASA models?

Yes, pretty much the same

Regards,

Jazib

dreams_as_money Fri, 11/02/2012 - 05:43

Hi Jazib,

I hope you are doing well

I have webvpn  configured in asa5585x but 3 days ago users who uses  3g data card  could not connect to service

However,   who uses Mac or Linux they are ok except  windows systems and  they can connect  if  remove 3g card and connect it via ethernet

would you please give me some explanation

I have updated  cisco anyconnect to latest and cisco asa soft to 9 version but  there is no luck

It says:

the vpn client was unable to modify the ip forwarding table

Thanks

jfrahim Mon, 11/05/2012 - 15:01

Hi there,

Is it possible to look at the debugs on the ASA. This can be a tricky issue since many things can cause this. The common issue that I have seen is when you have two active interfaces (3G and ethernet for example) and the default gateway is pointing to the wrong interface.

Hope that helps

-Jazib

reiner.fink Wed, 11/07/2012 - 00:54

Hi Jazib,

we are deploying Anyconnect with Smartcard-Authentication and  face some issues.

With Anyconnect 3.1.01065 Smartcard Authentication doesn't seems to work if you initiate the connection from the client-software. TAC-suggested workaround is to install Anyconnect from the web which really works for one connect but afterwards fails again and is not accepted by the customer.

Older Anyconnect Versions showed other issues like "disconnect on smartcard-removal" is not supported.

Can you tell anything about the timeframe for further/enhanced smartcard-support in Anyconnect?

Regards,

Reiner

jfrahim Wed, 11/07/2012 - 17:34

Hello Reiner,

Did TAC refer a bug (DDTS) to you for your smartcard issue. Unless there is a specific issue identified, it will be impossible to guide you what enhancement will really fix the problem you are running into

regards,

Jazib

cscbrannent Wed, 11/07/2012 - 18:21

Hi Jazib,

When troubleshooting RAS connectivity with TAC through SSL VPN - I've seen the engineers run a command line packet capture to see traffic coming through the vpn connection and exiting the inside interface.

Could you point to some good docs that explain how to do this from the command line?

Also, the real time log viewer in ASDM seems hit or miss for us.  Running 8.3.  When we try to filter, it seems to stop working.  Have to get out of it and back in to get it working again.  Is there a good way to use the log viewer in ASDM?  I ask because TAC always uses CLI vs. ASDM.

Thanks,

B.

pjetupjetu Fri, 11/09/2012 - 10:46

We are trying to set up an IKEv2 site to site VPN with certificates (Microsoft AD CS) using suite B algorithms on the ISR 15.2(T).  We have been unsuccessful receiving various errors, most consistently AUTH failure.

My question is, has this ever been done?  Is there any example configurations we could use?

We have been successful at setting up IKEv1 with certificates and IKEv2 with pre share.

I know this is not the topic of this event but thought you may be able to give us some direction.

Thank you.

Actions

Login or Register to take actions

This Discussion

Posted October 29, 2012 at 3:15 PM
Stats:
Replies:11 Avg. Rating:
Views:2866 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard