ASK THE EXPERT - SSL VPN

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the Cisco ASA SSL VPN solution which enables organizations to securely provide network access to a broad array of users. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco Adaptive Security Appliance (ASA). He also works on documentation, partner and system engineer trainings.

Remember to use the rating system to let Kiran know if you have received an adequate response.

Kiran might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 22, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

190 REPLIES
New Member

Re: ASK THE EXPERT - SSL VPN

I'm having a problem supporting SSL VPN client access and clientless SSL VPN access simultaneously on an ASA running 8.0.2. The SSL VPN clients authenticate with a smart card and the clientless access uses RSA keyfobs. In order for smart card authentication to work, the "require client certificates" option must be enabled on the outside interface. However, this prevents clientless users from working unless they have a valid PKI cert, which they won't. Unless I'm missing something, I need another ASA to support this dual functionality?

Silver

Re: ASK THE EXPERT - SSL VPN

Unfortunately this is a limitation today. Once you've enabled certificate based authentication, everyone will be prompted for one even if their particular group doesn't require one. We have this on our list to investigate if it can be resolved in future release.

Note: Just to be clear, your clientless users would still be able to connect even if they don't have a valid certificate. They will have to click through (i.e. hit cancel) the certificate request dialog box to get to the authentication prompt. I understand it affects end-user satisfaction because of the confusion and inconvenience.

New Member

Re: ASK THE EXPERT - SSL VPN

You can configure two tunnels: one authenticates with the smart card, the other uses RSA keyfobs.

When you use clientless SSL VPN, you must choose the right tunnel name.

Silver

Re: ASK THE EXPERT - SSL VPN

You are correct that the end-users need to choose the right tunnel name. However, if one of the tunnel-groups has "Certificate" authentication turned on, all the users connecting to the ASA will be prompted for a "certificate". The end-user can hit the "cancel" button and then they can choose the right tunnel group.

Bottom line: The query for certificate happens even before you have the choice to select the tunnel group.
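Kiran's point above (the certificate query happens before the tunnel-group choice) is easy to check for during a config review. The following added Python example is not code from this thread or from Cisco; it parses a constructed ASA 8.0-style running-config snippet and lists the tunnel-groups whose users will be hit by the interface-wide certificate prompt even though their own authentication method does not require one. The config text and group names are invented for the example; only the command syntax (`ssl certificate-authentication interface ...` and the `authentication {aaa | certificate | aaa certificate}` webvpn attribute) is real ASA syntax.

```python
"""Flag tunnel-groups that will get an unexpected certificate prompt.

Added example (not from the thread or from Cisco). The config below is
constructed; only the ASA command syntax it uses is real.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config: certificate authentication is enabled on the
# 'outside' interface, but the clientless/RSA group authenticates with AAA only.
SAMPLE_CONFIG = """\
ssl certificate-authentication interface outside port 443
tunnel-group SmartCardUsers type remote-access
tunnel-group SmartCardUsers webvpn-attributes
 authentication certificate
 group-alias smartcard enable
tunnel-group ClientlessRSA type remote-access
tunnel-group ClientlessRSA webvpn-attributes
 authentication aaa
 group-alias clientless enable
"""

CERT_AUTH_RE = re.compile(r"^ssl certificate-authentication interface (\S+) port (\d+)")
TG_WEBVPN_RE = re.compile(r"^tunnel-group (\S+) webvpn-attributes")
AUTH_RE = re.compile(r"^\s+authentication (.+)$")


def parse_config(text: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Return ({interface: port} with cert-auth enabled, {tunnel-group: auth method})."""
    cert_ifaces: Dict[str, int] = {}
    tg_auth: Dict[str, str] = {}
    current_tg: Optional[str] = None
    for line in text.splitlines():
        m = CERT_AUTH_RE.match(line)
        if m:
            cert_ifaces[m.group(1)] = int(m.group(2))
            current_tg = None
            continue
        m = TG_WEBVPN_RE.match(line)
        if m:
            current_tg = m.group(1)
            # A webvpn-attributes block with no 'authentication' line means AAA only
            # (the ASA default), which is exactly the case that gets the extra prompt.
            tg_auth.setdefault(current_tg, "aaa")
            continue
        if line and not line[0].isspace():
            current_tg = None  # a top-level command ends the sub-mode
            continue
        m = AUTH_RE.match(line)
        if m and current_tg:
            tg_auth[current_tg] = m.group(1).strip()
    return cert_ifaces, tg_auth


def find_cert_prompt_conflicts(text: str) -> List[str]:
    """Tunnel-groups whose users are prompted for a certificate they do not need.

    The prompt is interface-wide, so any group whose auth method does not
    include 'certificate' is affected once cert-auth is on for an interface.
    """
    cert_ifaces, tg_auth = parse_config(text)
    if not cert_ifaces:
        return []
    return sorted(tg for tg, auth in tg_auth.items() if "certificate" not in auth)


if __name__ == "__main__":
    for tg in find_cert_prompt_conflicts(SAMPLE_CONFIG):
        print(f"tunnel-group {tg}: users will see a certificate prompt they cannot satisfy")
```

Running it against the constructed config reports `ClientlessRSA`, which is the clientless RSA-keyfob group from the question; the smart-card group is not listed because its method includes a certificate. The parser only tracks the `webvpn-attributes` sub-mode, so unrelated sub-modes such as `general-attributes` are ignored.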

New Member

Re: ASK THE EXPERT - SSL VPN

Hi Kiran,

I am deploying an ASA5540. One thing I run into now is that the OSPF Reverse Route Injection is taking some time (2-3 minutes) to be injected into my backbone.

I am running 8.0(4) code.

route outside 0.0.0.0 0.0.0.0 192.168.250.169

route inside 0.0.0.0 0.0.0.0 10.10.38.1 tunneled

and I am running ospf nssa on the inside interface with my backbone network.

The ospf configuration is very similar to the

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

except that I am running nssa instead of area 0. I have the route-map for controlling the reverse route injection.

Once I configured the RRI, I can see the static route is in asa sh route. But when I do sh ospf database adv-router insideIP, the injected route is not in the database. After 3-5 minutes, it will then show up in the database and get redistributed to my backbone.

Any thoughts on this?

Thanks.

BTW, thanks for the answer on DAP performance impact, ssh plug-in and interface virtualization questions I asked.

Silver

Re: ASK THE EXPERT - SSL VPN

We need a lot more info than what's described here to know what's going on.

'show tech' from both the adjacent routers and the ASA, plus the output of some show commands:

show ospf neig

show ospf data

from both the router and the ASA would help.

I think it is best to open a TAC case for this problem.

New Member

Re: ASK THE EXPERT - SSL VPN

Thanks Kiran. I opened a case with TAC.

BTW, this ask expert session has been so helpful. We really appreciate your good work.

Regards,

Shiling

Silver

Re: ASK THE EXPERT - SSL VPN

No problem. Thanks for the good feedback.

New Member

Re: ASK THE EXPERT - SSL VPN

Kiran,

I understand that I need the licenses for SSL VPN. I have an ASA5550. How do the licenses work? If I have 100 concurrent users, do I need 100 licenses?

Can you setup both SSL VPN and IPSEC on the same ASA? When would you prefer AnyConnect over VPN client?

Thanks.

Jill

Silver

Re: ASK THE EXPERT - SSL VPN

Hi Jill,

Yes, you are right, you would need to buy SSL licenses. And you are correct that if you expect a max of 100 concurrent users connecting to the ASA at any given time, you would need to budget for 100 licenses.

Yes, you can set up both SSL and IPSec on the same ASA. The ASA 5550 platform allows a maximum of 5000 remote access VPN users. This 5000 is the limit for IPSec and SSL sessions combined. You can buy the SSL license in blocks of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000.

Below are some of the reasons to prefer SSL over IPSec:

a) It is possible that firewalls or other security gateways block the IPSec (ESP/AH) traffic. However, SSL VPN uses port 443 which is ubiquitous.

b) With the SSL VPN solution, you can have either clientless or client access.

In clientless mode, the users can use any regular internet browser and connect to the security gateway. They don't need to install any software.

The SSL based AnyConnect VPN Client delivers the same functionality as a regular IPSec VPN client by providing full-tunnel access and a dedicated IP address to the endpoint. In addition, the AnyConnect client is dynamically downloadable, thereby eliminating administration associated with VPN client software updates.

c) The SSL solution enables posture assessment of the endpoint. Based on the endpoint trust level, the administrator has the flexibility to apply a customized security policy for the VPN connection. For example, you can enforce that any employee accessing from an Internet kiosk machine will be limited to clientless access only.

d) With the SSL solution, you can also enable "Cisco Secure Desktop", which ensures that cookies, browser history, temporary files, and downloaded content do not remain on a system after a remote user logs out or an SSL VPN session times out. CSD increases protection against data theft and client system malware (malicious software) by encrypting all data and files associated with or downloaded during the SSL VPN session.

Hope this helps. Please ask again for further clarification.

New Member

Re: ASK THE EXPERT - SSL VPN

Kiran,

Thanks very much for taking time to explain. Now, I have a better understanding about SSL.

1. Since SSL VPN requires licenses, is it possible to set it up without a license to see how it works?

2. Since we can set up both SSL and IPSEC, do we have control over which user uses SSL and which user uses IPSEC?

3. For Cisco Secure Desktop, do we just install one application and all the users can access it? For example, if we install Microsoft Word or Outlook, all the Remote users can access the application remotely.

4. If we want to deploy Cisco Secure Desktop and the application is Payroll, would you recommend SSL VPN since it is web based?

5. If our Remote Branches grow and we expect 2500 concurrent users at any given time, do you foresee any traffic congestion problems if we use IPSEC client?

Thanks.

Jill

Silver

Re: ASK THE EXPERT - SSL VPN

Hi Jill,

1. Since SSL VPN requires licenses, is it possible to set it up without a license to see how it works?

[KS] Yes, each ASA comes with two free SSL licenses. So, you can use the "SSL VPN Wizard" to quickly setup your SSL VPN for evaluation purposes.

2. Since we can set up both SSL and IPSEC, do we have control over which user uses SSL and which user uses IPSEC?

[KS] Yes, you can create multiple groups and allow different connection methods for each group.

3. For Cisco Secure Desktop, do we just install one application and all the users can access it? For example, if we install Microsoft Word or Outlook, all the Remote users can access the application remotely.

[KS] In clientless mode, the ASA hosts a limited number of applications such as Remote Desktop, VNC, SSH, Telnet, Sametime and Citrix. In addition, if the end-user's device already has the Word or Outlook applications installed, they would be able to access the applications securely within the secure desktop. Once they disconnect from the VPN, all the sensitive data will be erased.

4. If we want to deploy Cisco Secure Desktop and the application is Payroll, would you recommend SSL VPN since it is web based?

[KS] Yes, web-based applications can be easily supported in SSL Client-less mode. Your end-users won't have to download any client and the sensitive data can be erased using Cisco Secure Desktop after disconnect.

5. If our Remote Branches grow and we expect 2500 concurrent users at any given time, do you foresee any traffic congestion problems if we use IPSEC client?

[KS] ASA 5550 should be able to handle 2500 concurrent users. Your throughput may vary based on the applications and their packet sizes. I also recommend implementing a VPN load-balancing cluster so that you always have a backup. Alternatively, you can create an active/standby pair for high availability.

New Member

Re: ASK THE EXPERT - SSL VPN

I have configured an SSL VPN using the Cisco AnyConnect SSL VPN client and Cisco Secure Desktop. The purpose is to give the client secure access from his application to the database available at the central site. The application is installed in various directories on a Windows 2003 system. The user is able to establish the VPN. The SSL VPN client and Cisco Secure Desktop are downloaded onto the machine, a secure desktop appears and he is in the desktop. Once he tries to access the directory by clicking on the My Computer icon available on the desktop, he does not see the directory where his application is installed. Moreover, there are a lot of directories which do not appear on the secure desktop. Once he switches from the secure desktop to the normal desktop, the directories are available. Because the directories are not available, his application is not able to run from the secure desktop. However, from cmd he can ping the servers. How can I make the application run and make those directories available in the secure desktop?

Silver

Re: ASK THE EXPERT - SSL VPN

Cisco Secure Desktop does not allow applications to be installed whilst in the SD Vault/space, but uses the default applications (under Program Files) already installed on the client PC. Secure Desktop Only Supports Applications Installed in the Default Location. For increased security only applications installed under the Windows and Program Files directories are accessible under the Secure Desktop. Secure Desktop does not support or allow access to applications not found in these default installation locations.

New Member

Re: ASK THE EXPERT - SSL VPN

I switched over my desktop and came to my normal desktop. From there I tried to connect to the application and it was connecting. But once I create a VPN session and disconnect, I am unable to access my local LAN. While I have a VPN connection I am not able to, as my split tunnel policy is tunnel all. But once I disconnect I am not able to communicate with my local LAN unless I restart my computer. I have not observed these things myself as the users are at a remote location; with my machine I do not face this problem. Do you have any idea of what the probable cause of this can be?

Silver

Re: ASK THE EXPERT - SSL VPN

Please let me know the version of ASA and the version of CSD? If using AnyConnect, which version of AnyConnect? Also, please provide details about the End-point. Which operating system and browser? And, if possible, please share your application details. Does the application work properly if you don't enable the secure-vault option? I mean, is this specific to the CSD secure vault?

On the flip side, you may also open a TAC case for a more detailed, live and advanced troubleshooting session.

New Member

Re: ASK THE EXPERT - SSL VPN

ASA Version 8.0(3)

csd image disk0:/securedesktop-asa-3.2.1.126-k9.pkg

svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1

MS Windows XP and Vista

They told me that they are not accessing the application through the secure desktop but switching over the desktop and using it from there. This is only happening with 2 users.

It is an Oracle-based application. I do not know much about it.

Silver

Re: ASK THE EXPERT - SSL VPN

Hi,

Your CSD version doesn't support the secure vault on Vista. So, your users must be encountering this problem on Windows XP only.

Our engineering has not seen this issue, so they are asking to upgrade the ASA and CSD to the latest code and confirm the results for these two users with XP.

http://www.cisco.com/cgi-bin/tablebuild.pl/asa

ASA: 8.0.4

ASDM: 6.1.3

AnyConnect: 2.2.0136

Cisco Secure Desktop: 3.3.0129

Plug-ins for RDP, VNC, SSH/Telnet, post-plugin.

Please note that in CSD 3.3, there is no support of AnyConnect within the vault for Vista.

New Member

Re: ASK THE EXPERT - SSL VPN

I have configured a Clientless SSL VPN on the ASA to give access to 5 applications. Among those 5 applications, the one which is Oracle based is not working. I have simply published the 5 URLs on the screen. The main page is also coming up, but once the user puts in his credentials it goes to a wrong URL. Below is the response from the programmer.

Oracle Forms applications don't work through the VPN.

The Oracle Forms application is actually Java code which runs in a JVM (JInitiator for Oracle Forms) and it communicates with the Oracle Forms application server over HTTP.

Look at the attached java-log.txt; this is a dump of the communication between JInitiator and the Oracle Forms application server.

I have attached cisco-java-log.txt, which is the dump of the communication between JInitiator and the Oracle Forms application server over the VPN.

Please look at the attached java-log.txt (direct communication dump) at line 31.

The corresponding line for the VPN communication dump is in cisco-java-log.txt at line 83.

The URL in cisco-java-log.txt is bad: some HTML is injected into the URL, which is coming from the VPN client component. When this bad URL goes to the Forms server it throws a communication error.

It seems the CISCO VPN client is not preparing the URL properly for some reason beyond my understanding.

---------------------------------------

You can see in both log files that the URL used to access the server is wrong.

What is the possible cause? How do I proceed?

Silver

Re: ASK THE EXPERT - SSL VPN

Have you enabled Smart Tunnels option for this application? Also, make sure to try this application through IE browser.

You can create a bookmark for this application in the web-portal and then enable "Smart Tunnel Option" for this bookmark.

I hope this resolves the problem. Otherwise, please contact the Cisco TAC for further detailed troubleshooting about this.

You can read more about the Smart Tunnel feature at: http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html

New Member

Re: ASK THE EXPERT - SSL VPN

Hello Ksirupa,

I have enabled the smart tunneling option by going into the bookmark, but the problem is the same. Earlier it was not loading the jar file, but later on, after clearing the cache, it loaded it. Following is the response from the programmer.

----------------------------

The jar file loading problem is sorted out. I cleared the jar cache and now it can load the jar file.

But the earlier problem is still there. The CISCO client is still messing up the URL being sent back to the Oracle Forms server.

You can use the log file and problem statement I had sent to you earlier for reporting the case.

--------------------------------

He has sent me the screen snapshot for the error. I am attaching it again.

Before that, I will tell you how I have enabled the smart tunneling. I went into the bookmark, edited it and came into the URL list of the Oracle server. There I enabled the smart tunneling option. I have gone through the following PDF file.

Silver

Re: ASK THE EXPERT - SSL VPN

Hi,

Yes, you enabled the Smart Tunnels correctly.

I think we explored all the easy options to debug. The next step would be to contact Cisco TAC for further detailed and advanced troubleshooting.

I am wondering if they would be able to develop an APCF (Application Profile Customization Framework) file for you after further troubleshooting.

New Member

Re: ASK THE EXPERT - SSL VPN

I would like to migrate IPSEC VPN clients to SSL in the near future. However, I am running into issues with some features. The backup function of AnyConnect, similar to the "backup server" function of the IPSEC client, does not seem to function correctly. If an ASA fails to respond to AnyConnect (simulated external link failure), the backup does not roll over to another host defined in the XML config, forcing a user to manually choose a different connection entry. I also foresee this being an issue because the client automatically connects to the last used connection. Any changes planned in this area?

Silver

Re: ASK THE EXPERT - SSL VPN

Hi,

The following Cisco defect matches the problem that you described:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj88360

This defect was resolved in the recently released (Aug 8th) AnyConnect 2.2.0136 release.

You can download this latest version at:

http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect

With this latest release, you can also disable the "startup AutoConnect behavior". However, you would need to add an entry to the AnyConnect profile.

false

The setting, as shown above in the profile XML file will disable the auto connect behavior.

New Member

Re: ASK THE EXPERT - SSL VPN

Fantastic. Thanks for the response. Are there any release notes specific to this latest version?

Silver

Re: ASK THE EXPERT - SSL VPN

Thank You. I would appreciate if you can rate my post as well.

New Member

Re: ASK THE EXPERT - SSL VPN

Hi Kiran,

I need help with my Clientless SSL VPN configuration.

I have configured all Java plugins (RDP, SSH, Citrix...). And they are all successfully imported. If I connect to my WebVPN, I can select "RDP:", "SSH:" and "ICA:".

My problem is that all Java plugins only work if I am directly connected to the WebVPN. If I access my WebVPN through a proxy (configured in my browser), none of the Java plugins work.

I troubleshot this failure and my result is:

If I select "RDP:", fill in an IP address of my internal network and click on "Browse", the .jar files (in the RDP plugin there is only one .jar file) are downloaded to my client. After downloading these files, they are started by Java. And at this point I get my connection failure. I have observed my Java logging and found the following entry:

network: Verbindung von socket://webvpn.sul.de:443 mit Proxy=DIRECT wird hergestellt

All communication, including the download of the .jar files, is sent over the proxy of my browser. But after the download, Java starts the plugin and tries to connect to my ASA directly.

I think this is a problem with the plugin. The plugin should use the proxy of Browser. And yes I have checked my Java configuration on my client. It is set to "Use Browser Settings".

Do you have any ideas to fix my Problem?

Kind Regards

Ralf

Silver

Re: ASK THE EXPERT - SSL VPN

Hi Ralf,

The plug-ins do not work if the security appliance configures the clientless session to use a proxy server.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1292863

I will get back to you if I can find any workarounds from the engineering.

Silver

Re: ASK THE EXPERT - SSL VPN

Hi Ralf,

One of the workarounds proposed is to use the "Smart Tunnels" feature. You can create a Smart Tunnel list for the mstsc.exe (RDP client).

You can find more about this feature at:

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html
