AnyConnect 2.4 ssl vpn portal and certificate problems
I currently have two issues with AnyConnect 2.4 to an ASA 5505.
ASA version: 8.2(1)
ASDM version: 6.2(5)
1. Can't access clientless ssl vpn portal
Can't access the clientless ssl vpn portal. Every time I access the vpn portal I only get to download the AnyConnect client through the WebLaunch, even when I configure that I should get forwarded to the portal (see picture below). What am I missing?
EDIT: Found the issue for this, if I uncheck the "Enable AnyConnect Essentials" then I get access to the vpn portal.
2. Certificate problem when running AnyConnect directly (not through the web page)
When I access the web ssl portal and download/start the AnyConnect, authentication works fine. I use username + certificate authentication (local CA on asa).
However, when I just start the AnyConnect client from the start menu/tray bar and try to connect, AnyConnect displays an error: "Certificate Validation Failure"
The debug webvpn 255 displays this on the asa console:
webvpn_portal.c:ewaFormSubmit_webvpn_login
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
ewaFormSubmit_webvpn_login:2362: why are we resuming with !cert_auth_done? we failed?
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed! Embedded CA Server not enabled.
Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login
webvpn_portal.c:http_webvpn_kill_cookie
I don't understand what is different between connecting with the web browser to the ssl portal and starting the client from there, and connecting directly from the client itself. The certificate works just fine when accessing AnyConnect from the ssl page, as you can see from the log above.
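As an added triage helper (not the poster's code or anything Cisco ships), the following Python parses the "debug webvpn 255" trace quoted above and pulls out what a reviewer would check first: whether the client supplied a tunnel-group cookie, which tunnel group the ASA ended up in, and the certificate-auth result. The sample input is the thread's own trace split into the separate messages the ASA emits; the "fell_back_to_default" flag is this helper's own interpretation of tgroup = NULL together with tgCookieSet = 0.

```python
import re

# Constructed sample: the debug trace from the post, one ASA message per line.
SAMPLE_DEBUG = """\
webvpn_portal.c:ewaFormSubmit_webvpn_login
ewaFormSubmit_webvpn_login: tgCookie = NULL
ewaFormSubmit_webvpn_login: cookie = 1
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
ewaFormSubmit_webvpn_login:2362: why are we resuming with !cert_auth_done? we failed?
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed! Embedded CA Server not enabled.
Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login
webvpn_portal.c:http_webvpn_kill_cookie
"""

# "name = value" lines emitted by the login form handler
KV_RE = re.compile(r"^ewaFormSubmit_webvpn_login:\s*(\w+)\s*=\s*(\S+)$")
# "Tunnel Group: <name>, <result>! <reason>." summary line
TG_RE = re.compile(r"^Tunnel Group:\s*([^,]+),\s*(.*?)(?:!|\.)\s*(.*)$")


def parse_webvpn_debug(text):
    """Summarise a webvpn login debug trace: tunnel-group cookie fields,
    the tunnel group selected, and the certificate-auth outcome."""
    summary = {"fields": {}, "tunnel_group": None, "result": None, "reason": None}
    for line in text.splitlines():
        line = line.strip()
        m = KV_RE.match(line)
        if m:
            summary["fields"][m.group(1)] = m.group(2)
            continue
        m = TG_RE.match(line)
        if m:
            summary["tunnel_group"] = m.group(1).strip()
            summary["result"] = m.group(2).strip()
            summary["reason"] = m.group(3).strip().rstrip(".") or None
    # No tunnel-group cookie and no tgroup: the login was not tied to a named
    # tunnel group, so the ASA processed it under the default group.
    fields = summary["fields"]
    summary["fell_back_to_default"] = (
        fields.get("tgroup") == "NULL" and fields.get("tgCookieSet") == "0"
    )
    return summary


if __name__ == "__main__":
    for key, value in parse_webvpn_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```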
Re: AnyConnect 2.4 ssl vpn portal and certificate problems
Did you ever find a solution?
I'm using the LDAP/Active Directory, Group Policy, Attribute Map design (http://www.cisco.com/application/pdf/paws/98634/asa_ldap_group_pol.pdf) for my ssl vpn setup, but I'm encountering the same issue with the AnyConnect client not being able to establish when launched directly (standalone mode) vs. launching the AnyConnect vpn from the SSL clientless portal page. Authenticating via the SSL portal page and launching the AnyConnect client is the only way that I can get the AnyConnect client to successfully work. If I try to connect directly from the client gui, it does nothing. Through the command line, it establishes the initial connection to my ASA but then just keeps prompting for authentication (group, username, and password). I've verified that the svc is enabled under each group policy and the group policy login settings appear to be correct, so I'm lost as to why the client will not establish when launched in standalone mode.
This doesn't totally cripple the AnyConnect's use, but I would say that it's definitely an annoyance.