Cisco Support Community
Community Member

New Install anyclient VPN on ASA5510 can't connect.

Hello all

We have a new install of an ASA5510.  So far everything is working fine except the VPN.

We went through the SSL VPN wizard in ASDM and answered all questions.

Now when we try to open a VPN connection to the ASA using the URL https://asa_ip_address we first get a "There is a problem with this website's security certificate" message.

When we click Continue to this website (not recommended) we get a "403-Forbidden: Access is Denied" message indicating that the credentials are invalid.  We never even got to the logon screen so we don't even know what credentials it is talking about.

Any ideas?  Do you need the config posted?



Community Member


Hello Edward,

Yes please post the config.


Community Member


OK... I will be in the office later this afternoon and I will post the config.  (I'm in the Eastern time zone)

Thank you

Community Member


Result of the command: "show running-config"

: Saved
ASA Version 8.2(5)
hostname ciscoasa
domain-name smsbconsulting
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxx.xxxxx encrypted
name Gateway description Default gateway
interface Ethernet0/0
description Static IP external interface
nameif Internet
security-level 0
ip address
interface Ethernet0/1
no nameif
no security-level
no ip address
interface Ethernet0/2
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif Internal
security-level 100
ip address
interface Management0/0
nameif management
security-level 100
ip address
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internal
dns server-group DefaultDNS
domain-name smsbconsulting
same-security-traffic permit intra-interface
object-group network inside-net
object-group service Remote_Control
description Remote administration
service-object tcp eq 987
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any host eq smtp
access-list Internet_access_in extended permit tcp any host eq telnet
access-list Internet_access_in extended permit tcp any host eq https
access-list Internet_access_in extended permit tcp any host eq www
access-list Internet_access_in extended permit tcp any host eq 987
access-list Internet_access_in remark VPN
access-list Internet_access_in extended permit gre any host
access-list Internet_access_in remark VPN ptptp port
access-list Internet_access_in extended permit tcp any host eq pptp
access-list Internet_access_in remark Allow PC Anywhere to connect.
access-list Internet_access_in extended permit tcp any host eq pcanywhere-data
access-list Internet_access_in remark Allow PC Anywhere status
access-list Internet_access_in extended permit udp any host eq pcanywhere-status
access-list Internet_access_in remark FTP access to SMSB FTP server address
access-list Internet_access_in extended permit tcp any host eq ftp
access-list Internet_access_in extended permit tcp any host eq ftp-data
access-list Internal_nat0_outbound extended permit ip host
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
ip local pool Clientless_VPN_Address_Pool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Internet) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 101
static (Internal,Internet) tcp interface smtp smtp netmask
static (Internal,Internet) tcp interface telnet telnet netmask
static (Internal,Internet) tcp interface www www netmask
static (Internal,Internet) tcp interface https https netmask
static (Internal,Internet) tcp interface pcanywhere-data pcanywhere-data netmask
static (Internal,Internet) udp interface pcanywhere-status pcanywhere-status netmask
static (Internal,Internet) tcp interface ftp ftp netmask
static (Internal,Internet) tcp interface ftp-data ftp-data netmask
access-group Internet_access_in in interface Internet
access-group Internal_access_out in interface Internal
route Internet Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address Internal
dhcpd dns interface Internal
dhcpd domain smsbconsulting.local interface Internal
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
enable Internet
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  url-list value List_A
group-policy VPN_Group internal
group-policy VPN_Group attributes
vpn-tunnel-protocol webvpn
  url-list value List_A
group-policy VPN_policy_Group internal
group-policy VPN_policy_Group attributes
vpn-tunnel-protocol svc webvpn
  svc dtls enable
  svc mtu 1406
username xxxxx password xxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol svc
  svc ask enable default svc timeout 30
username cisco password xxxxxxxxxxxx encrypted privilege 15
tunnel-group First_VPN_Connection type remote-access
tunnel-group PTPVPN type remote-access
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN_Group
tunnel-group Clientless_VPN type remote-access
tunnel-group Clientless_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
default-group-policy VPN_policy_Group
tunnel-group Clientless_VPN webvpn-attributes
group-alias Conection_Group enable
group-url enable
tunnel-group SMSB_VPN type remote-access
tunnel-group SMSB_VPN general-attributes
address-pool Clientless_VPN_Address_Pool
tunnel-group SMSB_VPN webvpn-attributes
group-alias enable
group-url enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

Community Member


Somebody must know. 

Community Member




Re: New Install anyclient VPN on ASA5510 can't connect.


This is not really my forte, BUT

You are pointing a web client to start a webvpn client?

My first thought was that the first problem was because of the certificate being self-signed.

That will give that error, since the browser does not know if it can trust the certificate or not.

But that should only account for the first part of the problem.

However, I just swept through the config you have posted and there is one thing I think will cause problems.

You have a static of the interface with https, i.e. the same port as the webvpn.

I doubt that that works just fine.

To change the webvpn port:

conf t

webvpn

port 4443

Now it will use port 4443 instead.

good luck
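
The overlap this reply points out can be checked mechanically before a config is deployed. The Python sketch below is an added example, not part of the original post or any Cisco tool; it assumes ASA 8.2-style `static` syntax and an indented top-level `webvpn` block, and its sample config is constructed from lines in the posted configuration.

```python
import re

# Named ports as "show running-config" prints them (subset needed here).
NAMED_PORTS = {"https": 443, "www": 80, "smtp": 25, "telnet": 23, "ftp": 21}

# Constructed sample modelled on the posted config ("webvpn" header assumed).
SAMPLE_CONFIG = """\
static (Internal,Internet) tcp interface www www netmask
static (Internal,Internet) tcp interface https https netmask
webvpn
 enable Internet
 svc enable
"""

# ASA 8.2 form: static (real_if,mapped_if) tcp interface <mapped_port> ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp interface (\S+)")

def port_number(token):
    if token.isdigit():
        return int(token)
    return NAMED_PORTS.get(token)  # None when the keyword is not in the table

def webvpn_listeners(config):
    """Return {interface: port} for each interface WebVPN is enabled on."""
    port, interfaces, in_webvpn = 443, [], False  # 443 is the WebVPN default
    for line in config.splitlines():
        words = line.split()
        if line == "webvpn":
            in_webvpn = True
        elif in_webvpn and line.startswith(" ") and len(words) == 2:
            if words[0] == "enable":
                interfaces.append(words[1])
            elif words[0] == "port":
                port = int(words[1])
        elif not line.startswith(" "):
            in_webvpn = False  # any other top-level line ends the sub-mode
    return {name: port for name in interfaces}

def find_conflicts(config):
    """List (interface, port) pairs claimed by both a static PAT and WebVPN."""
    listeners = webvpn_listeners(config)
    conflicts = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        port = port_number(m.group(3)) if m else None
        if port is not None and listeners.get(m.group(2)) == port:
            conflicts.append((m.group(2), port))
    return conflicts
```

For the sample, `find_conflicts` reports the `Internet` interface on TCP 443; once a `port 4443` line is present under `webvpn`, the list comes back empty.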


Community Member


Thank you for your reply.

At the risk of sounding like a complete novice... (which I am) I am using the tools/command line interface from ASDM version 6.4(5)

When I enter the commands in multiple line mode and then select "send" I get the following:

Result of the command : "config t"

The command has been sent to the device.

Result of the command: "webvpn"

The command has been sent to the device.

Result of the command: "port 4443"

Error: Port changes cannot be made while WebVPN is enabled. blah blah blah

Also... no changes I make via the command line ever stick.  I realize I'm not saving them but I don't know how to save them.

Also... Every tutorial I see gives a command prompt that appears to grow as you get further into the commands.  For example:  #Config t

then #webvpn

then and so on.  The prompt grows larger with each successive command (always preceded with a #) .

I don't get anything like that... no prompt and no #.  The only indication I get that I did anything is the message that says Result of command xxx  The command has been sent to the device.

As you can see... I have no clue how to use the CLI and I could use very detailed help.




Re: New Install anyclient VPN on ASA5510 can't connect.


It's totally OK to be a novice and fiddle around with things.

BUT if this is a company firewall and not your own, I must strongly advise you to go to a local Cisco rep and ask them for advice on who to contact to help you with setting up your firewall.

Why?

Well, you have no clue of what you are doing (no disrespect) and that in itself puts the company at risk.

And we cannot help you properly with that.

This is a public forum, and even though most of us here are willing to donate time and experience and will give you answers to the best of our abilities, there are limitations on how much you can discuss without breaching your security to everyone.

And some of those things are best discussed under the cloak of secrecy.

So my advice would be:

1) Talk to a Cisco rep

2) Buy a 5505 to fiddle with so you can learn why things are done the way they are done

3) Educate yourself with courses/books/this forum, and so on

Now to your questions, just in case you are just fiddling around with your own unit.

Connect to the CLI (since you state that you know how, we will skip that part).

To save a config you write

write mem

or

copy running-config startup-config

When it comes to the issue that the commands grow longer: actually, most of them do not.

But here is a way to visualise how things are done.

You have compartments.

The interface gigabitethernet0/0, for example, is one compartment.

In that compartment you put all the information you need for that single compartment.

In this case that would be things like

ip address

subnet mask

interface name

security level.

speed and duplex

and so on

Same with webvpn.

It's a compartment holding all the information on the webvpn that is specific for the webvpn.

If you do a command

show running-config all (or sh ru all for short)

you will get a lot more information than just sh run.

Also, sh ru ? will give you most of the possible arguments you can do, and there you will see, for example, webvpn (the compartment).

There are problems with using the ASDM.

The ASDM, I am sad to say, is not to be trusted.

Sometimes it just outright lies to you.

And if you do use the wizards, they sometimes do not put all things where they are supposed to be, or miss things.

So the ASDM is not foolproof in any way, but it has nice graphics and the logging can be helpful.

So it helps you out in the beginning, but when you get more advanced it bites you in the....

Good luck

Hope This Helps

Community Member


Thanks for your reply.

I contacted customer support... they asked for a copy of the config and I sent it.

I'm waiting for them to get back to me.  No joy so far.

BTW... yes, this is a company firewall and yes I'm the one who set it up originally with a lot of help from this forum.  I had some difficulty at first but since then I've always managed to get it to do what I wanted it to do.  That is, until it came to setting up the VPN.  The road map is pretty poor and not at all clear relative to what is needed for which type of VPN.

I found the spot in the GUI where you change the port but it won't let me change it until I disable the webvpn.  I can't find anyplace in the GUI where I can disable webvpn so now I'm in wait mode for customer support to contact me.

Thanks again for your help... I'll let you know what customer support has to say.


BTW... I have the running config backed up in several places.

Community Member



Customer support never got back to me but by using the information you supplied I was able to fix the problem.  As you had correctly assessed earlier, port 443 was assigned to both remote administration and remote VPN.  Once I learned how to disable webvpn I was able to reassign webvpn to a different port.  After the port was reassigned the VPN connection on the ASA 5510 worked perfectly.

Thank you so much for your excellent advice... on all issues.

Now for my next problem....

Clients inside the network are unable to connect to an outside VPN server that we sometimes use.  This is not related to the problem we just fixed... this is a separate issue.  We know that the clients' connection requests are getting to the outside VPN server because we have the ability to monitor it and we see the connection attempt, but the responses coming back from the outside VPN server are being blocked by the ASA.  I believe I created all the correct access-list entries.  Any ideas as to what could be blocking inbound protocol 47 in the ASA?

