SSL VPN with anyconnect client - login page does not display

DavidReisner (Level 1)

I have an ASA5510 that I am trying to set up for remote access using SSL VPN with the anyconnect client. I have followed the config guides on the Cisco website as well as the config guides elsewhere on the internet to no avail.

When going to https://(outside interface IP address), I get nothing; the browser never loads a page. Here are the commands I have entered:

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
 svc image disk0:/anyconnect-macosx-powerpc-2.5.3046-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.5.3046-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy VRx-WebVPN internal
group-policy VRx-WebVPN attributes
 dns-server value 192.168.100.11
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value vrx.net
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
tunnel-group VRx-WebVPN type remote-access
tunnel-group VRx-WebVPN general-attributes
 address-pool value vpn_pool
 authentication-server-group VRxAD
 default-group-policy VRx-WebVPN
tunnel-group VRx-WebVPN webvpn-attributes
 group-alias VRx-WebVPN enable

Has anyone ever seen this before? Any ideas, or what would be helpful in troubleshooting this further?

Thank you in advance!

Dave

Accepted Solution

Hello David,

Hmm... I am going to do a real quick lab setup for this.

Edit: Mine works with no problem; there has got to be something else in the configuration that is not allowing you to get the AnyConnect portal.

I used the same anyconnect image and same ASA image.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


13 Replies

Roman Rodichev (Level 7)

Did you assign ssl trustpoint to the outside interface?

No, that wasn't mentioned in Cisco setup doc. How would I do that?

Hello David and Roman,

That step is not necessary, as the ASA will use its own automatically generated SSL certificate on its interfaces, but just to let you know, it's like this.

Let's give it a try and see if that makes a difference, but it should not.

1- First, let's create our own certificate

-crypto ca trustpoint #%^#@@ (whatever name you want to use)

-enrollment self

2- Enroll to the new certificate

-crypto ca enroll #%^#@@

3- Assign the new trustpoint to the outside interface

-ssl trust-point #%^#@@ outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the quick responses. I added the trustpoint but there was no change. So I turned on logging and got the following:

Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside inteface IP)/443 by access-group "outside-in" [0x0, 0x0]

Then I added the following commands:

sysopt connection permit-vpn - no change; not sure if it takes the command, because I can't see it in "show run | inc sysopt"

access-list outside-in extended permit tcp any host (ASA outside interface IP) eq https - no more errors like above, but the same issue on the SSL VPN connection.

Is the firewall hosed or am I still missing something?
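The denies above are the useful signal: a connection to the ASA's own outside address on 443 should terminate on the box and never be checked against the interface ACL, so a 106023 deny that shows it heading to "inside" means something is forwarding that port through the box, which is consistent with how the thread is eventually resolved. As an added example (not code from the thread), a small parser that counts such denies over constructed log lines of the same shape; `vpn_listener_denies` and the 198.51.100.1 / 203.0.113.10 addresses are assumptions.

```python
import re
from collections import Counter

# Constructed %ASA-4-106023 lines shaped like the ones in the thread;
# 203.0.113.10 is the remote client and 198.51.100.1 the ASA outside address.
ASA_OUTSIDE_IP = "198.51.100.1"
SAMPLE_LOG = """\
Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:203.0.113.10/41263 dst inside:198.51.100.1/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:203.0.113.10/49580 dst inside:198.51.100.1/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:203.0.113.10/41263 dst inside:198.51.100.1/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:12: %ASA-4-106023: Deny tcp src outside:203.0.113.10/51000 dst inside:10.0.0.25/22 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:20: %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.10/52000 (203.0.113.10/52000) to inside:10.0.0.25/80 (198.51.100.1/80)
"""

DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def vpn_listener_denies(log_text, outside_ip, vpn_port=443):
    """Count 106023 denies whose destination is the ASA's own outside address
    on the SSL VPN port, keyed by (destination interface, ACL name).

    Traffic to the appliance's own address is to-the-box traffic and is not
    evaluated against the interface access-group at all, so any hit here means
    the ASA treated the session as through-the-box (e.g. a NAT rule claimed
    that address/port); the destination interface shows where it was headed.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m["proto"].lower() != "tcp":
            continue
        if m["dst_ip"] == outside_ip and int(m["dst_port"]) == vpn_port:
            hits[(m["dst_if"], m["acl"])] += 1
    return hits
```

A non-empty result names the ACL and interface to look at; for the thread's case the key would be ("inside", "outside-in").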

If you do a show run all sysopt you should see it.

Can you share your sh version?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

There it is! Found the sysopt command.

Show ver:

ASA up 14 hours 34 mins

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: Ethernet0/0         : address is 5475.d0ba.637a, irq 9

1: Ext: Ethernet0/1         : address is 5475.d0ba.637b, irq 9

2: Ext: Ethernet0/2         : address is 5475.d0ba.637c, irq 9

3: Ext: Ethernet0/3         : address is 5475.d0ba.637d, irq 9

4: Ext: Management0/0       : address is 5475.d0ba.6379, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 100

Inside Hosts                   : Unlimited

Failover                       : Active/Active

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 2

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 2

Total VPN Peers                : 250

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.

rest of it:

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.3(4)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

Hello David,

Glad you found the sysopt command.

Please do a debug for the webvpn and then try to access the Anyconnect portal:

debug webvpn svc 255

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Same thing:

Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:03:02: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:03:05: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]

Mar 19 2012 18:03:11: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]


vlad_ezh (Level 1)

Please provide "show ssl" output results.

I've seen that problem when only AES was configured as the cipher suite.

ASA# show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 null-sha1

SSL trust-points:

  outside interface: localtrust

Certificate authentication is not enabled

DavidReisner (Level 1)

I finally resolved this issue. I found that there were a few NAT statements in my config left over from a previous engineer:

static (inside,outside) tcp xxx.xxx.xxx.xxx https xxx.xxx.xxx.xxx https netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.xxx http xxx.xxx.xxx.xxx http netmask 255.255.255.255

I removed those statements and then ran the "show asp table socket" command. It showed that SSL was NOT listening on the outside interface, but it was on the inside.

I ran the "no http server enable" command (most likely not needed). Then under webvpn I ran "no enable outside" and then "enable outside" to refresh it.

At this point the "show asp table socket" command showed the outside interface listening for ssl. Then my ssl connections WORKED!!!

Thanks for all your help on this!
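The root cause was a static PAT that mapped the outside interface's own address on port 443 to an inside host, so the ASA handed the SSL VPN port to the NAT rule instead of its own listener. As an added example (not the poster's or Cisco's code), a check that reads an ASA 8.2-style config and reports static PAT lines claiming the SSL VPN port on an interface where webvpn is enabled, covering both the literal interface IP and the `interface` keyword form; the config fragment, addresses, and the names `parse` and `vpn_port_conflicts` are constructed for this example.

```python
import re

# Constructed ASA 8.2-style config modelled on the thread's leftover statics;
# addresses are documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
static (inside,outside) tcp 198.51.100.1 https 10.0.0.25 https netmask 255.255.255.255
static (inside,outside) tcp interface http 10.0.0.25 http netmask 255.255.255.255
webvpn
 enable outside
 svc enable
"""
PORT_NAMES = {"https": "443", "http": "80", "www": "80"}
STATIC_RE = re.compile(
    r"^static \([^,]+,(?P<mapped_if>[^)]+)\) tcp (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
)

def parse(config):
    """Collect nameif -> IP, the webvpn-enabled interfaces and the static lines."""
    if_ips, webvpn_ifs, statics = {}, set(), []
    stanza = nameif = ip = None
    for line in filter(str.strip, config.splitlines() + ["end"]):  # "end" flushes the last stanza
        w = line.split()
        if not line.startswith(" "):                # top-level command starts a new stanza
            if stanza == "interface" and nameif and ip:
                if_ips[nameif] = ip
            stanza, nameif, ip = w[0], None, None
            if stanza == "static":
                statics.append(line)
        elif stanza == "interface" and w[0] == "nameif":
            nameif = w[1]
        elif stanza == "interface" and w[:2] == ["ip", "address"]:
            ip = w[2]
        elif stanza == "webvpn" and w[0] == "enable":
            webvpn_ifs.add(w[1])
    return if_ips, webvpn_ifs, statics

def vpn_port_conflicts(config, vpn_port="443"):
    if_ips, webvpn_ifs, statics = parse(config)
    hits = []
    for m in filter(None, map(STATIC_RE.match, statics)):
        # Mapping the interface's own address (literal IP or "interface" keyword)
        # on the VPN port means that port no longer terminates on the ASA itself.
        own_ip = m["mapped_ip"] in ("interface", if_ips.get(m["mapped_if"]))
        port = PORT_NAMES.get(m["mapped_port"].lower(), m["mapped_port"])
        if own_ip and port == vpn_port and m["mapped_if"] in webvpn_ifs:
            hits.append(m.string)
    return hits
```

Each returned line is a static to remove or move off the interface address; after changing it, "show asp table socket" should show the SSL listener on the outside interface again, as described above.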
