
WEBVPN :: "ERROR: Failed to enable WebVPN"

jvelasquez
Level 1

Hello everybody.

I have a problem enabling "webvpn" on any interface. Every time, the ASA shows me the following log:

ASA(config-webvpn)# enable outside

Could not start webvpn

ERROR: Failed to enable WebVPN.

ASA(config-webvpn)#

I have an ASA5510 V. 8.0(3)6 with WebVPN License.

If somebody knows anything about this problem, I will really appreciate your comments.

Thanks in advance.

----------------- ASA WEB VPN Config ----

hostname ASA

domain-name mydomain.com

enable password *** encrypted

name

name 192.168.110.0 VPN-3 description VPN-3 Externo

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.114 255.255.255.248

ospf cost 10

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.1.249 255.255.255.0

ospf cost 10

!

interface Ethernet0/2

speed 100

duplex full

nameif DMZ

security-level 50

ip address 192.168.10.249 255.255.255.0

ospf cost 10

!

tcp-map alltcp

!

tcp-map msstcpmap

exceed-mss allow

queue-limit 250

mtu outside 1500

mtu inside 1600

mtu DMZ 1600

mtu management 1500

ip local pool Pool-VPN-3 192.168.110.1-192.168.110.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit 1.1.1.112 255.255.255.248 outside

icmp permit 192.168.1.0 255.255.255.0 inside

icmp permit 192.168.20.0 255.255.255.0 inside

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

timeout xlate 5:01:00

timeout conn 15:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 2:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:30:00 uauth 5:00:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

http server enable 7443

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 86400

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

webvpn

group-policy SSL-SAPOLIO internal

group-policy SSL-SAPOLIO attributes

vpn-tunnel-protocol SSL-SAPOLIO

SSL-SAPOLIO

url-list none

group-policy Remote-VPN internal

group-policy Remote-VPN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-3-ACL

default-domain value mydomain.com

username jlvelasquez password **** encrypted

username jlvelasquez attributes

vpn-group-policy SSL-SAPOLIO

service-type remote-access

username jpozo password **** encrypted

username jpozo attributes

vpn-group-policy Remote-VPN

service-type remote-access

tunnel-group Remote-VPN type remote-access

tunnel-group Remote-VPN general-attributes

address-pool Pool-VPN-3

default-group-policy Remote-VPN

tunnel-group Remote-VPN ipsec-attributes

pre-shared-key *

tunnel-group SSL-SAPOLIO type remote-access

tunnel-group SSL-SAPOLIO general-attributes

default-group-policy SSL-SAPOLIO

!

policy-map IPS_policy_OUT

class ips_class_map_OUT

ips inline fail-open

policy-map global_policy

class mssclassmap

set connection advanced-options msstcpmap

policy-map IPS_policy_DMZ

class ips_class_map_DMZ

ips inline fail-open

!

service-policy IPS_policy_OUT interface outside

service-policy IPS_policy_DMZ interface DMZ

----------------

9 Replies

Ivan Martinon
Level 7

Can you post here your "show run all http"?

Hi, this is the output:

ASA# show run all http

http server enable 7443

http 200.41.97.226 255.255.255.255 outside

http 10.1.9.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 inside

http 192.168.10.0 255.255.255.0 DMZ

José Luis

Thanks, http is enabled. Can you get the "show run all webvpn"?

Hi, this is the output:

ASA# show run all webvpn

webvpn

memory-size percent 50

port 443

dtls port 443

character-encoding none

no http-proxy

no https-proxy

default-idle-timeout 1800

no csd enable

no svc enable

no tunnel-group-list enable

rewrite order 65535 enable resource-mask *

no internal-password

no onscreen-keyboard

no default-language

no keepout

cache

no disable

max-object-size 1000

min-object-size 0

no cache-static-content enable

lmfactor 20

expiry-time 1

no auto-signon

no error-recovery disable

: # show import webvpn customization

: Template

: DfltCustomization

: # show import webvpn url-list

: Template

: No bookmarks are currently defined

: # show import webvpn translation-table

: Translation Tables' Templates:

: PortForwarder

: banners

: customization

: plugin-rdp

: plugin-ssh,telnet

: plugin-vnc

: url-list

: webvpn

: Translation Tables:

: fr PortForwarder

: fr csd

: fr customization

: fr plugin-rdp

: fr plugin-ssh,telnet

: fr plugin-vnc

: fr webvpn

: ja PortForwarder

: ja csd

: ja customization

: ja plugin-rdp

: ja plugin-ssh,telnet

: ja plugin-vnc

: ja webvpn

: ru PortForwarder

: ru customization

: ru webvpn

: # show import webvpn mst-translation

: No MS translation tables defined

: # show import webvpn webcontent

: No custom webcontent is loaded

: # show import webvpn AnyConnect-customization

: No OEM resources defined

: # show import webvpn plug-in

: rdp

: ssh,telnet

: vnc

ASA#

auraza
Cisco Employee

You might be hitting a bug. Can you post the output of "show memory detail"?

Thanks.

Hello, I attached the output of "show memory detail".

Thanks.

Ok, so there's enough memory. It could be something else. It would be best to go to a later 8.0(3) release or the latest 8.0(4) interim, as initial 8.0(3) had quite a few memory / webvpn bugs.

How much memory is required to enable HTTP or webvpn?

jvelasquez
Level 1

Something rare happened with this ASA. Now I did the same command and it works!! This is the output:

ASA(config-webvpn)# enable outside

INFO: WebVPN and DTLS are enabled on 'outside'.

ASA(config-webvpn)#

Maybe it is a memory bug.

Thanks to all

José Luis
