01-30-2018 08:41 AM - edited 03-20-2019 09:51 PM
Can't all webvpn configuration be removed while still allowing the AnyConnect client? I realize some functions, like distributing the client via the ASA, would be lost, but the AnyConnect functionality for existing clients would continue to work, no?
01-30-2018 01:46 PM
Once you configure 'no webvpn' the AnyConnect VPN Client will not be able to connect.
01-30-2018 02:57 PM
Thanks. And it appears that even leaving the global "webvpn" command but removing the "enable outside" sub-command also breaks AnyConnect.
01-30-2018 03:28 PM - edited 01-30-2018 04:55 PM
Yes, removing "enable outside" would break AnyConnect because you are disabling the HTTPS service on the ASA that listens for the AnyConnect request.
01-30-2018 07:04 PM
Hi, I just checked; my ASA firewall is not using webvpn on any interface. However, I do see that it is listening on SSL port 443 on the management IP that I'm using to access the ASA. Is the ASA considered affected by this vulnerability then? I appreciate the feedback. Thanks!
01-30-2018 07:10 PM
Hello
If you run "show runn webvpn" and there is no output, then you do not have WebVPN enabled and you are not vulnerable.
I assume you have "http server enable 443" in your config. This PSIRT / bug does not affect the ASDM listener.
HTH, Please rate!
Tim
01-31-2018 09:00 AM
It looks like the latest update states you must have webvpn enabled on an interface. It also states: "An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited".
This makes it sound like you have to have DTLS enabled, but then the above statement says "TCP port", which is not DTLS.
Our configuration uses AnyConnect, but we do not leverage TLS/DTLS for transport. Based on the latest iteration of the advisory, I believe I am free and clear, but I am still waiting on the final word from TAC.
01-31-2018 09:51 AM
Is your transport IKEv2 for AnyConnect clients?
You can check this with this command:
show runn | inc vpn-tunnel-protocol
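The two checks the thread relies on, "show run webvpn" returning nothing (Tim's post) and "show run | inc vpn-tunnel-protocol" showing whether the AnyConnect group policies use SSL or IKEv2 (the last post), can be automated against a saved running-config. The script below is an added example written for this page; it is not code from any of the posters or from Cisco. It assumes the standard ASA config layout (sub-commands indented by one space under their parent command), the two constructed config excerpts embedded in it are fictional, and the "exposed_per_thread" verdict encodes only the rule stated in this thread (webvpn enabled on at least one interface; an ASDM-only "http server enable" listener does not count). It is not a substitute for reading the vendor advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpts (fictional, for this example only).
# Case 1: webvpn enabled on the outside interface, group policy allows SSL.
CONFIG_WEBVPN_ON = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
http server enable 443
http 10.0.0.0 255.0.0.0 management
webvpn
 enable outside
 anyconnect enable
group-policy GroupPolicy_RA internal
group-policy GroupPolicy_RA attributes
 vpn-tunnel-protocol ssl-client ikev2
"""

# Case 2: only the ASDM listener on 443, no webvpn block, IKEv2-only AnyConnect.
CONFIG_WEBVPN_OFF = """\
interface GigabitEthernet0/1
 nameif management
 security-level 100
http server enable 443
http 192.168.1.0 255.255.255.0 management
group-policy GroupPolicy_RA internal
group-policy GroupPolicy_RA attributes
 vpn-tunnel-protocol ikev2
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an ASA running-config into (parent command, [sub-commands]).

    Sub-commands are indented by a single space under their parent;
    comment lines starting with '!' and blank lines are ignored.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def webvpn_interfaces(config: str) -> List[str]:
    """Interfaces named by 'enable <nameif>' inside the global 'webvpn' block.

    An empty list corresponds to 'show run webvpn' printing nothing.
    """
    ifaces: List[str] = []
    for parent, children in parse_blocks(config):
        if parent != "webvpn":
            continue
        for child in children:
            m = re.match(r"enable\s+(\S+)$", child)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def tunnel_protocols(config: str) -> Dict[str, List[str]]:
    """Map each group-policy (or username) attributes block to its
    vpn-tunnel-protocol list, i.e. what 'show run | inc vpn-tunnel-protocol'
    reports, but keyed by the policy it belongs to."""
    result: Dict[str, List[str]] = {}
    for parent, children in parse_blocks(config):
        m = re.match(r"(?:group-policy|username)\s+(\S+)\s+attributes$", parent)
        if not m:
            continue
        for child in children:
            if child.startswith("vpn-tunnel-protocol"):
                result[m.group(1)] = child.split()[1:]
    return result


def assess(config: str) -> Dict[str, object]:
    """Apply the thread's rule: exposed only if webvpn is enabled on an
    interface. An 'http server enable' (ASDM) listener alone is not webvpn."""
    ifaces = webvpn_interfaces(config)
    protos = tunnel_protocols(config)
    ssl_policies = [name for name, plist in protos.items()
                    if any(p.startswith("ssl") for p in plist)]
    has_asdm = re.search(r"^http server enable", config, re.M) is not None
    return {
        "webvpn_interfaces": ifaces,
        "ssl_policies": ssl_policies,        # policies allowing ssl-client/ssl-clientless
        "exposed_per_thread": bool(ifaces),
        "asdm_listener_only": has_asdm and not ifaces,
    }


if __name__ == "__main__":
    for label, cfg in (("webvpn on", CONFIG_WEBVPN_ON), ("webvpn off", CONFIG_WEBVPN_OFF)):
        print(label, assess(cfg))
```

Feed it the output of "show running-config" captured to a file instead of the embedded samples; the verdict is only as good as the rule from this thread, so confirm it against the current advisory text before acting on it.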