
ASA cut-through proxy authentication stopped displaying login page

jedavis
Level 4

Hi,

I have an ASA-5510 running 8.0 that has been in place for years. It suddenly stopped displaying the login page for cut-through proxy. Log messages show that it is completing the SSL handshake, but this is the last message, then the browser just hangs.

%ASA-6-725002: Device completed SSL handshake with client outside:10.1.1.1/57464

No configuration changes related to cut-through have taken place since this was working.  The only configuration change was a simple addition of an unrelated IP address to an unrelated network object group. I have rebooted the ASA and tried several variations on the configuration.  At this point I am at a loss as to how to troubleshoot any further.   Has anyone experienced this before?  Any suggestions?

Thanks,

-Jeff

3 Replies

Philip D'Ath
VIP Alumni

What version of software are you using on the ASA?

I note this mentions SSL.  Any chance you have had a recent browser upgrade, and it is using incompatible SSL settings with the ASA?

Hi Philip, thanks for the response.

This is an older firewall which is slated for upgrade, and as I noted it is running 8.0.  I tried multiple browsers on multiple systems and it just does not serve up the login page.  I have run a packet capture on both the firewall and the PC that is trying to connect and compared them to make sure something wasn't getting filtered out along the way.

In my configuration I have the authentication listeners configured:

aaa authentication listener http outside port 1080 redirect
aaa authentication listener https outside port 1443 redirect

In troubleshooting I did discover that if I remove this statement:

aaa authentication secure-http-client

I can then use the browser to connect to the http listener and then authenticate.  It is properly redirected to port 1080.  However, I cannot use clear text user IDs and passwords.  But I can't get the https listener to respond.

-Jeff
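Added example (not code from the thread or from Cisco): a stage-by-stage probe of the https listener from the configuration above (port 1443). It separates TCP connect, the TLS handshake at one forced protocol version, and the HTTP response after the handshake, each with its own timeout, so a "handshake completed, then nothing" symptom like the %ASA-6-725002 line in the first post can be tied to a stage and a TLS version instead of being guessed from the browser. The address 192.0.2.1 is a placeholder for the ASA outside interface; the request path and the diagnosis labels returned by classify are my own conventions, not ASA behaviour.

```python
"""Probe an HTTPS listener stage by stage: TCP connect, TLS handshake at a
forced protocol version, then an HTTP request over the finished handshake.

Added example for the cut-through proxy thread; HOST and the diagnosis
labels are assumptions, the port comes from the posted listener config.
"""
import socket
import ssl
from dataclasses import dataclass

HOST = "192.0.2.1"   # assumption: replace with the ASA outside address
PORT = 1443          # from the post: aaa authentication listener https outside port 1443

# One context per version so the probe reports which versions the listener
# can complete a handshake on and which of those actually serve a page.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


@dataclass
class ProbeResult:
    version: str
    tcp_connected: bool = False
    handshake_ok: bool = False
    negotiated: str = ""
    cipher: str = ""
    http_bytes: int = 0      # bytes received after the handshake; 0 means nothing came back
    error: str = ""


def build_request(host: str, port: int, path: str = "/") -> bytes:
    # HTTP/1.0 with Connection: close so a healthy server ends the exchange itself.
    return (f"GET {path} HTTP/1.0\r\nHost: {host}:{port}\r\n"
            f"User-Agent: listener-probe\r\nConnection: close\r\n\r\n").encode("ascii")


def make_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False          # diagnostic only: we want the handshake, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Old firewall code offers legacy ciphers; lower OpenSSL's security level
        # so the client actually offers them instead of failing the handshake locally.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host: str, port: int, name: str, version: ssl.TLSVersion,
          timeout: float = 5.0) -> ProbeResult:
    r = ProbeResult(version=name)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        r.error = f"tcp: {e}"
        return r
    r.tcp_connected = True
    try:
        tls = make_context(version).wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError, ValueError) as e:
        # ValueError: this Python/OpenSSL build refuses the requested version.
        r.error = f"handshake: {e}"
        raw.close()
        return r
    r.handshake_ok = True
    r.negotiated = tls.version() or ""
    r.cipher = (tls.cipher() or ("",))[0]
    try:
        tls.settimeout(timeout)
        tls.sendall(build_request(host, port))
        chunks = []
        while True:
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
        r.http_bytes = sum(len(c) for c in chunks)
    except socket.timeout:
        r.error = "http: no response after handshake (server hung)"
    except (ssl.SSLError, OSError) as e:
        r.error = f"http: {e}"
    finally:
        tls.close()
    return r


def classify(results):
    """Reduce per-version results to one diagnosis plus the versions that served a page."""
    served = [r.version for r in results if r.http_bytes > 0]
    if served:
        return "ok", served
    if not any(r.tcp_connected for r in results):
        return "tcp-unreachable", []
    if not any(r.handshake_ok for r in results):
        return "no-common-tls-version", []
    return "hangs-after-handshake", []


if __name__ == "__main__":
    results = [probe(HOST, PORT, name, ver) for name, ver in VERSIONS.items()]
    for r in results:
        print(f"{r.version:8} tcp={r.tcp_connected} hs={r.handshake_ok} "
              f"neg={r.negotiated} cipher={r.cipher} bytes={r.http_bytes} {r.error}")
    print("diagnosis:", classify(results))
```

Run it from the same host the browser is on; a version that reaches handshake_ok=True with http_bytes=0 reproduces the "handshake done, then hang" log pattern independently of any browser and shows which protocol versions the listener still completes.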

I never did find an answer as to why this stopped working.  But here is an interesting twist.  Someone told me that they discovered that if they configured IE11 with a proxy server and then entered the firewall address in as an exclusion that the browser would display the login page.  In disbelief I tried it myself and bang!  There was the login page.  I played with it a little bit and discovered that I could put anything in as a proxy server, such as proxy.nonexistent.com and then tell IE to exclude everything by putting a single * in the exclusion list.  Of course this makes no sense at all because we started with a browser that had no proxy configured, and it didn't work.  Then we configured a proxy server but told IE not to use it and it did work.  Obviously this changed something about the browser behavior but I don't know what exactly.  It still doesn't work with Firefox or Chrome.

I already had an ASA-5515X on the way to replace this 5510 so I just told them to use this as a workaround.
