10-08-2012 12:01 PM - edited 03-11-2019 05:06 PM
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.
I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.
I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
Attached is a sanitized version of my config. Any help is appreciated.
10-09-2012 01:34 PM
When I try "enable outside" my ASA tells me they're already enabled.
10-09-2012 01:47 PM
Stranger and stranger, I un-enabled the default webvpn group. Outside interface page still won't come up. On Android, neither of my VPN5 users can log in. When I try to use the default webvpn log in it tells me anyconnect isn't enabled on the server, which I expected because I just un-enabled it. But why is VPN5 still not working? And for that matter, the web page?
10-09-2012 02:08 PM
I had some sort of group lock option on. I turned that off and I can log in via Android. I can't get to any corporate sites or internet sites, but I can log in using the VPN5 vpn. I thought this was a split tunneling issue and turned that off. This did not help, I still cannot get to the internet or to internal sites while logged into the VPN.
Also, still can't get into the outside interface page.
10-09-2012 02:10 PM
Additionally, I took out my entries for DNS and WINS servers thinking this might be the issue, changed it to inherited, this brings up an error that "dns cannot be blank" when I try to edit the connection profile. Added the DNS and WINS server addresses back in. No change.
10-09-2012 03:00 PM
I added a NAT exemption and re-added split tunneling. That's working, as far as I've tested, I can vpn into my network via android, ping local networks and ping the internet. Traceroute shows split tunneling is working. Android, overall, seems to be working.
HOWEVER, I still cannot get the outside interface website to show up. Not on its own, not with VPN5, vpn5, or admin after. This is the last part, any help is appreciated.
10-10-2012 07:45 AM
More strangeness, I can ping the outside interface external ip address from my firewall, which I've read is a good indicator the web page should be working. But it's not. Any ideas?
10-10-2012 08:20 AM
Followed the below thread:
https://supportforums.cisco.com/thread/2138580
When I ran the "show asp table socket" command, SSL was being listened for on that outside interface. I ran the "no http server enable" and got into webvpn to run the "no outside enable" then "outside enable" to refresh it. Checked the socket table, it was still listening. Web page still isn't working.
EDIT: Running "no http server enable" kills your ability to get into the ASDM, do NOT run that command.
10-10-2012 12:27 PM
Hello Adam,
Can you post the updated show running-config so I can analyze it?
Regards
Julio
10-11-2012 12:22 PM
Ok, things are progressing, but I still have some issues I'd like help with. Here's the situation: I can connect in via Android AnyConnect and iPhone AnyConnect, they can get around in the internal network. Coming from the outside of my network, I can get to the external address of my outside interface and the login page comes up to install the client.
Issues:
1) I still cannot access my outside interface from my internal network, at least to the point where it lets me bring up the webpage, log in, and install the client. This seems like it should be easy to set up, but it has eluded me so far.
2) I can install the client on my Windows 7 x86 machine but when I try to connect I'm getting 2 windows that pop up talking about security warnings and certificates. The second window requires me to actually get into the settings of the client and allow client to connect to an "untrusted server". I have a self signed certificate created by the ASA, I'm assuming/hoping there is a way I can import that cert into any machine that wants to connect and avoid seeing those error messages.
3) After working with the AnyConnect client I noticed the lack of an option to save/remember a password. I'm looking for an alternative client that allows this and works with SSL, anyone have recommendations? Ideally I'd like one client for both Android and iPhone.
Thanks.