Missing SSL VPN Bookmarks

Flaming Badger
Level 1

Hi guys,

Has anyone come across problems with missing Bookmarks on an SSL RA VPN (ASA 8.4, ASDM 641)?

I have an SSL group policy which is configured to use a Bookmark list.  When a user signs into the SSL VPN, they can see other settings that have been manually configured such as Smart Tunnels but no bookmarks appear.  I know the user is receiving the correct group policy (I created a banner which the user gets successfully when they sign in) but I'm at a bit of a loss.

Any help appreciated!

Cheers

3 Replies

Michael Schueler
Cisco Employee

Hi Iain,

Looks like this question went into the "Firewalling" section by mistake, instead of to the VPN section. That's probably why you haven't received any replies yet.

Regarding your issue:

1. You can check the group-policy selected for your test user with the command "show vpn-sessiondb webvpn filter user " on the ASA CLI. The output of this command contains a line starting with "Group Policy", which is what you need to look for.

2. Once you have confirmed that the correct group-policy is selected, verify if this group-policy has the desired bookmark list ("url-list") configured by using the "show run group-policy | include url-list" command. Does this output point to the correct bookmark list?

3. If yes, verify that this bookmark list is not empty using the "export webvpn url-list stdout" command. Does this give any output?

4. If all is still fine up to this point, the most likely cause for why you are not seeing the bookmark list is a Dynamic Access Policy (DAP) that is removing it. To check for this, enable "debug dap trace" on the ASA CLI and log in with your test user.

   You can safely ignore most of the output of this command; just look for a line containing "Selected DAPs". It will look similar to this:

   ---snip---

   DAP_TRACE: Username: , Selected DAPs:
   ---snip---

   Whatever DAP gets selected (even if it should be the "DfltAccessPolicy"), look at the output of "show run dynamic-access-policy-record ". If you are seeing "url-list none" in this output, it is this DAP policy creating this issue. To resolve it, open up ASDM, go to "Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies" and "Edit" the policy which has "url-list none". Next, go to the "Bookmarks" tab in the "Access/Authorization Policy Attributes" section and set the checkmark at "Enable bookmarks", then click "OK" and "Apply".

   If you prefer working on the CLI, you can also do the following on the CLI to resolve this:

   ---snip---

   ASA# conf t

   ASA(config)# dynamic-access-policy-record
   ASA(config-dynamic-access-policy-record)# webvpn

   ASA(config-dap-webvpn)# no url-list none

   ---snip---

   Reconnect to WebVPN and you should see your bookmarks now.

5. If you see your bookmarks, but they are greyed out, this means that you are using DNS names in your bookmarks that the ASA cannot resolve. In this case, please check your DNS server settings in ASDM under "Configuration -> Remote Access VPN -> DNS" and make sure that the configured DNS server is reachable from the ASA.

Please let me know if this helps.

Cheers,

Michael
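Steps 2 and 4 of the reply above can also be checked offline against a saved copy of the running configuration. The Python below is an added example, not part of the original reply and not Cisco tooling; the policy names and config text are constructed, and the layout is assumed to follow the "url-list" lines quoted in the thread.

```python
import re

# Constructed sample of saved "show run" output; every name here is made up.
SAMPLE_CONFIG = """\
group-policy SSL-GP internal
group-policy SSL-GP attributes
 banner value Welcome
 webvpn
  url-list value Intranet-Bookmarks
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
dynamic-access-policy-record Staff-DAP
 webvpn
  url-list value Intranet-Bookmarks
"""

def parse_url_lists(config):
    """Map (section type, name) to its url-list setting for group policies and DAP records."""
    found = {}
    section = None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line opens a new section
            m = (re.match(r"(group-policy) (\S+) attributes$", line)
                 or re.match(r"(dynamic-access-policy-record) (\S+)$", line))
            section = (m.group(1), m.group(2)) if m else None
        elif section:
            m = re.match(r"\s+url-list (none|value \S+)$", line)
            if m:
                found[section] = m.group(1)
    return found

def diagnose(config, group_policy, selected_daps):
    """Report why bookmarks would be missing for a session with this policy and these DAPs."""
    settings = parse_url_lists(config)
    problems = []
    gp = settings.get(("group-policy", group_policy))
    if gp is None or gp == "none":
        problems.append(f"group-policy {group_policy}: no url-list set on this policy")
    for dap in selected_daps:
        if settings.get(("dynamic-access-policy-record", dap)) == "none":
            problems.append(f"DAP {dap}: 'url-list none' removes the bookmarks")
    return problems

if __name__ == "__main__":
    for problem in diagnose(SAMPLE_CONFIG, "SSL-GP", ["DfltAccessPolicy"]):
        print(problem)
```

Pass the group policy name from step 1 and the DAP names from the "Selected DAPs" debug line as arguments to `diagnose`.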

Hi,

I know this is going to sound strange - is it possible to lose the bookmarks? Two people support the webVPN for my organization. I know I did not remove any url-lists/bookmarks defined and he says he did not either.

Is there any way to recover bookmarks even if the "export webvpn url-list" only shows me "Template"? All of my bookmarks are missing.

Hi Chris,

I've never heard of such a behavior. One possible explanation might be a corruption of the ASA's flash filesystem. However, if you do not experience any other weird behavior, this is rather unlikely.

Unfortunately, there's no way to recover from such a situation (unless you have backups, of course). I recommend that in the future you back up your bookmark lists. On the CLI this can be done with the "export webvpn url-list ..." command, see here for further details:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1928832

Regards,

Michael
