SSL VPN Apps fail to connect using Java 8 update 71 (Java 8u71)

m8r-68yphu1
Level 1

A remote client uses the SSL VPN apps for port forwarding through an ASA 5505 firewall. 

Basically no traffic was able to traverse the port forwarded IP addresses.

Using the web browser in the VPN portal allowed access to the servers' web front ends.

Only by rolling back the Java update to 8_66 were the servers accessible by the VPN applications tool.

Can you share any advice about debugging / resolving this issue?

It is required to run the latest Java version on the client network.

Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)58
Device Manager Version 6.4(5)

Result of the command: "show ssl"
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
outside interface: ASDM_TrustPoint0
Certificate authentication is not enabled

Connections to servers by ssh on the VPN resulted in this error:

ssh someuser@127.0.0.1:22222
"ssh_exchange_identification: Connection closed by remote host"

Using ssh -v, we saw keys were transferred and the connection was closed right away.


rvarelac
Level 7


Based on your description, it looks like the problem might be on the client or server end when Java is updated.

Port forwarding works at OSI layer 4 and Java works at the application layer 7, so it is unlikely the ASA is modifying the traffic with a new Java version installed on the client side.

Placing a capture on the ASA might give you a better perspective of the problem.

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Hope it helps

-Randy-
