
Troubleshooting Secure Sockets Layer (SSL) VPN on Cisco 5500 Series Adaptive Security Appliance ASA - FAQ from Live Webcast


Introduction

Jazib Frahim (CCIE 5459) is a Technical Leader in the World Wide Security Services Practice of Cisco Advanced Services for Network Security. Previously, he was a Technical Leader for the Cisco TAC Security team and led engineers in resolving complicated Security and VPN technologies. He holds two CCIE certifications: one in Routing and Switching, and one in Security. He has presented at Cisco Live on multiple occasions, and has written numerous technical documents and books. These include Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd Edition); Cisco Network Admission Control, Volume 2; and Cisco SSL VPN Solutions.


The following experts helped Jazib answer a few of the questions asked during the session: Omar Santos, James Cline, and Larry Edie. Omar and Larry are top security experts and have vast knowledge in security topics.

 

You can download the slides of the presentation in PDF format here. The related Ask The Expert session is available here. The Complete Recording of this live Webcast can be accessed here.

 

General Questions

Q. With double authentication, we end up with two fields on the AnyConnect client called 'Password'. Can we customize this to 'token' or 'passcode' if we use another RADIUS based authentication method instead of using SDI?

A. You cannot customize the word "password" to display the word "token" to the end user. The reason we enabled double authentication is that many customers wanted to use two-factor authentication, such as SDI or token-based authentication, together with an internal authentication database such as Active Directory (AD). That is why, when we started this, it was assumed that users would be using SDI; therefore, two options are given: token or passcode. I do not think there is an option to do this in the current version. However, it is a good point, for example when you are using AD or RADIUS as the authentication database and you want "token" or "passcode" written on the field. We can possibly work with the BU on an enhancement and get it done. For more information on customization options, refer to

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac12customize.htm.

 

Q. Does the capture command only capture local users? Or, will it capture users that authenticate via RADIUS as well?

A. The capture command captures both local users and users that are being authenticated with an external authentication server (such as RADIUS, SDI, etc.). For more information, refer to

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c1.html#wp2147322.

 

Q. Can I have reference information for different debug levels, for example, debug webvpn <1, 7, 255>?

A. Some of the debug levels are very well defined from the level perspective. However, a lot of debugs are not as well defined at each level, such as which messages you are supposed to get, or which messages you should expect at each level. Depending on which debug you are using, I would suggest a generally safe option. For example, if you enable debug 255 and it shows you the decoded packets, you might just crash your system, because you get so much debug output at the packet level that it cannot be sustained. Therefore, the safest option is around 127, because once you have debug 127 enabled, it provides enough messages and enough detail to take it to the next level. If it says it is failing because of this and you are still not sure, you can increase the debugs. However, it is not recommended to enable debug 255 unless you know what to expect. If you do not know what output you might receive, then start with level 127.

 

The debug command output is assigned high priority in the CPU process(es) in the ASA, and these can cause performance issues in busy networks. For this reason, it is recommended to use debug commands only to troubleshoot specific problems or during troubleshooting sessions with the Cisco Technical Support staff. You might want to start by enabling the debugs with low levels (for example, default vs. level 255). There is no "one-size fits all" value for every debug because each has a different amount of data/output being displayed. On the other hand, the recommendation is to start with a low value (or even something such as 125) and work your way up based on the amount of output, and the need during troubleshooting.

 

Q. Recently, the server admin pushed McAfee firewall to client machines. Since then the user machines crash when they start AnyConnect and try to access internal websites. How can I identify the source of the problem using the AnyConnect troubleshooting tools?

A. It is best to get a DART file from the machine and work with the Technical Assistance Center (TAC).

 

Q. Can you have multiple domains listed for resolution by the client? For example, the internal domains include both abc.com and def.com. Can these be set up as comma delimited with the policy?

A. You can only have one domain name for resolution, but you can have multiple domain names for split tunneling. For example:

split-dns value Domain1 Domain2 Domain3 Domain4

 

Q. What is the best book to get in order to receive more troubleshooting information?

A. We are updating our ASA book with more information, including ASA version 9.0.

 

SSL VPN Related Questions

Q. Can we use an IP Communicator with SSL VPN?

A. Yes, you can use the AnyConnect client with a VPN tunnel to allow an IP Communicator to connect.

 

Q. I configured an IP Communicator with SSL VPN, but the voice is not clear. Why?

A. There are several things that can cause voice clarity issues. Check for latency and jitter. Also, make sure the connection is using DTLS. DTLS uses UDP instead of TCP and is faster for voice. One other thing is to use G.729 compression.

 

Q. Is there a document that details how to configure the DTLS?

A. To configure DTLS, refer to this configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html#wp1090425

 

Q. Is it recommended to use DTLS for the IP Communicator under SSL VPN?

A. Yes, DTLS is UDP based and is much faster. Cisco recommends it for voice over a VPN connection.
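The following configuration fragment is an added example, not from the webcast or the Cisco guides linked above. It shows, in ASA 8.4 CLI syntax, the two items covered in the split-DNS answer and the DTLS answers together: one default domain for resolution, several space-separated split-DNS domains, and DTLS enabled for the AnyConnect tunnel. The interface name, address pool, ACL, group-policy and tunnel-group names, domain names and the image file name are all assumptions; the version in the image name is a placeholder.

```text
! Added example: ASA 8.4-style AnyConnect configuration (not the webcast's own config).
! Names, addresses and domains below are constructed for illustration.

! Terminate SSL VPN on the outside interface. DTLS listens on UDP/443 and is the
! transport AnyConnect uses when it can; voice over the tunnel wants this path.
webvpn
 enable outside
 dtls port 443
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable

! Address pool handed to AnyConnect clients (constructed range)
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Split-tunnel ACL: only these internal networks are sent through the tunnel
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0

group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 ! Exactly one default domain for name resolution, as the split-DNS answer states
 default-domain value abc.com
 ! Several split-DNS domains, separated by spaces, resolved through the tunnel
 split-dns value abc.com def.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value ANYCONNECT_POOL
 webvpn
  ! DTLS for this policy (enabled by default in 8.4; written out so it is explicit)
  anyconnect ssl dtls enable

tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias anyconnect enable
```

Once a client has connected, show vpn-sessiondb anyconnect lists the protocols of each session; a session that is actually using DTLS shows DTLS-Tunnel alongside SSL-Tunnel. If only SSL-Tunnel appears, the client has fallen back to TLS over TCP, which in practice means UDP/443 is being blocked somewhere between the client and the ASA outside interface, and voice quality will degrade in the way the IP Communicator answer above describes.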

 

Q. Can the clientless SSL be used for RDP?

A. Yes, clientless SSL can be used for RDP. You have to install a server-side plug-in. There are three types of plug-ins available that you can download from Cisco's website: a plug-in for RDP, a plug-in for VNC, and a plug-in for SSH/Telnet. Once you download and install the plug-ins on the ASA, you can use RDP. If you do not choose the plug-ins and want to tunnel the traffic, the second option is to use the thin client with the smart tunnel option and port forwarding.
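As an added example (not from the webcast), these are the CLI steps for the plug-in route described in the answer, assuming the RDP plug-in has already been downloaded from Cisco and staged on a TFTP server at 192.0.2.10 (a documentation address used here as a placeholder) under the assumed file name rdp-plugin.jar:

```text
! Added example: installing and checking a clientless plug-in on the ASA.
! Server address and file name are assumptions.

! Import the RDP plug-in from the staging server into the ASA's plug-in store
import webvpn plug-in protocol rdp tftp://192.0.2.10/rdp-plugin.jar

! Confirm the plug-in is installed before creating bookmarks that depend on it
show import webvpn plug-in detail

! A clientless bookmark for an RDP host then uses the rdp:// scheme, for example
! rdp://10.1.1.50 (constructed address), created in ASDM or in the uploaded XML list

! To remove the plug-in again
revert webvpn plug-in protocol rdp
```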

 

Q. When will ASA support SSL VPN in multiple context mode?

A. It is slated for a future release. I am not aware of a date yet.

 

Q. When we are looking at SSL VPN and certificates, is it possible to use the FQDN for access restriction so that the FQDN refers to an access-list or a policy?

A. It is possible to use FQDN for certificates.

 

Q. Do we support IPv6 traffic over SSL VPN tunnel?

A. Yes, at the moment you can certainly send IPv6 traffic over the SSL tunnel. However, the restriction is that the tunnel itself terminates over IPv4. In other words, the client is encapsulating v6 traffic over v4 to the head end, and it is still pushed down the same way. In summary, your client is encapsulating v6 traffic inside a v4 tunnel; from the v6 perspective, you should be able to communicate end to end.

 

Bookmarks Related Questions

Q. What is a bookmark on configuring clientless VPN?

A. Bookmarks are used to link clientless users to internal servers via the clientless VPN tunnel. These are similar to bookmarks/favorites in your web browser. However, they tunnel the traffic through the ASA. Refer to the clientless configuration guide at:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html

 

For sample clientless configurations, refer to http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html.

 

Q. Is it always better to use GUI for bookmarks instead of exporting the template for the bookmark and modifying it?

A. ASDM is easier when configuring bookmark templates. In certain scenarios, such as DAP, you cannot use the CLI to configure SSL VPN options/features.

 

Q. Where are bookmarks saved in the ASA?

A. The bookmarks are stored in an XML file on flash.

 

Q. In the future will we be able to add bookmarks from the CLI?

A. The only way you can add bookmarks from the CLI is by manually creating an XML file and uploading it.

 

Related Information