[ISA570] Impossible to connect to SSL VPN after a while

Hi

I have a problem on all my ISA 570 (firmware 1.2.17) on SSL VPN side.

I have to reboot the router practically daily in order for the VPN connection to be OK.

I'm using a RapidSSL certificate (P12) that seems to be OK (no message during the connection).

So after a reboot, the SSL VPN is OK; I can work on it without any problems on my LAN resources.

The day after, if I try to reconnect to the SSL VPN, I get this message on my AnyConnect client (v3.1.02):

"The service provider in your current location is restricting access to  the Internet. You need to log on with the service provider before you  can establish a VPN session. You can try this by visiting any website  with your browser."

This message is the same for all my users, on different computers (MAC and PC).

A reboot of the ISA570 will make the SSL VPN OK.

I see the same problem on my 4 other routers.

On the client side, I'm trying to connect by the FQDN (vpn.impf.fr), but I get the same result with the public IP directly.

Remark: I'm using my P12 certificate on all my routers.

Could someone help me diagnose this problem?

Could it come from my certificate?

Here is a screenshot of my SSL configuration:

Thanks in advance for your help.

Kevin


Re: [ISA570] Impossible to connect to SSL VPN after a while

Not saying it would be a permanent fix, but if you select the Create NAT checkbox, does it work any better? My thinking is possibly a Split Tunneling issue that is causing difficulties validating the cert. If so, probably a bug. But worth testing.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

[ISA570] Impossible to connect to SSL VPN after a while

Thanks for your answer.

But if I enable the NAT for Internet traffic, all my Internet packets will be sent over the SSL VPN? Is that correct? Because it is not what I want...


Re: [ISA570] Impossible to connect to SSL VPN after a while

Correct. I understand. I would just try it.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

[ISA570] Impossible to connect to SSL VPN after a while

I'm using split tunneling, by specifying my corporate LAN network in the "include network" of the SSL policy, with "Create NAT" enabled.

So in that case, I think (verified with a traceroute) that Internet traffic passes through the local user's WAN?

Thanks


Re: [ISA570] Impossible to connect to SSL VPN after a while

Yes, you are correct. The Internet should pass through the user's local connection, and what I'm asking you to do would cause the users' Internet traffic to pass over the VPN and use your Internet connection. Would you mind trying the change, temporarily, to see if it makes a difference?

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

[ISA570] Impossible to connect to SSL VPN after a while

Hi

Thanks for your help

I enabled "Create NAT" yesterday evening; I'm waiting for the SSL VPN to break again.

But when I ran a traceroute to www.google.fr from an SSL user's computer, it seemed to use the local WAN and not the SSL VPN. Strange...


Hi All:I'm experiencing the

Hi All:

I'm experiencing the same behavior with the latest firmware; I've checked the above workarounds but nothing works more than once... Is there a way to have a working SSL VPN on this box?

Regards,

==

Firmware 1.2.22 / 1.2.20

[ISA570] Impossible to connect to SSL VPN after a while

Do you have remote HTTPS management enabled?

What happens when you change the SSL VPN port to 8443?

I have a running setup with 1.2.15 and also with 1.2.17 with LDAP authentication; it must be a confusing combination that crashes the SSL VPN.

Had a similar issue with remote management and management via IPSec to the internal IP. Wasn't really stable and crashed some SSL stuff which SSL VPN also uses.

Michael

Please rate all helpful posts


[ISA570] Impossible to connect to SSL VPN after a while

Hi

thanks for your help.

Yes, I'm using HTTPS for management, but on port 8081.

I would like to keep 443 for SSL, so my users just have to fill in the FQDN in the AnyConnect client.

What do you mean by "management by IPSec"?

I'm using LDAP authentication too.


Re: [ISA570] Impossible to connect to SSL VPN after a while

Hi

It is strange. I have enabled the "Create NAT" option.

I have no more SSL bug: the user (for the moment) can always connect to the SSL VPN. That is a good point.

BUT...

After 2 days, the SSL connection is OK, but it is impossible to ping any computers on the corporate LAN.

After a reboot, all is OK.


Have you got an idea ?


Re: [ISA570] Impossible to connect to SSL VPN after a while

What it sounds like to me is that there is potentially a Split Tunnelling bug. When you have Create NAT unchecked, it works and then fails, but when it's checked, it works... except for pinging the LAN, but who really needs access to the LAN over the VPN.

So what may be happening is that when Create NAT is unchecked, it uses Split Tunnelling to verify the cert with the CA. Once the bug kicks in, a day later, Split Tunnelling doesn't work correctly, and since it can't connect to the Internet, it can't verify the cert with the CA. But when you check Create NAT, there is no Split Tunnelling bug and the device has no issue verifying the cert with the CA because it continues to have Internet access.

Of course this is all theory.  I'd recommend opening a case with SBSC to see if they can determine for sure.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


Re: [ISA570] Impossible to connect to SSL VPN after a while

Thanks for your help

"except for pinging the LAN but who really needs access to the LAN over the VPN."

I mean the corporate LAN, so the SSL user has no access to the company's resources to work.

What is SBSC? How can this bug be tested and solved by Cisco's team?


Re: [ISA570] Impossible to connect to SSL VPN after a while

Kevin,
Sorry my comment about who needs access to the LAN over the VPN was meant to be a joke.

SBSC is the Small Business Support Center. You can contact them using a method found in this link.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

Sent from Cisco Technical Support iPad App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

[ISA570] Impossible to connect to SSL VPN after a while

Hi Kevin,

The latest AnyConnect (version 3.x.x) has put in some changes to prevent SSL VPN connections through insecure networks, and it would send the probe to the SSL VPN gateway when the current session is disrupted. To avoid the error you are getting, what you need to do is to have a certificate with the Common Name as your ISA's WAN IP (SSL VPN server IP) or FQDN.

I recommend you use AnyConnect version 3.0.2052, which is available on the DVD shipped with the ISA.

Please contact STAC for further assistance.

Regards,

Biraja
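Biraja's point above is that the gateway certificate must name whatever the users type into AnyConnect, the FQDN or the WAN IP, or the client treats the failed validation like a captive portal. The following Python is an added example, not from the thread or from Cisco: it checks a certificate (in the dict layout ssl.getpeercert() returns) against a target name or IP and its expiry, and diagnose() does a fully validated connection to a live gateway. The sample certificate is constructed; vpn.impf.fr is the hostname from the original post and 203.0.113.10 is a placeholder WAN IP.

```python
import socket
import ssl
import time
from ipaddress import ip_address

# Constructed sample certificate in the dict layout ssl.getpeercert() returns.
# vpn.impf.fr is the FQDN from the thread; 203.0.113.10 is a placeholder WAN IP.
CERT_OK = {
    "subject": ((("commonName", "vpn.impf.fr"),),),
    "subjectAltName": (("DNS", "vpn.impf.fr"), ("IP Address", "203.0.113.10")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def _names(cert):
    """Collect DNS SANs, IP SANs and (only as a fallback) the CN from a cert dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(str(ip_address(value)))
    if not dns:  # clients ignore the CN once any DNS SAN is present
        dns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def cert_matches(cert, target):
    """True if the FQDN or IP that users type into AnyConnect is covered by the cert."""
    dns, ips = _names(cert)
    try:
        return str(ip_address(target)) in ips  # an IP target needs an IP SAN
    except ValueError:
        target = target.lower()  # not an IP, so compare as a hostname
    for name in dns:
        if name == target or (name.startswith("*.") and "." in target
                              and target.split(".", 1)[1] == name[2:]):
            return True
    return False

def cert_expired(cert, now=None):
    """True if notAfter lies in the past; ssl's own parser handles the date format."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now

def diagnose(host, port=443):
    """Connect with full validation; return the cert dict, or the verification error text."""
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

Running diagnose("vpn.impf.fr") from a user's network before and after the gateway starts failing shows whether the certificate validation itself is what changes, which separates a certificate problem from the split-tunnel theory discussed earlier in the thread.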