
SSL VPN Issues with Internet Explorer

Well, first you need 64-bit Internet Explorer to run the web-based VPN for SA500 series devices (we use an SA540). After we figured that out, we still can't get past the SSL VPN client install on client computers. It either keeps reloading the webpage or just does nothing at all. Any insights?

Also, which CA are you guys using for SSL VPN? GoDaddy's certificates aren't compatible, as I just found out the hard way.

Accepted Solution
Tom Watts
Advisor

Hi Qasim,

The issue seems to be more localized with Windows blocking everything. I actually spent considerable time working on this yesterday to finally make it work with 64-bit Vista and 64-bit Windows 7 machines.

The few things I did to have some success:

Tools -> Internet Options -> Security -> Trusted Sites

  • Move to low
  • Disable protected mode
  • Click sites then add the SSL VPN page to be a trusted member
  • While adding the trusted site, uncheck "Require server verification for all sites on this zone"

Tools -> Internet Options -> Advanced -> Security section

  • Enable "Allow software to run or install even if the signature is invalid"

Additionally, you should download the Microsoft Visual C++ Distribution 2010 and ensure you're running the latest version of Java.

These are the things I had to do to allow Windows to let me connect. I hope this is of some help to you.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

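The four changes in the accepted solution all land in the current user's Internet Settings registry hive, so a defender can check whether a workstation has been left in that weakened state from a `reg export` of that key. The script below is an added example, not code from the thread or from Cisco: the registry paths and value meanings it relies on (Zones\2 is Trusted Sites, CurrentLevel encodes the slider, the "2500" value is Protected Mode, bit 0x4 of Flags is "Require server verification", Download\RunInvalidSignatures is the Advanced-tab setting) are my own understanding of how IE stores zone settings and should be confirmed against the IE version in use; the .reg content is a constructed sample, not taken from any real machine.

```python
"""Audit an exported Internet Explorer zone configuration for the weakened
settings described in the post above: Trusted Sites at Low, Protected Mode
off, "Require server verification" unchecked and invalid signatures allowed."""
import re

# Constructed sample shaped like the text of
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg
# (reg export writes UTF-16; decode it before parsing). Zone 2 is Trusted Sites.
# Registry paths and value meanings are assumptions, not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"CurrentLevel"=dword:00010000
"Flags"=dword:00000043
"2500"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vpn.example.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Download]
"RunInvalidSignatures"=dword:00000001
"""

BASE = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
TRUSTED_SITES_ZONE = 2
MEDIUM = 0x11000                       # CurrentLevel: 0x10000 Low ... 0x12000 High
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-low", 0x11000: "Medium",
               0x11500: "Medium-high", 0x12000: "High"}
FLAG_REQUIRE_HTTPS = 0x4               # "Require server verification (https:)"
PROTECTED_MODE_VALUE = "2500"          # 0 = enabled, 3 = disabled

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"(.+?)"="(.*)"$')


def parse_reg(text):
    """Return {key path (lower-cased): {value name: int | str}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is None:
            continue
        elif m := DWORD_RE.match(line):
            keys[current][m.group(1)] = int(m.group(2), 16)
        elif m := STRING_RE.match(line):
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit(keys):
    """Return human-readable findings for the four weakenings plus any site
    that has been mapped into the Trusted Sites zone."""
    findings = []
    zone = keys.get(BASE + r"\zones\2", {})
    level = zone.get("CurrentLevel")
    if level is not None and level < MEDIUM:
        findings.append("Trusted Sites security level is %s (below Medium)"
                        % LEVEL_NAMES.get(level, hex(level)))
    if zone.get(PROTECTED_MODE_VALUE) == 3:
        findings.append("Protected Mode is disabled for Trusted Sites")
    flags = zone.get("Flags")
    if flags is not None and not flags & FLAG_REQUIRE_HTTPS:
        findings.append("Trusted Sites no longer requires https for member sites")
    if keys.get(BASE + r"\download", {}).get("RunInvalidSignatures") == 1:
        findings.append("Software with an invalid signature is allowed to run or install")
    domains = BASE + r"\zonemap\domains" + "\\"
    for path, values in keys.items():
        if path.startswith(domains):
            for scheme, zone_id in values.items():
                if zone_id == TRUSTED_SITES_ZONE:
                    findings.append("%s://%s is mapped into Trusted Sites"
                                    % (scheme, path[len(domains):]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

Run against a real export (`open("ie.reg", encoding="utf-16").read()`), an empty findings list means none of the four workarounds is in effect; each finding names one setting to revert once the VPN client is installed, since "Low" plus disabled Protected Mode plus unsigned code allowed applies to every site in the zone, not just the VPN portal.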

6 Replies

Thanks Thomas. I'll give it a try.

Nope, I wasn't able to resolve this. The problem seems to be with IE version 8. I was surprised to see my Win7 x64 machines work without any workarounds. I am investigating this matter further and will keep you informed. Thanks.

Here's the error:

Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
Timestamp: Fri, 24 Aug 2012 14:46:13 UTC
Message: Overflow: 'XTunnel1.ServerPort'
Line: 259
Char: 1
Code: 0

Qasim, thank you for the continued effort to resolve your issue. Aside from the configuration that we have accomplished here:

https://supportforums.cisco.com/thread/2168382

In addition, the resolution relied on Active Directory, to set the SSL client accounts the same as the AD accounts, but additionally modifying the computers with a router to allow the outside subnet into the private network. You have also added that any machine that runs Windows Server 2003 R2 or later does not require any routes.

Thanks.

-Tom

mthomas1999
Beginner

Hey guys, I need help with SSL VPN config. I have an ASA 5505 version 9.1 and set up SSL VPN, which I can connect to locally but not from the internet. From the internet I get prompted to access the secure https site, then when I connect I get a blank page - "connection was reset" message.

Here is my config:

ZEPPELIN# show run
: Saved
:
ASA Version 9.1(1)
!
hostname ZEPPELIN
domain-name MIWEBPORTAL.com
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLVPNPool 172.19.19.20-172.19.19.29 mask 255.255.255.0
!
interface Ethernet0/0
description ISP-MODEM
switchport access vlan 20
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/3
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/4
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/5
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/6
description DMZ
switchport access vlan 99
!
interface Ethernet0/7
description DMZ
switchport access vlan 99
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan19
description INTERNAL-NET
nameif MYNETWORK
security-level 100
ip address 172.19.19.1 255.255.255.0
!
interface Vlan20
description DHCP-MODEM-INTERNET
mac-address XXX.XXX.XXX
nameif INTERNET
security-level 0
ip address dhcp setroute
!
interface Vlan99
description DMZ-NET
no forward interface Vlan19
nameif MYDMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name MIWEBPORTAL.com
object network MYNETWORK
subnet 172.19.19.0 255.255.255.0
object network MYDMZ
subnet 192.168.99.0 255.255.255.0
object network Media-PC
host 172.19.19.29
description Media-PC
object network FOSCamera
host 172.19.19.99
object service USBCAM_SVC
service tcp source eq 20019 destination eq 20019
object network USBCamera
host 172.19.19.199
object network NETWORK_OBJ_172.19.19.16_28
subnet 172.19.19.16 255.255.255.240
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list MYNETWORK_access_in extended deny ip object Media-PC any
access-list MYNETWORK_access_in extended permit ip any any
access-list FOSCAM-in extended permit tcp any object FOSCamera eq 51999 log inactive
pager lines 24
logging enable
logging asdm informational
mtu MYNETWORK 1500
mtu INTERNET 1500
mtu MYDMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MYNETWORK,INTERNET) source static any any destination static NETWORK_OBJ_172.19.19.16_28 NETWORK_OBJ_172.19.19.16_28 no-proxy-arp route-lookup
!
object network MYNETWORK
nat (MYNETWORK,INTERNET) dynamic interface
object network MYDMZ
nat (MYDMZ,INTERNET) dynamic interface
object network FOSCamera
nat (MYNETWORK,INTERNET) static interface service tcp 51999 51999
object network USBCamera
nat (MYNETWORK,INTERNET) static interface service tcp 52999 52999
access-group MYNETWORK_access_in in interface MYNETWORK
access-group FOSCAM-in in interface INTERNET
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 1999
http 172.19.19.0 255.255.255.0 MYNETWORK
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INTERNET_map interface INTERNET
crypto ca trustpoint localtrust
enrollment self
subject-name CN=sslvpn.miwebportal.com
keypair sslvpnkey
crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
certificate 456ad952
    3082020b 30820174 a0030201 02020445 6ad95230 0d06092a 864886f7 0d010105
    0500304a 311f301d 06035504 03131673 736c7670 6e2e6d69 77656270 6f727461
    6c2e636f 6d312730 2506092a 864886f7 0d010902 16185a45 5050454c 494e2e4d
    49574542 504f5254 414c2e63 6f6d301e 170d3134 30313230 31353030 31365a17
    0d323430 31313831 35303031 365a304a 311f301d 06035504 03131673 736c7670
    6e2e6d69 77656270 6f727461 6c2e636f 6d312730 2506092a 864886f7 0d010902
    16185a45 5050454c 494e2e4d 49574542 504f5254 414c2e63 6f6d3081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 818100dc e35bb0a1 1ff13a12
    05772cc7 50ec3c48 251749ca 3b724da9 7d9f90f9 e8d4fd85 9ee22d62 cc62275a
    ce637497 914d30a6 4c3420ac ef11582b 7d931f4f 0ef3be12 30f9a8d1 dcef2361
    25dd914b 31a6827d f33c6934 271d4dd9 ba422c0f ff3379dd da29211e 7e92d30c
    fb150022 a199b904 c41e8d9c 7ce54fa1 ce118b9e bd101b02 03010001 300d0609
    2a864886 f70d0101 05050003 8181009c 8ee9b89f f84aebd3 add84b20 6e8a5189
    7d4851cb 2a849e4f 48000537 7151661a f15d0abe 9a97540d fdc86946 c84ace41
    d54d9963 1ad05ae1 5044e2a0 62992d62 4dbbbd7e bc2558fe 9a1fed03 a4c8de2b
    79ffb5da 6bb9493d 30dfaa51 2c0d9765 a7c0f44b 7296c670 56515b1e cb342a8f
    ae04ccc1 3548debb d5435100 d6b47f
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable INTERNET client-services port 443
crypto ikev2 remote-access trustpoint localtrust
telnet timeout 5
ssh 172.19.19.0 255.255.255.0 MYNETWORK
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 172.19.19.18-172.19.19.28 MYNETWORK
dhcpd enable MYNETWORK
!
dhcpd address 192.168.99.9-192.168.99.19 MYDMZ
dhcpd enable MYDMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust MYNETWORK
ssl trust-point localtrust INTERNET
webvpn
enable MYNETWORK
enable INTERNET
anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
anyconnect profiles AnyConnectSSL_client_profile disk0:/AnyConnectSSL_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy SSLGrpPolicy internal
group-policy SSLGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
webvpn
  url-list none
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_AnyConnectSSL internal
group-policy GroupPolicy_AnyConnectSSL attributes
wins-server none
dns-server value 172.19.19.1
vpn-tunnel-protocol ikev2 ssl-client
default-domain value MIWEBPORTAL.com
webvpn
  anyconnect profiles value AnyConnectSSL_client_profile type user
username MThomas-x password I3iNtAfVbtN12L4e encrypted privilege 15
tunnel-group AnyConnectSSL type remote-access
tunnel-group AnyConnectSSL general-attributes
address-pool SSLVPNPool
default-group-policy GroupPolicy_AnyConnectSSL
tunnel-group AnyConnectSSL webvpn-attributes
group-alias AnyConnectSSL enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a065cc3cb4d3de5eeaf81e7632cac831
: end
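A running-config like the one above is long enough that the crypto choices are easy to miss when reading it by hand: it still offers DES and 3DES proposals, lists MD5 as an ESP integrity option, negotiates only DH groups 2 and 5, and presents a self-signed trustpoint on the Internet-facing interface (which is why browsers warn before the client even loads, and ties back to the CA question in the first post). The script below is an added example, not Cisco tooling or the poster's own, that parses ASA config text into commands and sub-commands and reports those weak settings; the embedded excerpt is trimmed from the posted config with the leading space ASA prints on sub-commands restored (the forum stripped it). It reviews crypto hygiene only and does not diagnose the "connection was reset" problem the poster asks about.

```python
"""Static review of an ASA running-config for the crypto and certificate
settings that matter to a remote-access VPN. Parses the config into
top-level commands with their sub-commands and reports weak choices."""

# Constructed excerpt trimmed from the config posted above; ASA prints
# sub-commands with a leading space (restored here, an assumption about the
# original formatting). Indented lines belong to the command above them.
SAMPLE_CONFIG = """\
hostname ZEPPELIN
access-list MYNETWORK_access_in extended deny ip object Media-PC any
access-list MYNETWORK_access_in extended permit ip any any
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ca trustpoint localtrust
 enrollment self
 subject-name CN=sslvpn.miwebportal.com
 keypair sslvpnkey
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
ssl trust-point localtrust INTERNET
webvpn
 enable INTERNET
 anyconnect enable
"""

WEAK_ENCRYPTION = {"des", "3des"}       # 56-bit DES and deprecated 3DES
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}        # MODP groups of 1536 bits or less


def parse_blocks(text):
    """Group config text into (command, [sub-commands]) in file order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue                    # separators, comments, checksum lines
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _weak(sub_words, keyword, weak_set, skip=1):
    """Return the weak algorithms named on a '<keyword> a b c' sub-command."""
    if sub_words[:skip] != keyword.split():
        return []
    return sorted(weak_set & set(sub_words[skip:]))


def review(blocks):
    """Return a list of findings, one string per weak setting, in config order."""
    self_signed = {cmd.split()[3] for cmd, subs in blocks
                   if cmd.startswith("crypto ca trustpoint ") and "enrollment self" in subs}
    findings = []
    for cmd, subs in blocks:
        words = cmd.split()
        if cmd.startswith("crypto ikev2 policy "):
            for sub in subs:
                sw = sub.split()
                for kw, weak, what in (("encryption", WEAK_ENCRYPTION, "encryption"),
                                       ("integrity", WEAK_INTEGRITY, "integrity"),
                                       ("group", WEAK_DH_GROUPS, "DH group")):
                    hits = _weak(sw, kw, weak)
                    if hits:
                        findings.append("ikev2 policy %s: weak %s %s"
                                        % (words[3], what, " ".join(hits)))
        elif cmd.startswith("crypto ipsec ikev2 ipsec-proposal "):
            for sub in subs:
                sw = sub.split()
                for kw, weak, what in (("protocol esp encryption", WEAK_ENCRYPTION, "ESP encryption"),
                                       ("protocol esp integrity", WEAK_INTEGRITY, "ESP integrity")):
                    hits = _weak(sw, kw, weak, skip=3)
                    if hits:
                        findings.append("ipsec-proposal %s: weak %s %s"
                                        % (words[4], what, " ".join(hits)))
        elif cmd.startswith("ssl trust-point ") and words[2] in self_signed:
            where = words[3] if len(words) > 3 else "all interfaces"
            findings.append("ssl trust-point %s on %s is self-signed; clients will get a "
                            "certificate warning" % (words[2], where))
        elif cmd.startswith("access-list ") and " permit ip any any" in cmd:
            findings.append("%s: 'permit ip any any' allows all traffic through the ACL" % words[1])
    return findings


if __name__ == "__main__":
    for finding in review(parse_blocks(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Feed it the full `show run` output saved to a file (`review(parse_blocks(open("asa.cfg").read()))`) to get the complete list; the fix for each finding is the matching `no` command on the ASA (remove the DES/3DES proposals and policies, drop `md5` from the ESP integrity lists, use group 14 or higher) and, for the trustpoint, enrolling a certificate from a CA the clients already trust instead of `enrollment self`.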