Beginner

Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

Hi,

We have configured AnyConnect VPN on our Firepower 4k firewall running on ASA OS 9.8 and we are able to connect the VPN successfully through the Cisco AnyConnect Client.

We have a requirement to push the AnyConnect VPN client to our customers through the firewall, which is configured with multicontext specifically for the customers.
However, we get "Internal Server Error" when we try to do HTTPS to the AnyConnect VPN IP of the firewall. The same VPN is working fine and getting connected when we use the secure AnyConnect client explicitly.
We checked several forums and learned that Web launch or Web services for AnyConnect VPN was not supported on the firewall with multicontext mode. However, we would like to re-validate whether this feature is currently supported in multicontext mode for a particular OS version or not yet. If yes, then what is the road map?

Thank you.

1 ACCEPTED SOLUTION

Hall of Fame Master

Re: Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

There is AnyConnect support and AnyConnect image download support with ASA multiple context mode.

However, there is not (to my knowledge) currently support for the Web UI as a means to login and get the initial AnyConnect image. That's as of the current ASA 9.13(1) release.

Cisco doesn't publish feature roadmap information publicly.

5 REPLIES
RJI, VIP Advisor

Re: Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

Hi,

I tested this myself recently on my ASA running 9.9 and I receive the same error message. Debug confirms the error "Clientless access has been blocked because it is not supported in Multi-context mode". There is an open bug here with no fix yet available.

I've checked the recent release notes and there is no mention of this feature being supported yet either.


HTH

VIP Advocate

Re: Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

Documentation would suggest AnyConnect RA VPN is supported in multiple context mode starting with ASA 9.5.2.

Note: From 9.5.2 multi-context based virtualization support for VPN Remote Access (RA) connections to the ASA.

From 9.6.2 we have support for Flash Virtualization, which means we can have an AnyConnect image per context.

Check this link for further information and configuration:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html

--
Please remember to rate and select a correct answer
VIP Advocate

Re: Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

More documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#ID-2172-00000128

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
  • Centralized AnyConnect image configuration
  • AnyConnect image upgrade
  • Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality

The ASA acts as a SAML Service Provider.

Clientless SSL VPN conditional debugging

You can debug logs by filtering, based on the filter condition sets, and can then better analyze them.

We introduced the following additions to the debug command:

  • [no] debug webvpn condition user <user name>
  • [no] debug webvpn condition group <group name>
  • [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]
  • [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]
  • debug webvpn condition reset
  • show debug webvpn condition
  • show webvpn debug-condition

Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.

webvpn
   cache
      no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

--
Please remember to rate and select a correct answer
Beginner

Re: Browser Web launch Error for Anyconnect VPN Client in ASA Multicontext mode

Thanks. But it does not work when we try to access via HTTPS the AnyConnect VPN IP where we want to download and install the AnyConnect client. Instead we observe a certificate error followed by the "Internal server error" display page.
I have raised a case with TAC to understand if it is actually supported for multicontext, since there has been discussion on a feature enhancement request for the same, but I am not sure if it's available now or in the roadmap.