03-26-2019 05:29 PM - edited 03-26-2019 07:51 PM
Hi All,
I have a question about why my Cisco AnyConnect page does not display when I try to access it. I have set up the SSL VPN on my Cisco firewall. I have followed all the steps on how to set it up, but my Cisco AnyConnect page still does not display anything; it just gives me a white page.
By the way, I do have 2 ISPs connected to my firewall; would that also cause the problem? How do I dedicate my SSL VPN to a single ISP?
Your advice is much appreciated.
Thank you so much
03-26-2019 05:37 PM
How do you attempt to connect to your SSL VPN? What hostname are you using, and what does it resolve to?
03-26-2019 06:06 PM - edited 03-26-2019 07:35 PM
Hi Sir,
I have firewall.***itsolutions.com and it is already giving a cert. It just gives me a white blank page.
Actually, I have configured another ASA and it also has an SSL VPN through Cisco AnyConnect, and I did not encounter any problem at all. I also tried accessing the Cisco AnyConnect page via the ISP IP.
Thanks
03-26-2019 08:23 PM
"By the way, I do have 2 ISPs connected to my firewall; would that also cause the problem? How do I dedicate my SSL VPN to a single ISP?"
This may be part of your problem. ASAs don't typically handle dual ISPs well for incoming traffic since they only have a single default route outbound. The traffic comes into the ASA based on the address where you are hosting the VPN page. If it is all set up in the VPN configuration, the ASA will reply to the client using the interface that is appropriate for the default route (i.e. your primary ISP). So the TCP 3-way handshake will never succeed.
One can use a second ISP for failover (route tracking and IP SLA etc.) or with policy-based routing (PBR) if you want to direct traffic to some known destinations down the second ISP. However, if you have remote clients at random locations on the Internet, you will always use the default route to reach them from the ASA, even if they arrive via the second ISP.
03-26-2019 09:05 PM
Hi Sir,
Thanks for this great info. So how can I select my primary ISP IP address to point to my SSL VPN configuration? Also, my public domain is pointing to my primary ISP IP address.
How can I bind the SSL VPN so that it strictly sticks to the primary IP address?
Thanks
More Power!
03-26-2019 09:35 PM
You're welcome.
The primary setting is to enable the interface to listen for incoming remote access VPN connections:
webvpn
 enable outside
(assuming "outside" is the nameif of your primary ISP interface - otherwise substitute the actual nameif)
In ASDM that's what happens when you check the box in the remote access VPN connection profile to enable the VPN on the interface and apply the change.
In addition to that, for a full setup, you should have a public DNS entry that maps that interface IP Address to an FQDN and a certificate installed that has that FQDN as a Common Name (CN).
03-26-2019 10:10 PM
Hi Sir,
I have already done that via ASDM, but it is still not showing up in the web portal.
"OUTSIDE" is the main ISP and it also has an FQDN registered with a certificate.
03-27-2019 12:01 AM
Hmm ok. That covers the most common issues.
Can you share the output of "show run webvpn" and "show asp table socket | i 0.0.0.0"?
03-27-2019 08:37 AM
Harold,
It looks like you might have some NAT rules that translate 443 on the outside to a server (OWA I think) on the inside. This may cause the SSL session to be terminated on the inside server rather than the ASA. Can you check your NAT rules?
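The NAT check suggested in the accepted answer can be scripted against a saved running-config. The following is an added example, not part of the original thread: the sample config, object names and addresses are constructed, and it assumes WebVPN listens on its default port tcp/443. It flags static port forwards that take tcp/443 on an interface where WebVPN is enabled.

```python
import re

# Constructed sample running-config; names and addresses are hypothetical.
SAMPLE_CONFIG = """\
object network OWA-SERVER
 host 192.168.10.20
 nat (inside,OUTSIDE) static interface service tcp https https
object network MAIL-SERVER
 host 192.168.10.21
 nat (inside,BACKUP) static interface service tcp smtp smtp
webvpn
 enable OUTSIDE
 anyconnect enable
"""

HTTPS = {"https", "443"}
# Object NAT (8.3+): nat (real,mapped) static interface service tcp <real> <mapped>
OBJ_NAT = re.compile(r"^\s*nat \((\S+?),(\S+?)\) static interface service tcp (\S+) (\S+)")
# Pre-8.3 form: static (real,mapped) tcp interface <mapped_port> <real_ip> <real_port>
OLD_STATIC = re.compile(r"^\s*static \((\S+?),(\S+?)\) tcp interface (\S+) (\S+) (\S+)")

def webvpn_interfaces(config):
    """Return lower-cased nameifs enabled under the 'webvpn' block."""
    found, in_webvpn = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level line starts a new block
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn:
            m = re.match(r"^\s+enable (\S+)\s*$", line)
            if m:
                found.add(m.group(1).lower())
    return found

def find_443_conflicts(config):
    """Return (nameif, rule) for each forward of tcp/443 on a WebVPN interface."""
    vpn_ifs, hits = webvpn_interfaces(config), []
    for line in config.splitlines():
        new, old = OBJ_NAT.match(line), OLD_STATIC.match(line)
        if new:
            mapped_if, mapped_port = new.group(2), new.group(4)
        elif old:
            mapped_if, mapped_port = old.group(2), old.group(3)
        else:
            continue
        if mapped_if.lower() in vpn_ifs and mapped_port.lower() in HTTPS:
            hits.append((mapped_if, line.strip()))
    return hits

if __name__ == "__main__":
    for nameif, rule in find_443_conflicts(SAMPLE_CONFIG):
        print(f"tcp/443 on {nameif} is forwarded away from the ASA by: {rule}")
```

Twice-NAT rules and a non-default WebVPN port are not covered by these two patterns and still need a manual look.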
04-01-2019 07:38 PM