12-30-2022 10:22 AM
Hello,
I had updated a small office ASA 5508-X back in July and had not needed VPN access again until recently. The version I updated to was 9.16(3). I generally use ASDM for management. I really only want to support AnyConnect VPNs, though I still have a bit of IPsec left over from previous testing. I have an Apex license that is current, though I am only testing one VPN client right now.
When I use my credentials that have worked for years, I get "User Not Authorized for AnyConnect Client Access". I look at the ASA logs, and it is now telling me that I logged in just fine, but:
AnyConnect Client <174.209.xxx.xxx> attempted to connect on an interface with webvpn disabled. Interface : <outside>.
I don't care much in general about clientless WebVPN, but I made sure all WebVPN was enabled on that interface (client and clientless) in both ASDM and from the CLI. I also changed it to support just SSL client access, and it still gives the exact same error. I have included a config dump of some of the critical WebVPN and client pieces below.
Note that I did see CSCwc37256, which describes a similar issue, so I just upgraded to the latest update (9.16(4), asa9-16-4-9-lfbff-k8), but no joy.
webvpn
 port 8443
 enable outside
 enable inside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.05111-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 dns-server value <mydns1> <mydns2>
 vpn-tunnel-protocol ssl-client
 group-lock value MainAdminGrp
 default-domain value mydomain.net
 webvpn
  anyconnect ssl rekey time 240
  anyconnect ssl rekey method new-tunnel
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect ask none default anyconnect
group-policy GroupPolAdmin internal
group-policy GroupPolAdmin attributes
 banner value Hi!
 dns-server value <mydns1>
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
 default-domain value xxxx
 address-pools value Shorter6Group
 webvpn
  anyconnect ssl compression lzs
group-policy GroupPolicy6 internal
group-policy GroupPolicy6 attributes
 vpn-tunnel-protocol l2tp-ipsec ssl-client
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev2 ssl-client
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable
  svc ask none default svc
  always-on-vpn profile-setting
username ME attributes
 vpn-group-policy GroupPolAdmin
 password-storage disable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Shorter6Group
tunnel-group MainAdminGrp type remote-access
tunnel-group MainAdminGrp general-attributes
 address-pool Shorter6Group
 default-group-policy GroupPolAdmin
tunnel-group MainAdminGrp webvpn-attributes
 group-alias Main enable
.... etc
Any thoughts on what to do next would be appreciated. I did not want to try falling back to the pre-error image unless I had to, because of security issues.
12-31-2022 03:29 AM - edited 12-31-2022 03:30 AM
One thing I noticed is that you are not using the standard port; you are on 8443. As far as I know, if you want to change the port,
you need to disable it first ("no enable outside"; I do not think you need the inside interface here in your config, unless your requirement is different),
then change the port (8443), then "enable outside" and test.
Also, make sure that when the client initiates a connection it connects to port 8443 (by default HTTPS means 443).
Example:
12-31-2022 04:32 PM
BB,
Thank you for the reply! I saw that as an option in the bug report, but I had two other things (AnyConnect firmware download and one other) on 443, so I decided to wait on that. At the moment, I have rolled back two versions to 9.16(2) (I believe), and the VPN works but ASDM does not... pretty sure the latter is just one of the Java-related security settings, but I have not had time to track it down yet again.
I will probably go ahead back to (3), as that is where VPN first failed, and will see if changing that port helps. It is all very odd, and looks a lot like that bug report, but that was not resolved either by bouncing the webvpn service or by upgrading to (4). I wonder about the DAP, since I had never done much with that in the past, and it may help with (new?) conflicts with using ASDM and AnyConnect at the same time, but I have not been able to find anything definitive yet.
Anyway, many thanks, and I'll probably move to 9.16(3) or (4) and try that tomorrow.
-Mike
12-31-2022 05:38 PM
"but ASDM does not" - this looks like a different issue. What is the ASDM version?
Have you checked the ASDM version compatibility?
ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b
01-02-2023 07:16 AM
BB,
Thank you again. ASDM is 7.17(1.155). It has actually been working, or seeming to work, just fine with 9.16(3) and I believe (4), and I thought I had verified it. I just looked at the release notes, and I think it should at least be fully compatible with 9.16(3). I usually pull them down at the same time to be sure. It doesn't look like it will work with the older version (2), which was one of the things I figured was wrong there. I was not going to spend much effort on getting that older version to work. Hopefully, later today I'll restore it to (3) or (4) and get back to the SSL issue, and revisit the port number assignments. Thanks!! -Mike
01-01-2023 02:15 AM
ASDM and WebVPN Enabled on the Same Interface of the ASA - Cisco
If changing the WebVPN port does not work, return it to the default and instead change the ASDM HTTP port.
01-02-2023 07:23 AM
I had seen that note, but had more or less ignored it, I am afraid, as both had been working fine on 9.16(2) with things configured as they are, but it looks like they changed something. I will likely try both. Certainly bouncing the webvpn service did not help. Again, I will be restoring 9.16(3) or (4) later today, and will probably update ASDM, since it may even be something in the older version that is interfering with my configuration. One thing at a time, however.
I see that the OpenJRE version of ASDM describes it as "integrated". Does that mean I don't have to download and compile OpenJRE? That is what it looked like the last time I looked into it <grin>. I don't use Java for anything else these days. Anyway, thanks, and I'll post what seems to get it working (if I do).
01-02-2023 07:44 AM - edited 01-02-2023 07:45 AM
Also, make sure the ports are not identical for ASDM and VPN.
Also, disable WebVPN on the inside interface if not required.
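The port-move procedure from the first reply (disable WebVPN on the interface, change the port, re-enable it) together with the later suggestions to move ASDM to its own HTTP port and to disable WebVPN on inside, written out as an added ASA CLI example. This is not configuration from the thread or from Cisco documentation; the interface names, the management subnet 192.0.2.0/24 and the ASDM port 4443 are assumptions chosen for the example, and the AnyConnect image filename is the one from the original poster's config dump.

```cisco
! Assumptions (example only): the Internet-facing interface is "outside",
! management hosts sit in 192.0.2.0/24 behind "inside", and ASDM is moved
! to 4443 so AnyConnect clients can keep the default 443.
!
! 1. Put WebVPN back on 443. Disable it on every interface first, change
!    the port, then re-enable it only where it is needed.
webvpn
 no enable outside
 no enable inside
 port 443
 enable outside
!    Re-check the client image and the tunnel-group list after the port
!    change; the original poster saw the image links disappear when the
!    port was modified through ASDM.
 anyconnect image disk0:/anyconnect-win-4.10.05111-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! 2. Move ASDM/HTTPS management to its own port and restrict the sources
!    allowed to reach it (only the assumed management subnet, inside only).
http server enable 4443
http 192.0.2.0 255.255.255.0 inside
!    ASDM is then launched against https://<inside-ip>:4443/admin
!
! 3. Verify that the two services no longer share a port and that a test
!    client session is actually established.
show running-config webvpn
show running-config http
show vpn-sessiondb anyconnect
```

If AnyConnect has to stay on a non-default port instead, the port must be given explicitly on the client side (for example vpn.example.net:8443 in the connect box or in the client profile's host entry), which is the point of the "make sure the client connects to port 8443" remark above. Keeping WebVPN off inside and limiting the http command to the management subnet also keeps the two services from overlapping on the same interface and port, which is the conflict the Cisco note on ASDM and WebVPN on the same interface describes.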
01-02-2023 02:04 PM
So... I believe I have things working, and was slogging through a number of mostly self-induced issues. The primary one to start with was that the WebVPN port had moved, either by me or something else, to port 8443. So, to use it for AnyConnect, I had to tell it to connect on that port (which it finally did). I prefer 443 as the default for users, so I moved it back. I disabled it on inside.
Other issues: when I changed configs, I realized I had not fixed the ASDM link in the older image, which pointed to one that I had deleted. The ASDM launcher could not do the version test (it would be nice if it told us that). I found that fairly quickly with the Java console debugger.
Another issue was that modifying the ports, at least in the newer version of ASDM, removed the links to the client images.
There were likely some other issues with ASDM versions and signatures. I went straight back to (4) and updated ASDM (TFTP) just to be sure, so I am not sure what, other than the link pointer, finally fixed it completely.
ASDM now seems to run fine, as does AnyConnect. I have simply not seen any ASDM/WebVPN/AnyConnect conflicts, and it is still not clear to me how you can make ASDM connect on a different port... and if I read things correctly, the URL takes care of that anyway. I have ASDM and AnyConnect connected now, all on 443. The only thing I want WebVPN to do is allow client download, so I have it pretty well disabled to the extent possible. Not sure what they plan on that score once WebVPN is "deprecated", since AnyConnect seems to utilize that (SSL-Client).
I still need to test some settings, but your pointers were a great help!
-Mike