Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5412
Views
0
Helpful
9
Replies

Anyconnect v3 SBL not working

Go to solution
cbeswick
Level 1
Level 1

‎09-20-2011 03:39 AM - edited ‎02-21-2020 05:36 PM

Hi,

I am testing SBL on anyconnect client v3.0.4235. The client connects fine when logged into windows, but the SBL keeps failing on connection. I have enabled logging on the ASDM and the session gets as far as negotiating the cipher, it then disconnects. I have also tried debugging the webvpn command in CLI and get no output whatsoever.

I have tried using both a wired and wireless connection. The Windows OS is XP 32 bit.

Once logged in to windows the client connects fine and all the login scripts work to map drives etc, so this proves that the anyconnectprofile.xml I am using is working. Could there be something in the xml profile or ASA config that I am missing to permit SBL to work ?

Any help would be greatly appreciated, I am at my wits end now as I cannot see why the SBL isn't processing correctly. At the moment I have to cancel the SBL connection window, log into the windows, then launch the anyconnect client once logged in.

ASA software version is 8.2(2).

Chris.

** Update - After carrying out some further logging, I can see that the SBL connection terminates just before you would expect the handshake for the TLSv1 session.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎09-20-2011 06:18 AM

Does it fail right after the ASA sends its certificate?

Is the ASA certificate self signed? If so, is it in the trusted roots in the machine store (not the user store, SBL uses the machine store!).

If it's not self signed, is the issuing CA trusted in the machine store?

If that's not it, check the event log (eventvwr.exe -> applications and services logs -> Cisco Anyconnect).

hth

Herbert

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Christopher Bell
Level 4
Level 4

‎09-20-2011 05:51 AM

Does the SBL require a username password or are you using a token or certificate? 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎09-20-2011 06:18 AM

Does it fail right after the ASA sends its certificate?

Is the ASA certificate self signed? If so, is it in the trusted roots in the machine store (not the user store, SBL uses the machine store!).

If it's not self signed, is the issuing CA trusted in the machine store?

If that's not it, check the event log (eventvwr.exe -> applications and services logs -> Cisco Anyconnect).

hth

Herbert

0 Helpful

Go to solution
cbeswick
Level 1
Level 1
In response to Herbert Baerten

‎09-20-2011 07:56 AM

Hi guys.

The connection fails before I even get prompted for the username / passcode. We are using RSA authentication.

In the logs the first SSL handshake is completed and then gets terminated, much the same way as a normal SSL VPN starts, but the second DTLS handshake doesn't start, and the SBL window just shows a "Connection Attempt Failed" message.

0 Helpful

Go to solution
Christopher Bell
Level 4
Level 4
In response to Herbert Baerten

‎09-21-2011 04:06 AM

Nice catch, glad it worked out.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful

Go to solution
sjbdallas
Level 1
Level 1
In response to Herbert Baerten

‎09-21-2011 11:06 AM

Would putting this in the profile xml file work as well:

All

0 Helpful

Go to solution
cbeswick
Level 1
Level 1
In response to sjbdallas

‎09-21-2011 11:52 PM

Hi Steven,

This settings was already enabled in the xml profile, but it till didn't work without placing the self signed certificate (with its FQDN as the CN) in the trusted root store for the machine.

0 Helpful

Go to solution
cbeswick
Level 1
Level 1

‎09-21-2011 01:37 AM

Hi Herbert,

Your a life saver!

I created a new self signed certificate and placed this in the trusted root store on the local machine and it worked straight away. Why is this not explained in any part of the Cisco documentation ? I have spent days trying to figure out why SBL wouldnt work.

Thanks again. Chris.

0 Helpful

Go to solution
rmcgovern07
Level 1
Level 1

‎09-30-2011 07:34 AM

Chris,

Can you clarify a little more on how you resolved this? I believe I am in the same boat here. I am unfortunately pretty clueless when it comes to certificates. Any chance I could get a step-by-step walkthrough on how you fixed this? I would really appreciate it.

Thanks.

0 Helpful

Go to solution
raymng
Level 1
Level 1

‎10-06-2011 03:57 PM

Thanks for this post.  Reading this and people 's response let us solve this same problem in our environment, which is on AnyConnect v2.5.  I agree that it would be helpful if the Cisco doc would mention about Machine Cert storage.  Indeed I have a support ticket with the Cisco TAC (before reading this post).  After spending over an hour over the phone and WebEx with the Cisco TAC, we still didn't firuge out the problem.  The Cisco TAC keep trying all different settings on my ASA, while I keep pointing to him about the Client machine Event Log message of Cert problem.  Anyway, just want to say thanks. 

And for other who don't know much about cert storage on Windows machine, I found this article via google search.  It helps me to figure out how to put the cert. onto the machine storage space.  FYI.

http://stackoverflow.com/questions/4728650/how-to-import-machine-certificate-into-the-personal-certificate-store-associated

0 Helpful
Customers Also Viewed These Support Documents