09-20-2011 03:39 AM - edited 02-21-2020 05:36 PM
Hi,
I am testing SBL on anyconnect client v3.0.4235. The client connects fine when logged into windows, but the SBL keeps failing on connection. I have enabled logging on the ASDM and the session gets as far as negotiating the cipher, it then disconnects. I have also tried debugging the webvpn command in CLI and get no output whatsoever.
I have tried using both a wired and wireless connection. The Windows OS is XP 32 bit.
Once logged in to windows the client connects fine and all the login scripts work to map drives etc, so this proves that the anyconnectprofile.xml I am using is working. Could there be something in the xml profile or ASA config that I am missing to permit SBL to work?
Any help would be greatly appreciated, I am at my wits end now as I cannot see why the SBL isn't processing correctly. At the moment I have to cancel the SBL connection window, log into the windows, then launch the anyconnect client once logged in.
ASA software version is 8.2(2).
Chris.
** Update - After carrying out some further logging, I can see that the SBL connection terminates just before you would expect the handshake for the TLSv1 session.
09-20-2011 06:18 AM
Does it fail right after the ASA sends its certificate?
Is the ASA certificate self signed? If so, is it in the trusted roots in the machine store (not the user store, SBL uses the machine store!).
If it's not self signed, is the issuing CA trusted in the machine store?
If that's not it, check the event log (eventvwr.exe -> applications and services logs -> Cisco Anyconnect).
hth
Herbert
09-20-2011 05:51 AM
Does the SBL require a username password or are you using a token or certificate?
09-20-2011 07:56 AM
Hi guys.
The connection fails before I even get prompted for the username / passcode. We are using RSA authentication.
In the logs the first SSL handshake is completed and then gets terminated, much the same way as a normal SSL VPN starts, but the second DTLS handshake doesn't start, and the SBL window just shows a "Connection Attempt Failed" message.
09-21-2011 04:06 AM
Nice catch, glad it worked out.
09-21-2011 11:06 AM
Would putting this in the profile xml file work as well:
09-21-2011 11:52 PM
Hi Steven,
This setting was already enabled in the xml profile, but it still didn't work without placing the self signed certificate (with its FQDN as the CN) in the trusted root store for the machine.
09-21-2011 01:37 AM
Hi Herbert,
You're a life saver!
I created a new self signed certificate and placed this in the trusted root store on the local machine and it worked straight away. Why is this not explained in any part of the Cisco documentation? I have spent days trying to figure out why SBL wouldn't work.
Thanks again. Chris.
09-30-2011 07:34 AM
Chris,
Can you clarify a little more on how you resolved this? I believe I am in the same boat here. I am unfortunately pretty clueless when it comes to certificates. Any chance I could get a step-by-step walkthrough on how you fixed this? I would really appreciate it.
Thanks.
10-06-2011 03:57 PM
Thanks for this post. Reading this and people's responses let us solve this same problem in our environment, which is on AnyConnect v2.5. I agree that it would be helpful if the Cisco doc would mention Machine Cert storage. Indeed I have a support ticket with the Cisco TAC (before reading this post). After spending over an hour over the phone and WebEx with the Cisco TAC, we still didn't figure out the problem. The Cisco TAC kept trying all different settings on my ASA, while I kept pointing him to the Client machine Event Log message of a Cert problem. Anyway, just want to say thanks.
And for others who don't know much about cert storage on Windows machines, I found this article via google search. It helped me to figure out how to put the cert onto the machine storage space. FYI.
http://stackoverflow.com/questions/4728650/how-to-import-machine-certificate-into-the-personal-certificate-store-associated
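The check Herbert describes (is the ASA certificate, or its issuing CA, in the machine Trusted Root store rather than the user store?) and the fix Chris applied can be scripted. This is an added example, not code from the thread or from Cisco; it assumes the ASA certificate has been exported to a .cer file (the path and vpn.example.com below are placeholders) and that installing is done from an elevated prompt. For a CA-issued ASA certificate, pass the issuing CA's certificate file instead.

```powershell
# Added example: verify and install ASA certificate trust for AnyConnect SBL.
# Uses the .NET X509Store classes directly so it also runs on older Windows/PowerShell.
Add-Type -AssemblyName System.Security

function Test-AsaCertTrust {
    param(
        [Parameter(Mandatory)][string]$CerPath,   # exported ASA (or issuing CA) certificate
        [Parameter(Mandatory)][string]$AsaFqdn    # host name the AnyConnect profile connects to
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $result = [ordered]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $cert.GetNameInfo('SimpleName', $false)
    }

    # SBL runs before any user logs on, so only the LocalMachine store counts;
    # CurrentUser is listed only to show the difference that caused this thread.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open('ReadOnly')
        $result["TrustedIn$location"] = [bool]($store.Certificates |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        $store.Close()
    }

    # A self-signed ASA cert must carry the FQDN the client dials as its CN.
    $result.NameMatches   = ($result.SubjectCN -ieq $AsaFqdn)
    $result.SblShouldWork = $result.TrustedInLocalMachine -and $result.NameMatches
    [pscustomobject]$result
}

function Install-AsaRootCert {
    param([Parameter(Mandatory)][string]$CerPath)
    # Adds the certificate to the machine Trusted Root store that SBL checks.
    # Requires administrator rights; the ReadWrite open fails otherwise.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
}

# Usage with placeholder values:
Test-AsaCertTrust -CerPath 'C:\temp\asa.cer' -AsaFqdn 'vpn.example.com' | Format-List
# Install-AsaRootCert -CerPath 'C:\temp\asa.cer'   # then re-run the test
```

If TrustedInCurrentUser is true but TrustedInLocalMachine is false, the certificate was imported into the user's store and SBL will still fail at the TLS handshake, exactly as the original post describes.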