Anyconnect v3 SBL not working

cbeswick
Level 1

Hi,

I am testing SBL on AnyConnect client v3.0.4235. The client connects fine when logged into Windows, but the SBL keeps failing on connection. I have enabled logging on the ASDM and the session gets as far as negotiating the cipher, then it disconnects. I have also tried debugging the webvpn command in the CLI and get no output whatsoever.

I have tried using both a wired and wireless connection. The Windows OS is XP 32 bit.

Once logged in to Windows the client connects fine and all the login scripts work to map drives etc., so this proves that the anyconnectprofile.xml I am using is working. Could there be something in the XML profile or ASA config that I am missing to permit SBL to work?

Any help would be greatly appreciated, I am at my wits' end now as I cannot see why the SBL isn't processing correctly. At the moment I have to cancel the SBL connection window, log into Windows, then launch the AnyConnect client once logged in.

ASA software version is 8.2(2).

Chris.

** Update - After carrying out some further logging, I can see that the SBL connection terminates just before you would expect the handshake for the TLSv1 session.

Accepted Solution

Herbert Baerten
Cisco Employee

Does it fail right after the ASA sends its certificate?

Is the ASA certificate self signed? If so, is it in the trusted roots in the machine store (not the user store, SBL uses the machine store!).

If it's not self signed, is the issuing CA trusted in the machine store?

If that's not it, check the event log (eventvwr.exe -> applications and services logs -> Cisco Anyconnect).

hth

Herbert


9 Replies

Does the SBL require a username password or are you using a token or certificate? 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.


Hi guys.

The connection fails before I even get prompted for the username / passcode. We are using RSA authentication.

In the logs the first SSL handshake is completed and then gets terminated, much the same way as a normal SSL VPN starts, but the second DTLS handshake doesn't start, and the SBL window just shows a "Connection Attempt Failed" message.

Nice catch, glad it worked out.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Would putting this in the profile xml file work as well:

All

Hi Steven,

This setting was already enabled in the XML profile, but it still didn't work without placing the self-signed certificate (with its FQDN as the CN) in the trusted root store for the machine.

cbeswick
Level 1

Hi Herbert,

You're a life saver!

I created a new self-signed certificate and placed this in the trusted root store on the local machine and it worked straight away. Why is this not explained in any part of the Cisco documentation? I have spent days trying to figure out why SBL wouldn't work.

Thanks again. Chris.

rmcgovern07
Level 1

Chris,

Can you clarify a little more on how you resolved this? I believe I am in the same boat here. I am unfortunately pretty clueless when it comes to certificates. Any chance I could get a step-by-step walkthrough on how you fixed this? I would really appreciate it.

Thanks.

raymng
Level 1

Thanks for this post. Reading this and people's responses let us solve this same problem in our environment, which is on AnyConnect v2.5. I agree that it would be helpful if the Cisco doc would mention Machine Cert storage. Indeed I have a support ticket with the Cisco TAC (before reading this post). After spending over an hour over the phone and WebEx with the Cisco TAC, we still didn't figure out the problem. The Cisco TAC kept trying all different settings on my ASA, while I kept pointing him to the client machine Event Log message about the cert problem. Anyway, just want to say thanks.

And for others who don't know much about cert storage on Windows machines, I found this article via a Google search. It helped me figure out how to put the cert onto the machine storage space. FYI.

http://stackoverflow.com/questions/4728650/how-to-import-machine-certificate-into-the-personal-certificate-store-associated
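The checks Herbert lists in the accepted answer (is the ASA's certificate, or its issuing CA, in the machine Root store rather than the user store?), the CN-must-equal-FQDN point from Chris's follow-up, and the machine-store import that raymng links to, pulled together as one added PowerShell example. It is not code from this thread or from Cisco: it assumes the ASA answers TLS on port 443 at the hostname the AnyConnect profile dials (`$AsaFqdn`), and that `certutil.exe` is available for the import hint; the function and parameter names are my own.

```powershell
# Added example, not from the thread: diagnose why Start Before Logon (SBL)
# rejects an ASA's SSL VPN certificate. SBL runs before any user logs on, so
# only the LocalMachine certificate stores count, not the logged-on user's.
# Assumptions: $AsaFqdn is the host in the AnyConnect profile, the ASA answers
# TLS on $Port, and certutil.exe exists for the import hint (assumed names).
param(
    [Parameter(Mandatory = $true)][string]$AsaFqdn,
    [int]$Port = 443
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    # Accept whatever the server sends: the goal here is to capture the
    # certificate, not to trust it. Trust is evaluated against the stores below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 so subject/thumbprint survive closing the stream.
        $copy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $copy
    } finally {
        $client.Close()
    }
}

function Find-InRootStore {
    # Count matches in the Trusted Root Certification Authorities store of one location.
    param(
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [System.Security.Cryptography.X509Certificates.X509FindType]$FindType,
        [object]$Value
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        return $store.Certificates.Find($FindType, $Value, $false).Count
    } finally {
        $store.Close()
    }
}

$cert = Get-RemoteCertificate -HostName $AsaFqdn -Port $Port
$selfSigned = ($cert.Subject -eq $cert.Issuer)
$cn = $cert.GetNameInfo('SimpleName', $false)

"Subject:      $($cert.Subject)"
"Issuer:       $($cert.Issuer)"
"Thumbprint:   $($cert.Thumbprint)"
"Self-signed:  $selfSigned"
"Valid:        $($cert.NotBefore) to $($cert.NotAfter)"

# The client compares the CN with the host it dialled; a mismatch fails as well.
if ($cn -ne $AsaFqdn) {
    Write-Warning "Certificate CN '$cn' does not match the profile host '$AsaFqdn'."
}

if ($selfSigned) {
    # A self-signed certificate must itself be in Trusted Root.
    $machineHits = Find-InRootStore -Location 'LocalMachine' -FindType 'FindByThumbprint' -Value $cert.Thumbprint
    $userHits    = Find-InRootStore -Location 'CurrentUser'  -FindType 'FindByThumbprint' -Value $cert.Thumbprint
} else {
    # Otherwise the issuing CA must be trusted; matched here by its subject DN.
    $machineHits = Find-InRootStore -Location 'LocalMachine' -FindType 'FindBySubjectDistinguishedName' -Value $cert.Issuer
    $userHits    = Find-InRootStore -Location 'CurrentUser'  -FindType 'FindBySubjectDistinguishedName' -Value $cert.Issuer
}

# Note: on Windows the CurrentUser Root view also lists machine-wide roots, so
# "user yes, machine no" is the tell-tale of a cert imported for one user only.
"Trusted in LocalMachine\Root: $($machineHits -gt 0)   CurrentUser\Root: $($userHits -gt 0)"

if ($machineHits -eq 0) {
    if ($selfSigned) {
        # Export the captured cert and show the machine-wide import command.
        $path = Join-Path $env:TEMP 'asa-sslvpn.cer'
        [System.IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
        "Not trusted for SBL. After confirming the thumbprint above against the ASA itself, run from an elevated prompt:"
        "  certutil -addstore -f Root `"$path`""
    } else {
        "Issuing CA is not in LocalMachine\Root; import the CA certificate there, not the ASA's own certificate."
    }
}
```

Run it from an elevated prompt on the affected workstation (`.\Test-SblCert.ps1 -AsaFqdn vpn.example.com`, a constructed name). Confirm the printed thumbprint against the certificate shown on the ASA before importing anything, since the capture step deliberately accepts any certificate the server presents.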