ASA: Port 443 conflict when turning on SSL-VPN even if HTTP server is running on another port

swscco001
Level 1

Hello everybody,


I am configuring AnyConnect on a customer's ASA5506 (9.12(4)) and as I want to turn on SSL-VPN on the outside interface I got this:

cisco-asa-moers(config-webvpn)# enable outside ?

webvpn mode commands/options:
  tls-only  Specifies that only TLS is to be enabled. DTLS is disabled.
  <cr>
cisco-asa-moers(config-webvpn)# enable outside
ERROR: Port 443 on outside can not be configured due to conflict
INFO: WebVPN and DTLS are disabled on 'outside'.

I had changed the port for the web server before to 8443 for the ASDM and it is working fine with this port:

http server enable 8443

I don't know why I have a conflict at the usage of port 443.

What would you do to prevent this conflict?

Attached you find the (adapted) configuration of the ASA.

Every hint is welcome!

Thanks a lot!



R.


8 Replies

@swscco001 

You've got a static NAT on the outside interface for tcp/443 (https).


If you've got a spare public IP address change that NAT to use that spare IP address instead, or use TLS RAVPN on another port or use IKEv2/IPSec instead of TLS.


HTH

Hi Rob,


thanks for the fast reply!

I overlooked this NAT.

Now I did the following:

cisco-asa-moers(config-webvpn)# port ?

webvpn mode commands/options:
  <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the
             default.
cisco-asa-moers(config-webvpn)# port 444
cisco-asa-moers(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.

I think this should work when the users enter
https://<outside IP>:444
in the AnyConnect client, right?

Thanks!



Bye
R.

@swscco001 

If using AnyConnect you don't need to specify https://, just ipaddress:444 or fqdn:444

Hi Rob,


unfortunately it does not work. When I try to login via AnyConnect client 4.9 with:
<outside IP>:444
I get the window for entering username and password.

When I enter LOCAL username and password I just get a 'Login failed' message.

In the logging I don't see anything, as usual!

I made a capture and I see the ASA is using port 8443 instead of 444!

These are the relevant config lines:

http server enable 8443
http server idle-timeout 30
...
webvpn
 port 444
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
...
tunnel-group AnyConnect(Moers) type remote-access
tunnel-group AnyConnect(Moers) general-attributes
 address-pool VPNPOOL
 authentication-server-group (inside) nalvonminden
 authorization-server-group nalvonminden
 authorization-server-group (inside) nalvonminden
 default-group-policy GroupPolicy_AnyConnect(Moers)
 authorization-required
tunnel-group AnyConnect(Moers) webvpn-attributes
 group-alias AnyConnect(Moers) enable
 group-alias AnyConnet(Moers)_Port444 enable
 group-url https://<outside IP>:444 enable
!


Do you have an idea why the ASA is using port 8443 instead of 444?

Thanks a lot!



Bye

R.

@swscco001 

This works


tunnel-group RAVPN webvpn-attributes
group-url https://1.1.1.3:444/RAVPN

And in AnyConnect use 1.1.1.3:444/RAVPN
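The two points Rob makes above (the tcp/443 static NAT on the outside interface is what blocks `enable outside`, and the `group-url` must carry the non-default port the WebVPN listener actually uses) can both be checked offline before touching the box. The script below is an added example written for this thread, not code from Cisco or from anyone in the discussion. It parses a small constructed ASA configuration fragment (placeholder addresses, invented object and tunnel-group names) and reports when a `static interface` object NAT claims the WebVPN port on an interface where WebVPN is enabled, and when a `group-url` port disagrees with the `webvpn` `port`. It handles only the object NAT form shown in the sample; twice NAT (`nat (x,y) source static ... service ...`) is assumed out of scope.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configuration fragment (placeholder addresses and names,
# not the configuration attached to the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static interface service tcp https https
!
http server enable 8443
http 192.0.2.0 255.255.255.0 outside
!
webvpn
 port 444
 enable outside
 anyconnect enable
 tunnel-group-list enable
!
tunnel-group AnyConnect-RA webvpn-attributes
 group-alias AnyConnect-RA enable
 group-url https://192.0.2.1:444/AnyConnect-RA enable
"""

# Service keywords the ASA accepts in place of a numeric port (subset).
SERVICE_PORTS = {"https": 443, "http": 80, "www": 80, "ssh": 22}


def _port(token: str) -> int:
    """Translate a numeric or keyword port token to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]


@dataclass
class Listeners:
    http_port: int = 443                       # 'http server enable [port]'
    webvpn_port: int = 443                     # 'webvpn' / ' port N'
    webvpn_interfaces: list = field(default_factory=list)
    nat_ports: dict = field(default_factory=dict)   # nameif -> {mapped tcp ports}
    group_url_ports: list = field(default_factory=list)
    conflicts: list = field(default_factory=list)


def parse_listeners(config: str) -> Listeners:
    """Collect the TCP listeners/NAT ports on the outside and flag collisions."""
    res = Listeners()
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        # Top-level lines start a new block; only the global 'webvpn' block matters.
        if not line.startswith(" "):
            in_webvpn = line == "webvpn"
        m = re.match(r"http server enable(?: (\d+))?$", line)
        if m:
            res.http_port = int(m.group(1) or 443)
            continue
        if in_webvpn:
            m = re.match(r" port (\d+)$", line)
            if m:
                res.webvpn_port = int(m.group(1))
                continue
            m = re.match(r" enable (\S+)", line)
            if m:
                res.webvpn_interfaces.append(m.group(1))
                continue
        # Object NAT on the interface IP with a port translation; the last token
        # is the mapped (public-facing) port.
        m = re.match(r" nat \((\S+),(\S+)\) static interface service tcp (\S+) (\S+)", line)
        if m:
            res.nat_ports.setdefault(m.group(2), set()).add(_port(m.group(4)))
            continue
        m = re.match(r" group-url https://[^/:\s]+(?::(\d+))?", line)
        if m:
            res.group_url_ports.append(int(m.group(1) or 443))

    for ifname in res.webvpn_interfaces:
        if res.webvpn_port in res.nat_ports.get(ifname, set()):
            res.conflicts.append(
                f"static NAT on {ifname} already claims tcp/{res.webvpn_port}; "
                "WebVPN cannot bind there")
    for p in res.group_url_ports:
        if p != res.webvpn_port:
            res.conflicts.append(
                f"group-url uses port {p} but webvpn listens on {res.webvpn_port}")
    return res


if __name__ == "__main__":
    result = parse_listeners(SAMPLE_CONFIG)
    print(f"http server: {result.http_port}, webvpn: {result.webvpn_port}")
    print("conflicts:", result.conflicts or "none")
```

Run it against a saved `show running-config`; an empty conflict list means the WebVPN port is free of NAT claims on every enabled interface and each `group-url` matches the listener port. Deleting the ` port 444` line from the sample reproduces the ERROR from the first post, because the listener falls back to 443 where the NAT sits.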

Hi Rob,


even after implementing your new configuration proposal it unfortunately does not work
when I enter in the AnyConnect client:
https://<outside IP>:444/AnyConnect(Moers)
or
<outside IP>:444/AnyConnect(Moers)

Again "Login failed" with LOCAL user/password.

The capture shows that the ASA is using port 8443 instead of 444.

I have never had such problems with AnyConnect before.

I don't see anything of the tunnel establishment in the logging, just in the capture.

Do you still have any idea to solve this issue?

Thanks a lot!



Bye
R.

olvs
Level 1

Same here. Have you found the solution?

Try resetting the ASA; this may solve the issue.
