02-24-2021 02:10 AM
Hello everybody,
I am configuring AnyConnect on a customer's ASA5506 (9.12(4)) and as I want to
turn on SSL-VPN on the outside interface I got this:
cisco-asa-moers(config-webvpn)# enable outside ?

webvpn mode commands/options:
  tls-only  Specifies that only TLS is to be enabled. DTLS is disabled.
  <cr>
cisco-asa-moers(config-webvpn)# enable outside
ERROR: Port 443 on outside can not be configured due to conflict
INFO: WebVPN and DTLS are disabled on 'outside'.
I had changed the port for the web server before to 8443 for the ASDM and it
is working fine with this port:
http server enable 8443
I don't know why I have a conflict at the usage of port 443.
What would you do to prevent this conflict?
Attached you find the (adapted) configuration of the ASA.
Every hint is welcome!
Thanks a lot!
R.
02-24-2021 02:17 AM
You've got a static NAT on the outside interface for tcp/443 (https).
If you've got a spare public IP address change that NAT to use that spare IP address instead, or use TLS RAVPN on another port or use IKEv2/IPSec instead of TLS.
HTH
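A quick check for the kind of listener conflict described above, added here as an example that is not from this thread or from Cisco: it parses a constructed ASA config fragment and reports TCP ports on the outside interface that are claimed by more than one of static NAT, the ASDM http server, and webvpn. The NAT and webvpn command syntax is assumed from standard ASA object NAT and webvpn configuration; the object name and host address are constructed.

```python
import re

# Constructed config fragment modelling the thread's starting point:
# a static NAT on the outside interface for tcp/443 plus webvpn on its default port.
CONFIG_BEFORE = """\
object network WEB-SERVER
 host 192.0.2.10
 nat (inside,outside) static interface service tcp https https
http server enable 8443
webvpn
 enable outside
"""

# Same fragment after moving webvpn to port 444, as done later in the thread.
CONFIG_AFTER = CONFIG_BEFORE.replace("webvpn\n", "webvpn\n port 444\n")

SERVICE_NAMES = {"https": 443, "http": 80, "ssh": 22}

def port_of(token):
    """Resolve a numeric port or a common ASA service keyword to an integer."""
    return int(token) if token.isdigit() else SERVICE_NAMES[token]

def outside_listeners(config):
    """Return {port: [owner, ...]} for TCP ports claimed on the 'outside' interface."""
    claims = {}
    http_port, webvpn_port, webvpn_outside, in_webvpn = 443, 443, False, False
    for raw in config.splitlines():
        line = raw.strip()
        # Track whether we are inside the top-level 'webvpn' block (indented lines).
        in_webvpn = line == "webvpn" or (in_webvpn and raw.startswith(" "))
        if m := re.match(r"http server enable(?: (\d+))?$", line):
            http_port = int(m.group(1) or 443)          # ASDM/HTTPS server port
        elif in_webvpn and (m := re.match(r"port (\d+)$", line)):
            webvpn_port = int(m.group(1))              # SSL VPN listening port
        elif in_webvpn and line == "enable outside":
            webvpn_outside = True
        elif m := re.match(r"nat \(\S+,outside\) static interface service tcp (\S+) (\S+)", line):
            # Object NAT to the outside interface address; group(2) is the mapped port.
            claims.setdefault(port_of(m.group(2)), []).append("static NAT: " + line)
    claims.setdefault(http_port, []).append("http server (ASDM)")
    if webvpn_outside:
        claims.setdefault(webvpn_port, []).append("webvpn")
    return claims

def conflicts(config):
    """Ports on outside with more than one owner, i.e. what 'enable outside' rejects."""
    return {p: owners for p, owners in outside_listeners(config).items() if len(owners) > 1}

if __name__ == "__main__":
    print("before:", conflicts(CONFIG_BEFORE))   # {443: [NAT ..., 'webvpn']}
    print("after: ", conflicts(CONFIG_AFTER))    # {}
```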
02-24-2021 04:23 AM
Hi Rob,
thanks for the fast reply!
I overlooked this NAT.
Now I did the following:
cisco-asa-moers(config-webvpn)# port ?

webvpn mode commands/options:
  <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the default.
cisco-asa-moers(config-webvpn)# port 444
cisco-asa-moers(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
I think this should work when the users enter
https://<outside IP>:444
in the AnyConnect client, right?
Thanks!
Bye
R.
02-24-2021 04:30 AM
If using AnyConnect you don't need to specify https://, just ipaddress:444 or fqdn:444
02-24-2021 05:34 AM
Hi Rob,
unfortunately it does not work. When I try to login via AnyConnect client 4.9 with:
<outside IP>:444
I get the window for entering username and password.
When I enter LOCAL username and password I just get a 'Login failed' message.
In the logging I don't see anything, as usual!
I made a capture and I see the ASA is using port 8443 instead of 444!
These are the relevant config lines:
http server enable 8443
http server idle-timeout 30
...
webvpn
 port 444
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
...
tunnel-group AnyConnect(Moers) type remote-access
tunnel-group AnyConnect(Moers) general-attributes
 address-pool VPNPOOL
 authentication-server-group (inside) nalvonminden
 authorization-server-group nalvonminden
 authorization-server-group (inside) nalvonminden
 default-group-policy GroupPolicy_AnyConnect(Moers)
 authorization-required
tunnel-group AnyConnect(Moers) webvpn-attributes
 group-alias AnyConnect(Moers) enable
 group-alias AnyConnet(Moers)_Port444 enable
 group-url https://<outside IP>:444 enable
!
Do you have an idea why the ASA is using port 8443 instead of 444?
Thanks a lot!
Bye
R.
02-24-2021 06:00 AM
This works
tunnel-group RAVPN webvpn-attributes
group-url https://1.1.1.3:444/RAVPN
And in AnyConnect use 1.1.1.3:444/RAVPN
02-24-2021 07:03 AM
Hi Rob,
even after applying your new configuration proposal it unfortunately does not work
when I enter in the AnyConnect client:
https://<outside IP>:444/AnyConnect(Moers)
or
<outside IP>:444/AnyConnect(Moers)
Again "Login failed" with LOCAL user/password.
The capture shows that the ASA is using port 8443 instead of 444.
I have never had such problems with AnyConnect before.
I don't see anything of the tunnel establishment in the logging, just in the capture.
Do you have still any idea to solve this issue?
Thanks a lot!
Bye
R.
02-25-2021 09:29 AM
Same here, have you found the solution?
02-27-2021 06:44 PM
Try resetting the ASA, this may solve the issue.