ASA: Port 443 conflict when turning on SSL-VPN even if HTTP server is running on another port

swscco001
Level 3

Hello everybody,


I am configuring AnyConnect on a customer's ASA5506 (9.12(4)) and as I want to turn on SSL-VPN on the outside interface I got this:

cisco-asa-moers(config-webvpn)# enable outside ?

webvpn mode commands/options:
  tls-only  Specifies that only TLS is to be enabled. DTLS is disabled.
  <cr>
cisco-asa-moers(config-webvpn)# enable outside
ERROR: Port 443 on outside can not be configured due to conflict
INFO: WebVPN and DTLS are disabled on 'outside'.

I had changed the port for the web server to 8443 for the ASDM before, and it is working fine with this port:

http server enable 8443

I don't know why I have a conflict at the usage of port 443.

What would you do to prevent this conflict?

Attached you find the (adapted) configuration of the ASA.

Every hint is welcome!

Thanks a lot!



R.



8 Replies

@swscco001 

You've got a static NAT on the outside interface for tcp/443 (https).


If you've got a spare public IP address change that NAT to use that spare IP address instead, or use TLS RAVPN on another port or use IKEv2/IPSec instead of TLS.


HTH
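The diagnosis in the reply above (a static NAT already owning tcp/443 on the outside interface address, so the WebVPN listener cannot bind there) is something you can check mechanically before enabling WebVPN. The script below is an added example and not code from this thread or from Cisco: it parses a constructed ASA configuration excerpt (object NAT with "static interface service", the "http server enable" port with its "http" access lines, and the "webvpn" port/enable lines) and reports every interface/port that more than one feature wants. The sample config, the object name WEB-SERVER and the address 192.0.2.10 are constructed; twice-NAT ("nat (x,y) source static ...") and other ASA listeners are assumed out of scope.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread (not the poster's real config):
# ASDM moved to tcp/8443, WebVPN left on its default tcp/443, and a static
# object NAT that forwards tcp/443 on the outside interface address inward.
SAMPLE_CONFIG = """\
object network WEB-SERVER
 host 192.0.2.10
 nat (inside,outside) static interface service tcp 443 443
!
http server enable 8443
http 192.0.2.0 255.255.255.0 inside
!
webvpn
 port 443
 enable outside
"""

# Same config with the WebVPN listener moved to tcp/444, as done in the thread.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" port 443", " port 444")

# 'nat (real,mapped) static interface service tcp <real_port> <mapped_port>'
# inside an 'object network' block claims <mapped_port> on the mapped interface.
NAT_RE = re.compile(
    r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) static interface"
    r" service (?P<proto>tcp|udp) (?P<real_port>\d+) (?P<mapped_port>\d+)"
)
OBJECT_RE = re.compile(r"^object network (?P<name>\S+)")
HTTP_SERVER_RE = re.compile(r"^http server enable(?: (?P<port>\d+))?")
# 'http <network> <mask> <interface>' opens the ASDM/HTTPS server on that interface.
HTTP_ACL_RE = re.compile(
    r"^http (?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+) (?P<iface>\S+)$"
)
WEBVPN_PORT_RE = re.compile(r"^ port (?P<port>\d+)")
WEBVPN_ENABLE_RE = re.compile(r"^ enable (?P<iface>\S+)")


def claimed_ports(config):
    """Map (interface, proto, port) -> list of features that want that listener."""
    claims = defaultdict(list)
    http_port, http_ifaces = 443, []      # ASA defaults: tcp/443, no access lines
    webvpn_port, webvpn_ifaces = 443, []  # ASA default WebVPN listener: tcp/443
    current_object, in_webvpn = None, False

    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line: new block starts
            in_webvpn = line == "webvpn"
            m = OBJECT_RE.match(line)
            current_object = m["name"] if m else None
        if m := NAT_RE.match(line):
            key = (m["mapped"].strip(), m["proto"], int(m["mapped_port"]))
            claims[key].append("static NAT for object %s" % current_object)
        elif m := HTTP_SERVER_RE.match(line):
            http_port = int(m["port"]) if m["port"] else 443
        elif m := HTTP_ACL_RE.match(line):
            http_ifaces.append(m["iface"])
        elif in_webvpn and (m := WEBVPN_PORT_RE.match(line)):
            webvpn_port = int(m["port"])
        elif in_webvpn and (m := WEBVPN_ENABLE_RE.match(line)):
            webvpn_ifaces.append(m["iface"])

    for iface in http_ifaces:
        claims[(iface, "tcp", http_port)].append("http server (ASDM)")
    for iface in webvpn_ifaces:
        claims[(iface, "tcp", webvpn_port)].append("webvpn")
    return dict(claims)


def find_conflicts(config):
    """Return only the (interface, proto, port) keys wanted by more than one
    feature, with the claimants, so the operator sees what has to move."""
    return {key: owners for key, owners in claimed_ports(config).items()
            if len(owners) > 1}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("webvpn on 444", FIXED_CONFIG)):
        conflicts = find_conflicts(cfg)
        print("%s: %s" % (label, conflicts or "no listener conflicts"))
```

On the sample the report names outside/tcp/443 as claimed by both the static NAT and webvpn, which is exactly the "Port 443 on outside can not be configured due to conflict" case; the variant with "port 444" reports nothing. The script runs on a saved "show running-config" and is intended as a pre-change check, not as a replacement for the ASA's own error message.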

Hi Rob,


thanks for the fast reply!

I overlooked this NAT.

Now I did the following:

cisco-asa-moers(config-webvpn)# port ?

webvpn mode commands/options:
  <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the
             default.
cisco-asa-moers(config-webvpn)# port 444
cisco-asa-moers(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.

I think this should work when the users enter
https://<outside IP>:444
in the AnyConnect client, right?

Thanks!



Bye
R.

@swscco001 

If using AnyConnect you don't need to specify https://, just ipaddress:444 or fqdn:444

Hi Rob,


unfortunately it does not work. When I try to log in via AnyConnect client 4.9 with:
<outside IP>:444
I get the window for entering username and password.

When I enter LOCAL username and password I just get a 'Login failed' message.

In the logging I don't see something as usual!

I made a capture and I see the ASA is using port 8443 instead of 444!

These are the relevant config lines:

http server enable 8443
http server idle-timeout 30
...
webvpn
 port 444
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
...
tunnel-group AnyConnect(Moers) type remote-access
tunnel-group AnyConnect(Moers) general-attributes
 address-pool VPNPOOL
 authentication-server-group (inside) nalvonminden
 authorization-server-group nalvonminden
 authorization-server-group (inside) nalvonminden
 default-group-policy GroupPolicy_AnyConnect(Moers)
 authorization-required
tunnel-group AnyConnect(Moers) webvpn-attributes
 group-alias AnyConnect(Moers) enable
 group-alias AnyConnet(Moers)_Port444 enable
 group-url https://<outside IP>:444 enable
!


Do you have an idea why the ASA is using port 8443 instead of 444?

Thanks a lot!



Bye

R.

@swscco001 

This works


tunnel-group RAVPN webvpn-attributes
group-url https://1.1.1.3:444/RAVPN

And in AnyConnect use 1.1.1.3:444/RAVPN

Hi Rob,


even after implementing your new configuration proposal it unfortunately does not work when I enter the following in the AnyConnect client:
https://<outside IP>:444/AnyConnect(Moers)
or
<outside IP>:444/AnyConnect(Moers)

Again "Login failed" with LOCAL user/password.

The capture shows that the ASA is using port 8443 instead of 444.

I have never had such problems with AnyConnect before.

I don't see anything of the tunnel establishment in the logging, just in the capture.

Do you still have any idea how to solve this issue?

Thanks a lot!



Bye
R.

olvs
Level 1

Same here, have you found the solution?

Try resetting the ASA; this may solve the issue.