08-17-2015 01:58 PM - edited 02-21-2020 08:24 PM
I have an SSL anyconnect VPN set up on my 5510, but I cannot get the feature that allows users on the outside to log into the page and download the AnyConnect client to come up. Can anyone tell me what commands I'd have to enter to enable that portal?
08-17-2015 02:08 PM
Easier if you could share a sanitized copy of your configuration and we can tell you what's missing.
In general you need an image referenced in the configuration, an identity certificate present and bound to the outside interface, client services enabled, a connection profile and group policy.
So... lots of things could be incorrectly set up.
08-17-2015 02:26 PM
08-17-2015 05:56 PM
What do users see when they browse to the outside address or FQDN using https?
Somewhere I would expect to see a command like:
ssl trust-point ASDM_TrustPoint0 outside
08-18-2015 06:02 AM
I have this line: ssl trust-point ASDM_TrustPoint2 outside
When I navigate to the page, nothing shows up. When I ping the page from outside the firewall, pings return, but again, the portal doesn't appear.
08-18-2015 08:26 AM
Ok, so I got the web portal working. I realized you can't have the asdm page and the webvpn page going to the same address. What I need to do now is get the ASDM working with the firewall again.
I get a "cannot open device" error. The only thing I see different is the asdm version. When I go to the right homepage I get offered to download and install asdm, so I'm thinking I need to update the asdm version?
7.1(5) on my 5520 compared to 6.2(1) on the 5510. It's just strange because I was able to get into both of them when I originally started configuring the VPN, so I don't know why configuring the VPN would have the unintended consequence of downgrading the ASDM.
08-18-2015 08:49 AM
It is very hard for me to imagine a scenario where configuring VPN would result in downgrade of ASDM. Running ASDM is dependent on having the appropriate version of ASDM on the disk and having the config command for ASDM point to that file.
So what version of ASDM is on disk0? And what file does the config command for ASDM point to?
HTH
Rick
08-18-2015 10:46 AM
I went to the SSL VPN service page, it shows 6.2(1). I SSH into the 5510, the asdm-715 image is in there. I delete it out for safe measure and re-transfer it. Then I set it to be the asdm image and delete out the asdm-621.bin file.
I go back to the SSL VPN service page, it still shows 6.2(1)! And it still won't let me connect in from my other ASDM application already running. When I try to add it as another device I get "could not open device". When I try to download the launcher from the 6.2(1) page and connect in, it gives me an "unable to connect".
Either there's something I'm missing here or I just need to reboot the device to get it working properly.
08-18-2015 02:37 PM
A reboot wouldn't hurt after all the changes in and out - sometimes certain settings fail to "take" even though it is documented that reboot is not required. You might also clear your browser cache or try using an incognito session to make sure you aren't pulling up cached content.
As far as AnyConnect and ASDM interoperability, both can be accessed from the same address.
The FQDN corresponding to your IP address is used for AnyConnect. (There is the option of further specifying URL strings for individual connection profiles in lieu of the dropdown list but that's seldom used in my experience.)
If you allow ASDM ("http enable"... command) to that interface, you would further need to specify /admin after the FQDN if SSL VPN (AnyConnect-based) is also enabled for that interface. If there's no AnyConnect profile associated with the interface and ASDM is allowed, the ASA will redirect your address (without /admin) to include the string "admin/public/index.html".
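A way to check a saved running-config against the checklist from the earlier reply (image, certificate bound to the interface, client services, connection profile, group policy) and against the /admin rule in the reply above, as an added example that is not part of the thread. The command patterns it looks for (`webvpn` with `enable <interface>`, `anyconnect image` or the older `svc image`, `tunnel-group ... type remote-access`, `group-policy ... internal`, `http server enable [port]`) are this example's assumptions about how those items appear in the config, and the sample config and its names are constructed.

```python
import re
# Constructed sample running-config (not from the thread); names are placeholders.
SAMPLE = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
ssl trust-point ASDM_TrustPoint2 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-placeholder.pkg 1
 anyconnect enable
group-policy GP_Example internal
tunnel-group TG_Example type remote-access
"""

def webvpn_block(config):
    """Sub-commands of the global (unindented) webvpn block."""
    out, inside = [], False
    for line in config.splitlines():
        if line[:1] != " ":            # top-level command starts or ends the block
            inside = line == "webvpn"
        elif inside:
            out.append(line.strip())
    return out

def audit_portal(config, ifname="outside"):
    """Checklist from the thread, mapped to assumed running-config patterns."""
    wv = webvpn_block(config)
    top = lambda pat: bool(re.search(pat, config, re.M))
    sub = lambda pat: any(re.fullmatch(pat, l) for l in wv)
    return {
        "client image referenced": sub(r"(anyconnect|svc) image \S+.*"),
        "certificate bound to interface": top(rf"^ssl trust-point \S+ {ifname}$"),
        "client services enabled": sub(rf"enable {ifname}") and sub(r"(anyconnect|svc) enable"),
        "connection profile": top(r"^tunnel-group \S+ type remote-access$"),
        "group policy": top(r"^group-policy \S+ internal$"),
    }

def asdm_path(config, ifname="outside"):
    """Where ASDM answers on ifname; None if it is not reachable there."""
    server = re.search(r"^http server enable(?: (\d+))?$", config, re.M)
    allowed = re.search(rf"^http \S+ \S+ {ifname}$", config, re.M)
    if not (server and allowed):
        return None
    http_port = int(server.group(1) or 443)  # no port given means 443
    wv = webvpn_block(config)
    wv_port = next((int(l.split()[1]) for l in wv if re.fullmatch(r"port \d+", l)), 443)
    shared = f"enable {ifname}" in wv and http_port == wv_port
    return "/admin" if shared else f":{http_port}/"
```

On the sample, every checklist item is present and `asdm_path` returns `/admin`; moving the HTTP server to its own port makes it return that port instead.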
08-18-2015 09:00 PM
Marvin, the reboot didn't fix the issue, which is disappointing. I have this firewall set up like my 5520. The inside and outside interface addresses will bring up the SSL VPN service page (log in, download the AC client) while the asdm page is the inside address followed by a high port number.
Even after the reboot, the asdm page is still showing 6.2(1) even though the bin file for it doesn't even exist on the device anymore! If for some reason that page shows the wrong version but really is running the right version, I'm not sure what the issue is.
08-19-2015 06:07 AM
08-19-2015 06:52 AM
Thanks for the new copy of the config. I have looked at it and do not see obvious problems. I would like to be sure that I have a correct understanding of the current issue. Is it correct that now the AnyConnect VPN is working ok? Is it correct that ASDM will now run and show the ASA but indicates the wrong version?
HTH
Rick
08-19-2015 06:54 AM
Richard, the anyconnect VPN is working now. I can get to that SSL VPN Service login page and login now fine. I can get to the ASDM page (where you can download the ASDM client or run it in the browser) but no matter what option I choose I cannot connect in. Besides those two options, I can't connect in from another ASDM application I already have on my machine (Win 7). I have the ASDM software installed on my Win 8 machine and I tried there, it also wouldn't let me connect in.
08-19-2015 07:38 AM
@Marvin Rhoads and Richard, I have a similar issue using a Cisco ASA 5515-X. When I am connecting through Windows XP using IE8, I can connect and get to my remote local network, but when I use Windows 7 with IE11 it displays this message in my browser:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://x.x.x. again. If this error persists, contact your site administrator
08-19-2015 07:38 AM
@Medy, this looks like a separate issue from my issue as I can't even connect in with the ASDM program and my browser doesn't throw up those or any error messages.
Please start your own thread with the specifics of your case so someone can help you more accurately.