Cisco IOS SSL VPN Not Working - Internet Explorer

goulin
Level 1

Hi All,

I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901

Below is the config snippet:

------------

!
username vpntest password XXXXX
aaa authentication login default local
!
!
!
crypto pki trustpoint TP-self-signed-1873082433
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1873082433
 revocation-check none
 rsakeypair TP-self-signed-1873082433
!
!
crypto pki certificate chain TP-self-signed-1873082433
 certificate self-signed 01
  --- omitted ---
        quit
!
webvpn gateway SSLVPN
 hostname Router
 ip address X.X.X.X port 443
 ssl encryption aes-sha1
 ssl trustpoint TP-self-signed-1873082433
 inservice
 !
webvpn context SSLVPN
 title "Blah Blah"
 ssl authenticate verify all
 !
 login-message "Enter the magic words..."
 !
 port-forward "PortForwardList"
   local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
 !
 policy group SSL-Policy
   port-forward "PortForwardList" auto-download
 default-group-policy SSL-Policy
 gateway SSLVPN
 max-users 3
 inservice

------------

I've tried:

* Enabling SSL 2.0 in IE
* Adding the site to the Trusted Sites in IE
* Adding it to the list of sites allowed to use Cookies

At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?

Thanks

1 Accepted Solution

rahgovin
Level 4

Hi,

I would check where exactly it is failing, either in the SSL connection itself or something after that. The best way to do that is to run a Wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too, just to confirm the SSL is working fine.

Also, can you try with different SSL ciphers, as one difference between browsers is the ciphers they use? 3DES should be a good option to try.


Hi,

Thanks for the reply.  Turns out it was the cipher, didn't realise that IE doesn't support AES!  Oh well, back to 3DES now.

Thanks for your help!

Hi

How did you correct this issue?  We're seeing the same thing, but I can't seem to find the CLI command to view or change the HTTP cipher.


Thanks

J

It should be the "ssl encryption" command under the webvpn gateway config.

webvpn gateway <>
 ssl encryption 3des-sha1
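The capture comparison suggested in the accepted answer comes down to reading the cipher suite list in each browser's ClientHello and checking it against the gateway's "ssl encryption" setting. The Python script below is an added example, not code from this thread or from Cisco; the ClientHello bytes are constructed samples, and the mapping of IOS keywords to IANA cipher suite IDs is an assumption of the example.

```python
import struct

# Assumed mapping of IOS "ssl encryption" keywords to IANA cipher suite IDs.
IOS_KEYWORD_SUITES = {
    "rc4-md5":   0x0004,  # TLS_RSA_WITH_RC4_128_MD5
    "3des-sha1": 0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "aes-sha1":  0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
}

def client_hello_suites(record: bytes) -> list[int]:
    """Return the cipher suite IDs offered in a raw SSLv3/TLS ClientHello record."""
    # An SSLv2-format hello (first byte 0x80) is rejected here rather than misparsed.
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not an SSLv3/TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + record[pos]          # skip session_id (1-byte length + value)
    (length,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if length % 2 or pos + length > len(record):
        raise ValueError("truncated or malformed cipher_suites vector")
    return list(struct.unpack_from(f"!{length // 2}H", record, pos))

def negotiable(record: bytes, gateway_keywords: list[str]) -> list[str]:
    """Gateway 'ssl encryption' keywords whose suite the client also offers."""
    offered = set(client_hello_suites(record))
    return [k for k in gateway_keywords if IOS_KEYWORD_SUITES[k] in offered]

def build_client_hello(suites: list[int]) -> bytes:
    """Constructed sample input: minimal TLS 1.0 ClientHello without extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += struct.pack(f"!{len(suites)}H", *suites)
    body += b"\x01\x00"                         # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed clients: the first offers no AES suite, the second does.
NO_AES_CLIENT = build_client_hello([0x0004, 0x0005, 0x000A, 0x0009])
AES_CLIENT = build_client_hello([0x002F, 0x0035, 0x000A])

if __name__ == "__main__":
    for name, hello in (("no-AES client", NO_AES_CLIENT), ("AES client", AES_CLIENT)):
        for cfg in (["aes-sha1"], ["3des-sha1"]):
            common = negotiable(hello, cfg) or "no common cipher"
            print(f"{name} vs ssl encryption {cfg[0]}: {common}")
```

To use it on a real capture, export the raw bytes of the ClientHello record from Wireshark and pass them to client_hello_suites(); an empty result from negotiable() matches a handshake that fails before any page is served.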