03-15-2013 06:13 AM
It may be a simple question but I couldn't figure it out. If we configure AnyConnect (Client) and WebVPN (Clientless) on the same "outside" interface, how does ASA know the incoming connection should land on which tunnel-group? I mean "IF" we are using the default setting? Not using group-url, group-alias or certificate-profile-map. What is the default order of operations?
Thanks
03-15-2013 07:25 AM
Hi Joe,
That happens during the SSL negotiation. The information about the Web browser is sent and that's how the ASA determines the session type.
When it is AnyConnect, you could see the following in the logs:
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: 10.198.16.132'
Processing CSTP header line: 'Host: 10.198.16.132'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.02040'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.02040'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.02040'
There is no specific order of operations, AFAIK. The ASA simply processes the session according to the parameters sent by the user agent.
HTH.
Portu.
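As an added example (not part of this thread and not Cisco code), here is a small Python parser that pulls the request line and User-Agent out of the `...input:` lines of the `debug webvpn svc` output quoted above and labels the session the way the answer describes: a CONNECT to /CSCOSSLC/tunnel is AnyConnect, an ordinary GET is clientless. The AnyConnect sample is the thread's own lines; the browser sample is constructed and hypothetical, so real clientless debug output may differ.

```python
import re

# One '...input:' line carries one raw line of the client's HTTP request.
INPUT_RE = re.compile(r"^\.\.\.input: '(.*)'$")
REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*)$")

# Sample debug output taken from the thread (AnyConnect client).
ANYCONNECT_DEBUG = """\
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: 10.198.16.132'
Processing CSTP header line: 'Host: 10.198.16.132'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.02040'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.02040'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.02040'
"""

# Constructed, hypothetical sample of a browser reaching the clientless portal.
BROWSER_DEBUG = """\
...input: 'GET /+webvpn+/index.html HTTP/1.1'
...input: 'Host: 10.198.16.132'
...input: 'User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/19.0'
"""


def parse_cstp_debug(text):
    """Return the first request line and all headers seen in '...input:' lines."""
    req = {"method": None, "path": None, "headers": {}}
    for line in text.splitlines():
        m = INPUT_RE.match(line.strip())
        if not m:
            continue  # other debug lines carry no client data
        payload = m.group(1)
        r = REQUEST_RE.match(payload)
        if r and req["method"] is None:
            req["method"], req["path"] = r.group(1), r.group(2)
            continue
        h = HEADER_RE.match(payload)
        if h:
            req["headers"][h.group(1).lower()] = h.group(2)
    return req


def classify_session(req):
    """Label the session from what the client sent, as the ASA does."""
    if req["method"] == "CONNECT" and req["path"] == "/CSCOSSLC/tunnel":
        return "anyconnect"
    if req["method"] in ("GET", "POST"):
        return "clientless"
    return "unknown"
```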
03-15-2013 07:48 AM
Cool, thanks Portu!!! It was bugging me for a while; now I can let it go.
03-15-2013 07:53 AM
Sorry, one more question. What if we configured 2 or more tunnel-groups for clientless? How does the ASA know which one the connection should land on? Via the drop-down list (group-alias), maybe?
03-15-2013 07:55 AM
That is correct.
If the client does not point to any specific tunnel-group, then the connection will hit the default group.
So, for more than one, you would need to use a group-alias, group-url or even a certificate-map.
HTH.
Portu.
03-15-2013 08:05 AM
Thanks. What debug command you were using to reveal the SSL negotiation outputs?
03-15-2013 08:09 AM
debug webvpn svc 255
03-15-2013 08:18 AM
255 gives a lot of output. To cut it down, can we just use 128? Will that be good enough?
03-15-2013 09:02 AM
Joe,
It will be at your convenience