Clientless SSL VPN internal HTTPS self signed web server

hegegabor
Level 1

Hi,

We want to use internal https webservers in the Clientless VPN.

The https servers have self signed certificates.

When the users try to access the webservers, there is only a gray or white window.

There is one relevant message in the asa log:

%ASA-7-710005: TCP request discarded from "webserver"/443 to inside:"ASA inside interface"/60234

What could be the problem, the certificate?

I saw that ASA supports only trusted sites, is it true?

I tried to install the CA cert, but it didn't help.

Any idea?
Gabor

1 Reply

Nicolas Fournier
Cisco Employee

Hi Gabor,

The ASA shouldn't worry about the certificate which is presented by the server.

I just tried to connect to HTTPS sites with self signed certificates through clientless WebVPN on my lab ASA and it worked fine.

Could you maybe take a capture of the communication between the IP of the Inside interface of your ASA and the Web server to see what is going on when you try to access it?

To do so, here is what you need to do:

access-list cap_acl permit ip
access-list cap_acl permit ip
capture cap access-list cap_acl interface outside packet-length 1500

After typing those commands, try to browse the internal web server from the clientless portal.
Issue a "show cap cap" to see if the packets are arriving.
If so, retrieve the traces by opening a browser to https:///capture/cap/pcap and see what you have there as it might give you a hint of why this is failing.
You need to have http access configured on your ASA from the host you are trying to retrieve the traces from.
Don't forget to stop the capture after the test: "no cap cap"

Regards,

Nicolas
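Once the pcap has been pulled from the ASA, the first thing to check is how far each TCP session between the inside interface and the web server got. The following is an added example (not part of the thread and not Cisco code) that parses a libpcap file with only the standard library and reports, per flow, whether the SYN was answered, whether a reset appeared, and whether any TLS handshake record was exchanged. The addresses, ports and the embedded capture are constructed sample data, not values from this thread.

```python
import struct
from collections import defaultdict

ASA_INSIDE, WEBSERVER = "10.0.0.1", "10.0.0.50"   # constructed sample addresses, not from the thread

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because only headers are parsed."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a libpcap file (magic 0xa1b2c3d4, version 2.4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def summarize_flows(pcap, server_port=443):
    """Per (client, server) TCP flow: which handshake flags were seen and whether TLS records appeared."""
    endian, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    flows = defaultdict(lambda: {"syn": False, "synack": False, "rst": False, "tls": False})
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 over Ethernet carrying TCP only
            continue
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        f = flows[(src, dst) if dport == server_port else (dst, src)]   # key by (client, server)
        f["syn"] |= (flags & 0x12) == 0x02
        f["synack"] |= (flags & 0x12) == 0x12
        f["rst"] |= bool(flags & 0x04)
        f["tls"] |= payload[:2] == b"\x16\x03"   # TLS handshake record header
    return dict(flows)

def diagnose(flow):
    if flow["rst"]: return "reset seen: the server or something in the path refused the session"
    if flow["syn"] and not flow["synack"]: return "no SYN/ACK: server unreachable or filtered"
    if flow["synack"] and not flow["tls"]: return "TCP handshake done but no TLS handshake"
    return "TCP and TLS handshake seen"

def sample_capture():
    """Constructed capture: a healthy flow to WEBSERVER and a SYN to 10.0.0.51 that gets no reply."""
    hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # fake TLS ClientHello record
    legs = [(ASA_INSIDE, WEBSERVER, 60234, 443, 0x02, b""), (WEBSERVER, ASA_INSIDE, 443, 60234, 0x12, b""),
            (ASA_INSIDE, WEBSERVER, 60234, 443, 0x18, hello), (ASA_INSIDE, "10.0.0.51", 60235, 443, 0x02, b"")]
    return build_pcap([tcp_frame(*leg) for leg in legs])
```

To run it against a real capture, read the downloaded file into `pcap` and call `summarize_flows(pcap)` followed by `diagnose` on each flow; a flow that never gets past the SYN points at filtering or routing between the ASA and the server rather than at the server's certificate.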