cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2946
Views
0
Helpful
12
Replies

Clientless VPN - ActiveX

Ricardo Lemus
Level 1
Level 1

Hello there,

We are facing a bug with our ASA 5500 series (version 8.5.26) and the Internet explorer when the users connect to ssl vpn and they are not able to connect to the network resources like their PCs and the cisco portforwarder keep asking for its installation

Any idea about this? We already updated the ASA bersion ans installed in the user's computers the Microsoft kill bit patch.

Sent from Cisco Technical Support Android App

12 Replies 12

Vishnu Sharma
Level 1
Level 1

Hi Ricardo,

Are you sure if it is 8.5.26? I think you are referring to 8.2(5.26) correct me if I am wrong.

Disable UAC and add the site to which you are connecting under trusted sites: for ex.

If you are still facing this issue then please try to uninstall MS  update: 2695962 and let me know if this works without any issues.

If yes then definitely we would like to have a look into this. Also let me know if this is happening on one machine or on multiple machines.

Thanks,

Vishnu Sharma

Hello Vishnu,

Thanks for your email.

I just copied the sh version output and got this Cisco Adaptive Security Appliance Software Version 8.2(5)

You mentioned something about disable UAC, could you please explain me what that is?

Iā€™ve also been working with Leonardo Guzman and I told him that we are right now in middle of the biggest event in our Organization and we cannot afford another downtime in order to perform any other action in our firewall, so if we can get this done after the first week of June would be great.

Thanks a lot

Ricardo Lemus

Department of Information Technology Services

Secretariat of Administration and Finances

Organization of American States

1889 F St. , NW -Washington D.C.

T: (202) 458-3153

F: (202) 458-6212

RLemus@oas.org

www.oas.org

Got this same issue with the Cisco Portforwarder ActiveX-control install in a loop. I have ASA Version 8.4(2) and it seems to have become an issue with this  MS  update: 2695962. Yes removing this update works are a temporary workaround.  Adding the site as a trusted site alone does not work. What version of ASA resolves this?

Hello Eric,

Thanks for your comments.

Here is a link where you can see the version and its fix release. In my case I need to upgrade the version from 8.2 (5) to 8.2 (5.26)

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

Affected Version

First Fixed Release

Recommended Release

Cisco ASA 7.0

Not Vulnerable

Migrate to 7.2 or later

Cisco ASA 7.1

Vulnerable

Vulnerable; Migrate to 7.2 or later

Cisco ASA 7.2

7.2(5.6)

7.2(5.7)

Cisco ASA 8.0

8.0(5.26)

Migrate to 8.2(5.26) or later

Cisco ASA 8.1

8.1(2.53)

Migrate to 8.2(5.26) or later

Cisco ASA 8.2

8.2(5.18)

8.2(5.26)

Cisco ASA 8.3

8.3(2.28)

Migrate to 8.4(3.8) or later

Cisco ASA 8.4

8.4(2.16)

8.4(3.8)

Cisco ASA 8.5

Not Vulnerable

8.5(1.7)

Cisco ASA 8.6

8.6(1.1)

8.6(1.1)

Thanks for that information. I will try and do mine tomorrow am and see if that fixes my issues. Did you upgrade yours and have no issues?

No yet! As a workaround we send a notification to our remote users to use another browser instead of IE.

Please let me know how that upgrade works in your side. I did one upgrade couple weeks ago and had some VPN profiles changed, so just be careful and run a backup

Thanks

ricardo

Hi Ricardo,

I think this should work on 8.2(5.26) however couls you please share the screenshot of the error that you are getting.

Thanks,

Vishnu Sharma

Ricardo, Thanks for that heads up on the vpn. Since I was on 8.4.2 I wanted to install the 8.4.(3.8) as recommended. But you can no longer get 8.4(3.8). Had to go with 8.4.4. What a nighmare that turned into. Well Got to 8.4.4 and one user was still having the same Active X issue that I tested with early am, so not sure if this is included in this fix with this firmware. Then I noticed my site to site vpn had not come up. A massive fight all day long with that. Checking profiles and settings. Everything look good. Well this firewall would not respond to the other side Ike request, and in the end pulled the pin with Cisco Tac on the phone and downgraded back to 8.4.2 and the vpn came up right away. 

Vishnu, Should 8.4.4 include the active X fix? Sorry Ricardo for the highjack.

Hi Eric,

If you go through the Softwares and Fixes section of the link that Ricardo shared:

I see that you upgraded to 8.4.4 and still some users are facing this issue. Ideally this should be fixed in 8.4.4 because 8.4.x series is a higher version as compared to the 8.4(3.x) series however it is a totally new mainline series as well. So, any version higher in the same interim series will have the fix for this issue. In this case, you can upgrade to 8.4(3.9) which is of the same series 8.4(3.x) and is higher than 8.4(3.8). I will never suggest you to go to a different series when the fix of this bug is not mentioned clearly for any code in that range. I know that 8.4(3.8) is not available on Cisco website but you can download the asa843-9-k8.bin from Cisco website and it should fix this issue.

Let me know if this helps.

Thanks,

Vishnu Sharma

John Peterson
Level 1
Level 1

Just to let you know, I had a client who was also having a similar issue with active x after the ms update. I updated their 5505 to 8.4.4 as 8.4.3 was removed from the download site and it fixed the bug. I was going from the new nat version.

Sent from Cisco Technical Support iPhone App

Ricardo Lemus
Level 1
Level 1

Hello guys,

Just i quick update on this. There is another issue we are facing and you can read it here http://tools.cisco.com/squish/3c196

It's about a new bug in the version 8.2(5). It is the bug CSCtt96550.

The image version which could fix both bugs is 8.4(3.8) I will be upgrading from 8.2(5) on Friday and then i will let you know.

FYI there some changes on the NAT rules, now their format will be different

Sent from Cisco Technical Support Android App

Hello guys,

Final we found out the best version for this ActiveX issue. It is 8.4(3) 8

Before you guys update your infrastrucuture, please be aware the changing of the NAT rules. Here is a good link to undersatand how they will.

http://tools.cisco.com/squish/Cac0A

Now, once you understand all these changes, you're good to go and then what you need to do on the user machine is just install the micrsofot patch that can be found in the following link:

http://support.microsoft.com/kb/2695962

Have a great week

ricardo