ā05-24-2012 08:50 PM
Hello there,
We are facing a bug with our ASA 5500 series (version 8.5.26) and the Internet explorer when the users connect to ssl vpn and they are not able to connect to the network resources like their PCs and the cisco portforwarder keep asking for its installation
Any idea about this? We already updated the ASA bersion ans installed in the user's computers the Microsoft kill bit patch.
Sent from Cisco Technical Support Android App
ā05-28-2012 06:11 AM
Hi Ricardo,
Are you sure if it is 8.5.26? I think you are referring to 8.2(5.26) correct me if I am wrong.
Disable UAC and add the site to which you are connecting under trusted sites: for ex.
If you are still facing this issue then please try to uninstall MS update: 2695962 and let me know if this works without any issues.
If yes then definitely we would like to have a look into this. Also let me know if this is happening on one machine or on multiple machines.
Thanks,
Vishnu Sharma
ā05-29-2012 07:32 AM
Hello Vishnu,
Thanks for your email.
I just copied the sh version output and got this Cisco Adaptive Security Appliance Software Version 8.2(5)
You mentioned something about disable UAC, could you please explain me what that is?
Iāve also been working with Leonardo Guzman and I told him that we are right now in middle of the biggest event in our Organization and we cannot afford another downtime in order to perform any other action in our firewall, so if we can get this done after the first week of June would be great.
Thanks a lot
Ricardo Lemus
Department of Information Technology Services
Secretariat of Administration and Finances
Organization of American States
1889 F St. , NW -Washington D.C.
T: (202) 458-3153
F: (202) 458-6212
RLemus@oas.org
www.oas.org
ā05-31-2012 07:52 AM
Got this same issue with the Cisco Portforwarder ActiveX-control install in a loop. I have ASA Version 8.4(2) and it seems to have become an issue with this MS update: 2695962. Yes removing this update works are a temporary workaround. Adding the site as a trusted site alone does not work. What version of ASA resolves this?
ā05-31-2012 08:25 AM
Hello Eric,
Thanks for your comments.
Here is a link where you can see the version and its fix release. In my case I need to upgrade the version from 8.2 (5) to 8.2 (5.26)
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
Affected Version
First Fixed Release
Recommended Release
Cisco ASA 7.0
Not Vulnerable
Migrate to 7.2 or later
Cisco ASA 7.1
Vulnerable
Vulnerable; Migrate to 7.2 or later
Cisco ASA 7.2
7.2(5.6)
7.2(5.7)
Cisco ASA 8.0
8.0(5.26)
Migrate to 8.2(5.26) or later
Cisco ASA 8.1
8.1(2.53)
Migrate to 8.2(5.26) or later
Cisco ASA 8.2
8.2(5.18)
8.2(5.26)
Cisco ASA 8.3
8.3(2.28)
Migrate to 8.4(3.8) or later
Cisco ASA 8.4
8.4(2.16)
8.4(3.8)
Cisco ASA 8.5
Not Vulnerable
8.5(1.7)
Cisco ASA 8.6
8.6(1.1)
8.6(1.1)
ā05-31-2012 09:05 AM
Thanks for that information. I will try and do mine tomorrow am and see if that fixes my issues. Did you upgrade yours and have no issues?
ā05-31-2012 09:20 AM
No yet! As a workaround we send a notification to our remote users to use another browser instead of IE.
Please let me know how that upgrade works in your side. I did one upgrade couple weeks ago and had some VPN profiles changed, so just be careful and run a backup
Thanks
ricardo
ā05-31-2012 11:50 AM
Hi Ricardo,
I think this should work on 8.2(5.26) however couls you please share the screenshot of the error that you are getting.
Thanks,
Vishnu Sharma
ā06-01-2012 06:53 PM
Ricardo, Thanks for that heads up on the vpn. Since I was on 8.4.2 I wanted to install the 8.4.(3.8) as recommended. But you can no longer get 8.4(3.8). Had to go with 8.4.4. What a nighmare that turned into. Well Got to 8.4.4 and one user was still having the same Active X issue that I tested with early am, so not sure if this is included in this fix with this firmware. Then I noticed my site to site vpn had not come up. A massive fight all day long with that. Checking profiles and settings. Everything look good. Well this firewall would not respond to the other side Ike request, and in the end pulled the pin with Cisco Tac on the phone and downgraded back to 8.4.2 and the vpn came up right away.
Vishnu, Should 8.4.4 include the active X fix? Sorry Ricardo for the highjack.
ā06-02-2012 10:04 AM
Hi Eric,
If you go through the Softwares and Fixes section of the link that Ricardo shared:
I see that you upgraded to 8.4.4 and still some users are facing this issue. Ideally this should be fixed in 8.4.4 because 8.4.x series is a higher version as compared to the 8.4(3.x) series however it is a totally new mainline series as well. So, any version higher in the same interim series will have the fix for this issue. In this case, you can upgrade to 8.4(3.9) which is of the same series 8.4(3.x) and is higher than 8.4(3.8). I will never suggest you to go to a different series when the fix of this bug is not mentioned clearly for any code in that range. I know that 8.4(3.8) is not available on Cisco website but you can download the asa843-9-k8.bin from Cisco website and it should fix this issue.
Let me know if this helps.
Thanks,
Vishnu Sharma
ā06-03-2012 02:45 AM
Just to let you know, I had a client who was also having a similar issue with active x after the ms update. I updated their 5505 to 8.4.4 as 8.4.3 was removed from the download site and it fixed the bug. I was going from the new nat version.
Sent from Cisco Technical Support iPhone App
ā07-09-2012 06:35 PM
Hello guys,
Just i quick update on this. There is another issue we are facing and you can read it here http://tools.cisco.com/squish/3c196
It's about a new bug in the version 8.2(5). It is the bug CSCtt96550.
The image version which could fix both bugs is 8.4(3.8) I will be upgrading from 8.2(5) on Friday and then i will let you know.
FYI there some changes on the NAT rules, now their format will be different
Sent from Cisco Technical Support Android App
ā07-23-2012 07:45 AM
Hello guys,
Final we found out the best version for this ActiveX issue. It is 8.4(3) 8
Before you guys update your infrastrucuture, please be aware the changing of the NAT rules. Here is a good link to undersatand how they will.
http://tools.cisco.com/squish/Cac0A
Now, once you understand all these changes, you're good to go and then what you need to do on the user machine is just install the micrsofot patch that can be found in the following link:
http://support.microsoft.com/kb/2695962
Have a great week
ricardo
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide