
Clientless VPN - ActiveX

Ricardo Lemus
Level 1

Hello there,

We are facing a bug with our ASA 5500 series (version 8.5.26) and Internet Explorer: when users connect to the SSL VPN, they are not able to connect to network resources like their PCs, and the Cisco portforwarder keeps asking for its installation.

Any idea about this? We already updated the ASA version and installed the Microsoft kill bit patch on the users' computers.

Sent from Cisco Technical Support Android App

12 Replies

Vishnu Sharma
Level 1

Hi Ricardo,

Are you sure it is 8.5.26? I think you are referring to 8.2(5.26); correct me if I am wrong.

Disable UAC and add the site to which you are connecting under trusted sites: for ex.

If you are still facing this issue, then please try to uninstall MS update: 2695962 and let me know if this works without any issues.

If yes then definitely we would like to have a look into this. Also let me know if this is happening on one machine or on multiple machines.

Thanks,

Vishnu Sharma

Hello Vishnu,

Thanks for your email.

I just copied the sh version output and got this: Cisco Adaptive Security Appliance Software Version 8.2(5)

You mentioned something about disabling UAC; could you please explain to me what that is?

I’ve also been working with Leonardo Guzman and I told him that we are right now in the middle of the biggest event in our Organization and we cannot afford another downtime in order to perform any other action in our firewall, so if we can get this done after the first week of June, that would be great.

Thanks a lot

Ricardo Lemus


Got this same issue with the Cisco Portforwarder ActiveX control install in a loop. I have ASA Version 8.4(2) and it seems to have become an issue with this MS update: 2695962. Yes, removing this update works as a temporary workaround. Adding the site as a trusted site alone does not work. What version of ASA resolves this?

Hello Eric,

Thanks for your comments.

Here is a link where you can see the version and its fix release. In my case I need to upgrade the version from 8.2(5) to 8.2(5.26).

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

| Affected Version | First Fixed Release | Recommended Release |
|---|---|---|
| Cisco ASA 7.0 | Not Vulnerable | Migrate to 7.2 or later |
| Cisco ASA 7.1 | Vulnerable | Vulnerable; Migrate to 7.2 or later |
| Cisco ASA 7.2 | 7.2(5.6) | 7.2(5.7) |
| Cisco ASA 8.0 | 8.0(5.26) | Migrate to 8.2(5.26) or later |
| Cisco ASA 8.1 | 8.1(2.53) | Migrate to 8.2(5.26) or later |
| Cisco ASA 8.2 | 8.2(5.18) | 8.2(5.26) |
| Cisco ASA 8.3 | 8.3(2.28) | Migrate to 8.4(3.8) or later |
| Cisco ASA 8.4 | 8.4(2.16) | 8.4(3.8) |
| Cisco ASA 8.5 | Not Vulnerable | 8.5(1.7) |
| Cisco ASA 8.6 | 8.6(1.1) | 8.6(1.1) |

Thanks for that information. I will try and do mine tomorrow am and see if that fixes my issues. Did you upgrade yours and have no issues?

Not yet! As a workaround we send a notification to our remote users to use another browser instead of IE.

Please let me know how that upgrade works on your side. I did one upgrade a couple of weeks ago and had some VPN profiles changed, so just be careful and run a backup.

Thanks

ricardo

Hi Ricardo,

I think this should work on 8.2(5.26); however, could you please share the screenshot of the error that you are getting?

Thanks,

Vishnu Sharma

Ricardo, thanks for that heads up on the VPN. Since I was on 8.4.2 I wanted to install the 8.4(3.8) as recommended. But you can no longer get 8.4(3.8). Had to go with 8.4.4. What a nightmare that turned into. Well, got to 8.4.4 and one user was still having the same ActiveX issue that I tested with early am, so not sure if this is included in this fix with this firmware. Then I noticed my site-to-site VPN had not come up. A massive fight all day long with that. Checking profiles and settings. Everything looked good. Well, this firewall would not respond to the other side's IKE request, and in the end pulled the pin with Cisco TAC on the phone and downgraded back to 8.4.2 and the VPN came up right away.

Vishnu, should 8.4.4 include the ActiveX fix? Sorry Ricardo for the hijack.

Hi Eric,

If you go through the Softwares and Fixes section of the link that Ricardo shared:

I see that you upgraded to 8.4.4 and some users are still facing this issue. Ideally this should be fixed in 8.4.4 because the 8.4.x series is a higher version compared to the 8.4(3.x) series; however, it is a totally new mainline series as well. So, any version higher in the same interim series will have the fix for this issue. In this case, you can upgrade to 8.4(3.9), which is in the same series, 8.4(3.x), and is higher than 8.4(3.8). I will never suggest that you go to a different series when the fix for this bug is not mentioned clearly for any code in that range. I know that 8.4(3.8) is not available on the Cisco website, but you can download asa843-9-k8.bin from the Cisco website and it should fix this issue.

Let me know if this helps.

Thanks,

Vishnu Sharma
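
Added example, not part of the original thread and not Cisco tooling: a small checker that applies the rule from the reply above (a build at or above a listed fixed release in the same interim series has the fix; a different series needs confirmation) to the advisory table quoted earlier. The status names and the treatment of a missing interim build as 0 are assumptions of this sketch.

```python
import re

# Releases carrying the fix, per train, from the advisory table quoted in this thread
# (first fixed release, plus the recommended release when it is in the same train).
FIXED = {
    "7.2": ["7.2(5.6)", "7.2(5.7)"],
    "8.0": ["8.0(5.26)"],
    "8.1": ["8.1(2.53)"],
    "8.2": ["8.2(5.18)", "8.2(5.26)"],
    "8.3": ["8.3(2.28)"],
    "8.4": ["8.4(2.16)", "8.4(3.8)"],
    "8.6": ["8.6(1.1)"],
}
NOT_VULNERABLE = {"7.0", "8.5"}  # listed as "Not Vulnerable"
NO_FIX = {"7.1"}                 # listed as "Vulnerable", no fixed release in the train

_VER = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

def parse(text):
    """Find an ASA version such as '8.2(5.26)' in text (e.g. a 'show version' line).
    Returns (train, maintenance, interim); a missing interim is taken as 0 (assumption)."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint, interim = m.groups()
    return f"{major}.{minor}", int(maint), int(interim or 0)

def assess(text):
    """Classify a running version against the quoted table (status names are this sketch's own)."""
    train, maint, interim = parse(text)
    if train in NOT_VULNERABLE:
        return "not-vulnerable"
    if train in NO_FIX:
        return "vulnerable"
    if train not in FIXED:
        return "unknown-train"
    listed = [parse(v)[1:] for v in FIXED[train]]  # [(maintenance, interim), ...]
    if (maint, interim) < min(listed):             # older than the first fixed release
        return "vulnerable"
    # Same interim series as a listed fixed release, at or above it: fix is present.
    if any(maint == m and interim >= i for m, i in listed):
        return "fixed"
    # Different series (e.g. a newer maintenance release): confirm in its release notes.
    return "unconfirmed"

if __name__ == "__main__":
    for v in ["8.2(5)", "8.2(5.26)", "8.4(2)", "8.4(3.9)", "8.4(4)"]:
        print(v, "->", assess(v))
```
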

John Peterson
Level 1

Just to let you know, I had a client who was also having a similar issue with ActiveX after the MS update. I updated their 5505 to 8.4.4 as 8.4.3 was removed from the download site and it fixed the bug. I was going from the new NAT version.

Sent from Cisco Technical Support iPhone App

Ricardo Lemus
Level 1

Hello guys,

Just a quick update on this. There is another issue we are facing and you can read it here: http://tools.cisco.com/squish/3c196

It's about a new bug in the version 8.2(5). It is the bug CSCtt96550.

The image version which could fix both bugs is 8.4(3.8). I will be upgrading from 8.2(5) on Friday and then I will let you know.

FYI, there are some changes on the NAT rules; now their format will be different.

Sent from Cisco Technical Support Android App

Hello guys,

Finally we found out the best version for this ActiveX issue. It is 8.4(3) 8

Before you guys update your infrastructure, please be aware of the changing of the NAT rules. Here is a good link to understand how they will.

http://tools.cisco.com/squish/Cac0A

Now, once you understand all these changes, you're good to go and then what you need to do on the user machine is just install the Microsoft patch that can be found in the following link:

http://support.microsoft.com/kb/2695962

Have a great week

ricardo