08-20-2022 12:32 PM
I am trying to enable Clientless VPN, which was not set up before. After following an online guide, I've got everything ready for it to work, but when I try to open the website with the URL of the firewall (https://vpn.teleyemen.com.ye), it just gives me the word (Forbidden) and nothing else.
I have set it up to use certificate-only authentication, which the connection asks for the first time I try to connect, but then I get (Forbidden) every time I try to connect after that, regardless of the browser.
08-20-2022 12:38 PM
What firewall and what code is it running? Do you have a config snippet for us to understand what is configured? (What do you see in the logs on the firewall side?)
I would suggest looking at the config again.
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
Some troubleshooting tips:
08-21-2022 12:03 PM
The firewall is a Cisco ASA5555-X with FirePOWER Services (ASA code 9.13).
I see a lot of successful connection logs that eventually end with disconnection.
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3321 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548997 for outside:82.114.168.121/3321 to identity:172.25.25.254/443 duration 0:00:00 bytes 145 TCP FINs from outside
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3320 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548996 for outside:82.114.168.121/3320 to identity:172.25.25.254/443 duration 0:00:00 bytes 145 TCP FINs from outside
msg=Aug 21 21:57:39 ASA : %ASA-6-725003: SSL client outside:82.114.168.121/3321 to 172.25.25.254/443 request to resume previous session
msg=Aug 21 21:57:39 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3321 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:39 ASA : %ASA-6-725003: SSL client outside:82.114.168.121/3320 to 172.25.25.254/443 request to resume previous session
msg=Aug 21 21:57:39 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3320 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:39 ASA : %ASA-6-302013: Built inbound TCP connection 406548997 for outside:82.114.168.121/3321 (82.114.168.121/3321) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:39 ASA : %ASA-6-302013: Built inbound TCP connection 406548996 for outside:82.114.168.121/3320 (82.114.168.121/3320) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3319 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548856 for outside:82.114.168.121/3319 to identity:172.25.25.254/443 duration 0:00:00 bytes 145 TCP FINs from outside
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548583 for outside:82.114.168.121/3318 to identity:172.25.25.254/443 duration 0:00:00 bytes 6172 TCP FINs from identity
msg=Aug 21 21:57:39 ASA : %ASA-6-725003: SSL client outside:82.114.168.121/3319 to 172.25.25.254/443 request to resume previous session
msg=Aug 21 21:57:39 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3319 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3318 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302013: Built inbound TCP connection 406548856 for outside:82.114.168.121/3319 (82.114.168.121/3319) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-6-725002: Device completed SSL handshake with client outside:82.114.168.121/3318 to 172.25.25.254/443 for TLSv1.2 session
msg=Aug 21 21:57:38 ASA : %ASA-6-725016: Device selects trust-point VPN.teleyemen.com.ye for client outside:82.114.168.121/3318 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:82.114.168.121/3318 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725008: SSL client outside:82.114.168.121/3318 to 172.25.25.254/443 proposes the following 10 cipher(s)
msg=Aug 21 21:57:38 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3318 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:38 ASA : %ASA-6-302013: Built inbound TCP connection 406548583 for outside:82.114.168.121/3318 (82.114.168.121/3318) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-6-302014: Teardown TCP connection 406548562 for outside:82.114.168.121/3317 to identity:172.25.25.254/443 duration 0:00:00 bytes 4097 TCP FINs from outside
msg=Aug 21 21:57:38 ASA : %ASA-6-302014: Teardown TCP connection 406548561 for outside:82.114.168.121/3316 to identity:172.25.25.254/443 duration 0:00:00 bytes 4097 TCP FINs from outside
msg=Aug 21 21:57:38 ASA : %ASA-6-725016: Device selects trust-point VPN.teleyemen.com.ye for client outside:82.114.168.121/3317 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:82.114.168.121/3317 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725008: SSL client outside:82.114.168.121/3317 to 172.25.25.254/443 proposes the following 10 cipher(s)
msg=Aug 21 21:57:38 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3317 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:38 ASA : %ASA-6-725016: Device selects trust-point VPN.teleyemen.com.ye for client outside:82.114.168.121/3316 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:82.114.168.121/3316 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725008: SSL client outside:82.114.168.121/3316 to 172.25.25.254/443 proposes the following 10 cipher(s)
msg=Aug 21 21:57:38 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3316 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:38 ASA : %ASA-6-302013: Built inbound TCP connection 406548562 for outside:82.114.168.121/3317 (82.114.168.121/3317) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-6-302013: Built inbound TCP connection 406548561 for outside:82.114.168.121/3316 (82.114.168.121/3316) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-7-609001: Built local-host outside:82.114.168.121
I am not sure I am able to find the website files for the Clientless VPN connection on the ASA. Do you have any idea where they should be located?
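The syslog excerpt in this post is the right place to start triaging a "Forbidden" symptom from the ASA side, because the 3020xx connection messages and the 725xxx SSL messages can be correlated per client socket. The script below is an added example, not code from this thread or from Cisco: it embeds a constructed subset of the lines quoted above as sample data, groups them by client ip/port, and records for each connection whether the TLS handshake completed, which trust point, TLS version and cipher were chosen, and which side sent the TCP FIN. The regexes are written against the message formats visible in the post, and the classification labels are my own. The pattern to look at first is a connection that completes the handshake and is then torn down with "TCP FINs from identity" after a few KB, because that is the ASA itself answering the HTTP request and closing; connections that never complete the handshake and are closed from the outside are a separate pattern and should not be mixed into the same count.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ASA syslog lines quoted in the post above,
# covering one client socket (3318) that completed the handshake and one (3319)
# that did not, plus a 609001 line that carries no port and must be skipped.
SAMPLE_LOG = """\
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3319 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548856 for outside:82.114.168.121/3319 to identity:172.25.25.254/443 duration 0:00:00 bytes 145 TCP FINs from outside
msg=Aug 21 21:57:39 ASA : %ASA-6-302014: Teardown TCP connection 406548583 for outside:82.114.168.121/3318 to identity:172.25.25.254/443 duration 0:00:00 bytes 6172 TCP FINs from identity
msg=Aug 21 21:57:39 ASA : %ASA-6-725003: SSL client outside:82.114.168.121/3319 to 172.25.25.254/443 request to resume previous session
msg=Aug 21 21:57:39 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3319 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:39 ASA : %ASA-6-725007: SSL session with client outside:82.114.168.121/3318 to 172.25.25.254/443 terminated
msg=Aug 21 21:57:39 ASA : %ASA-6-302013: Built inbound TCP connection 406548856 for outside:82.114.168.121/3319 (82.114.168.121/3319) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-6-725002: Device completed SSL handshake with client outside:82.114.168.121/3318 to 172.25.25.254/443 for TLSv1.2 session
msg=Aug 21 21:57:38 ASA : %ASA-6-725016: Device selects trust-point VPN.teleyemen.com.ye for client outside:82.114.168.121/3318 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:82.114.168.121/3318 to 172.25.25.254/443
msg=Aug 21 21:57:38 ASA : %ASA-6-725001: Starting SSL handshake with client outside:82.114.168.121/3318 to 172.25.25.254/443 for TLS session
msg=Aug 21 21:57:38 ASA : %ASA-6-302013: Built inbound TCP connection 406548583 for outside:82.114.168.121/3318 (82.114.168.121/3318) to identity:172.25.25.254/443 (172.25.25.254/443)
msg=Aug 21 21:57:38 ASA : %ASA-7-609001: Built local-host outside:82.114.168.121
"""

# The first "outside:<ip>/<port>" on a line is the client side for both the
# SSL (725xxx) and connection (3020xx) messages shown in the post.
SOCKET_RE = re.compile(r"outside:(\d+(?:\.\d+){3})/(\d+)")
MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
CONN_RE = re.compile(r"TCP connection (\d+) ")
TEARDOWN_RE = re.compile(r"bytes (\d+) TCP FINs from (\w+)")
CIPHER_RE = re.compile(r"Device chooses cipher (\S+)")
TRUSTPOINT_RE = re.compile(r"trust-point (\S+)")
TLS_RE = re.compile(r"for (TLSv[\d.]+) session")


def new_session():
    return {
        "conn_id": None, "handshake_started": False, "handshake_completed": False,
        "resume_requested": False, "tls_version": None, "cipher": None,
        "trustpoint": None, "ssl_terminated": False, "bytes": None, "fins_from": None,
    }


def parse_asa_log(text):
    """Group ASA syslog lines by client socket (ip, port) and record how far each
    TLS session got. Order-independent, so it also works on a log viewer export
    that lists the newest line first, as the post above does."""
    sessions = {}
    for line in text.splitlines():
        msg, sock = MSG_RE.search(line), SOCKET_RE.search(line)
        if not msg or not sock:
            continue  # e.g. 609001 "Built local-host" carries no port
        s = sessions.setdefault(sock.groups(), new_session())
        msg_id = msg.group(1)
        if msg_id in ("302013", "302014"):
            s["conn_id"] = CONN_RE.search(line).group(1)
            if msg_id == "302014":
                nbytes, side = TEARDOWN_RE.search(line).groups()
                s["bytes"], s["fins_from"] = int(nbytes), side
        elif msg_id == "725001":
            s["handshake_started"] = True
        elif msg_id == "725002":
            s["handshake_completed"] = True
            s["tls_version"] = TLS_RE.search(line).group(1)
        elif msg_id == "725003":
            s["resume_requested"] = True
        elif msg_id == "725007":
            s["ssl_terminated"] = True
        elif msg_id == "725012":
            s["cipher"] = CIPHER_RE.search(line).group(1)
        elif msg_id == "725016":
            s["trustpoint"] = TRUSTPOINT_RE.search(line).group(1)
    return sessions


def classify(s):
    """Label a session by where it ended. 'identity' in the FIN message means the
    ASA itself closed the connection, i.e. it answered and hung up."""
    if not s["handshake_completed"]:
        return ("handshake_incomplete_client_closed" if s["fins_from"] == "outside"
                else "handshake_incomplete")
    return "handshake_ok_server_closed" if s["fins_from"] == "identity" else "handshake_ok_client_closed"


def summarize(sessions):
    """Count sessions per outcome so the two patterns are not mixed together."""
    return Counter(classify(s) for s in sessions.values())


if __name__ == "__main__":
    parsed = parse_asa_log(SAMPLE_LOG)
    for (ip, port), s in sorted(parsed.items()):
        print(f"{ip}/{port} conn={s['conn_id']} {classify(s)} "
              f"tls={s['tls_version']} cipher={s['cipher']} bytes={s['bytes']}")
    print(dict(summarize(parsed)))
```

On the full excerpt, the sockets that reach 725002 and are then closed "from identity" are the requests the ASA actually served, so that is where to read the HTTP response (for example from the browser's developer tools) and match it against the clientless portal, group-policy and certificate-map configuration; the many short handshakes closed "from outside" are the browser reconnecting and are not the cause of the Forbidden page.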
08-20-2022 02:06 PM
Add the DNS name of the FW to the cert.
08-21-2022 11:53 AM
Already there in the certificate.