02-28-2013 07:38 AM
Hello,
I am trying to configure AnyConnect SSL on an ASA 5520 (hot standby), 8.4(5), ASDM 7.1(1)52.
The goal: users should log in to the portal page and download the AnyConnect client software that is already in place on disk0.
IPSec VPN Client access (certificate based) is already working on the same interface; AnyConnect users should use the same authentication as IPSec users. In this case it is x-auth via RADIUS.
In ASDM I followed "Wizard -> Anyconnect VPN Wizard" but it is not working: the portal page is not shown on https://<ASA-outside-address>.
I would very much appreciate any idea that guides me in the right direction.
Best Regards
Juergen
03-12-2013 07:29 AM
Now the portal page is working ... but only on the inside interface.
Login, authentication and the subsequent AnyConnect client download are working, and the IP address is given by a local ASA pool ... still a problem: no packets are routed through the tunnel.
When connecting to the outside interface, the HTTPS request times out. The ASA logging shows
"Mar 12 15:23:44 fw-mytestasa : %ASA-7-710005: TCP request discarded from 200.200.200.200/4399 to INTERNET:123.123.123.123/443"
Any idea why the request to the INTERNET interface is discarded?
Best Regards
Juergen
03-12-2013 07:52 AM
sh run webvpn:
webvpn
 enable inside
 enable INTERNET
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux-3.1.02026-k9.pkg 3 regex "Linux"
 anyconnect enable
03-12-2013 07:33 PM
Hello Juergen,
That command should enable it on the outside interface.
Are you still experiencing issues?
HTH.
Portu.
03-13-2013 02:34 AM
Hello Javier,
thanks a lot for your reply.
Are you still experiencing issues? --> Yes, still not working on the INTERNET interface. What is strange: there is no TCP handshake between the client PC and the ASA, only the above-mentioned "TCP request discarded" logging message.
So there must be an interface-dependent way to enable/disable the webvpn/portal page; the commands
webvpn
 enable inside
 enable INTERNET
obviously are not enough.
Regards
Juergen
03-14-2013 11:13 AM
Juergen,
Would it be possible to reload this ASA?
Thanks.