Solved: Re: Remote Access Clientless VPN Portal issue

Jay47110 · ‎04-07-2020

Hi,

I have a customer that has a few bookmarks to their Internal resources within their Clientless VPN portal. The users can access those internal resources through the Clientless VPN however, they are unable to access any dropdown menus, instead some html code appears in place of the dropdown text. Also, certain buttons on the resource webpage do not work properly i.e. when pressed either return an error or no response at all. The same resource is fully accessible over other VPNs.

There is a similar support ticket (https://community.cisco.com/t5/vpn/ssl-clientless-vpn-portal/td-p/2615390) where the following explanation is given: "ASA uses rewrite functions to hide the actual URLs and sometime some application/pages are not re-written properly, and they are not rendered correctly on the browser. Check if the ASA version is compatible with the application using (http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#pgfId-228100)"

The ASA used in this case is a 5516 with 9.8(4)10. The compatibility check URL above shows clientless VPNs from the ASA with 9.8 to be compatible with Chrome and Firefox. JAVA 8 is also installed on the PC.

Am I missing something? Is there any solution or a fix to this? Is this a bug that is fixed in a latest ios version?

I have managed to find a weird fix where I disable code rewrite for the bookmarked resources. This makes the bookmark unlink itself from the clientless VPN when opened and opens as a separate URL rather than opening with the clientless VPN, thus requiring Cisco Anyconnect client to be logged in simultaniously providing a split-list route. However, it is not a very neat fix and defeats the whole purpose of using a Clientless VPN.

Is there any proper fix to this?

Thanks and kind regards

Cristian Matei · ‎04-08-2020

Hi,

I've had similar issues with some deployments, most probably the problem was related to browser/Java. I fixed it by using Smart Tunnels, you may also disable URL rewrite as you'll be tunnelling traffic to a specific destination now through your browser.

Yes, technically speaking Smart Tunnels came as an evolution of port forwarding, but it doesn't mean you can't use it for HTTP/HTTPS traffic as well, especially with these incompatibilities.

Regards,

Cristian Matei.

View solution in original post

Cristian Matei · ‎04-08-2020

Hi,

I understand that those web resources are functional when access via client-based VPN< but you have issues over cleintless SSL VPN, right?

Have you tried using Smart Tunnels for these apps, or disable the URL rewrite function?

Regards,

Cristian Matei.

Jay47110 · ‎04-08-2020

Hi Cristian,
Yes, that is correct. The resources are fully functional when accessing via client-based VPN but have issues over clientless. i.e. resource webpage not displaying correctly.
I have tried disabling the URL rewrite function which is what I refer to in the weird fix at the end of my main post. But when the URL rewrite is disabled for the resource, opening the URL unlinks itself from the webvpn and which makes it inaccessible unless the anyconnect client is also logged in providing it with a route back to the VPN.
Smart tunnels; I thought were only an option for specific applications like citrix etc and were an alternative to port-forwarding. The internal resources are simple http pages accessed via the bookmarks in the clientless portal.

Kind regards

Cristian Matei · ‎04-08-2020

Hi,

I've had similar issues with some deployments, most probably the problem was related to browser/Java. I fixed it by using Smart Tunnels, you may also disable URL rewrite as you'll be tunnelling traffic to a specific destination now through your browser.

Yes, technically speaking Smart Tunnels came as an evolution of port forwarding, but it doesn't mean you can't use it for HTTP/HTTPS traffic as well, especially with these incompatibilities.

Regards,

Cristian Matei.

Jay47110 · ‎04-08-2020

Thanks Cristian, I've got it to work using Smart Tunnel on Microsoft Internet Explorer. The resource webpage open and works as expected. Thanks again for the idea.
However, It only seems to work in Microsoft Internet Explorer and no other browser. Chrome and Edge seem to require a "Cisco SSL relay extension" that doesn't exist anywhere on the internet and Firefox just hangs on the Page waiting for it to load and finally giving the message "It has taken a while for SSL VPN Relay to load. You need to verify Java is enabled in your browser." I think it also requires the VPN relay extension.

Any idea where I can get the VPN relay for chrome/Firefox. As it is desired for the clientless VPN to work on Chrome.

Cristian Matei · ‎04-08-2020

Hi,

There have been several issues/bugs with Chrome and Smart Tunnel. Look in this guide for Smart Tunnel requirements, and test till you may find a working Chrome version. I would stick to the IE, at least it works, most of the times.

Regards,

Cristian Matei.

Jay47110 · ‎04-08-2020

Thanks Cristian. Appreciate your help in this.