Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1058
Views
0
Helpful
2
Replies

SBL - Does it actually work?

langleys25
Level 1
Level 1

‎01-23-2012 12:38 PM

Hi All,

We have just started moving over to Client SSL VPN Connections. We have this working really well and all our users are able to connect using the AnyConnect client and we are happy it is setup the way we want it.

We decided we would now go to the next step and start using SBL. Looking at the basics, it seemed a simple enought process.

All our clients are Windows 7 with a few XP machines dotted around. Everything is 32-bit.

We did a bit of research and read a lot of the Cisco documentation and decided to give it a try. We went through thr steps and configured the ASA to enable SBL (vpngina, client profile etc). We then picked a handful of machines to test it on. We connected to the ASA via AnyConnect client and sure enough SBL had been installed.

Now the trouble starts. When you turn the machine on we get the VPN logn prompt but when you select the host, it just says connection to host failed. If we bypass the SBL screen and logon normally, we can still use AnyConnect client perfectly. Looking in the Event Viewer, all we can see of any significance is

CTRANSPORT_ERROR_UNTRUSTED_CERT_DISALLOWED_WITH_SBL

We do not use certificates. Do I assume that SBL cannot function unless you purchase a trusted certificate or is this message a red herring, or is there a workaround?

Many thanks in advance.

Labels:
0 Helpful
2 Replies 2

langleys25
Level 1
Level 1

‎01-25-2012 12:56 AM

The solution to this for anyone that's interested was to create a self-signed certificate on the ASA and then install it into the Laptop's Machine Trusted Roots store.

It would be nice for Cisco to document this. SBL will not work without a trusted certificate although the Cisco VPN Client does. I have not seen this mentioned in any of the Cisco documentation I have read.

0 Helpful

chia hao chang
Level 1
Level 1
In response to langleys25

‎05-18-2012 08:00 AM

is it really resolved the problem ?

i created asa self-signed certificate and export it,

then install to my client's PC trusted roots store

anyway, SBL still not working

it still show "connection attempt failed"

anyone could help me

thanks

0 Helpful
Customers Also Viewed These Support Documents