SSL VPN login page does not display
01-22-2010 09:07 AM
I have an ASA5510 that I am trying to set up for remote access using SSL VPN & clientless SSL VPN. I have followed the config guides on the Cisco website as well as the config guides elsewhere on the internet to no avail. I have a TAC case opened and have spoken with 4 engineers thus far. I have tried several software versions on the device and they all give the same result.
When going to https://(outside interface ip address), I receive the expected ssl certificate error, then I click to continue to the website, and the browser never loads a page. I can see the ssl negotiation in my debug, and it completes that portion. My http debug shows the get requests to https://(outside interface ip address)/+CSCOE+/index.html and/or logon.html, but the page never loads.
Has anyone ever seen this before? Any ideas, or what would be helpful in troubleshooting this further?
Thank you in advance!
J
Labels: VPN
01-22-2010 10:43 PM
What OS and browser have you tested this on? What version code and what version of AnyConnect are you using?
01-23-2010 05:25 AM
OS & Browsers I have tried so far are Vista Ultimate SP1 w/ IE 7, Win XP SP 3 w/ IE 6 & Firefox, Win 7 w/ IE 8 & Chrome.
Code versions on my ASA that I have tried so far are 8.2.2, 8.0.5, and 7.0.8.
I'm not sure that the AnyConnect version matters since the browser never gets to the point where it should download it, but I have tried every version of the AnyConnect for Windows client from 2.2 to the current 2.4.
If I manually install the AnyConnect client on a machine, I am able to get a login prompt through the client, but end up getting an error message while it is "Establishing VPN Connection" that says "AnyConnect package missing or corrupt. Contact your administrator." But the package isn't missing, nor is it corrupt.
If I enable AnyConnect on the inside interface, the whole thing works just fine--but what's the point of that if I'm already inside the firewall lol.
01-23-2010 08:33 AM
Would you mind posting your config, free of passwords and any other sensitive data?
01-23-2010 09:13 AM
The config is kind of messy now after fiddling with it, but here it is along w/ a show ver.
I have IPSEC remote access VPNs working--connectivity is very slow. When I create static translations and allow traffic through the firewall, for a webserver for example, that is extremely slow as well via both https & http. The internet connection at this location is a 15Mb ethernet connection though & should not be as slow as it is.
Thanks for your time, help, & consideration.
James
###########################################################
ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name XXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXX
passwd XXXXXXXXXXXXXXXXXXXXXXXXXXX
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.45.2 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
speed 100
duplex full
nameif inside
security-level 100
ip address XXX.XXX.5.6 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name ABCsolutions.com
dns server-group ABC.LOCAL
name-server XXX.XXX.2.70
name-server XXX.XXX.100.32
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OSW-INTERNET extended permit ip XXX.XXX.0.0 255.255.240.0 any
access-list TRE-INTERNET extended permit ip XXX.XXX.20.0 255.255.255.0 any
access-list TRE-INTERNET extended permit ip XXX.XXX.32.0 255.255.255.0 any
access-list TRE-INTERNET extended permit ip XXX.XXX.33.0 255.255.255.0 any
access-list TRO-INTERNET extended permit ip XXX.XXX.100.0 255.255.255.0 any
access-list TRO-INTERNET extended permit ip XXX.XXX.111.0 255.255.255.0 any
access-list TRO-INTERNET extended permit ip XXX.XXX.112.0 255.255.255.0 any
access-list TRO-INTERNET extended permit ip XXX.XXX.113.0 255.255.255.0 any
access-list LAV-INTERNET extended permit ip XXX.XXX.0.0 255.255.0.0 any
access-list LAV-INTERNET extended permit ip 10.3.1.0 255.255.255.0 any
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq smtp
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2 eq https
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2 eq www
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq https
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.13 eq www
access-list INBOUND-INTERNET extended permit icmp any any
access-list INBOUND-INTERNET extended permit tcp host 67.183.30.29 host XXX.XXX.45.13 eq 3389
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.2
access-list INBOUND-INTERNET extended permit ip XXX.XXX.5.16 255.255.255.240 any
access-list INBOUND-INTERNET extended permit tcp any host XXX.XXX.45.10 eq https
access-list bypass extended permit ip XXX.XXX.0.0 255.255.0.0 XXX.XXX.5.16 255.255.255.240
access-list bypass extended permit ip 10.0.0.0 255.0.0.0 XXX.XXX.5.16 255.255.255.240
access-list outside_access_in extended permit tcp any host XXX.XXX.45.2
access-list REMOTE_ACCESS_TUNNELED_NETWORKS standard permit XXX.XXX.0.0 255.255.0.0
access-list REMOTE_ACCESS_TUNNELED_NETWORKS standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool Default 192.168.200.10-192.168.200.50 mask 255.255.255.0
ip local pool IT_VPN_POOL XXX.XXX.5.17-XXX.XXX.5.30 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.45.3
global (outside) 2 XXX.XXX.45.4
global (outside) 3 XXX.XXX.45.5
global (outside) 4 XXX.XXX.45.6
global (outside) 5 interface
nat (outside) 5 XXX.XXX.5.16 255.255.255.240
nat (inside) 0 access-list bypass
nat (inside) 3 access-list TRO-INTERNET
nat (inside) 4 access-list LAV-INTERNET
nat (inside) 1 access-list OSW-INTERNET
nat (inside) 2 access-list TRE-INTERNET
static (inside,outside) XXX.XXX.45.10 XXX.XXX.5.7 netmask 255.255.255.255
static (inside,outside) XXX.XXX.45.13 XXX.XXX.2.37 netmask 255.255.255.255
access-group INBOUND-INTERNET in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.45.1 1
route inside 10.0.0.0 255.0.0.0 XXX.XXX.5.1 1
route inside XXX.XXX.0.0 255.255.0.0 XXX.XXX.5.1 1
route inside XXX.XXX.2.20 255.255.255.255 XXX.XXX.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
eou allow none
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 1440 burst-rate 400 average-rate 200
ssl encryption aes128-sha1 aes256-sha1
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value IT
svc ask enable default webvpn
group-policy ITSG_IPSEC internal
group-policy ITSG_IPSEC attributes
dns-server value XXX.XXX.2.70 XXX.XXX.100.32
vpn-tunnel-protocol IPSec
group-lock value ITSG_IPSEC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE_ACCESS_TUNNELED_NETWORKS
default-domain value ABCsolutions.local
username test password XXXXXXXXXXXXX encrypted privilege 0
username test attributes
vpn-group-policy DfltGrpPolicy
username cisco password XXXXXXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group Default type remote-access
tunnel-group Default general-attributes
address-pool Default
tunnel-group Default webvpn-attributes
group-alias ABC enable
group-url https://XXX.XXX.45.2/ABC enable
without-csd
tunnel-group ITSG_IPSEC type remote-access
tunnel-group ITSG_IPSEC general-attributes
address-pool IT_VPN_POOL
default-group-policy ITSG_IPSEC
password-management
tunnel-group ITSG_IPSEC ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:be8ef73f0c1aa75aa0fbb84e02e96dc2
: end
ciscoasa(config)# show ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 19 hours 13 mins
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0026.cb6f.02c0, irq 9
1: Ext: Ethernet0/1 : address is 0026.cb6f.02c1, irq 9
2: Ext: Ethernet0/2 : address is 0026.cb6f.02c2, irq 9
3: Ext: Ethernet0/3 : address is 0026.cb6f.02c3, irq 9
4: Ext: Management0/0 : address is 0026.cb6f.02c4, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 100
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: XXXXXXXXXXXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 16:50:32.198 UTC Sat Jan 23 2010
ciscoasa(config)#
02-02-2010 11:25 AM
Hi James,
1) Let's try Clientless (aka WebVPN) first.
BTW: Win7 and IE8, MAC OSX 10.6 official support are only available in the upcoming ASA 8.3 version. Also, if you are using the SSL AES ciphers on the ASA, IE6 doesn't support them. Or enable all the ASA ciphers momentarily, so regardless of the browser you try, at least an RC4 should be available.
The current/latest VPN supported platforms matrix is at http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html .
2) Enable console debugs: "logging class auth console debugging", "logging class auth console debugging", "logging enable".
3) Based on your config, go to https://ASA-FQDN or outside-IP; use Firefox 3.x for example for your test. Enable both SSLv3 and TLSv on the browser.
4) Enter your credentials on the WebVPN login, collect the debugs I mentioned and paste them here.
5) If you can/want to send me your TAC case, I can review it to see where we stand on this. I'm not in TAC but I can review the case.
Cheers,
Nelson
01-21-2012 04:25 AM
Hi James and Nelson,
I know it is pretty old, but the fact is that I am facing the same problem, and as James has not answered, I would like to know if it has been solved, and if so, how?
It would help me a lot!!!
Thanks.
02-08-2012 03:52 PM
I have noticed a couple of browsers that are exhibiting similar behavior.
First, we use client certificates with 'both' certificate and AAA (LDAP). Cisco, by default, puts RC4 at the top of the list, and with most browsers it will be the chosen cipher. I have noticed that up-to-date Macs will terminate the connection (SSL reset) and refuse to submit a certificate. Not sure if Apple decided strong key negotiation was incompatible with a weak cipher, but as soon as RC4 was demoted and AES 128 was negotiated the Mac worked fine.
Now, on Chrome (seen in both 16 and 17) I am seeing this in the ASDM logs.
Device chooses cipher : AES128-SHA for the SSL session with client gap:208.179.252.194/60870
CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).
SSL lib error. Function: SSL3_GET_RECORD Reason: decryption failed or bad record mac
CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).
The two errors are obviously not related, but could you look in the ASDM logs and see if there are messages?
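An added example (not from the thread or from Cisco) that models the cipher mismatch Nelson and the last reply describe: it pulls the `ssl encryption` line out of an excerpt of James's config and simulates which suite a given client ends up with, returning None for the "handshake completes nothing, page never loads" case. The ASA-to-OpenSSL name mapping, the hypothetical client cipher lists and the server-preference rule are assumptions.

```python
import re

# Assumed mapping from ASA 8.x "ssl encryption" keywords to OpenSSL suite names.
ASA_TO_TLS = {
    "rc4-md5": "RC4-MD5",
    "rc4-sha1": "RC4-SHA",
    "des-sha1": "DES-CBC-SHA",
    "3des-sha1": "DES-CBC3-SHA",
    "aes128-sha1": "AES128-SHA",
    "aes256-sha1": "AES256-SHA",
}

# Hypothetical client offers, constructed for the demo (not measured from real browsers).
# "legacy-browser" stands in for Nelson's IE6 case: no AES suites at all.
CLIENT_OFFERS = {
    "legacy-browser": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
    "modern-browser": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
}

# Constructed excerpt of the running config posted in the thread.
CONFIG_SNIPPET = """\
ssl encryption aes128-sha1 aes256-sha1
webvpn
 enable outside
"""

def asa_cipher_list(config_text):
    """Return the suites the ASA offers, in the order of its 'ssl encryption' line."""
    m = re.search(r"^ssl encryption\s+(.+)$", config_text, re.MULTILINE)
    if not m:
        return None  # line absent: the platform default applies, not modelled here
    return [ASA_TO_TLS[k] for k in m.group(1).split()]

def negotiate(server_prefs, client_offer):
    """First server-preferred suite the client also offers; None = handshake fails.

    Assumption: the ASA picks by its own order (server preference), which is
    how the last reply describes RC4 winning when it sits first in the list.
    """
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

def weak_suites(suites):
    """Suites a defender would not leave enabled on a VPN head-end (RC4, MD5, single DES)."""
    return [s for s in suites if any(w in s for w in ("RC4", "MD5", "DES-CBC-SHA"))]

if __name__ == "__main__":
    prefs = asa_cipher_list(CONFIG_SNIPPET)
    for name, offer in CLIENT_OFFERS.items():
        print(f"{name}: {negotiate(prefs, offer) or 'NO COMMON CIPHER (page never loads)'}")
```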
