07-22-2008 11:30 AM - last edited on 02-21-2020 11:47 PM by cc_security_adm
I have configured 2 ASA 5520s in cluster mode for load balancing. I connect using AnyConnect and I download the client the first time and everything works fine except Outlook. I am not sure why Outlook does not work.
The second problem is after the AnyConnect client is installed on your machine, it remembers which ASA (say ASA2) it connected to first and the GUI shows the IP address of ASA2 instead of the virtual IP of the cluster. I want users to always connect using the virtual IP.
The third problem I have is there is a default SSL VPN group and I want all users to use that group. In the initial web page, there is a drop down menu that shows only this group but I still want to disable that pull down menu.
Any suggestions?
07-23-2008 11:52 AM
To disable the drop down menu, you can disable it with the command
webvpn
no tunnel-group-list enable
This will take care of your last issue.
***************************
You can create a profile for the AnyConnect client with the server name that you want to connect with and push that through the ASA, which will solve your virtual IP problem.
**************************
With regard to Outlook, do you use any specific ports that can be used by the ASA to do inspection? Take a look at the inspection list on the ASA and maybe try to disable inspection and see if it works.
*****************************
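Added example, not part of the original reply and not Cisco's own code: a check to run on a profile before pushing it through the ASA, confirming that every server-list entry targets the cluster's virtual address rather than a member ASA. The sample profile, host names and addresses are constructed placeholders; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile: names and addresses are placeholders.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>ASA2 direct</HostName>
      <HostAddress>192.0.2.12</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def host_entries(profile_xml):
    """Return (HostName, HostAddress) for every HostEntry in the profile."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    entries = []
    for node in root.iter():
        if local(node.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        # When HostAddress is omitted, the client connects to HostName.
        name = fields.get("HostName", "")
        entries.append((name, fields.get("HostAddress") or name))
    return entries

def entries_bypassing_cluster(profile_xml, cluster_addresses):
    """List entries whose target is not one of the cluster's virtual addresses."""
    allowed = {a.lower() for a in cluster_addresses}
    return [(n, a) for n, a in host_entries(profile_xml) if a.lower() not in allowed]

if __name__ == "__main__":
    cluster = {"vpn.example.com", "192.0.2.10"}  # assumed virtual FQDN and IP
    for name, addr in entries_bypassing_cluster(SAMPLE_PROFILE, cluster):
        print(f"entry {name!r} points at {addr}, not the cluster virtual address")
```
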
07-24-2008 02:58 PM
Thank you very much for your help.
The no tunnel-group-list enable did the trick. I have a profile now that solved connecting to the virtual IP.
As far as Outlook goes, I think it is the MTU problem. I also have a problem with web browsing. On one PC, I have the IPSec VPN client installed, which comes with the SET MTU utility, and I set the MTU to 1300 for the Cisco AnyConnect VPN connection and it solved the problem.
On another machine, I do not have any MTU utility and I did not want to change any registry settings. Plus, I cannot expect everyone in my company to change the settings on their PC.
I wonder why my MTU setting on the outside interface of the ASA to 1300 did not take effect? Do I need to change the MTU for SSL VPN connections some place else?
Any ideas?