08-17-2007 09:07 AM - edited 02-21-2020 03:13 PM
When I'm connected to my ASA 7 with the VPN client and change a Windows route, I get this message:
SSL VPN connection was terminated due to an IP forwarding table modification and could not be automatically re-established.
Can I change this behavior? I'm the administrator of the ASA firewall.
Thank you
08-23-2007 08:48 AM
In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, and therefore it cannot examine and validate the certificate.
08-23-2007 09:21 AM
If you are trying to modify the routing table on the SSL VPN client host, this is normal behaviour. The SSL VPN client sets up routes based on the ASA's VPN configuration (split-tunneling).
Modifying the routes on the client host could be an attempt to subvert the security of the connection, so the client will monitor the route table, and, as you have noticed, disconnect you if it is modified.
If you require different routes on the client host your best option is to configure the split-tunneling to only include the routes of the protected network. Of course, this has other security implications.
08-23-2007 09:25 AM
Basically this is a lab environment, hence I need to add other routes to reach local hosts (not necessarily over the VPN tunnel). The SSL VPN client detects these changes and disconnects me. I wish there was an option on the ASA which could allow this. Even though it can be used to subvert, access lists can be used to protect against this. Also, NAT rules may already disallow this.
08-23-2007 10:08 AM
Well, you could try setting up the split-tunneling for your testing.
In ASDM go to Remote Access VPN > Network (Client) Access > Group Policies, and open your policy. In the policy go to Advanced > Split Tunneling > Policy (the second item on that page) and you can choose from 'Tunnel All Networks', 'Tunnel Networks Listed Below' or 'Exclude Networks Listed Below'. Then for the Network List you will assign an ACL that contains the networks you want to tunnel or exclude.
But, you cannot change them on-the-fly on the SSL VPN client host.
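For reference, the same split-tunneling change expressed in ASA CLI rather than ASDM. This is an added example, not configuration posted in the thread; the group-policy name LAB_GP, the ACL name SPLIT_TUNNEL and the subnets are placeholders chosen for illustration.

```cisco
! Standard ACL listing the networks that the SSL VPN client should tunnel.
! 10.10.0.0/16 is a constructed placeholder for the protected network.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

! Group policy applied to the SSL VPN users (name is a placeholder).
group-policy LAB_GP internal
group-policy LAB_GP attributes
 ! 'Tunnel Networks Listed Below' in ASDM: only the ACL networks go through
 ! the tunnel, everything else (including lab-local hosts) stays local.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Alternative matching 'Exclude Networks Listed Below' in ASDM:
! the listed networks bypass the tunnel and all other traffic is tunneled.
! access-list LOCAL_LAB standard permit 192.168.50.0 255.255.255.0
! group-policy LAB_GP attributes
!  split-tunnel-policy excludespecified
!  split-tunnel-network-list value LOCAL_LAB
```

With `tunnelspecified`, the client installs routes only for the ACL networks, so hosts outside that range are reachable through the local interface without the client having to touch the routing table itself. As noted above, anything reachable outside the tunnel is also exposed to the client's local network, which is the security trade-off the policy choice carries.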