10-02-2010 05:22 AM
I just read the the title "ASA 8.0 SSLVPN (WebVPN): Advanced Portal Customization" and confuse about three format of group-url in the following link;
--------------------------------------------------------------------------------------------------------------------------------------
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml
10-02-2010 07:37 AM
Three formats of group URL strings are supported from the above link:
1. https://asa.cisco.com/sslclient
2. https//sslclient.asa.cisco.com
3. https//171.69.37.70/sslclient
10-04-2010 12:02 PM
10-04-2010 07:46 PM
Hi Herbert,
I want to create two WebVPN service groups to DepartmentA and DepartmentB with ASA version 8.0(2) by using group-url because the advantage of using group-url over group-alias (group drop-down) is that group-url do not expose the group names as the latter method does.
I can successfully deploy the group-url in format of https://
My WebVPN configuration is
My Microsoft Windows host file is
The IP address is the same for "departmenta.company.com" and "departmentb.company.com.
When I enters the https://departmenta.company.com or https://departmentb.company.com group-url into a browser in order to connect to the ASA, I can't connect to the appropriate tunnel-group and fall back to tunnel-group DefaultWEBVPNGroup. Please guide me how to fix this issue.
Regards,
Pipatpong
10-05-2010 01:58 PM
Thanks for clarifying. I tried this in the lab today, but it worked fine for both URLs.
When you have only one group-url in your config, does that one work?
How do you determine whether you land on the right tunnel group?
What does "show vpn-sessiondb webvpn" show?
Herbert
10-06-2010 08:19 AM
Hi Herbert,
Yes, I use "show vpn-sessiondb webvpn" to determine whether my WebVPN session land on the right tunnel group and group-policy. What is the ASA version you are using in your lab? Do you modify Microsoft Windows "host file" to mapping FQDN of the ASA to IP address of the ASA interface on which webvpn is enabled.
Windows host file is
I'm not testing for only one group-url in my configure yet. I will update for my test result to you soon. Thanks you so much for your update.
Thanks and Regards,
Pipatpong
10-06-2010 12:20 PM
Yes I defined the same 2 names in my windows hosts file. I was testing with 8.3(2) and just tried 8.0(5) as well, which works fine.
8.0(2) is quite old so you may want to try 8.0(5).
hth
Herbert
10-06-2010 02:20 PM
Did some more digging - you are probably hitting this bug:
CSCsj20475 WebVPN: Group-URL fails without a /
This is fixed in 8.0(3) and later. To test you could try adding a / to the group-url, i.e.
group-url https://departmentA.company.com/ enable
But even if that works, I still highly recommend going to 8.0(5).
cheers
Herbert
10-07-2010 09:55 AM
Hi Herbert,
I just upgrade my ASA from 8.0(2) to 8.0(5) and it works fine for group-url. Thank you so much for your great support and excellent update.
Thanks and Regards,
Pipatpong
01-25-2012 03:24 AM
Oh, I just use ASA8.0(2), I spend whole days to trying to fix it up,Thank you very much for your answer.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide