WebVPN Portal Page not loading

Anish Chauhan
Level 1

Hi,

I'm performing a migration from an ASA5520 running version 8.04 to an ASA5525-X running 8.6.

The issue I had was that whilst all of the SSL VPN portal configuration was migrated, the initial portal page does not load. I thought that this could be to do with ASDM and WebVPN both being enabled on the outside interface and so I tried changing the port used for ASDM and disabled the ASDM altogether on the outside, but still to no avail.

Could this have something to do with the fact that you can no longer just point your browser at the outside interface of the firewall to get to the ASDM? Does some configuration need to change for the ASA to accept connections on the outside interface?

The basic WebVPN access as it stands right now is:

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

With some specific dynamic access records such as the below:

dynamic-access-policy-record DfltAccessPolicy
 description "Web portal"
 webvpn
  port-forward disable
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
  svc ask enable default svc

I've checked out loads of documentation but can't see why this isn't working.

Thanks, Anish

3 Replies

Hi Anish,

What do you mean by "the initial portal page does not load"?

What do you see?

Show run http?

Please do:

ASA(config)# clear configure dynamic-access-policy-record DfltAccessPolicy

HTH.

Please rate any helpful posts

Anish Chauhan
Level 1

Hi

Thanks for the response. However, I worked out why the page wasn't loading. As usual I got very little from the IE page, but using Google Chrome gave me the following error message:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Which led me to do a bit more digging: if you run the sho ssl command, the output you get is something along the lines of the following:

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1

As you can see, the only enabled SSL cipher is des-sha1. So in changing my configuration to support other methods of SSL encryption using the command below:

FW(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

My VPN portal page burst into life!

Anish
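Added example, not part of the original posts and not Cisco code: a small offline check that reads saved `show ssl` output in the format quoted above, flags a cipher list that leaves only weak suites enabled, and builds the `ssl encryption` line from the post using the suites the device reports. The function names and the `WEAK` set are assumptions of this example, and the sample text is constructed from the lines in the post.

```python
import re

# Constructed sample: the `show ssl` lines quoted in the post above.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
"""

# Assumption of this example: suites treated as weak (single DES, RC4, NULL).
WEAK = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}
# Preference order taken from the fix command in the post.
PREFERRED = ["aes256-sha1", "aes128-sha1", "3des-sha1"]


def parse_show_ssl(text):
    """Return (enabled, disabled) cipher lists from `show ssl` output."""
    found = {"enabled": [], "disabled": []}
    for line in text.splitlines():
        m = re.match(r"\s*(Enabled cipher order|Disabled ciphers):\s*(.*)$", line)
        if m:
            key = "enabled" if m.group(1).startswith("Enabled") else "disabled"
            found[key] = m.group(2).split()
    return found["enabled"], found["disabled"]


def audit(text):
    """Flag a cipher list that clients may refuse and propose the fix line."""
    enabled, disabled = parse_show_ssl(text)
    known = set(enabled) | set(disabled)
    weak_enabled = [c for c in enabled if c in WEAK]
    usable = [c for c in enabled if c not in WEAK]
    # Only propose suites this device reports, keeping the post's order.
    proposal = [c for c in PREFERRED if c in known]
    return {
        "enabled": enabled,
        "weak_enabled": weak_enabled,
        "handshake_risk": not usable,  # nothing but weak (or no) suites on offer
        "suggested": "ssl encryption " + " ".join(proposal) if proposal else None,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHOW_SSL).items():
        print(f"{key}: {value}")
```

Running the same check against `show ssl` output captured after the change confirms that des-sha1 is no longer the only suite on offer.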

Anish,

Yes, IE does not display the CIPHER mismatch.

I am glad to know you found the solution.

Please mark this post as answered so others will learn from it.

Thanks
