Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4752
Views
19
Helpful
17
Replies

Webvpn--some webs are not loading

Go to solution
hanwucisco
Level 1
Level 1

‎10-28-2012 04:32 PM

I've created a Webvpn, using asa, so that the remote users can log into the ASA and from there visit the webs on the Internet. Most of the webs work fine. But some are not. For example, Yahoo email, everytime when the users put their credentials for yahoo email and try to log in, the page stays there never can log in.

I wonder whether any of you have met this issue before and shed some light?

thanks,

Han

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Javier Portuguez
Level 9
Level 9

‎10-28-2012 06:41 PM

Hi Han,

Is this related to an ASA?

Have you tried with smart-tunnel?

ASA: Smart Tunnel using ASDM Configuration Example

So you can create bookmarks with the smart-tunnel option enabled.

Thanks.

Portu.

Please rate any helpful posts

View solution in original post

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-30-2012 06:53 AM

Han,

You are right, make sure the user gets the correct group-policy and therefore the proper URL list (bookmarks).

Thanks.

Portu.

View solution in original post

17 Replies 17

Go to solution
Javier Portuguez
Level 9
Level 9

‎10-28-2012 06:41 PM

Hi Han,

Is this related to an ASA?

Have you tried with smart-tunnel?

ASA: Smart Tunnel using ASDM Configuration Example

So you can create bookmarks with the smart-tunnel option enabled.

Thanks.

Portu.

Please rate any helpful posts

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-28-2012 07:32 PM

Portu,

My understanding of smart tunnels is that they are used for internal applications, that is, the applications inside the ASA. But my case is a bit different. these are Yahoo mails and gmails.

Correct me if i am wrong.

thanks,

han

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-28-2012 07:41 PM

Han,

Smart-tunnels are used when a page does not load properly (possible issues with the content rewrite of the ASA).

This feature does not differentiate between an internal or an external web page / site.

Let me know.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-28-2012 09:04 PM

Portu,

I tried using, under group policies\portal\smart tunnel, i unchecked the "smart tunnel policy" and selected "use tunnel for all network traffic". It is still the same. the yahoo mail page becomes white and stays there when i am trying to log in.

Is the configuration of tunnel i configured correct?

thanks,

Han

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-29-2012 06:04 AM

Han,

Please create the bookmark first like this:

Then you apply this bookmark to the specific group-policy.

So when you connect to the Web portal you see something like:

* I tested this with IE 8 & 9.

Portu.

Please rate any helpful posts.

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-29-2012 01:57 PM

Portu, thanks first. I just tried. And i created a book mark to test, checked the "enalbe smart tunnel". After i created it, i unchecked the Inherent under grouppolicy\portal\ , and selected the list i just created.

However, when i tested from a user side, the user cannot see any bookmarks.

thanks,

Han

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-29-2012 03:28 PM

Han,

It sounds like it is not properly configured.

Please share:

show run webvpn

show run tunnel-group specific_profile

show run group-policy specific_policy

Thanks.

Portu.

Please rate any helpful posts

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-29-2012 04:42 PM

Portu, thanks,

ASA#sh run webvpn
webvpn
enable outside
smart-tunnel network www.yahoo.com host www.yahoo.com===>this one I created before the last testing, so it should be irrelevant

When I ran "show run tunnel-group newgroup", it says,
ASA #sh run tunnel-group newgroup
ERROR: Invalid tunnel group name

So, i ran the following instead,

ASA#show run tunnel-group
tunnel-group SSLVPNPROFILE type remote-access
tunnel-group SSLVPNPROFILE general-attributes
default-group-policy newgroup


ASA#show run group-policy newgroup
group-policy newgroup internal
group-policy newgroup attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value YahooEmail

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-29-2012 05:14 PM

Han,

The problem here is that your users are connecting to the default group since you do not have any group-url or alias.

Please do this:

webvpn

     tunnel-group-list enable

!

tunnel-group SSLVPNPROFILE webpvn-attributes

     group-alias SSL_VPN enable

!

When they go to the Web Portal will see a menu with this "Alias", which points them to the correct group.

Let me know.

Portu.

Please rate any helpful posts

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-29-2012 06:19 PM

Portu,

I added these two. And the user could see the menu. But after login, it still has no bookmarks. I only configure "newgroup" on that ASA.

thanks,

Han

ASA# sh run | b group-policy newgroup attr

group-policy newgroup attributes

vpn-tunnel-protocol webvpn

webvpn

  url-list value YahooEmail

username TEST password suKbc9XyagnMAVa2 encrypted

tunnel-group SSLVPNPROFILE type remote-access

tunnel-group SSLVPNPROFILE general-attributes

default-group-policy newgroup

tunnel-group newgroup type remote-access

tunnel-group newgroup webvpn-attributes

group-alias newgroup enable

!

class-map inspection_default

match default-inspection-traffic

!

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to hanwucisco

‎10-29-2012 09:16 PM

Han,

Please insert an image of your bookmark configured on ASDM.

Also once connected, please issue:

show vpn-sessiondb webvpn

Thanks.

Portu.

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to Javier Portuguez

‎10-29-2012 09:55 PM

I did, it is still the same. But the command reveals much info. I put the two into bold. the group policy doesnt look right, does it? and i then look at the connectinos files on ASDM, there are four of them there, all enabled.

1. DefaultRAGroup

2. SSLVPNPROFILE

3. DefaultWEBVPNGroup

4.newgroup===>this is the one i am using.

Session Type: WebVPN

Username     : YYY                   Index        : 47
Public IP    : ABC.EFG.XYZ.103
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 109515                 Bytes Rx     : 17644
Group Policy : DfltGrpPolicy          Tunnel Group : newgroup
Login Time   : 03:26:57 UTC Tue Oct 30 2012
Duration     : 0h:00m:29s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA(config-tunnel-webvpn)#

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to hanwucisco

‎10-29-2012 10:16 PM

It looks like that could be the problem. Portu,

Hold on, I'll let you know.

thanks,

Han

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents