The debug at the beginning tells you the problem. Look at the following
output. I thought you were troubleshooting ASDM, not WebVPN. I am sorry I
didn't read the subject of this email.
SSL-VPNBOX(config)#
SSL-VPNBOX(config)# %ASA-6-302014: Teardown TCP connection 81 for
outside:1.1.1.2/1091 to identity:1.1.1.1/443 duration 0:01:58 bytes 0 TCP
Reset-I
%ASA-7-609002: Teardown local-host outside:1.1.1.2 duration 0:01:58
%ASA-7-609002: Teardown local-host identity:1.1.1.1 duration 0:01:58
%ASA-7-609001: Built local-host outside:1.1.1.2
%ASA-7-609001: Built local-host identity:1.1.1.1
%ASA-6-302013: Built inbound TCP connection 82 for outside:1.1.1.2/1093
(1.1.1.2/1093) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for
TLSv1session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8
cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no
shared cipher
%ASA-6-302014: Teardown TCP connection 82 for outside:1.1.1.2/1093 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
What does that mean? What does the ASA support and what does the client
propose?
What do you need to do to fix the problem? Why is it that the ASA only
supports such a weak cipher? What can you do to get it to support the same
ciphers as the client?
Some good things to start with would be checking your key size with "show crypto
key mypubkey rsa". What is the size of your key length? Create a new key with a
size of 2048.
First make sure time is accurate between the host and the ASA before
performing the following steps:
domain-name ipexpert.com
crypto key generate rsa label SECURE modulus 2048
crypto ca trustpoint SELF-SIGNED
enroll self
fqdn SSL-VPNBOX.ipexpert.com
subject-name CN=SSL-VPNBOX.ipexpert.com,O=IPexpert,OU=Security Student,L=China,ST=MI,C=US
keypair SECURE
crypto ca enroll SELF-SIGNED noconfirm
ssl trust-point SELF-SIGNED outside
write mem
Test Again
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
From: kamran shakil [mailto:[email protected]]
Sent: Monday, January 31, 2011 11:46 PM
To: Tyson Scott; Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] [help plz] ASA SSL Clientless VPN - stuck
!!! NOT working ( page is not showing / loading up !!! )
Well, Tyson and Piotr,
here is the error list when I try to access https://1.1.1.1
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49334 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 90 for outside:1.1.1.2/49334 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 91 for outside:1.1.1.2/49335
(1.1.1.2/49335) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49335 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 91 for outside:1.1.1.2/49335 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 92 for outside:1.1.1.2/49336
(1.1.1.2/49336) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49336 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 92 for outside:1.1.1.2/49336 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 93 for outside:1.1.1.2/49337
(1.1.1.2/49337) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49337 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 93 for outside:1.1.1.2/49337 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 94 for outside:1.1.1.2/49338
(1.1.1.2/49338) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49338 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 94 for outside:1.1.1.2/49338 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 95 for outside:1.1.1.2/49339
(1.1.1.2/49339) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49339 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 95 for outside:1.1.1.2/49339 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 96 for outside:1.1.1.2/49340
(1.1.1.2/49340) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49340 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 96 for outside:1.1.1.2/49340 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 97 for outside:1.1.1.2/49341
(1.1.1.2/49341) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49341 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 97 for outside:1.1.1.2/49341 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 98 for outside:1.1.1.2/49342
(1.1.1.2/49342) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49342 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 98 for outside:1.1.1.2/49342 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 99 for outside:1.1.1.2/49343
(1.1.1.2/49343) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/49343 for
TLSv1 session.
%ASA-6-302014: Teardown TCP connection 99 for outside:1.1.1.2/49343 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
And https://1.1.1.1:4043 does not respond as well; I believe 4043 is
for ASDM to launch and 443 is the WebVPN launch, so I wanted to check
both. It is confusing, since ASDM is in flash, the AnyConnect client is also
in flash, and the ASA is fine as well. I am using version 8.2; I pasted the full
config before.
regards,
Kamran.
On Mon, Jan 31, 2011 at 8:27 PM, Tyson Scott <[email protected]> wrote:
Your HTTP server is running on 4043.
From: [email protected]
[mailto:[email protected]] On Behalf Of kamran
shakil
Sent: Sunday, January 30, 2011 11:35 PM
To: [email protected]
Subject: [OSL | CCIE_Security] [help plz] ASA SSL Clientless VPN - stuck !!!
NOT working ( page is not showing / loading up !!! )
Dears,
I have a simple setup of an ASA with 1 inside and 1 outside interface, and even
no nat-control is enabled. Following is what I am having:
The browsers FIREFOX and IE do not open the page when I try to browse either
http://1.1.1.1 or https://1.1.1.1!
[But when I try to telnet 1.1.1.1 443 it connects and gives me the clue
that 443 is not blocked on the 1.1.1.1 IP address.]
MY ASA VERSION IS: 8.2(1), and on a WINDOWS 7 PC I used IE version
8.0.7600.16385 + FIREFOX version 3.6.13
FOLLOWING IS THE CONFIG:
======================
hostname SSL-VPNBOX
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
description *** NETWORK facing the OUTSIDE WORLD - directly coneccted to my test pc 1.1.1.2/24***
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group WEBVPN
name-server 136.1.121.1
domain-name cisco.com
same-security-traffic permit inter-interface
access-list SSL extended permit tcp any any log
access-list SSL extended permit icmp any any log
access-list SSL extended permit udp any any log
access-list WEBACCESS webtype permit url http://*.com:80
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
no nat-control
access-group SSL in interface outside
aaa authentication http console LOCAL
http server enable 4043
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy WEBVPN internal
group-policy WEBVPN attributes
vpn-tunnel-protocol webvpn
webvpn
filter value WEBACCESS
url-entry enable
username WEBVPN password ioz3dgMc0MXqzvzX encrypted
username WEBVPN attributes
group-lock value WEBVPN
username kamran password mk2g0NZxPq/cd0UW encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
default-group-policy WEBVPN
tunnel-group WEBVPN webvpn-attributes
group-alias WEBVPN enable
dns-group WEBVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
route outside 0 0 1.1.1.2
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
DEBUG OUTPUT:
================
When I run the command # debug webvpn, I get the following ERRORS on the ASA
console:
SSL-VPNBOX(config)#
SSL-VPNBOX(config)# %ASA-6-302014: Teardown TCP connection 81 for
outside:1.1.1.2/1091 to identity:1.1.1.1/443 duration 0:01:58 bytes 0 TCP
Reset-I
%ASA-7-609002: Teardown local-host outside:1.1.1.2 duration 0:01:58
%ASA-7-609002: Teardown local-host identity:1.1.1.1 duration 0:01:58
%ASA-7-609001: Built local-host outside:1.1.1.2
%ASA-7-609001: Built local-host identity:1.1.1.1
%ASA-6-302013: Built inbound TCP connection 82 for outside:1.1.1.2/1093
(1.1.1.2/1093) to identity:1.1.1.1/443 (1.1.1.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for
TLSv1session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8
cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no
shared cipher
%ASA-6-302014: Teardown TCP connection 82 for outside:1.1.1.2/1093 to
identity:1.1.1.1/443 duration 0:00:00 bytes 7 TCP Reset-I
regards,
Kamran....
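As an added example (not part of the thread), here is a small Python parser for the `debug webvpn` output that Kamran posted and that Tyson walks through above: it pulls the suites the ASA supports (725010 followed by 725011 lines), the suites the client proposes (725008 followed by 725011 lines) and the 725014 reason, and shows that the two lists do not overlap, which is exactly the "no shared cipher" failure. The sample log is copied from the thread; the weak-cipher markers are my own choice, not anything the ASA reports.

```python
"""Parse Cisco ASA SSL-handshake debug (725xxx syslog IDs) and explain a failure."""
import re
from dataclasses import dataclass, field

# Sample log lines copied from the debug output posted in the thread.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/1093 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:1.1.1.2/1093 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

# Suite-name fragments a defender would not want the ASA to offer (my choice).
WEAK_MARKERS = ("DES-CBC-SHA", "RC4", "MD5", "EXP-")


@dataclass
class Handshake:
    client: str = ""
    device_ciphers: list = field(default_factory=list)   # from 725010/725011
    client_ciphers: list = field(default_factory=list)   # from 725008/725011
    error: str = ""                                      # from 725014

    def shared(self):
        """Suites both sides accept, in the client's preference order."""
        return [c for c in self.client_ciphers if c in self.device_ciphers]

    def weak_device_ciphers(self):
        return [c for c in self.device_ciphers if any(m in c for m in WEAK_MARKERS)]


def parse_handshake(log: str) -> Handshake:
    hs = Handshake()
    target = None  # which list the following 725011 "Cipher[n]" lines belong to
    for line in log.splitlines():
        m = re.search(r"%ASA-\d-(\d{6}): (.*)", line)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "725001":
            hs.client = re.search(r"client (\S+) for", body).group(1)
        elif msg_id == "725010":   # ASA's own cipher list follows
            target = hs.device_ciphers
        elif msg_id == "725008":   # client's ClientHello list follows
            target = hs.client_ciphers
        elif msg_id == "725011" and target is not None:
            target.append(body.split(":", 1)[1].strip())
        elif msg_id == "725014":
            hs.error = body.split("Reason:", 1)[-1].strip()
    return hs


if __name__ == "__main__":
    hs = parse_handshake(SAMPLE_LOG)
    print(f"{hs.client}: ASA offers {hs.device_ciphers}, shared={hs.shared()}, "
          f"error={hs.error!r}, weak on ASA={hs.weak_device_ciphers()}")
```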