Wednesday, December 9, 2015

Troubleshooting Clientless SSL VPN


State the problem
Identify possibilities
Use the tools to isolate
Correct without causing harm


Existing config:
connection-profile: eng-con
connection-profile alias: eng-con-alias
user: end-user
group: eng-group

1st step: check the route and reachability to the ASA from the user
ping asa1.cbtnuggets.com: name resolution is working, but there is no connectivity

Check the interfaces on the ASA (g0/0 was shut down):
interface g0/0
 no shut

Ping from the ASA to the user
It's working

In the client browser, open:
https://asa1.cbtnuggets.com

Provide the connection profile, username and password

Issue:
We are able to log in, but the web bookmarks are not accessible
Close the browser completely and open it once again

https://asa1.cbtnuggets.com
Now we are able to access SSH, but the web bookmarks are still greyed out

show vpn-sessiondb webvpn

Check the group associated with the connection profile in ASDM
Monitoring -> VPN -> VPN Statistics -> Sessions

Now verify the group policy

Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Group Policies
eng-group

Now check the bookmark list
Go to Portal -> Bookmarks

Go to eng-group -> More Options
You can see that a web-type ACL is configured.

Remove the web-type ACL

Log off and log on again:
eng-con-alias
user
password

Still, Cisco's public web server is greyed out

Go to the bookmark list: to reach the Cisco website we are using a URL instead of an IP, so the ASA itself has to resolve the name.

In the connection profile -> Servers ->
use the Google DNS name-server 8.8.8.8
Now the Cisco URL is accessible

We can disable content rewrite for all HTTP traffic

Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Advanced -> Content Rewrite

Uncheck "Enable content rewrite" in the rule:
rule number: 1
rule name: no-http
resource mask: http://*
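The same bookmark troubleshooting on the ASA command line, as an added example that is not part of the original notes or the CBT Nuggets lab; it shows what the ASDM clicks above map to. The ACL name ENG-WEB, the DNS server group ENG-DNS, the interface name outside and the bookmark targets are assumptions:

```cisco
! Added example, not from the original notes: CLI view of the ASDM steps.
! Assumed names: ENG-WEB (webtype ACL), ENG-DNS (DNS server group),
! outside (interface); the bookmark targets are constructed.

! Who is logged in, and which tunnel group / group policy did the session land in?
show vpn-sessiondb webvpn

! A webtype ACL applied under the group policy filters the clientless portal;
! a bookmark whose URL the ACL does not permit is shown greyed out.
show running-config group-policy eng-group
show running-config access-list ENG-WEB

! Quick fix from the notes: drop the filter from eng-group entirely.
group-policy eng-group attributes
 webvpn
  filter none

! Least-privilege alternative: keep a filter, but permit the bookmarked
! servers explicitly (constructed targets).
access-list ENG-WEB webtype permit url https://intranet.example.com/*
access-list ENG-WEB webtype permit tcp host 10.0.0.5 eq 22
group-policy eng-group attributes
 webvpn
  filter value ENG-WEB

! Bookmarks written as hostnames are resolved by the ASA, not the browser,
! so the ASA needs a resolver and domain lookup enabled on an interface.
dns domain-lookup outside
dns server-group ENG-DNS
 name-server 8.8.8.8
tunnel-group eng-con webvpn-attributes
 dns-group ENG-DNS

! Content rewrite rule 1 (name no-http, mask http://*): plain-HTTP URLs are
! no longer proxied by the ASA; the browser fetches them directly.
webvpn
 rewrite order 1 disable resource-mask http://* name no-http
```

Two points worth keeping in mind: a webtype ACL ends in an implicit deny, so removing one bookmark's block by deleting the whole filter also removes the restriction on every other portal URL, which is why the explicit permit list is the safer fix; and a disabled rewrite rule means the browser reaches those HTTP hosts on its own, outside the SSL session, so it only makes sense for public sites the client can already reach.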

Issue:
Say we have 10000 SSL clients. 9000 are able to connect and the remaining 1000 are not able to connect, but they are able to ping.

Check
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Advanced -> SSL Settings

Check whether the browsers support all of the configured ciphers
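How that cipher check looks from the ASA side, as an added example that is not part of the original notes; the narrow cipher string shown as the "before" state is an assumption used to illustrate the symptom, and the "ssl cipher" syntax is the ASA 9.3(2) and later form:

```cisco
! Added example, not from the original notes. "ssl cipher" is the ASA 9.3(2)+
! syntax; older images configure the list with "ssl encryption" instead.

! What the ASA currently offers, per TLS version
show running-config ssl
show ssl ciphers

! A cipher list narrowed to a single suite (assumed "before" configuration) is
! the kind of setting that lets most browsers in while an older minority
! cannot negotiate a handshake even though ICMP to the ASA works.
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384"

! Widen it to a named level while keeping TLS 1.2 as the floor
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
```

The symptom pattern (ping works, the HTTPS handshake fails for a fixed subset of clients) points at version or cipher negotiation rather than routing; compare the suites the failing browsers offer against the output of show ssl ciphers before widening the list, so that the fix does not reintroduce weak suites for everyone.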

Issue:
A user logs in with the wrong connection profile and a valid username.
Since the username is tied to the correct group, he will be able to log in.

We don't want this user to come in through the wrong connection profile.

We can lock down the user so that he cannot log in unless he comes in using the eng-con profile.

Configuration -> Remote Access VPN -> AAA/Local Users -> Local Users

Now the user will not be able to log in with the wrong connection profile
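The CLI equivalent of that lock, as an added example that is not part of the original notes; it uses the profile and user names from the existing config, and the verification command at the end is a filter on the session table shown earlier:

```cisco
! Added example, not from the original notes: per-user and per-group
! connection-profile lock, the CLI form of the Local Users setting above.

! Before: a LOCAL user who authenticates successfully is accepted through any
! connection profile that uses the LOCAL database, and inherits eng-group.
username end-user attributes
 vpn-group-policy eng-group

! After: the session is rejected unless it arrived through eng-con.
username end-user attributes
 group-lock value eng-con

! The same lock on the group policy applies it to every member of eng-group
! rather than one account at a time.
group-policy eng-group attributes
 group-lock value eng-con

! Verify: a login through another profile fails; successful sessions for
! this user show eng-con as the tunnel group.
show vpn-sessiondb webvpn filter name end-user
```

Locking at the group policy is usually the better default, since a new account added to eng-group gets the restriction without anyone remembering to set it per user; the per-user form is for exceptions.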