• Status: Solved

ASA5505: The installer was not able to start the Cisco VPN Client when using SSL VPN

I am having a problem on our ASA5505 where, when a user logs in, it tries to install the SSL VPN client but the Java gets an error as shown on the attached picture and then it immediately goes to a web page which displays "The installer was not able to start the Cisco VPN Client".

I have upgraded to 8.0.(4)3 and ASDM version 6.1(5).
I have obtained the sslclient-win-1.1.4.179 client and decompressed the zip file and uploaded the .pkg to the ASA and configured it to use it as the client.
Also in the ZIP file was stcie.exe which I have tried running but it has not helped.

I am running Vista SP1.

: Saved
:
ASA Version 8.0(4)3 
!
hostname asa5505
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address X.X.0.3 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.164 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server X.X.1.9
 domain-name linguaphone-intranet.co.uk
access-list vpnstaff_splitTunnelAcl standard permit X.X.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip X.X.0.0 255.255.0.0 X.X.110.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip X.X.0.0 255.255.0.0 192.168.0.0 255.255.255.0 
access-list inside_access_in extended permit tcp any interface inside eq ssh 
access-list inside_access_in extended permit ip host X.X.1.9 any 
access-list inside_access_in extended permit ip host X.X.251.1 any 
access-list inside_access_in extended deny ip any any log disable 
access-list VPNACL_staff remark File2
access-list VPNACL_staff extended permit ip any host X.X.1.9 
access-list VPNACL_staff remark temppdc
access-list VPNACL_staff extended permit ip any host X.X.1.5 
access-list VPNACL_staff remark printers
access-list VPNACL_staff extended permit ip any X.X.10.0 255.255.255.0 
access-list VPNACL_exact remark 3ex servers
access-list VPNACL_exact extended permit ip any X.X.2.0 255.255.255.0 
access-list VPNACL_exact extended permit udp any host X.X.1.9 eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool staffssl X.X.110.100-X.X.110.200 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.161 1
route inside X.X.140.0 255.255.255.0 X.X.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http X.X.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh X.X.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server X.X.1.9 source inside prefer
tftp-server inside X.X.1.9 asa5505-confg
webvpn
 enable outside
 svc image disk0:/stc.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLstaff internal
group-policy SSLstaff attributes
 wins-server value X.X.1.5
 dns-server value X.X.1.9
 vpn-idle-timeout 15
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnstaff_splitTunnelAcl
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 15
username ptanner password XXXXXXXXXXXXXX encrypted
username ptanner attributes
 vpn-group-policy SSLstaff
 vpn-filter none
username gblades password XXXXXXXXXXXXX encrypted privilege 15
username gblades attributes
 vpn-group-policy SSLstaff
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 webvpn
  svc ask none default svc
username exact password XXXXXXXXXXXXX encrypted
username exact attributes
 vpn-group-policy SSLstaff
 vpn-filter value VPNACL_exact
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 service-type remote-access
 webvpn
  svc ask none default svc
username msimpson password XXXXXXXXXXXXX encrypted
username msimpson attributes
 vpn-group-policy SSLstaff
 vpn-filter value VPNACL_staff
tunnel-group SSLstaff type remote-access
tunnel-group SSLstaff general-attributes
 address-pool staffssl
 default-group-policy SSLstaff
tunnel-group SSLstaff webvpn-attributes
 hic-fail-group-policy SSLstaff
 nbns-server X.X.1.5 timeout 2 retry 2
 group-alias Staff enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:ebb04ae27a4b65080eb3f76b120ebe1f
: end

sslvpnerror.jpg
Asked by: grblades
1 Solution
 
lrmoore Commented:
Is the user trying to use Mozilla/Firefox or using IE?
Mozilla doesn't handle Java very well.
Is user using Vista or XP? I have yet to get this vpn client to work on Vista, but it works well on XP.
Have you tried using the Anyconnect client?

grblades (Author) Commented:
I have tried using both IE and Firefox.
I am using a Vista SP1 box but before the upgrade I was having problems with XP but haven't tried it again since the upgrade.

Is the anyconnect client the client that would be used on my older PIX 515 box?
I think I have version 6 somewhere but using SSL would be more preferable. The people who manage one of our servers will need to use it and they much prefer to use SSL because apparently they have issues when they have to have different VPN clients installed on their computers at the same time.

lrmoore Commented:
Unfortunately, PIX does not support SSL, only the ASAs do.
Anyconnect only works with SSL and ASA 8.x
Understand. I have to use virtual machine workstations to use different VPN clients. It's an easy solution where I don't make my clients jump through hoops on their end to accommodate me.
Try again with IE, XP, and use the pre-install .msi to pre-install it on your PC.
 
grblades (Author) Commented:
A bit of a misunderstanding I think. I meant is anyconnect the same client that I can use with the PIX 515. However since you say it only works with the ASA and ASA 8.x then I assume not.

I saw an exe file in the SSL client zip file I received and I tried running it as it appears to be a preinstall for the client.
It didn't help though but there might be a problem with it and Vista since I can't deinstall it either.

I will get a copy of the msi preinstall and a copy of anyconnect from our supplier and let you know how I get on.

lrmoore Commented:
Yes, the .exe is a pre-install for the AnyConnect VPN client.
It is not the same as the Cisco VPN client that you use with the PIX.
I have no problems using Anyconnect and Vista.

marchaycook Commented:
What version of Java are you using?  I ran into a similar problem when I was using Version 6 Update 10.  I went back to Update 7 and no longer had a problem.

grblades (Author) Commented:
I was originally using the basic version 6 (no update) that came with Vista as it hadn't prompted me for an update.
I told it to check for an update and it installed Update 7.

Tried that again using IE but it still didn't work.

grblades (Author) Commented:
Received the anyconnect client a couple of weeks ago but haven't had time to install and configure it yet. As it is likely to be a while I will close the question now.