ASA5505: The installer was not able to start the Cisco VPN Client when using SSL VPN

I am having a problem on our ASA5505 where, when a user logs in, it tries to install the SSL VPN client, but Java gets an error as shown in the attached picture and then it immediately goes to a web page which displays "The installer was not able to start the Cisco VPN Client".

I have upgraded to 8.0(4)3 and ASDM version 6.1(5).
I have obtained the sslclient-win- client and decompressed the zip file and uploaded the .pkg to the ASA and configured it to use it as the client.
Also in the ZIP file was stcie.exe which I have tried running but it has not helped.

I am running Vista SP1
: Saved
ASA Version 8.0(4)3 
hostname asa5505
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address X.X.0.3 
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.164 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server X.X.1.9
access-list vpnstaff_splitTunnelAcl standard permit X.X.0.0 
access-list inside_nat0_outbound extended permit ip X.X.0.0 X.X.110.0 
access-list inside_nat0_outbound extended permit ip X.X.0.0 
access-list inside_access_in extended permit tcp any interface inside eq ssh 
access-list inside_access_in extended permit ip host X.X.1.9 any 
access-list inside_access_in extended permit ip host X.X.251.1 any 
access-list inside_access_in extended deny ip any any log disable 
access-list VPNACL_staff remark File2
access-list VPNACL_staff extended permit ip any host X.X.1.9 
access-list VPNACL_staff remark temppdc
access-list VPNACL_staff extended permit ip any host X.X.1.5 
access-list VPNACL_staff remark printers
access-list VPNACL_staff extended permit ip any X.X.10.0 
access-list VPNACL_exact remark 3ex servers
access-list VPNACL_exact extended permit ip any X.X.2.0 
access-list VPNACL_exact extended permit udp any host X.X.1.9 eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool staffssl X.X.110.100-X.X.110.200 mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inside_access_in in interface inside
route outside XXX.XXX.XXX.161 1
route inside X.X.140.0 X.X.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http X.X.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh X.X.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server X.X.1.9 source inside prefer
tftp-server inside X.X.1.9 asa5505-confg
 enable outside
 svc image disk0:/stc.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLstaff internal
group-policy SSLstaff attributes
 wins-server value X.X.1.5
 dns-server value X.X.1.9
 vpn-idle-timeout 15
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnstaff_splitTunnelAcl
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 15
username ptanner password XXXXXXXXXXXXXX encrypted
username ptanner attributes
 vpn-group-policy SSLstaff
 vpn-filter none
username gblades password XXXXXXXXXXXXX encrypted privilege 15
username gblades attributes
 vpn-group-policy SSLstaff
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
  svc ask none default svc
username exact password XXXXXXXXXXXXX encrypted
username exact attributes
 vpn-group-policy SSLstaff
 vpn-filter value VPNACL_exact
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 service-type remote-access
  svc ask none default svc
username msimpson password XXXXXXXXXXXXX encrypted
username msimpson attributes
 vpn-group-policy SSLstaff
 vpn-filter value VPNACL_staff
tunnel-group SSLstaff type remote-access
tunnel-group SSLstaff general-attributes
 address-pool staffssl
 default-group-policy SSLstaff
tunnel-group SSLstaff webvpn-attributes
 hic-fail-group-policy SSLstaff
 nbns-server X.X.1.5 timeout 2 retry 2
 group-alias Staff enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end

Is the user trying to use Mozilla/Firefox or using IE?
Mozilla doesn't handle Java very well.
Is user using Vista or XP? I have yet to get this vpn client to work on Vista, but it works well on XP.
Have you tried using the Anyconnect client?
grblades (Author) commented:
I have tried using both IE and Firefox.
I am using a Vista SP1 box, but before the upgrade I was having problems with XP and haven't tried it again since the upgrade.

Is the AnyConnect client the client that would be used on my older PIX 515 box?
I think I have version 6 somewhere, but using SSL would be preferable. The people who manage one of our servers will need to use it and they much prefer to use SSL because apparently they have issues when they have to have different VPN clients installed on their computers at the same time.
Unfortunately, PIX does not support SSL, only the ASA's do.
Anyconnect only works with SSL and ASA 8.x
Understand. I have to use virtual machine workstations to use different VPN clients. It's an easy solution where I don't make my clients jump through hoops on their end to accommodate me.
Try again with IE, XP, and use the pre-install .msi to pre-install it on your PC.
grblades (Author) commented:
A bit of a misunderstanding, I think. I meant: is AnyConnect the same client that I can use with the PIX 515? However, since you say it only works with the ASA and ASA 8.x, I assume not.

I saw an exe file in the SSL client zip file I received and tried running it, as it appears to be a preinstall for the client.
It didn't help, though there might be a problem with it and Vista, since I can't deinstall it either.

I will get a copy of the msi preinstall and a copy of anyconnect from our supplier and let you know how I get on.
Yes, the .exe is a pre-install for the AnyConnect VPN client.
It is not the same as the Cisco VPN client that you use with the PIX.
I have no problems using AnyConnect and Vista.

What version of Java are you using?  I ran into a similar problem when I was using Version 6 Update 10.  I went back to Update 7 and no longer had a problem.
grblades (Author) commented:
I was originally using the basic version 6 (no update) that came with Vista, as it hadn't prompted me for an update.
I told it to check for an update and it installed Update 7.

Tried that again using IE but it still didn't work.
grblades (Author) commented:
Received the AnyConnect client a couple of weeks ago but haven't had time to install and configure it yet. As it is likely to be a while, I will close the question now.