cegeland (Norway) asked:

WEB VPN, Error contacting host when trying to browse server

Hi!
I'm having some issues when I try to browse a file server (or any other pc) from the WEB VPN portal on a Cisco ASA5505.

Sometimes I am prompted for login, and after logging in I am able to list the shared folders, but when I try to enter the folder I get a message saying "Error contacting host". Other times I am not even able to list the shared folders - I get the "Error contacting host" immediately.

File server running Windows 2003 Std Server R2 (AD/DC), clients use Vista with IE8. When I establish an SSL VPN connection using Cisco AnyConnect I have no problems accessing files or folders on the same server.

It would be nice to be able to browse files/folders without installing anything on the client computer, therefore the need for the directory browsing via web.

Attached is my running config.
Result of the command: "show run"
 
: Saved
:
ASA Version 8.0(2) 
!
hostname CiscoGate
domain-name domain.local
enable password xxxxxxxxxxxxxx  encrypted
multicast-routing
names
name 192.168.20.10 Mediaserver01 description Windows media server
name 192.168.20.21 DRAC description DRAC access for server
name 192.168.20.1 CiscoGate description Cisco gate
name 192.168.20.0 Inside-domain
name xxx.xxx.xxx.xxx external IP
!
interface Vlan1
 description Office Vlan
 nameif inside
 security-level 100
 ip address CiscoGate 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248 
 ospf cost 10
!
interface Vlan22
 description Intermediate mgt interface
 shutdown
 nameif MgtAdmin
 security-level 100
 ip address 192.168.21.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd XXXXXXXXXXXXXXXXXX encrypted
banner login Logging into $(hostname).$(domain) the gate to eOperations
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server Mediaserver
 name-server 212.33.135.184
 name-server 212.33.133.33
 name-server 212.33.131.67
 name-server 192.168.10.17
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp eq www 
 service-object tcp eq https 
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object router-advertisement
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 5061
 port-object eq 5062
 port-object eq 5063
 port-object eq 5064
access-list MgtAdmin_access_in extended permit ip any any inactive 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 77.241.105.96 255.255.255.248 
access-list outside_access_in extended permit ip Inside-domain 255.255.255.0 any 
access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.0 Inside-domain 255.255.255.0 inactive 
access-list outside_access_in extended permit ip 192.168.11.0 255.255.255.0 Inside-domain 255.255.255.0 inactive 
access-list outside_access_in extended permit ip Inside-PXO 255.255.255.0 Inside-domain 255.255.255.0 
access-list outside_access_in extended permit icmp 192.168.11.0 255.255.255.0 Inside-domain 255.255.255.0 object-group DM_INLINE_ICMP_1 
access-list outside_access_in extended permit tcp any host project.domain.com eq https 
access-list outside_access_in extended permit tcp any host sip.domain.com object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp host sip.domain.com host AV-Matrix eq 3389 inactive 
access-list outside_access_in extended permit tcp any host project.domain.com eq www 
access-list outside_access_in extended permit tcp any host project.domain.com eq 1755 
access-list outside_access_in extended permit udp any host project.domain.com eq 1755 
access-list inside_authentication extended permit tcp any any inactive 
access-list inside_access_in extended permit ip Inside-domain 255.255.255.0 Inside-domain 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Inside-domain 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Inside-domain 255.255.255.0 192.168.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Inside-domain 255.255.255.0 Inside-domain 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host mediaserver Inside-domain 255.255.255.128 
access-list inside_nat0_outbound extended permit ip host mediaserver 192.168.20.64 255.255.255.224 
access-list inside_nat0_outbound extended permit ip host 192.168.20.31 host sip.domain.com
access-list inside_access_in_1 extended permit ip 192.168.11.0 255.255.255.0 Inside-domain 255.255.255.0 inactive 
access-list inside_access_in_1 extended permit ip any any 
access-list inside_access_in_1 extended permit icmp Inside-domain 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_access_in_1 extended permit ip Inside-domain 255.255.255.0 host project.domain.com 
access-list VPNs_splitTunnelAcl standard permit Inside-domain 255.255.255.0 
access-list MgtAdmin_nat0_outbound extended permit ip any 192.168.20.64 255.255.255.224 
access-list MgtAdmin_nat0_outbound extended permit ip any Inside-domain 255.255.255.128 
access-list outside_3_cryptomap extended permit ip Inside-domain 255.255.255.0 192.168.10.0 255.255.255.0 inactive 
access-list VPN_splitTunnelAcl standard permit host Mediaserver 
access-list VPNtest_splitTunnelAcl standard permit host Mediaserver
access-list DefaultRAGroup_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MgtAdmin 1500
ip local pool OutsideVPNs 192.168.20.50-192.168.20.70 mask 255.255.255.0
ip local pool VPNInside 192.168.20.71-192.168.20.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 Inside-domain 255.255.255.0 dns
nat (MgtAdmin) 0 access-list MgtAdmin_nat0_outbound
static (inside,outside) tcp project.domain.com 3389 Mediaserver 3389 netmask 255.255.255.255 
static (inside,outside) tcp project.domain.com https Mediaserver https netmask 255.255.255.255 
static (inside,outside) tcp project.domain.com 1755 Mediaserver 1755 netmask 255.255.255.255 
static (inside,outside) udp project.domain.com  1755 Mediaserver 1755 netmask 255.255.255.255 
static (inside,outside) tcp domain.com www Mediaserver 81 netmask 255.255.255.255  dns 
static (inside,outside) tcp project.domain.com www Mediaserver 100 netmask 255.255.255.255 
static (inside,outside) udp project.domain.com 554 Mediaserver 554 netmask 255.255.255.255 
static (inside,outside) sip.domain.com 192.168.20.31 netmask 255.255.255.255 
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
access-group MgtAdmin_access_in in interface MgtAdmin
!
router rip
 passive-interface MgtAdmin
 version 1
!
route outside 0.0.0.0 0.0.0.0 77.241.105.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_authentication
 network-acl outside_access_in
 webvpn
  url-list value OfficeIntra
aaa-server Mediaserver protocol radius
 max-failed-attempts 5
aaa-server Mediaserver host Mediaserver
 key XXXX
 radius-common-pw XXXX
aaa authentication enable console LOCAL 
aaa authentication match inside_authentication inside LOCAL
aaa authentication http console LOCAL 
aaa authorization command LOCAL 
aaa local authentication attempts max-fail 6
http server enable
http 192.168.11.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http Inside-domain 255.255.255.0 inside
http 192.168.21.0 255.255.255.0 MgtAdmin
snmp-server location Mediaserver
snmp-server contact XXXX
snmp-server community XXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start
sysopt noproxyarp MgtAdmin
auth-prompt prompt User known 
auth-prompt accept Known user ok 
auth-prompt reject Not ok 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec fragmentation after-encryption MgtAdmin
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn CiscoGate
 subject-name CN=CiscoGate
 ip-address xxx.xxx.xxx.xxx
 no client-types
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 fqdn CiscoGate
 subject-name CN=CiscoGate
 ip-address xxx.xxx.xxx.xxx
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn CiscoGate.domain.local
 subject-name CN=CiscoGate.domain.local
 serial-number
 ip-address xxx.xxx.xxx.xxx
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 crl configure
crypto ca server 
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
  quit
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
  quit
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet Inside-domain 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns Mediaserver 212.33.135.184
dhcpd auto_config outside vpnclient-wins-override
dhcpd option 4 ip 129.240.64.3
!
dhcpd address 192.168.20.100-192.168.20.200 inside
dhcpd dns Mediaserver 212.33.133.33 interface inside
dhcpd wins Mediaserver interface inside
dhcpd lease 39600 interface inside
dhcpd domain domain.local interface inside
dhcpd enable inside
!
dhcpd dns Mediaserver interface outside
dhcpd domain domain.com interface outside
dhcpd update dns both interface outside
dhcpd option 6 ip Mediaserver interface outside
!
 
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 129.240.64.3 source outside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.2.0140-k9.pkg 2
 svc image disk0:/anyconnect-macosx-powerpc-2.2.0140-k9.pkg 3
 svc profiles OfficeVPN disk0:/OfficeVPN.xml
 svc profiles SBL disk0:/AnyConnectProfile.xml
 svc enable
 tunnel-group-list enable
 certificate-group-map DefaultCertificateMap 10 OFFICE-SSLVPN
group-policy SSLClientGrpPolicy internal
group-policy SSLClientGrpPolicy attributes
 wins-server value 192.168.20.10
 dns-server value 192.168.20.10 212.33.131.67
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value VPNs_splitTunnelAcl
 webvpn
  url-list value OfficeIntra
  svc modules value vpngina
  svc profiles value SBL
  svc ask enable default webvpn
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
 wins-server value 192.168.20.10
 dns-server value 192.168.20.10
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value domain.local
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNs_splitTunnelAcl
 default-domain value domain.local
 split-dns value 192.168.20.10 
 msie-proxy method no-modify
 address-pools value OutsideVPNs
 client-firewall none
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 192.168.20.10
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value domain.local
 vlan none
 address-pools value VPNInside
 client-firewall none
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.20.10
 dns-server value 192.168.20.10 212.33.131.67
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-network-list value VPNs_splitTunnelAcl
 webvpn
  url-list value OFFICEIntra
group-policy OfficeVPNs internal
group-policy OfficeVPNs attributes
 wins-server value 192.168.20.10
 dns-server value 192.168.20.10 212.33.131.67
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNs_splitTunnelAcl
 default-domain value domain.local
 msie-proxy local-bypass enable
 vlan none
 webvpn
  url-list value OfficeIntra
  svc keep-installer installed
  svc profiles value OfficeVPN
  customization value Office
  hidden-shares none
  file-entry enable
  file-browsing enable
  url-entry enable
group-policy SBL internal
group-policy SBL attributes
 webvpn
  svc modules value vpngina
  svc profiles value SBL
group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.168.20.10
 dns-server value 192.168.20.10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local
 webvpn
  svc ask enable default webvpn
username vpn-toin password XXXXXXXXXXXXXXXXX== nt-encrypted
username vpn-toin attributes
 service-type remote-access
username Admin password XXXXXXXXXXXXXXX encrypted privilege 15
username user password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNInside
 address-pool OutsideVPNs
 authentication-server-group Mediaserver 
 authentication-server-group (inside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 default-group-policy DefaultRAGroup_2
 strip-realm
 strip-group
 authorization-dn-attributes CN
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias sSSL disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization Office
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 address-pool OutsideVPNs
 dhcp-server CiscoGate
tunnel-group TunnelGroup1 webvpn-attributes
 group-alias PKAsTunnel disable
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
tunnel-group OFFICEWEB type remote-access
tunnel-group OFFICEWEB general-attributes
 address-pool OutsideVPNs
 authentication-server-group Mediaserver 
 default-group-policy VPN
 dhcp-server CiscoGate
tunnel-group OFFICEWEB webvpn-attributes
 hic-fail-group-policy SSLClientGrpPolicy
 customization OFFICE
 group-alias Public disable
tunnel-group OFFICEWEB ipsec-attributes
 pre-shared-key *
tunnel-group OFFICEWEB ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group OFFICE-SSLVPN type remote-access
tunnel-group OFFICE-SSLVPN general-attributes
 address-pool VPNInside
 authentication-server-group Mediaserver LOCAL
 default-group-policy OFFICEVPNs
 dhcp-server CiscoGate
 authorization-required
tunnel-group OFFICE-SSLVPN webvpn-attributes
 customization OFFICE
 group-alias OFFICE enable
tunnel-group OFFICE-SSLVPN ipsec-attributes
 pre-shared-key *
 trust-point ASDM_TrustPoint0
tunnel-group OFFICE-SSLVPN ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group OFFICE-SSLVPN2 type remote-access
tunnel-group OFFICE-SSLVPN2 general-attributes
 address-pool VPNInside
 default-group-policy OFFICEVPNs
 dhcp-server CiscoGate
tunnel-group OFFICE-SSLVPN2 webvpn-attributes
 group-alias OFFICEBackup enable
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:
: end


Les Moore (United States of America):

It could be a problem with IE8. Have you tried using it in compatibility mode?
WebVPN client (java download) doesn't work well with Vista at all, either. I have to keep an XP/IE7 virtual machine ready just for connecting to clients with WebVPN only. AnyConnect is vastly preferred. It is a quick, painless one-time install.
cegeland (asker):

I tried compatibility mode, no success. I had it working, but after modifying the VPN profile in use to accept Client SSL connections instead of IPSEC it stopped working.

Unfortunately I cannot remember which settings I changed, so I was hoping someone had experience with this type of problem.

AnyConnect is the primary way to connect, but sometimes users are out of office without their laptop and need to access files on the server. The users cannot install any applications due to GPO restrictions, and therefore WEB VPN is the only solution.

I can also add that when I try to browse the network I get a message saying: "Failed to retrieve domains"
CSCsl94183 Bug Details
 ASA- Clientless webvpn 'error contacting host' accessing CIFS shares  

Symptom:
Customer browsing CIFS links through clientless webvpn or clicking the link for 'browse the entire network' may get the following message:

'Error Contacting Host'

Conditions:
Workaround:
Re-loading the ASA resolves the issue.

Further Problem Description:

A capture on the interface between the ASA and the CIFS server being accessed will reveal no traffic is destined to that server from the ASA.

 
Status
Fixed

Severity
3 - moderate

Last Modified
In Last Year

Product
Cisco ASA 5500 Series Adaptive Security Appliances

Technology


1st Found-In
8.0(2)
8.0(3)

Fixed-In
8.0(3.11)
8.1(1.2)
8.0(103.9)  

So, please upgrade the software and see if the problem has been solved!

A/
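The posted running config and the CSCsl94183 details quoted above are both just text to read by eye; as an added example (not code from the thread or from Cisco), the Python below parses an ASA 8.0 "show run" the way a config audit would: it maps each tunnel-group to its default group-policy, reports whether that policy permits clientless webvpn and what its CIFS file-browsing/file-entry settings are, and checks the running version against the Fixed-In builds from the bug record. The config excerpt is a constructed, trimmed copy of the posted configuration; reading the Fixed-In list as "fixed when at or above the lowest fixed build of the same major.minor train" is my assumption, not something the bug record states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the posted "show run" (trimmed to the version
# line, two group policies and two tunnel groups).
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
group-policy OfficeVPNs internal
group-policy OfficeVPNs attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list value OfficeIntra
  file-entry enable
  file-browsing enable
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
tunnel-group OFFICEWEB general-attributes
 authentication-server-group Mediaserver
 default-group-policy VPN
tunnel-group OFFICE-SSLVPN general-attributes
 authentication-server-group Mediaserver LOCAL
 default-group-policy OFFICEVPNs
"""

# Fixed-In builds quoted from the CSCsl94183 bug details in the thread.
CSCSL94183_FIXED_IN = ["8.0(3.11)", "8.1(1.2)", "8.0(103.9)"]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'8.0(3.11)' -> (8, 0, 3, 11); a missing interim number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)

def has_cscsl94183_fix(version: str, fixed_in: List[str] = CSCSL94183_FIXED_IN) -> bool:
    """True when `version` is at or above the lowest fixed build of its own
    major.minor train; fixed builds of other trains say nothing about it (assumption)."""
    v = parse_version(version)
    same_train = [parse_version(f) for f in fixed_in if parse_version(f)[:2] == v[:2]]
    return bool(same_train) and v >= min(same_train)

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each unindented line to the indented lines beneath it; nested
    sub-modes (' webvpn' under a group-policy) are flattened into that list."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def asa_version(config: str) -> str:
    line = next(h for h in parse_blocks(config) if h.startswith("ASA Version "))
    return line.split()[2]

def _setting(lines: List[str], attr: str) -> Optional[bool]:
    # True/False for an explicit '<attr> enable|disable'; None when the policy does
    # not set it (the ASA then inherits the value from the group-policy chain).
    found = next((l for l in lines if l.startswith(attr + " ")), "")
    return {f"{attr} enable": True, f"{attr} disable": False}.get(found)

def tunnel_group_report(config: str) -> List[dict]:
    """One row per tunnel-group: default group-policy, AAA server groups, whether
    that policy permits clientless webvpn, and its CIFS file-access settings."""
    blocks = parse_blocks(config)
    policies: Dict[str, dict] = {}
    for header, lines in blocks.items():
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m:
            proto = next((l.split()[1:] for l in lines if l.startswith("vpn-tunnel-protocol ")), [])
            policies[m.group(1).lower()] = {  # lower(): posted config mixes OfficeVPNs/OFFICEVPNs
                "webvpn": "webvpn" in proto,
                "file_browsing": _setting(lines, "file-browsing"),
                "file_entry": _setting(lines, "file-entry"),
            }
    unknown = {"webvpn": None, "file_browsing": None, "file_entry": None}  # policy not in excerpt
    report = []
    for header, lines in blocks.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if not m:
            continue
        policy = next((l.split()[1] for l in lines if l.startswith("default-group-policy ")), "DfltGrpPolicy")
        auth = next((l.split()[1:] for l in lines if l.startswith("authentication-server-group ")), ["LOCAL"])
        row = {"tunnel_group": m.group(1), "group_policy": policy, "auth_servers": auth}
        row.update(policies.get(policy.lower(), unknown))
        report.append(row)
    return report
```

For the posted 8.0(2) the version check reports the fix absent; for the 8.0(4) the asker installs later in the thread it reports the fix present, so the symptom returning after that upgrade is not accounted for by this bug alone.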
I've tried restarting the router (pulled power), no success - I guess I should try a software update - will I lose all my settings if I do?

I inherited this system and I haven't had the time to figure out all the settings, neither do I have sufficient "cisco knowledge" to reconfigure the router from scratch.
Hi,

Save the configuration with the command: "write mem [enter]"

To be sure, make a copy of the output of the command "show run", paste it into Notepad and save it.

A/
OK I've backed up my config, but when I run the upgrade wizard in the ASDM it looks like you need some sort of support contract to be able to get firmware updates. We bought the router 2 years ago - is there any other way to get hold of the upgrade?

All I'm looking for is a fix for this WEB VPN issue. Now when I pull the power on the router I am able to browse the server for a couple of hours, then the problem returns.

The only legal way to get the upgrades is through Cisco with a valid support contract.
I contacted Cisco and recovered my service contract. Upgraded to version 8.0(4). Still same error.

What could be causing this?
I am running version 8(0)4.16 code on ASA 5510 devices and experiencing the same problem.
After upgrading the ASA it looks like the error still occurs after a couple of hours - browsing works fine for a couple of hours after reloading router.
Hi,

Please try with IE6 and the Firefox browser!

Also I want to know the svc version you're using (dir disk0: [enter]). If it is not the newest one, please update/upgrade.

A/
Wow - it actually works with Firefox - seems to be an IE8 issue then? Below are the results of "dir disk0:". Which service version is running?

Result of the command: "dir disk0:"

Directory of disk0:/

156    -rwx  8386560     19:12:34 Mar 04 2008  asa723-k8.bin
157    -rwx  4181246     19:13:02 Mar 04 2008  securedesktop-asa-3.2.1.103-k9.pkg
158    -rwx  398305      19:13:16 Mar 04 2008  sslclient-win-1.1.0.154.pkg
159    -rwx  6287244     19:14:40 Mar 04 2008  asdm-523.bin
66     drwx  4096        11:48:16 Jan 25 2009  crypto_archive
161    -rwx  14524416    00:01:04 Apr 02 2008  asa802-k8.bin
162    -rwx  6889764     00:05:56 Apr 02 2008  asdm-602.bin
163    -rwx  3219872     00:06:48 Apr 02 2008  securedesktop-asa-3.2.0.136-k9.pkg
164    -rwx  2206062     00:07:52 Apr 02 2008  sslclient-win-1.1.4.176-anyconnect.pkg
62     drwx  4096        08:48:26 Apr 04 2008  log
165    -rwx  89          22:41:04 Aug 20 2009  dap.xml
166    drwx  4096        07:26:21 Sep 07 2009  LOCAL-CA-SERVER
167    -rwx  2154944     14:05:44 Apr 16 2009  anyconnect-win-2.2.0140-k9.pkg
168    -rwx  502         15:10:54 Mar 30 2009  AnyConnectProfile.xml
169    -rwx  14137344    15:11:30 Sep 03 2009  asa804-k8.bin
170    -rwx  3412522     14:08:00 Apr 16 2009  anyconnect-macosx-i386-2.2.0140-k9.pkg
171    -rwx  3446536     14:08:28 Apr 16 2009  anyconnect-macosx-powerpc-2.2.0140-k9.pkg

126849024 bytes total (56348672 bytes free)
Ooops - not quite. Seems like the WEB VPN access works periodically - now when I try firefox it throws the same error message; error contacting host. I've also tried IE 7 - same error.
Can you confirm that this is happening on all your servers. In other words, create a share on another server and check if you can replicate the "Error Contacting Host" message.

In addition, I would like to know if all of you are experiencing this problem accessing CIFS shares immediately behind the SSL VPN termination point, or if the CIFS shares are on machines connected via L2L tunnels to the SSL VPN terminating firewall?

SSL-Enabled Browser ---> SSL Terminating Device (ASA or Router) ------> CIFS share?
                                                  OR
SSL-Enabled Browser ----> SSL Terminating Device (ASA or Router) ----------- L2L tunnel ------> CIFS Share?

In my case, I am noticing that newly-created shares and administrative shares are still accessible (i.e. prompt for credentials). I am focusing some attention on the CIFS server as well. Will try a reboot of the server.

Finally, we have some file synchronization software on this server, so I will consider that as well as I troubleshoot the issue.

G
Results

Restart of Server - no change
Disabling of File Sync Software - no change
Activating Standby NIC / Disabling Original NIC - now able to browse CIFS shares :)

Wondering if this is also going to be a temporary fix to the issue
FYI, I am now able to access CIFS shares in both scenarios:

SSL-Enabled Browser ---> SSL Terminating Device (ASA or Router) ------> CIFS share?
                                                  OR
SSL-Enabled Browser ----> SSL Terminating Device (ASA or Router) ----------- L2L tunnel ------> CIFS Share?
My setup is:
SSL-Enabled Browser --->SSL Terminating Device (ASA or Router) ------> CIFS share

I get the same error accessing 3 different CIFS shares (1 Windows 2003 AD/DC, 2x Vista workstations). Sometimes I am prompted for username/password. Other times I just get the error connecting to host.

As of right now it is working. 20 minutes ago it wasn't and I haven't done anything to any servers/workstations.

Tried restarting server - no change in stability.
Apparently there's an 8.2.1.ED version out there for ASA5505. Maybe an upgrade to this later version will solve the problem.