Re: [AusNOG] Weird Cisco SSLVPN issues from what appears to be from Telstra 4G users

2019-06-27 Thread Jen Linkova
On Fri, Jun 28, 2019 at 10:59 AM Beeson, Ayden wrote:
>
> We are a Telstra 4G / Anyconnect SSL VPN shop and I haven't heard of any 
> complaints for this issue. Are you using Anyconnect, or just using the 
> clientless VPN?
>
> Are they 100% using the 4G connection and not accidentally on hotel / public 
> Wi-Fi that might have a captive portal on it? I didn't think Anyconnect even 
> had a portal detection feature, I've never seen one on any versions I have 
> run.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

> There might be a portal check feature if it does have one that is failing to 
> reach your ASA/VPN termination gear, even though the actual connection is 
> fine. I'm not aware of specifics around a mechanism if one exists so that’s 
> speculation at best, but maybe ICMP reachability etc?

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html#anc9
As per the doc, AnyConnect reports a captive portal if, after an HTTPS
certificate failure, it gets an unexpected HTTP code from the server.

>
> On 26/6/19, 1:18 pm, "AusNOG on behalf of Drikus Brits" wrote:
>
> Howdy,
>
> Has anybody else picked up weird issues regarding SSLVPN connections?
> We've had a bunch of customers complaining about getting popups
> claiming that the user is behind a captive portal and needs to
> authenticate/resolve connectivity issues first before the SSLVPN
> software can connect.
>
> a bit spread thing trying to locate the exact reason, but seems it is
> very erratic with customers scattered.
>
> cheers,
>
> Drikus
> Brennan IT
> ___
> AusNOG mailing list
> AusNOG@lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog



-- 
SY, Jen Linkova aka Furry


Re: [AusNOG] Weird Cisco SSLVPN issues from what appears to be from Telstra 4G users

2019-06-27 Thread Phill Groom
The AnyConnect client does captive portal detection but you will only see
it if you are using the many options available via the xml config file.

The options in the client itself are very limited.

On Fri, 28 Jun 2019 at 10:58, Beeson, Ayden wrote:

> We are a Telstra 4G / Anyconnect SSL VPN shop and I haven't heard of any
> complaints for this issue. Are you using Anyconnect, or just using the
> clientless VPN?
>
> Are they 100% using the 4G connection and not accidentally on hotel /
> public Wi-Fi that might have a captive portal on it? I didn't think
> Anyconnect even had a portal detection feature, I've never seen one on any
> versions I have run.
>
> There might be a portal check feature if it does have one that is failing
> to reach your ASA/VPN termination gear, even though the actual connection
> is fine. I'm not aware of specifics around a mechanism if one exists so
> that’s speculation at best, but maybe ICMP reachability etc?
>
> Cheers,
> Ayden
>
>
> On 26/6/19, 1:18 pm, "AusNOG on behalf of Drikus Brits" <
> ausnog-boun...@lists.ausnog.net on behalf of drikusin...@gmail.com> wrote:
>
> Howdy,
>
> Has anybody else picked up weird issues regarding SSLVPN connections?
> We've had a bunch of customers complaining about getting popups
> claiming that the user is behind a captive portal and needs to
> authenticate/resolve connectivity issues first before the SSLVPN
> software can connect.
>
> a bit spread thing trying to locate the exact reason, but seems it is
> very erratic with customers scattered.
>
> cheers,
>
> Drikus
> Brennan IT


Re: [AusNOG] Weird Cisco SSLVPN issues from what appears to be from Telstra 4G users

2019-06-27 Thread Beeson, Ayden
We are a Telstra 4G / Anyconnect SSL VPN shop and I haven't heard of any 
complaints for this issue. Are you using Anyconnect, or just using the 
clientless VPN?

Are they 100% using the 4G connection and not accidentally on hotel / public 
Wi-Fi that might have a captive portal on it? I didn't think Anyconnect even 
had a portal detection feature, I've never seen one on any versions I have run.

There might be a portal check feature if it does have one that is failing to 
reach your ASA/VPN termination gear, even though the actual connection is fine. 
I'm not aware of specifics around a mechanism if one exists so that’s 
speculation at best, but maybe ICMP reachability etc?

Cheers,
Ayden
 

On 26/6/19, 1:18 pm, "AusNOG on behalf of Drikus Brits" wrote:

Howdy,

Has anybody else picked up weird issues regarding SSLVPN connections?
We've had a bunch of customers complaining about getting popups
claiming that the user is behind a captive portal and needs to
authenticate/resolve connectivity issues first before the SSLVPN
software can connect.

a bit spread thing trying to locate the exact reason, but seems it is
very erratic with customers scattered.

cheers,

Drikus
Brennan IT