ASA 8.0(2) QEMU WebVPN/AnyConnect HOWTO
Page 1 of 1

Author:  study4fr33 [ Wed Oct 17, 2012 3:22 pm ]
Post subject:  ASA 8.0(2) QEMU WebVPN/AnyConnect HOWTO

After wasting my nerves for a few months with the QEMU emulation of ASA 8.0 I finally figured out how to run WebVPN seamlessly. It works after reboots (unlike other solutions I've seen, which make ASA crash and lose its startup config and flash contents when WebVPN is enabled), it doesn't take 100 attempts to make it work and, most importantly, it allows you to have AnyConnect working without an issue. Here is how it goes:

1) Get asa802-full_tuned_v3.rar, which seems to be the most advanced 8.0 image available; links and guides for emulating ASA are available in other topics in this forum. The setup below is tested under Ubuntu.

2) I create an empty Flash HDD:

qemu-img create FLASH 256M

3) Start ASA. The startup scripts will format and initialize the flash drive. Go directly to single mode without jumping to the shell and creating pointless directories as shown in numerous guides and videos all over the net.

4) There will be tons of files in the flash already (no idea what created them or why):

ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
    5  4096        Oct 17 2012 14:35:54  .private
   23  1982        Oct 17 2012 14:34:49  .private/startup-config
   26  0           Oct 17 2012 14:35:53  .private/mode.dat
   27  0           Oct 17 2012 14:35:54  .private/DATAFILE
    6  4096        Oct 17 2012 14:34:46  soft
    7  4096        Oct 17 2012 14:34:46  boot
    8  4096        Oct 17 2012 14:34:48  csco_config
    9  4096        Oct 17 2012 14:34:48  csco_config/97
   10  4096        Oct 17 2012 14:36:03  csco_config/97/bookmarks
   39  848         Oct 17 2012 14:36:03  csco_config/97/bookmarks/Template
   11  4096        Oct 17 2012 14:36:03  csco_config/97/customization
   38  23666       Oct 17 2012 14:36:03  csco_config/97/customization/Template
   12  4096        Oct 17 2012 14:34:48  csco_config/97/webcontent
   13  4096        Oct 17 2012 14:35:55  csco_config/locale
   14  4096        Oct 17 2012 14:35:55  csco_config/locale/LC_MESSAGES
   31  2864        Oct 17 2012 14:35:55  csco_config/locale/LC_MESSAGES/PortForwarder.po
   34  18061       Oct 17 2012 14:35:55  csco_config/locale/LC_MESSAGES/webvpn.po
   37  896         Oct 17 2012 14:35:55  csco_config/locale/LC_MESSAGES/banners.po
   15  4096        Oct 17 2012 14:34:49  csco_config/locale/fr
   16  4096        Oct 17 2012 14:35:55  csco_config/locale/fr/LC_MESSAGES
   30  2430        Oct 17 2012 14:35:55  csco_config/locale/fr/LC_MESSAGES/customization.po
   33  4149        Oct 17 2012 14:35:55  csco_config/locale/fr/LC_MESSAGES/PortForwarder.po
   36  29961       Oct 17 2012 14:35:55  csco_config/locale/fr/LC_MESSAGES/webvpn.po
   17  4096        Oct 17 2012 14:34:49  csco_config/locale/ja

These files, for some reason, make the ASA crash when enabling WebVPN. Error messages vary from "Restarting system." to:

ERROR: log directory non-existent: No such file or directory
ERROR: creating minidump file/var/log//recovery-event.451.20121017.143000. No such file or directory
ERROR: log directory non-existent: No such file or directory
ERROR: creating minidump file/var/log//recovery-event.451.20121017.143000. No such file or directory

The error message you are going to see depends on which guide you follow. Some tell you to create a /var/log folder, others tell you to create /mnt/disk0/var/log and /mnt/disk0/csco_config/97/webcontent folders. Probably this worked with some other image in the past, but with this particular image these are pointless operations.

5) Instead simply delete everything in flash:
ciscoasa# delete /recursive flash:*
Delete filename [*]?
Examine files in directory disk0:/.private? [confirm]
Delete disk0:/.private/startup-config? [confirm]
Delete disk0:/.private/mode.dat? [confirm]
Delete disk0:/.private/DATAFILE? [confirm]
Delete disk0:/.private? [confirm]
Examine files in directory disk0:/boot? [confirm]
Delete disk0:/boot/grub.conf? [confirm]
Delete disk0:/boot? [confirm]
Examine files in directory disk0:/csco_config? [confirm]
Examine files in directory disk0:/csco_config/97? [confirm]
Examine files in directory disk0:/csco_config/97/bookmarks? [confirm]
Delete disk0:/csco_config/97/bookmarks/Template? [confirm]
Delete disk0:/csco_config/97/bookmarks? [confirm]
Examine files in directory disk0:/csco_config/97/customization? [confirm]
Delete disk0:/csco_config/97/customization/Template? [confirm]
Delete disk0:/csco_config/97/customization? [confirm]
Examine files in directory disk0:/csco_config/97/webcontent? [confirm]
Delete disk0:/csco_config/97/webcontent? [confirm]
Delete disk0:/csco_config/97? [confirm]
Examine files in directory disk0:/csco_config/locale? [confirm]
Examine files in directory disk0:/csco_config/locale/LC_MESSAGES? [confirm]
Delete disk0:/csco_config/locale/LC_MESSAGES/PortForwarder.po? [confirm]
Delete disk0:/csco_config/locale/LC_MESSAGES/webvpn.po? [confirm]
Delete disk0:/csco_config/locale/LC_MESSAGES/banners.po? [confirm]
Delete disk0:/csco_config/locale/LC_MESSAGES? [confirm]
Examine files in directory disk0:/csco_config/locale/fr? [confirm]
Examine files in directory disk0:/csco_config/locale/fr/LC_MESSAGES? [confirm]
Delete disk0:/csco_config/locale/fr/LC_MESSAGES/customization.po? [confirm]
Delete disk0:/csco_config/locale/fr/LC_MESSAGES/PortForwarder.po? [confirm]
Delete disk0:/csco_config/locale/fr/LC_MESSAGES/webvpn.po? [confirm]
Delete disk0:/csco_config/locale/fr/LC_MESSAGES? [confirm]
Delete disk0:/csco_config/locale/fr? [confirm]
Examine files in directory disk0:/csco_config/locale/ja? [confirm]
Examine files in directory disk0:/csco_config/locale/ja/LC_MESSAGES? [confirm]
Delete disk0:/csco_config/locale/ja/LC_MESSAGES/customization.po? [confirm]
Delete disk0:/csco_config/locale/ja/LC_MESSAGES/PortForwarder.po? [confirm]
Delete disk0:/csco_config/locale/ja/LC_MESSAGES/webvpn.po? [confirm]
Delete disk0:/csco_config/locale/ja/LC_MESSAGES? [confirm]
Delete disk0:/csco_config/locale/ja? [confirm]
Delete disk0:/csco_config/locale/clean.8.0.done? [confirm]
Delete disk0:/csco_config/locale? [confirm]
Delete disk0:/csco_config? [confirm]
Examine files in directory disk0:/var? [confirm]
Examine files in directory disk0:/var/log? [confirm]
Examine files in directory disk0:/var/log/fr? [confirm]
Delete disk0:/var/log/fr? [confirm]
Examine files in directory disk0:/var/log/ja? [confirm]
Delete disk0:/var/log/ja? [confirm]
Delete disk0:/var/log? [confirm]
Delete disk0:/var? [confirm]

Press "y" at each step to confirm the deletion and make sure flash is empty:

ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
No files in directory

6) The full tuned image mentioned above provisions a "boot config disk0:/.private/startup-config" command in the startup config, and if you are as careless as I am you have already deleted the .private folder which holds the startup config. Recreate it and save your config (a few extra files will be created in flash as well, as you'll see):

ciscoasa# mkdir disk0:/.private/

Create directory filename [/.private/]?

Created dir disk0:/.private/
ciscoasa# wr
Building configuration...
Cryptochecksum: 73cd033e 8d092b54 365f6c63 42e63b75

2054 bytes copied in 11.120 secs (186 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed

ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
   40  4096        Oct 17 2012 14:37:48  .private
   41  2054        Oct 17 2012 14:37:48  .private/startup-config
   43  0           Oct 17 2012 14:37:48  .private/DATAFILE
   42  4096        Oct 17 2012 14:37:48  boot

268136448 bytes total (268103680 bytes free)
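Because the whole trick in steps 4 to 6 is the state of the flash (the leftover csco_config/ and var/ trees are what the post associates with the WebVPN crash, and only .private/ and boot/ should remain after "wr"), it is handy to check a pasted "sh flash:" listing mechanically before enabling WebVPN. The following is an added example, not code from the original post or from Cisco: it parses the ASA 8.0 listing format shown above into entries, reports the "bytes total / bytes free" line, and flags any entry under a stale top-level tree. The sample listings are copied from the post; the choice of which prefixes count as stale is taken from the post's own observations.

```python
"""Parse ASA 8.0 'show flash:' output and flag the leftover trees that the
HOWTO says crash WebVPN. Added example, not part of the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listing row: index, length, "Mon DD YYYY HH:MM:SS", path.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
TOTAL_RE = re.compile(r"^(\d+) bytes total \((\d+) bytes free\)")

# Top-level trees whose presence the post associates with WebVPN crashes.
STALE_PREFIXES = ("csco_config", "var")


@dataclass
class FlashEntry:
    index: int
    length: int
    timestamp: str
    path: str

    @property
    def top_level(self) -> str:
        return self.path.split("/", 1)[0]


def parse_show_flash(text: str) -> Tuple[List[FlashEntry], Optional[Tuple[int, int]]]:
    """Return (entries, (bytes_total, bytes_free) or None).

    Header rows, 'No files in directory' and prompts simply do not match."""
    entries: List[FlashEntry] = []
    totals: Optional[Tuple[int, int]] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(
                FlashEntry(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            )
            continue
        t = TOTAL_RE.match(line.strip())
        if t:
            totals = (int(t.group(1)), int(t.group(2)))
    return entries, totals


def stale_paths(entries: List[FlashEntry]) -> List[str]:
    """Paths living under a tree that should have been deleted in step 5."""
    return [e.path for e in entries if e.top_level in STALE_PREFIXES]


def is_clean(entries: List[FlashEntry]) -> bool:
    """True when no stale tree is present (an empty flash is clean too)."""
    return not stale_paths(entries)


# Sample listings, copied from the post (the first one abbreviated).
DIRTY_LISTING = """\
ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
    5  4096        Oct 17 2012 14:35:54  .private
   23  1982        Oct 17 2012 14:34:49  .private/startup-config
    7  4096        Oct 17 2012 14:34:46  boot
    8  4096        Oct 17 2012 14:34:48  csco_config
    9  4096        Oct 17 2012 14:34:48  csco_config/97
   39  848         Oct 17 2012 14:36:03  csco_config/97/bookmarks/Template
   34  18061       Oct 17 2012 14:35:55  csco_config/locale/LC_MESSAGES/webvpn.po
"""

CLEAN_LISTING = """\
ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
   40  4096        Oct 17 2012 14:37:48  .private
   41  2054        Oct 17 2012 14:37:48  .private/startup-config
   43  0           Oct 17 2012 14:37:48  .private/DATAFILE
   42  4096        Oct 17 2012 14:37:48  boot

268136448 bytes total (268103680 bytes free)
"""

EMPTY_LISTING = """\
ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
No files in directory
"""


def report(text: str) -> str:
    """Human-readable verdict for one pasted listing."""
    entries, totals = parse_show_flash(text)
    lines = [f"{len(entries)} entries parsed"]
    if totals:
        lines.append(f"{totals[0]} bytes total, {totals[1]} bytes free")
    stale = stale_paths(entries)
    if stale:
        lines.append("STALE (delete before enabling webvpn):")
        lines.extend("  " + p for p in stale)
    else:
        lines.append("flash is clean; safe to enable webvpn")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, listing in (("dirty", DIRTY_LISTING), ("clean", CLEAN_LISTING), ("empty", EMPTY_LISTING)):
        print(f"== {name} ==")
        print(report(listing))
```

Paste the output of "sh flash:" into a file and feed it to parse_show_flash(); the script only reads text, so it can be run on the Ubuntu host without touching the emulated ASA.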

7) Now you are good to go for WebVPN and, most importantly, AnyConnect. The guides I've seen will, in the best case, lead you to a working WebVPN by some miracle, but this also comes with the bonus of a corrupted flash drive, which will prevent you from copying the AnyConnect image to flash and enabling it under webvpn configuration mode.

ciscoasa# conf t
ciscoasa(config)# hostname ASA1
ASA1(config)# interface Ethernet0/0
ASA1(config-if)#  nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)#  security-level 0
ASA1(config-if)#  ip address
ASA1(config-if)# webvpn
ASA1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA1(config-webvpn)# sh flash:
--#--  --length--  -----date/time------  path
   40  4096        Oct 17 2012 14:37:48  .private
   41  2054        Oct 17 2012 14:37:48  .private/startup-config
   43  0           Oct 17 2012 14:37:48  .private/DATAFILE
   42  4096        Oct 17 2012 14:37:48  boot

ciscoasa(config-webvpn)#  enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.

ASA1(config-if)# copy tftp:// flash:

Address or name of remote host []?

Source filename [anyconnect-win-2.4.1012-k9.pkg]?

Destination filename [anyconnect-win-2.4.1012-k9.pkg]?

Accessing tftp://!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.4.1012-k9.pkg...

ASA1(config)# webvpn
ASA1(config-webvpn)# svc image disk0:/anyconnect-win-2.4.1012-k9.pkg
ASA1(config-webvpn)# svc enable
ASA1(config-webvpn)# sh webvpn svc

exec mode commands/options:
  image  Show information about an SSL VPN Client image file
  |      Output modifiers
ASA1(config-webvpn)# sh webvpn svc
1. disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  CISCO STC win2k+
  Thu 12/17/2009 15:47:55.45

1 SSL VPN Client(s) installed

8) I'm using XP with SP3, AnyConnect 2.4, Firefox 3.6 and IE8 for my tests. Download the latest JRE 1.6 and, if you have another version, disable it from the Java Control Panel. On top of that go to Control Panel - Java, then click the Advanced tab and open Security - General in the tree list. Uncheck "Enable blacklist revocation check". Otherwise the ASA JRE fails to launch, as it's blacklisted.

I played a little bit with the 8.4 QEMU image and I believe these issues are solved in it, but it seems like nobody cares about 8.0 anymore. It would be nice if someone could repack a v4 of the above-mentioned image with the changes enabling WebVPN and AnyConnect, but I guess this will never happen, so the only way to fix this is manually, by following the steps above. Enjoy!
