Cisco ASA - HTTP to HTTPS redirection.

You can use “HTTP to HTTPS redirection” for WebVPN, ASDM, etc. See the command reference entry for the “http redirect” command.

ASA# conf t
ASA(config)# http redirect outside 80
ASA(config)# end
ASA# sh run http
http server enable
http redirect outside 80
ASA#

BTW, if you have the HTTP server disabled (for example, you do not use ASDM), that is fine, because “http server enable” is NOT required for the HTTP redirection feature.

Cisco ASA - Clientless SSL VPN (WebVPN) and anyconnect-essentials.

When you apply a new license on the ASA, you get the following warning:

**********************************************************************
WARNING: AnyConnect Essentials license active. Basic VPN support is
in effect. For specific details, please refer to Cisco AnyConnect VPN
Client Administrator Guide.
**********************************************************************

If you apply a license with anyconnect-essentials enabled, the ASA turns it on automatically. That means that if you have SSL VPN (WebVPN) configured on your production VPN server, SSL VPN users will get the “Clientless (browser) SSL VPN access is not allowed.” error after the new license is applied.

%ASA-6-734001: DAP: User user, Addr ipaddr, Connection connection: The following DAP records were selected for this connection: DAP record names
 %ASA-4-722049: Group group User user IP ip Session terminated: SVC not enabled or invalid image on the ASA.

Note that 722049 is an error and ASDM marks this message as amber. BTW, the list of all available syslog messages can be found here.

To restore functionality:

conf t
 webvpn
  no anyconnect-essentials

Some general info from CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 > Clientless SSL VPN Overview:

• The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.

• Note: With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.

• The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium SSL VPN Edition license.

• The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on different ASAs in the same network.

• By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by using the no anyconnect-essentials command.

SolarWinds - How to create a chart for active WebVPN sessions. [TESTED]

Real quick. The same as I did before for AnyConnect sessions, but for another OID - CISCO-REMOTE-ACCESS-MONITOR-MIB::crasWebvpnNumSessions.0 - 1.3.6.1.4.1.9.9.392.1.3.38.0 - The number of currently active Webvpn sessions.

The same as you can get from the CLI:

ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : username               Index        : 4
Public IP    : 172.16.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 2686857                Bytes Rx     : 162442
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 18:02:49 UTC Fri Feb 6 2015
Duration     : 0h:06m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA#
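
To cross-check the charted OID value against the CLI, the session blocks in the output above can be parsed and counted. This is an added example, not part of the original post; the function names and the sample text (two constructed sessions in the same layout, with documentation IP addresses) are assumptions.

```python
import re

# One "Key : value" pair. Values may contain colons ("Clientless: (1)RC4"),
# and a second pair may follow on the same line after two or more spaces.
PAIR = re.compile(r"(\S(?:.*?\S)?)\s+:\s+(.*?)(?=\s{2,}\S|$)")

def parse_sessions(output):
    """Return one dict per session in 'show vpn-sessiondb webvpn' output."""
    sessions = []
    for line in output.splitlines():
        for key, value in PAIR.findall(line.strip()):
            if key == "Username":      # every session block starts with this key
                sessions.append({})
            if sessions:               # ignore pairs seen before the first block
                sessions[-1][key] = value
    return sessions

def count_sessions(output):
    """Number of session blocks, for comparison with crasWebvpnNumSessions.0."""
    return len(parse_sessions(output))

# Constructed sample in the layout shown above (not captured from a device).
SAMPLE = """\
ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : alice                  Index        : 4
Public IP    : 192.0.2.10
Protocol     : Clientless
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Login Time   : 18:02:49 UTC Fri Feb 6 2015
Duration     : 0h:06m:33s

Username     : bob                    Index        : 7
Public IP    : 198.51.100.7
Protocol     : Clientless
Login Time   : 18:05:10 UTC Fri Feb 6 2015

ASA#
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["Username"], s["Public IP"], s["Login Time"])
    print("active WebVPN sessions:", count_sessions(SAMPLE))
```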
