Recover from Hosts File Errors When Using Application Access
To prevent hosts file errors that can interfere with Application Access, close the Application Access window properly when you finish using Application Access. To do so, click the close icon.
When Application Access terminates abnormally, the hosts file remains in a Clientless SSL VPN-customized state. Clientless SSL VPN checks the state the next time you start Application Access by searching for a hosts.webvpn file. If it finds one, a Backup HOSTS File Found error message appears, and Application Access is temporarily switched off.
If Application Access is stopped improperly, you leave the remote access client/server applications in limbo. If you try to start these applications without using Clientless SSL VPN, they may malfunction. You may find that hosts that you normally connect to are unavailable. This situation could commonly occur if you run applications remotely from home, fail to quit the Application Access window before shutting down the computer, then try to run the applications later from the office.
The following errors can occur if you do not close the Application Access window properly:
The next time you try to start Application Access, it may be switched off; you receive a Backup HOSTS File Found error message.
The applications themselves may be switched off or malfunction, even when you are running them locally.
These errors can result from terminating the Application Access window in any improper way. For example:
Your browser crashes while you are using Application Access.
A power outage or system shutdown occurs while you are using Application Access.
You minimize the Application Access window while you are working, then shut down your computer with the window active (but minimized).
The hosts file on your local system maps IP addresses to hostnames. When you start Application Access, Clientless SSL VPN modifies the hosts file, adding Clientless SSL VPN-specific entries. Stopping Application Access by properly closing the Application Access window returns the file to its original state.
Before invoking Application Access: the hosts file is in its original state.
When Application Access starts: Clientless SSL VPN copies the hosts file to hosts.webvpn, thus creating a backup. Clientless SSL VPN then edits the hosts file, inserting Clientless SSL VPN-specific information.
When Application Access stops: Clientless SSL VPN copies the backup file to the hosts file, thus restoring the hosts file to its original state. Clientless SSL VPN then deletes hosts.webvpn.
After finishing Application Access: the hosts file is in its original state.
Microsoft anti-spyware software blocks changes that the port forwarding Java applet makes to the hosts file. See for information on how to allow hosts file changes when using
Reconfigure a Host’s File Automatically Using Clientless SSL VPN
If you are able to connect to your remote access server, follow these steps to reconfigure the hosts file and re-enable both Application Access and the applications.
Start Clientless SSL VPN and log in.
Click the Applications Access link.
Choose one of the following options:
Restore from backup: Clientless SSL VPN forces a proper shutdown. It copies the hosts.webvpn backup file to the hosts file, restoring it to its original state, then deletes hosts.webvpn. You then have to restart Application Access.
Do nothing: Application Access does not start. The remote access home page reappears.
Delete backup: Clientless SSL VPN deletes the hosts.webvpn file, leaving the hosts file in its Clientless SSL VPN-customized state. The original hosts file settings are lost. Application Access then starts, using the Clientless SSL VPN-customized hosts file as the new original. Choose this option only if you are unconcerned about losing hosts file settings. If you or a program you use may have edited the hosts file after Application Access has shut down improperly, choose one of the other options, or edit the hosts file manually.
Reconfigure Hosts File Manually
If you are not able to connect to your remote access server from your current location, or if you have customized the hosts file and do not want to lose your edits, follow these steps to reconfigure the hosts file and reenable both Application Access and the applications.
Locate and edit your hosts file. The most common location is c:\windows\system32\drivers\etc\hosts.
Check to see if any lines contain the string: # added by WebVpnPortForward
If any lines contain this string, your hosts file is Clientless SSL VPN-customized. A Clientless SSL VPN-customized hosts file looks similar to the following example:
server1 # added by WebVpnPortForward
server1.example.com invalid.cisco.com # added by WebVpnPortForward
server2 # added by WebVpnPortForward
server2.example.com invalid.cisco.com # added by WebVpnPortForward
server3 # added by WebVpnPortForward
server3.example.com invalid.cisco.com # added by WebVpnPortForward
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to hostnames. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding hostname.
# The IP address and the hostname should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 126.96.36.199 cisco.example.com # source server
# 188.8.131.52 x.example.com # x client host
Delete the lines that contain the string: # added by WebVpnPortForward
Save and close the file.
Start Clientless SSL VPN and log in.
Click the Application Access link.
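The manual check and cleanup above, as an added Python example that is not part of the original Cisco procedure: it reports marker lines and a leftover hosts.webvpn in a given directory, then removes only the marker lines so hand-made entries survive. The sample addresses and hostnames, the hosts.pre-clean safety copy and the function names are assumptions made for illustration.

```python
import shutil
import tempfile
from pathlib import Path

MARKER = "# added by WebVpnPortForward"  # marker string quoted on this page

def read_hosts(path: Path) -> str:
    # newline="" keeps CRLF/LF line endings exactly as they are on disk
    with open(path, "r", encoding="utf-8", errors="surrogateescape", newline="") as fh:
        return fh.read()

def assess(hosts_dir: Path) -> dict:
    """Report the two leftovers of an abnormal Application Access exit."""
    lines = read_hosts(hosts_dir / "hosts").splitlines()
    return {
        "backup_present": (hosts_dir / "hosts.webvpn").exists(),
        "marker_lines": [ln for ln in lines if MARKER in ln],
    }

def clean_hosts(hosts_dir: Path) -> int:
    """Delete only the marker lines; return how many were removed."""
    hosts = hosts_dir / "hosts"
    lines = read_hosts(hosts).splitlines(keepends=True)
    kept = [ln for ln in lines if MARKER not in ln]
    if len(kept) != len(lines):
        shutil.copy2(hosts, hosts_dir / "hosts.pre-clean")  # hypothetical safety copy
        with open(hosts, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
            fh.writelines(kept)
    return len(lines) - len(kept)

# Constructed sample: the addresses and hostnames are illustrative only.
SAMPLE = (
    "127.0.0.3 server1 # added by WebVpnPortForward\r\n"
    "127.0.0.3 server1.example.com invalid.cisco.com # added by WebVpnPortForward\r\n"
    "127.0.0.1 localhost\r\n"
    "10.0.0.25 buildbox.example.com # entry the user added by hand\r\n"
)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "hosts").write_bytes(SAMPLE.encode())
        (d / "hosts.webvpn").write_bytes(b"127.0.0.1 localhost\r\n")  # stale backup
        before = assess(d)
        removed = clean_hosts(d)
        return {"before": before, "removed": removed, "after": assess(d),
                "text": read_hosts(d / "hosts")}

if __name__ == "__main__":
    print(demo())
```

The leftover hosts.webvpn is reported but left in place, because the manual steps above do not touch it.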
Send an Administrator’s Alert to Clientless SSL VPN Users
In the main ASDM application window, choose
> Administrator’s Alert Message to
Clientless SSL VPN Users.
Enter the new or edited alert content to
send, and then click
To remove current alert content and enter
new alert content, click
Protect Clientless SSL VPN Session Cookies
Embedded objects such as Flash applications and
Java applets, as well as external applications, usually rely on an existing
session cookie to work with the server. They get it from a browser using some
VPN session cookie makes the session cookie only visible to the browser, not
the client-side scripts, and it makes session sharing impossible.
Before You Begin
Change the VPN session cookie setting only when there are no active Clientless SSL VPN sessions.
Use the show vpn-sessiondb webvpn command to check the status of Clientless SSL VPN sessions.
Use the vpn-sessiondb logoff webvpn command to log out of all Clientless SSL VPN sessions.
The following Clientless SSL VPN features will not work when the http-only-cookie command is enabled:
SharePoint features that require desktop applications (for example, MS Office applications)
AnyConnect Web launch
Citrix Receiver, XenDesktop, and Xenon
Other non-browser-based and browser
To prevent a Clientless SSL VPN session cookie
from being accessed by a third party through a client-side script such as
Use this setting only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the Clientless SSL VPN features listed under the Guidelines section will not work without any warning.