Webvpn weird authentication issues

Unanswered Question
Apr 14th, 2008
User Badges:

Hi All,

I have just configured webvpn on a pair of asa5510's, the webvpn is now issuing a pop-up when I log in either to a group that authenticates locally on the asa of to a group that authenticates to a Radius server.

the Pop-Up is a User Alert in the form


(the pop-up is the same no matter what group I authenticate into.)

here is the webvpn config, any pointers to remove this would be GREAT

ciscoasa# sh run | beg webvpn


enable outside

svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec svc webvpn

group-policy Staff_Group_Policy internal

group-policy Staff_Group_Policy attributes

vpn-filter value STAFF_RULE

vpn-tunnel-protocol IPSec svc webvpn

vlan 10

address-pools value Staff_DHCP


url-list value Staff

file-entry enable

file-browsing enable

group-policy Student_Group_Policy internal

group-policy Student_Group_Policy attributes

vpn-filter value STUDENT_RULES

vpn-tunnel-protocol IPSec svc webvpn

vlan 1

address-pools value Student_DHCP


url-list value Students

file-entry enable

file-browsing enable

group-policy IT_Dept_Group_Policy internal

group-policy IT_Dept_Group_Policy attributes

vpn-tunnel-protocol IPSec svc webvpn

vlan none

address-pools value IT_Dept_DHCP


hidden-shares none

username ******* password *******

tunnel-group IT_Dept type remote-access

tunnel-group IT_Dept general-attributes

default-group-policy IT_Dept_Group_Policy

tunnel-group IT_Dept webvpn-attributes

group-alias IT_Dept enable

tunnel-group IT_Dept ipsec-attributes

pre-shared-key *

tunnel-group Students type remote-access

tunnel-group Students general-attributes

authentication-server-group STUDENT_RADIUS

authentication-server-group (student) STUDENT_RADIUS

default-group-policy Student_Group_Policy

tunnel-group Students webvpn-attributes

group-alias Students enable

tunnel-group Students ipsec-attributes

pre-shared-key *

tunnel-group STAFF type remote-access

tunnel-group STAFF general-attributes

address-pool Staff_DHCP

authentication-server-group STAFF_RADUIS

authentication-server-group (Staff) STAFF_RADUIS

default-group-policy Staff_Group_Policy

tunnel-group STAFF webvpn-attributes

group-alias STAFF enable

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
owillins Fri, 04/18/2008 - 10:20
User Badges:
  • Silver, 250 points or more

Is user alert set in WebVPN mode?

ASA(config-webvpn)# no user-alert


As for filtering Smart Tunnel traffic you will need to specify syntax as


access-list temp webtype permit url smart-tunnel://x.x.x.x

mlatham67 Thu, 05/29/2008 - 13:40
User Badges:

Hi All

I Found that a reboot fixed my issue, but please make a note that a few weeks after we lost all access to cifs shares, the error was

Error Contacting Host

Please check bug CSCsl94183 and upgrade to asa803-12-k8.bin, this seems a lot more stable.

good luck.

schaef350 Tue, 09/17/2013 - 11:42
User Badges:
  • Bronze, 100 points or more

I found this thread while working on the same issue and figured I would update it to have accurate information:

I resolved this on our 9.1 ASA with something like this:

ciscoasa(config)# tunnel-group   general-attributes

ciscoasa(config-tunnel-general)# user-alert cancel

- Be sure to rate all helpful posts

Jatin Katyal Tue, 09/17/2013 - 21:51
User Badges:
  • Cisco Employee,


DOC: Multiple errors in ASA Command Reference for 'user-alert'


There are multiple errors in the ASA Command Reference regarding the 'user-alert' command. The most important one is, that from ASA version 8.2 onwards, the "no user-alert" command does not exist anymore, but has been replaced by the "user-alert cancel" command.

Jatin Katyal

**Do rate helpful posts**


This Discussion