some trouble with webvpn

Jun 8th, 2008

Hello - when I configure my ASA 5520 with software 8.0(3) I have the following problem:

When I enter the secure desktop and type my login and password, I see "incorrect login".

On the ASA I see this:

INFO: debug webvpn enabled at level 200.

HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_portal.c:http_webvpn_kill_cookie[632]

webvpn_auth.c:http_webvpn_pre_authentication[2009]

WebVPN: calling AAA with ewsContext (-932106496) and nh (-932109336)!

WebVPN: started user authentication...

webvpn_auth.c:webvpn_aaa_callback[4537]

WebVPN: AAA status = (REJECT)

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_auth.c:http_webvpn_post_authentication[1233]

WebVPN: user: (evkuzin) rejected.

http_remove_auth_handle(): handle 76 not found!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!


But the RADIUS logs are clean!!!


What's wrong?



Farrukh Haroon Mon, 06/09/2008 - 02:22

Did you check the Radius connectivity with the AAA server using the 'test' command on the ASA?


Regards


Farrukh

vadim.kharchenko Mon, 06/09/2008 - 03:14

Yes - I'm sure that the connection to RADIUS works properly, because besides WebVPN I configured remote IPsec VPN with authentication on this RADIUS server and it works.

vadim.kharchenko Tue, 06/10/2008 - 01:26

It doesn't work :(

But I noticed the following issue:

If I enter the login & password of any user from AD, then I see "incorrect login" and in debug webvpn "AAA status = (REJECT)".

If I enter the login & password of my admin user with priv 15, I see in debug webvpn "AAA status = (ACCEPT)" and on the login page "Login denied, unauthorized connection mechanism, contact your administrator."

I don't know why... (((

Farrukh Haroon Tue, 06/10/2008 - 05:12

I think your current WebVPN is landing on the DefaultRAGroup (the configuration of which is missing from the text file you attached in your first post). Use this link to configure your ASA such that you can 'select' the tunnel-group at logon time:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml


This way, at least you know on which tunnel-group you are landing.


Regards


Farrukh
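
Tunnel-group selection at logon, as suggested in the reply above, shown as an added example that is not taken from the thread or from the linked Cisco document. The names WEBVPN-USERS, Staff, WEBVPN-POLICY and RADIUS-AD are hypothetical, and the aaa-server group RADIUS-AD is assumed to be defined already.

```cisco
! Added example; all object names below are hypothetical placeholders.

! Group policy that explicitly permits clientless WebVPN sessions.
group-policy WEBVPN-POLICY internal
group-policy WEBVPN-POLICY attributes
 vpn-tunnel-protocol webvpn

! Dedicated tunnel-group for WebVPN users, authenticating against
! the existing RADIUS server group instead of the default group's settings.
tunnel-group WEBVPN-USERS type remote-access
tunnel-group WEBVPN-USERS general-attributes
 authentication-server-group RADIUS-AD
 default-group-policy WEBVPN-POLICY

! The alias is the name shown in the drop-down on the login page.
tunnel-group WEBVPN-USERS webvpn-attributes
 group-alias Staff enable

! Show the tunnel-group drop-down on the WebVPN login page, so the
! login no longer falls through to a default tunnel-group.
webvpn
 tunnel-group-list enable

! Check the AAA path independently of WebVPN (exec mode; fill in your own values):
! test aaa-server authentication RADIUS-AD host <server-ip> username <user> password <password>
```

With the list enabled, the `tgroup = NULL` lines in the debug output should be replaced by the selected group, which makes it clear which tunnel-group and group policy the login is evaluated against.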

