Some trouble with WebVPN

Jun 8th, 2008
Hello - when I configure my ASA 5520 with software 8.0(3) I have the following problem:

When I enter the secure desktop and type my login and password I see "incorrect login"

On the ASA I see this:

INFO: debug webvpn enabled at level 200.

HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_portal.c:http_webvpn_kill_cookie[632]

webvpn_auth.c:http_webvpn_pre_authentication[2009]

WebVPN: calling AAA with ewsContext (-932106496) and nh (-932109336)!

WebVPN: started user authentication...

webvpn_auth.c:webvpn_aaa_callback[4537]

WebVPN: AAA status = (REJECT)

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_auth.c:http_webvpn_post_authentication[1233]

WebVPN: user: (evkuzin) rejected.

http_remove_auth_handle(): handle 76 not found!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!


But the RADIUS logs are clean!!!


What's wrong?



Farrukh Haroon Mon, 06/09/2008 - 02:22

Did you check the Radius connectivity with the AAA server using the 'test' command on the ASA?


Regards


Farrukh

vadim.kharchenko Mon, 06/09/2008 - 03:14

Yes - I'm sure that the connection to RADIUS works properly, because besides WebVPN I configured remote IPsec VPN with authentication on this RADIUS and it works.

Farrukh Haroon Mon, 06/09/2008 - 23:36

Were you able to get this working?


Regards


Farrukh

vadim.kharchenko Tue, 06/10/2008 - 01:26

It doesn't work :(

But I noticed the following issue:

If I enter the login & password of any user from AD, then I see "incorrect login" and in debug webvpn "AAA status = (REJECT)".

If I enter the login & password of my admin user with priv 15, I see in debug webvpn "AAA status = (ACCEPT)" and on the login page "Login denied, unauthorized connection mechanism, contact your administrator."

I don't know why... (((

vadim.kharchenko Tue, 06/10/2008 - 03:12

I think that in the WebVPN settings I should enter tunnel-group test. But where... :)

Farrukh Haroon Tue, 06/10/2008 - 05:12

I think your current WebVPN is landing on the DefaultRAGroup (the configuration of which is missing from the text file you attached in your first post). Use this link to configure your ASA such that you can 'select' the tunnel-group at logon time:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml


This way, at least you know on which tunnel-group you are landing.


Regards


Farrukh
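
An added example, not part of the original thread and not Cisco tooling: a small Python parser for `debug webvpn` output in the format quoted in the first post, pairing each AAA decision with the tunnel-group the login form submitted. The sample log is constructed, the non-NULL form `tgroup = test` is an assumption, and reading `tgroup = NULL` as "no tunnel-group selected at logon" follows the diagnosis in the reply above.

```python
import re

TGROUP = re.compile(r"ewaFormSubmit_webvpn_login: tgroup = (\S+)")
AAA = re.compile(r"WebVPN: AAA status = \((\w+)\)")
USER = re.compile(r"WebVPN: user: \((.+?)\) rejected")

# Constructed sample: first attempt mirrors the thread's output (user name
# replaced), second attempt assumes how a selected tunnel-group would print.
SAMPLE = """\
HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
WebVPN: started user authentication...
WebVPN: AAA status = (REJECT)
ewaFormSubmit_webvpn_login: tgroup = NULL
WebVPN: user: (user1) rejected.
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgroup = test
WebVPN: started user authentication...
WebVPN: AAA status = (ACCEPT)
"""

def summarize(debug_text):
    """Return one dict per AAA decision found in the debug output."""
    attempts, tgroup = [], None
    for line in debug_text.splitlines():
        if m := TGROUP.search(line):
            # NULL: the login form carried no tunnel-group selection
            tgroup = None if m.group(1) == "NULL" else m.group(1)
        elif m := AAA.search(line):
            attempts.append({"status": m.group(1), "tgroup": tgroup, "user": None})
        elif (m := USER.search(line)) and attempts:
            # The rejected-user line follows the AAA decision it belongs to
            attempts[-1]["user"] = m.group(1)
    return attempts

def no_group_selected(attempts):
    """Attempts that were evaluated without an explicit tunnel-group."""
    return [a for a in attempts if a["tgroup"] is None]

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a)
```
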


vadim.kharchenko Tue, 06/10/2008 - 09:16

Yes - thank you. Now it's working. But in the cfg I don't see DefaultRAGroup...


Farrukh Haroon Tue, 06/10/2008 - 23:32

Did you try


"show run all tunnel-group"


It should be there


Regards


Farrukh
