ASA5520 Clientless VPN -Login Failed.

Unanswered Question
Jan 7th, 2009


No matter how the clientless vpn is configured I get a login failed after trying to login despite the details being correct,

If anyone has encounterd this before any help would be great.


The attachment is syslog output during an attempt, it appears sucessful but it doesnt work.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Wed, 01/07/2009 - 12:54

logs seems you are authenticated, it is just from single LMSCAM-ADMIN user or no webvpn at all?

can you post a screen shoot of client browser for the first initial login, are you getting completly logged in after authentication, any browser errors during that initial login ?

l.topliss Thu, 01/08/2009 - 01:13

Hi, Thanks for you reply,

This is the initial setup and I have never been able to login without getting login failed.

I have tried authenticating using radius but that appears successful in the syslog and has the same results.

The only error is that its an unverified certificate, it seems like its successful then times out. I have tried it on some other pc as I thought it was maybe a browser issue, but it doesn't work on them either.

JORGE RODRIGUEZ Thu, 01/08/2009 - 08:54

ok.. SSL is straight forward depending which one u used, I suggest go to this link and review your implementation , in same link is three types of SSL webvpn technologies for reference, make sure you meet the requirements for the client side.. once you have checked the implementation and requirements to be fine, we could start troubleshooting. Can you also indicate what version of ASA code is your ASA under.


l.topliss Fri, 01/09/2009 - 05:55

ok thanks, I will work through that document,

my asa version is:

Cisco Adaptive Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)

l.topliss Fri, 01/09/2009 - 07:39

The config appears correct for Clientless SSL VPN, I am try to setup access to an internal website.

The only thing I dont have setup is the netbios server.

Using the debug webvpn, I have encoutered this error

WebVPN: started user authentication...

class inspection_default

WebVPN: AAA status = (ACCEPT)

WebVPN: user: (LMSCAM-ADMIN) authenticated.


INFO: debug webvpn enabled at level 15.

ciscoasa# webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = cc32ed08

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL



WebVPN: calling AAA with ewsContext (-869078928) and nh (-836976872)!


WebVPN: started user authentication...


WebVPN: AAA status = (ACCEPT)


ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = cc32ed08

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL


WebVPN: user: (LMSCAM-ADMIN) authenticated.


User came in on group he wasn't supposed to come in on!

franpena2008 Fri, 05/21/2010 - 04:40

Good morning,

Did you resolve this problem?

Same issue happens to me, configured local user or radius user, I pass the authentication but

in the web browser it says login incorrect...

Thanks for your help


l.topliss Fri, 05/21/2010 - 06:02


This was a while ago but i did fix it,

I think it I did it on group policy on the ASA, there is an option for tunnel group lock, this resloved my problem



Smailmilak83_2 Wed, 06/16/2010 - 00:43


I have the same problem (same AAA debug output).

I entered this in the group-policy:

group-policy SSL-CLIENTLESS internal

group-policy SSL-CLIENTLESS attributes

dns-server value

vpn-tunnel-protocol webvpn

group-lock value SSL-CLIENTLESS   THIS ONE

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ssl-tunnel


  homepage value

  port-forward disable

  svc ask none default webvpn

  deny-message value ACCESS DENIED


UASA# sh run tunnel-group SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS type remote-access
tunnel-group SSL-CLIENTLESS general-attributes
address-pool SSLVPN
authentication-server-group vpn
default-group-policy SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS webvpn-attributes
group-alias POS enable
tunnel-group SSL-CLIENTLESS ipsec-attributes
isakmp ikev1-user-authentication none

I still have the same problem with the AAA authentication.

Can anyone help me out?

kkingkill Wed, 01/25/2012 - 01:19

yes, it's so strange,  group-lock DefaultWEBVPNGroup is OK.But when I use others  tunnel-group,it display login failed.

Kirupairajah Sa... Wed, 08/14/2013 - 01:59


ASA 5585

I came across the same issue , suddently my ASA prompting login failed issue ... I did failover and restart the Boxes .. but no luck..
After I disable and re enable webvpn .. It is working .. It might be IOS bug and I opend a case .. let me post you once  I receved root cause from CISCO

CCIE 38651 R&S

smailmilak Wed, 08/14/2013 - 02:03

This was three years ago
I remember that I solved the issue with this command:

aaa-server vpnssl protocol nt

reactivation-mode depletion deadtime 1

max-failed-attempts 5

"protocol nt" did the trick.

Joseph Gaefe Sat, 05/03/2014 - 22:51

I just ran into this very similar issue.  SSL vpn service had recently been setup and working.  Attempted to access it via iPhone Safari and received login failed.  Then logged out of browser on Mac (thinking only one login at a time) and login from iPhone still failed.  attempted to re-login on Mac (Safari and Firefox) and login failed.  

Solution:  restarted webvpn...

conf t
no webvpn
   enable outside
   anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
   anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
   anyconnect enable
   tunnel-group-list enable


my_ASA# sho ver

Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)

Compiled on Thu 27-Mar-14 09:36 by builders
System image file is "disk0:/asa915-k8.bin"
Config file at boot was "startup-config"

my_ASA up 26 days 4 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB


This Discussion