01-07-2009 07:49 AM - edited 02-21-2020 03:11 AM
Hi,
No matter how the clientless VPN is configured, I get a login failed after trying to log in, despite the details being correct.
If anyone has encountered this before, any help would be great.
Thanks
The attachment is syslog output during an attempt; it appears successful but it doesn't work.
01-07-2009 12:54 PM
From the logs it seems you are authenticated. Is it just the single LMSCAM-ADMIN user, or no webvpn at all?
Can you post a screenshot of the client browser for the first initial login? Are you getting completely logged in after authentication? Any browser errors during that initial login?
01-08-2009 01:13 AM
Hi, thanks for your reply.
This is the initial setup and I have never been able to log in without getting login failed.
I have tried authenticating using RADIUS, but that appears successful in the syslog and has the same results.
The only error is that it's an unverified certificate; it seems like it's successful, then times out. I have tried it on some other PCs as I thought it was maybe a browser issue, but it doesn't work on them either.
01-08-2009 08:54 AM
OK. SSL is straightforward depending on which one you used. I suggest you go to this link and review your implementation; the same link covers three types of SSL webvpn technologies for reference. Make sure you meet the requirements for the client side. Once you have checked that the implementation and requirements are fine, we could start troubleshooting. Can you also indicate what version of ASA code your ASA is running?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml
Regards
01-09-2009 05:55 AM
OK thanks, I will work through that document.
My ASA version is:
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)
01-09-2009 07:39 AM
The config appears correct for Clientless SSL VPN. I am trying to set up access to an internal website.
The only thing I don't have set up is the NetBIOS server.
Using debug webvpn, I have encountered this error:
WebVPN: started user authentication...
class inspection_default
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (LMSCAM-ADMIN) authenticated.
TCP
INFO: debug webvpn enabled at level 15.
ciscoasa# webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = cc32ed08
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_auth.c:http_webvpn_pre_authentication[2154]
WebVPN: calling AAA with ewsContext (-869078928) and nh (-836976872)!
webvpn_auth.c:webvpn_add_auth_handle[4702]
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4740]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = cc32ed08
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_post_authentication[1306]
WebVPN: user: (LMSCAM-ADMIN) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2622]
User came in on group he wasn't supposed to come in on!
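An added example, not part of the original posts: a small Python triage of debug webvpn output that separates a real AAA failure from the case shown above, where AAA returns ACCEPT and the session is then refused with the group message. The sample input is constructed from the debug lines quoted above; the function name and verdict labels are hypothetical.

```python
import re

# Constructed sample, trimmed from the debug lines quoted in the post above.
SAMPLE = """\
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_pre_authentication[2154]
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4740]
WebVPN: AAA status = (ACCEPT)
webvpn_auth.c:http_webvpn_post_authentication[1306]
WebVPN: user: (LMSCAM-ADMIN) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2622]
User came in on group he wasn't supposed to come in on!
"""

AAA_RE = re.compile(r"WebVPN: AAA status = \((\w+)\)")
USER_RE = re.compile(r"WebVPN: user: \((.+?)\) authenticated\.")
TGROUP_RE = re.compile(r"ewaFormSubmit_webvpn_login: tgroup = (\S+)")
START = "WebVPN: started user authentication"
MISMATCH = "User came in on group he wasn't supposed to come in on!"


def triage(debug_text):
    """Split debug output into login attempts and classify each one."""
    attempts, cur, tgroup = [], None, None
    for line in debug_text.splitlines():
        line = line.strip()
        if m := TGROUP_RE.search(line):
            tgroup = m.group(1)            # tunnel group reported at form submit
            if cur is not None:
                cur["tgroup"] = tgroup
        if START in line:                  # a new authentication attempt begins
            cur = {"user": None, "aaa": None, "tgroup": tgroup,
                   "verdict": "incomplete"}
            attempts.append(cur)
        if cur is None:
            continue
        if m := AAA_RE.search(line):
            cur["aaa"] = m.group(1)
            cur["verdict"] = ("aaa-accepted" if m.group(1) == "ACCEPT"
                              else "aaa-rejected")
        elif m := USER_RE.search(line):
            cur["user"] = m.group(1)
        elif MISMATCH in line and cur["aaa"] == "ACCEPT":
            # Credentials were fine; the session was refused at the group check.
            cur["verdict"] = "accepted-then-group-rejected"
    return attempts
```

A verdict of accepted-then-group-rejected points troubleshooting away from the AAA server and credentials and toward the group settings on the ASA.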
05-21-2010 04:40 AM
Good morning,
Did you resolve this problem?
The same issue happens to me: with a local user or RADIUS user configured, I pass the authentication but
in the web browser it says login incorrect...
Thanks for your help
Fran
05-21-2010 06:02 AM
Hi,
This was a while ago but I did fix it.
I think I did it on the group policy on the ASA; there is an option for tunnel group lock, and this resolved my problem.
Regards
Lewis
06-16-2010 12:43 AM
Hi,
I have the same problem (same AAA debug output).
I entered this in the group-policy:
group-policy SSL-CLIENTLESS internal
group-policy SSL-CLIENTLESS attributes
dns-server value 192.168.10.101
vpn-tunnel-protocol webvpn
group-lock value SSL-CLIENTLESS   <-- THIS ONE
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ssl-tunnel
webvpn
homepage value http://192.168.10.195:8080/blablabla
port-forward disable
svc ask none default webvpn
deny-message value ACCESS DENIED
TUNNEL-GROUP:
UASA# sh run tunnel-group SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS type remote-access
tunnel-group SSL-CLIENTLESS general-attributes
address-pool SSLVPN
authentication-server-group vpn
default-group-policy SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS webvpn-attributes
radius-reject-message
group-alias POS enable
tunnel-group SSL-CLIENTLESS ipsec-attributes
isakmp ikev1-user-authentication none
I still have the same problem with the AAA authentication.
Can anyone help me out?
01-25-2012 01:19 AM
Yes, it's so strange: group-lock DefaultWEBVPNGroup is OK. But when I use other tunnel-groups, it displays login failed.
08-14-2013 01:59 AM
PLATFORM
disk0:/asa846-smp-k8.bin
ASA 5585
I came across the same issue; suddenly my ASA started prompting login failed. I did a failover and restarted the boxes, but no luck.
After I disabled and re-enabled webvpn, it is working. It might be an IOS bug and I opened a case. I will post here once I have received the root cause from Cisco.
Shatheesh
CCIE 38651 R&S
08-14-2013 02:03 AM
This was three years ago
I remember that I solved the issue with this command:
aaa-server vpnssl protocol nt
reactivation-mode depletion deadtime 1
max-failed-attempts 5
"protocol nt" did the trick.
05-03-2014 10:51 PM
I just ran into this very similar issue. The SSL VPN service had recently been set up and was working. I attempted to access it via iPhone Safari and received login failed. I then logged out of the browser on the Mac (thinking only one login at a time) and login from the iPhone still failed. I attempted to log in again on the Mac (Safari and Firefox) and login failed.
Solution: restarted webvpn...
conf t
no webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
anyconnect enable
tunnel-group-list enable
my_ASA# sho ver
Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)
Compiled on Thu 27-Mar-14 09:36 by builders
System image file is "disk0:/asa915-k8.bin"
Config file at boot was "startup-config"
my_ASA up 26 days 4 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB