I've run into a problem using the AnyConnect client after upgrading ASA5510 to 8.3.2 (from 8.3.1). After entering username and password in browser, the error message "Login denied. Your environment does not meet the access criteria defined by your administrator." pops up.
1. Connecting to ASA 8.3.1 and 8.2.3 works fine with Dynamic Access policies (DAP) defined
2. Connecting to ASA 8.3.2 fails when DAP policies are defined
3. Connecting to ASA 8.3.2 works fine when no DAP policies (except DfltAccessPolicy) are defined
4. Error messages in syslog file are "%ASA-3-734004: DAP: Processing error: Code 2358" and "%ASA-3-734004: DAP: Processing error: Code 3626"
5. Cisco Secure Desktop is enabled, but only performs Host Scan checks.
The software versions in use:
- Cisco Secure Desktop 3.5.1077
- AnyConnect 2.5.0217
- Clients used for testing are running WinXP and Vista
It doesn't seem to matter what the DAP policy contains, just that it exists. I've tried adding a new policy with a single "Application = IPsec" (which it should skip, moving on to DfltAccessPolicy) and one with a single "Application = AnyConnect" (which it should match and allow access). IPsec clients match the first one and carry on as usual, but the AnyConnect client stops as long as there is at least one policy defined. The problem exists even if the DfltAccessPolicy is set to "Continue".
I see this problem on two different ASA5510s. Is this a known problem?