AnyConnect and DAP not working on ASA 8.3.2?

Answered Question
Aug 23rd, 2010

Hi,

I've run into a problem using the AnyConnect client after upgrading ASA5510 to 8.3.2 (from 8.3.1). After entering username and password in browser, the error message "Login denied. Your environment does not meet the access criteria defined by your administrator." pops up.

Some findings:

1. Connecting to ASA 8.3.1 and 8.2.3 works fine with Dynamic Access policies (DAP) defined
2. Connecting to ASA 8.3.2 fails when DAP policies are defined
3. Connecting to ASA 8.3.2 works fine when no DAP policies (except DfltAccessPolicy) are defined
4. Error messages in syslog file are "%ASA-3-734004: DAP: Processing error: Code 2358" and "%ASA-3-734004: DAP: Processing error: Code 3626"
5. Cisco Secure Desktop is enabled, but only perform Host Scan checks.

The software versions in use:

- Cisco Secure Desktop 3.5.1077
- AnyConnect 2.5.0217
- Clients used for testing are running WinXP and Vista

It doesn't seem to matter what the DAP policy contains, just that it exists. I've tried to add a new policy with a single "Application = IPsec" (which it should skip and move to DfltAccessPolicy) and one with a single "Application = AnyConnect" (which it should match and be allowed access). IPsec clients match the first one and carry on as usual, but the AnyConnect client stops as long as there is at least one policy defined. The problem exist even if the DfltAccessPolicy is set to "Continue".

I see this problem on two different ASA5510s. Is this a known problem?

I have this problem too.
0 votes
Correct Answer by Todd Pula about 6 years 5 months ago

More than likely you are running into bug CSCth56065.  If you open up a case with TAC, we can provide you with the 8.3.2.1 interim which includes the fix.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (5 ratings)
Loading.
Rahul Govindan Mon, 08/23/2010 - 06:25

Hi,

There have been issues with DAP being broken in newer codes. The debug dap trace and debug dap error output while login should show you the error in dap that you are facing. Please post the same here. Also I would suggest you open a service request with Cisco TAC to diagnose the problem as it does seem like you are hitting a bug with dap.

Correct Answer
Todd Pula Mon, 08/23/2010 - 07:51

More than likely you are running into bug CSCth56065.  If you open up a case with TAC, we can provide you with the 8.3.2.1 interim which includes the fix.

Bjorn-Helge Bjo... Mon, 08/23/2010 - 08:35

It certainly seems like the same bug. The output from "debug dap trace" + "debug dap errors" is:

DAP_ERROR: Username: xyz, dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
DAP_ERROR: Username: xyz, ERROR selecting DAP records
DAP_TRACE: Username: xyz, Action set to terminate
DAP_TRACE: Username: xyz, DAP_close: A7F6DA88

I'll create a case with TAC. Is there en estimate on when the next "normal" release with this fix will be released?

noepkes51 Thu, 09/16/2010 - 06:46

This bug burned me too.  I didn't see anything about this in the release notes.

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";}

We ran into  a “catastrophic” bug in 8.2.3 code. One of our ASA showed being licensed for 10GE, and the other was not.  As there was a license inconsistency between the two ASA’s, we had failover issues with both Firewalls acting as Primary.  We had to back off 8.3.2 and are now running 8.2.2.21 on both ASA’s, which still protects us from the vulnerabilities that took us to 8.2.3.

However, at 8.2.2.21, we are also running into the exact same DEBUG DAP ERROR messages as noted above and none of our AnyConnect clients are able to connect.

kailey_gauthier Thu, 12/30/2010 - 11:05

This is affecting me too. This makes endpoint posture assessment and DAP records completely useless. The bug one of the other posters references shows the same symptoms,  but they don't mention our versions, code 8.3(2), what gives?

Todd Pula Thu, 12/30/2010 - 11:19

Bug CSCth56065 was resolved in 8.3.2.1 so you will need to upgrade to a more recent interim image in order to get the fix.

kailey_gauthier Thu, 12/30/2010 - 11:20

wow, thanks for the fast reply, Do I need to contact cisco for that version? will Interim 8.3.(2.4) fix this, as thats the only interim I found on my downloads

Todd Pula Thu, 12/30/2010 - 11:30

Glad I could help.  The 8.3.2.4 image will include the fix as well.

eric.stewart Mon, 01/17/2011 - 11:19

Great work folks!  I stumbled to this forum posting via Google as I was having the same problem.  I'm downloading 8.3.24 (interim) and I will see if it fixes my problem.

Thanks,

/Eric

Actions

This Discussion

Related Content