AnyConnect and DAP not working on ASA 8.3.2?

Aug 23rd, 2010

Hi,


I've run into a problem using the AnyConnect client after upgrading ASA5510 to 8.3.2 (from 8.3.1). After entering username and password in browser, the error message "Login denied. Your environment does not meet the access criteria defined by your administrator." pops up.


Some findings:


1. Connecting to ASA 8.3.1 and 8.2.3 works fine with Dynamic Access policies (DAP) defined
2. Connecting to ASA 8.3.2 fails when DAP policies are defined
3. Connecting to ASA 8.3.2 works fine when no DAP policies (except DfltAccessPolicy) are defined
4. Error messages in syslog file are "%ASA-3-734004: DAP: Processing error: Code 2358" and "%ASA-3-734004: DAP: Processing error: Code 3626"
5. Cisco Secure Desktop is enabled, but only performs Host Scan checks.


The software versions in use:


- Cisco Secure Desktop 3.5.1077
- AnyConnect 2.5.0217
- Clients used for testing are running WinXP and Vista


It doesn't seem to matter what the DAP policy contains, just that it exists. I've tried to add a new policy with a single "Application = IPsec" (which it should skip and move to DfltAccessPolicy) and one with a single "Application = AnyConnect" (which it should match and be allowed access). IPsec clients match the first one and carry on as usual, but the AnyConnect client stops as long as there is at least one policy defined. The problem exists even if the DfltAccessPolicy is set to "Continue".


I see this problem on two different ASA5510s. Is this a known problem?


Rahul Govindan Mon, 08/23/2010 - 06:25

Hi,


There have been issues with DAP being broken in newer codes. The debug dap trace and debug dap error output while login should show you the error in dap that you are facing. Please post the same here. Also I would suggest you open a service request with Cisco TAC to diagnose the problem as it does seem like you are hitting a bug with dap.

Correct Answer
Todd Pula Mon, 08/23/2010 - 07:51

More than likely you are running into bug CSCth56065.  If you open up a case with TAC, we can provide you with the 8.3.2.1 interim which includes the fix.

Bjorn-Helge Bjo... Mon, 08/23/2010 - 08:35

It certainly seems like the same bug. The output from "debug dap trace" + "debug dap errors" is:


DAP_ERROR: Username: xyz, dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
DAP_ERROR: Username: xyz, ERROR selecting DAP records
DAP_TRACE: Username: xyz, Action set to terminate
DAP_TRACE: Username: xyz, DAP_close: A7F6DA88


I'll create a case with TAC. Is there an estimate on when the next "normal" release with this fix will be released?
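The syslog codes quoted in the original question and the "debug dap trace" / "debug dap errors" lines quoted in the reply above are the two places this failure shows up. The following Python script is an added example, not code from the thread or from Cisco: it parses both message formats, counts the %ASA-3-734004 processing-error codes, lists the usernames whose DAP record selection failed, and flags whether the Host Scan "got nil" signature is present. The sample log lines are constructed for the example (the message text is copied from the thread; timestamps and hostname are made up), and the set of "known" codes is simply the two codes reported in this thread, so anything else gets listed separately for a closer look.

```python
import re
from collections import defaultdict

# Message formats as quoted in this thread.
SYSLOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-734004: DAP: Processing error: Code (?P<code>\d+)"
)
DEBUG_RE = re.compile(
    r"DAP_(?P<kind>ERROR|TRACE): Username: (?P<user>[^,]+), (?P<msg>.*)"
)

# Codes reported in the original question; others are surfaced as "unknown".
KNOWN_CODES = {"2358", "3626"}
HOSTSCAN_NIL_MARKER = "Unable to load Host Scan data"

# Constructed sample input: timestamps/hostname invented, message bodies from the thread.
SAMPLE_LOG = """\
Aug 23 06:10:01 asa5510-a %ASA-3-734004: DAP: Processing error: Code 2358
Aug 23 06:10:01 asa5510-a %ASA-3-734004: DAP: Processing error: Code 3626
Aug 23 06:10:01 asa5510-a %ASA-6-302013: Built inbound TCP connection (unrelated line)
DAP_ERROR: Username: xyz, dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
DAP_ERROR: Username: xyz, ERROR selecting DAP records
DAP_TRACE: Username: xyz, Action set to terminate
DAP_TRACE: Username: xyz, DAP_close: A7F6DA88
"""


def parse_line(line):
    """Return ("syslog", fields) or ("debug", fields), or None for lines we don't care about."""
    m = SYSLOG_RE.search(line)
    if m:
        return ("syslog", {"severity": int(m.group("sev")), "code": m.group("code")})
    m = DEBUG_RE.search(line)
    if m:
        return ("debug", {"kind": m.group("kind"),
                          "user": m.group("user").strip(),
                          "msg": m.group("msg").strip()})
    return None


def triage(lines):
    """Summarise DAP failures across a mix of syslog and debug-dap lines."""
    codes = defaultdict(int)          # processing-error code -> occurrences
    failed_users = set()              # users for whom DAP record selection failed
    hostscan_signature = False        # Host Scan data could not be loaded (nil argument)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "syslog":
            codes[f["code"]] += 1
        elif f["kind"] == "ERROR":
            if "ERROR selecting DAP records" in f["msg"]:
                failed_users.add(f["user"])
            if HOSTSCAN_NIL_MARKER in f["msg"]:
                hostscan_signature = True
    return {
        "codes": dict(codes),
        "unknown_codes": sorted(c for c in codes if c not in KNOWN_CODES),
        "failed_users": sorted(failed_users),
        "hostscan_signature": hostscan_signature,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the output of "show logging" together with the debug session instead of SAMPLE_LOG; a result where both known codes appear and hostscan_signature is True on an ASA that has at least one DAP record beyond DfltAccessPolicy matches the pattern described in this thread.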

noepkes51 Thu, 09/16/2010 - 06:46

This bug burned me too.  I didn't see anything about this in the release notes.


We ran into a "catastrophic" bug in 8.2.3 code. One of our ASAs showed being licensed for 10GE, and the other was not. As there was a license inconsistency between the two ASAs, we had failover issues with both firewalls acting as Primary. We had to back off 8.3.2 and are now running 8.2.2.21 on both ASAs, which still protects us from the vulnerabilities that took us to 8.2.3.

However, at 8.2.2.21, we are also running into the exact same DEBUG DAP ERROR messages as noted above and none of our AnyConnect clients are able to connect.

kailey_gauthier Thu, 12/30/2010 - 11:05

This is affecting me too. This makes endpoint posture assessment and DAP records completely useless. The bug one of the other posters references shows the same symptoms, but they don't mention our version, code 8.3(2). What gives?

Todd Pula Thu, 12/30/2010 - 11:19

Bug CSCth56065 was resolved in 8.3.2.1 so you will need to upgrade to a more recent interim image in order to get the fix.

kailey_gauthier Thu, 12/30/2010 - 11:20

Wow, thanks for the fast reply. Do I need to contact Cisco for that version? Will interim 8.3(2.4) fix this, as that's the only interim I found on my downloads?

Todd Pula Thu, 12/30/2010 - 11:30

Glad I could help.  The 8.3.2.4 image will include the fix as well.

eric.stewart Mon, 01/17/2011 - 11:19

Great work folks! I stumbled onto this forum posting via Google as I was having the same problem. I'm downloading 8.3.24 (interim) and I will see if it fixes my problem.


Thanks,


/Eric

Todd Pula Mon, 01/17/2011 - 11:33

Glad I could help!


Todd
