Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

some trouble with webvpn

Hello - when i confogure my asa 5520 with software 8.0(3) I have next problem:

When i enter to secure desktop and print my login and passwd i see "incorrect login"

on asa i see this:

INFO: debug webvpn enabled at level 200.

HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_portal.c:http_webvpn_kill_cookie[632]

webvpn_auth.c:http_webvpn_pre_authentication[2009]

WebVPN: calling AAA with ewsContext (-932106496) and nh (-932109336)!

WebVPN: started user authentication...

webvpn_auth.c:webvpn_aaa_callback[4537]

WebVPN: AAA status = (REJECT)

webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]

ewaFormSubmit_webvpn_login: tgCookie = 0

ewaFormSubmit_webvpn_login: cookie = c9938928

ewaFormSubmit_webvpn_login: tgCookieSet = 0

ewaFormSubmit_webvpn_login: tgroup = NULL

webvpn_auth.c:http_webvpn_post_authentication[1233]

WebVPN: user: (evkuzin) rejected.

http_remove_auth_handle(): handle 76 not found!

webvpn_auth.c:webvpn_auth[476]

WebVPN: no cookie present!!

But radius logs a clean!!!

what wrong?

10 REPLIES

Re: some trouble with webvpn

Did you check the Radius connectivity with the AAA server using the 'test' command on the ASA?

Regards

Farrukh

New Member

Re: some trouble with webvpn

Yes - i'm sure that the connection to radius work propertly because beside webvpn i configure remote ipsec vpn with authentification on this radius and it's work.

Re: some trouble with webvpn

I'm assuming your WebVPN connections are landing on "tunnel-group test", Why do you have "authentication certificate" command there?

Also make sure you follow the instructions on the following link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809888e5.shtml#topicsubsub

Regards

Farrukh

Re: some trouble with webvpn

Also try to compare your debugs with the following page, and if possible post them over here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml

Regards

Farrukh

Re: some trouble with webvpn

Were you able to get this working?

Regards

Farrukh

New Member

Re: some trouble with webvpn

It's not work :(

But i noticed the following issue:

If i write login & pass any users from AD, then i see "incorrect login" and in debug webvpn "AAA status = (REJECT)"

If i write login & pass my admin user with priv 15 - i see on debug webvpn "AAA status = (ACCEPT) and on login page "Login denied, unauthorized connection mechanism, contact your administrator."

I don't know why... (((

New Member

Re: some trouble with webvpn

I think that in the settings webvpn I should enter tunnel-group test. But where... :)

Re: some trouble with webvpn

I think your current WebVPN is landing on the DefaultRAGroup (the configuration of which is missing from the text file you attached in your first post), use this link to configure your ASA such that you can 'select' the tunnel-group at logon time:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

This way, at least you know no which tunnel-group you are landing.

Regards

Farrukh

New Member

Re: some trouble with webvpn

Yes - thank you. Now it's working. But in cfg i don't see DefaultRAGroup...

Re: some trouble with webvpn

Did you try

"show run all tunnel-group"

It should be there

Regards

Farrukh

1748
Views
4
Helpful
10
Replies
CreatePlease login to create content