Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Anyconnect ssl authentication problem on ASA 5510

Hello.

We have basic ASA scenario setup in a  production environment configured for SSL anyconnect and security plus license. The authentication is using Radius server on a Windows 2012 and group membership in AD group to grant access. However, when I try to connect either using the webvpn link or the installed anyconnect client I am getting Login Failed error message, but apparently the authentication was successful (see debug below).

The running config of the vpn is 

ASA Version 9.1(3)
!
ip local pool pool1 10.150.30.1-10.150.30.250 mask 255.255.255.0

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.150.30.0_24 NETWORK_OBJ_10.150.30.0_24 no-proxy-arp route-lookup

aaa-server SAD protocol radius
aaa-server SAD (inside) host 192.168.10.15
 key *****

http server enable
crypto ca certificate chain comodo.trustpoint
ssl trust-point comodo.trustpoint outside

webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.8
 vpn-filter value
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 
group-policy GroupPolicy_Story-Anyconnect-VPN internal
group-policy GroupPolicy_Story-Anyconnect-VPN attributes
 wins-server none
 dns-server value 192.168.10.8
 vpn-tunnel-protocol ssl-client ssl-clientless

tunnel-group Story-Anyconnect-VPN type remote-access
tunnel-group Story-Anyconnect-VPN general-attributes
 address-pool pool1
 authentication-server-group SAD
 default-group-policy GroupPolicy_Story-Anyconnect-VPN
tunnel-group Story-Anyconnect-VPN webvpn-attributes
 group-alias Story-Anyconnect-VPN enable

 

Whenever I try to login using domain account from the webvpn portal I get Login failed and the following dump

 

SA5510-Story-FW(config-webvpn)# webvpn_allocate_auth_struct: net_handle = 0xae330f88
webvpn_portal.c:ewaFormSubmit_webvpn_login[3628]
webvpn_portal.c:webvpn_login_validate_net_handle[2542]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2562]
webvpn_portal.c:webvpn_login_assign_app_next[2580]
webvpn_portal.c:webvpn_login_cookie_check[2597]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2654]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2688]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2750]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2802]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2875]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_negotiate_client_cert[2965]
webvpn_portal.c:webvpn_login_check_cert_status[3063]
webvpn_portal.c:webvpn_login_cert_only[3111]
webvpn_portal.c:webvpn_login_primary_username[3133]
webvpn_portal.c:webvpn_login_primary_password[3212]
webvpn_portal.c:webvpn_login_secondary_username[3244]
webvpn_portal.c:webvpn_login_secondary_password[3319]
webvpn_portal.c:webvpn_login_extra_password[3431]
webvpn_portal.c:webvpn_login_set_cookie_flag[3450]
webvpn_portal.c:webvpn_login_set_auth_group_type[3473]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_not_resuming[3551]
webvpn_portal.c:http_webvpn_kill_cookie[1053]
webvpn_auth.c:http_webvpn_pre_authentication[2087]
WebVPN: calling AAA with ewsContext (-1398866832) and nh (-1372385400)!
webvpn_add_auth_handle: auth_handle = 1985
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5336]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3628]
webvpn_portal.c:webvpn_login_validate_net_handle[2542]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2562]
webvpn_portal.c:webvpn_login_assign_app_next[2580]
webvpn_portal.c:webvpn_login_cookie_check[2597]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2654]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2688]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2750]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2802]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2875]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2965]
webvpn_portal.c:webvpn_login_check_cert_status[3063]
webvpn_portal.c:webvpn_login_cert_only[3111]
webvpn_portal.c:webvpn_login_primary_username[3133]
webvpn_portal.c:webvpn_login_primary_password[3212]
webvpn_portal.c:webvpn_login_secondary_username[3244]
webvpn_portal.c:webvpn_login_secondary_password[3319]
webvpn_portal.c:webvpn_login_extra_password[3431]
webvpn_portal.c:webvpn_login_set_cookie_flag[3450]
webvpn_portal.c:webvpn_login_set_auth_group_type[3473]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3503]
webvpn_auth.c:http_webvpn_post_authentication[1415]
WebVPN: user: (daniel) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2794]
webvpn_session.c:http_webvpn_create_session[219]
webvpn_session.c:http_webvpn_find_session[175]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[175]
webvpn_session.c:http_webvpn_destroy_session[1587]
webvpn_remove_auth_handle: auth_handle = 1985
webvpn_free_auth_struct: net_handle = 0xae330f88
webvpn_allocate_auth_struct: net_handle = 0xae330f88
webvpn_free_auth_struct: net_handle = 0xae330f88

If I go about login from the installed Anyconnect client on the PC then i get 

ASA5510-Story-FW(config-webvpn)# Public archive directives retrieved from cache for index 1.

 

Can you please help me on that problem. Thanks

2 REPLIES
New Member

Enable the below debugs and

Enable the below debugs and connect using anyconnect vpn client and the get the debugs.

ASA5500-7# debug webvpn 255

ASA5500-7# debug radius all

Are you using DAP policies?

 

Cisco Employee

hi,Please also share the

hi,

Please also share the output of show vpn-sessiondb license-summary.

Plus sh version

202
Views
0
Helpful
2
Replies
CreatePlease to create content