Cisco Support Community

New Member

Can't connect using AnyConnect. Using Kerberos to authenticate via AD

Hi everyone,

I'm trying to configure my ASA with AnyConnect in my test lab, but I'm coming across problems. Basically I'm authenticating usernames and passwords using Active Directory (Kerberos). From the ASDM I can test Active Directory authentication and it's successful. But when I try to use AnyConnect from my PC it fails. No error messages come up! I don't know what I'm doing wrong here, so I was just wondering if anyone can take a look at my config and help me find any mistakes. Any help is appreciated. Thanks

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address standby
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address
ftp mode passive
clock timezone GMT 0
access-list NONAT extended permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ACuserPOOL mask
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover standby
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACauthentication protocol kerberos
aaa-server ACauthentication (inside) host
timeout 5
kerberos-realm LAB.NET
aaa authentication http console ACauthentication
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ACpolicy internal
group-policy ACpolicy attributes
vpn-tunnel-protocol svc
tunnel-group ACusers type remote-access
tunnel-group ACusers general-attributes
address-pool ACuserPOOL
authentication-server-group ACauthentication
default-group-policy ACpolicy
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip

New Member

Re: Can't connect using AnyConnect. Using Kerberos to authenticate via AD

Anyone? Really struggling with this :-( The authentication test is successful and I can ping from my host to the outside firewall interface. Can someone point me in the right direction? Thanks

Cisco Employee

Re: Can't connect using AnyConnect. Using Kerberos to authenticate via AD

Two things:

Make sure time is synced between your ASA and your AD server - Kerberos is time sensitive.

In your user settings in AD, there is a checkbox for 'require Kerberos pre-authentication'. Try selecting/deselecting that box and see if there is any change in behavior.

Also - what is the OS of the AD server?

If that doesn't work, get a 'debug aaa common 255' and 'debug kerberos 255' from the ASA.

New Member

Re: Can't connect using AnyConnect. Using Kerberos to authenticate via AD

The AD and ASA are time synced with an external NTP server, and I know this works fine as I have tested it in ASDM. It even authenticates the usernames. I have some users with pre-authentication enabled and some disabled. The OS is Server 2003. Anyway, I've enabled the debug and I can't make sense of it. I haven't touched firewalls in years. Here's the output from the debug:

AAA API: In aaa_open
AAA session opened: handle = 205
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(6d9c6a80) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LOCAL)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
User: user1
In localauth_ioctl
Local authentication of user user1
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 205, pAcb = 6f3e43a4
aaa_backend_callback: Error:
AAA task: aaa_process_msg(6d9c6a80) received message type 1
AAA FSM: In AAA_ProcSvrResp

Back End response:
Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = , tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:

user policy attributes:

tunnel policy attributes:

Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(6d9c6a80) received message type 3
In aaai_close_session (205)

Cisco Employee

Re: Can't connect using AnyConnect. Using Kerberos to authenticate via AD

It looks like you're landing on the LOCAL authentication server:

Initiating authentication to primary server (Svr Grp: LOCAL)  <---- LOCAL

This is probably because you are landing on the DefaultWEBVPNGroup connection profile/tunnel-group (where SSL connections land by default unless configured otherwise), and it is set for local authentication by default.

You can either change the authentication on that group to be your Kerberos AAA group, or make the tunnel-group/connection profile available to be chosen instead of DefaultWEBVPNGroup:
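The two fixes described above, written out as ASA CLI. This is an added example, not from the thread or from Cisco's documentation; it reuses the thread's ACusers and ACauthentication names, and <OUTSIDE-IP> is a placeholder for the outside interface address that is redacted in the posted config.

```cisco
! Added example (not from the thread). Two ways to stop AnyConnect sessions
! landing on DefaultWEBVPNGroup, whose default authentication is LOCAL.
!
! Option 1: make the ACusers connection profile selectable by the client,
! either from the AnyConnect group drop-down or via a dedicated URL.
webvpn
 enable outside
 tunnel-group-list enable
tunnel-group ACusers webvpn-attributes
 group-alias ACusers enable
 group-url https://<OUTSIDE-IP>/ACusers enable
!
! Option 2: point the default profile at the Kerberos server group, so a
! session that selects no profile is still checked against AD, not LOCAL.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ACauthentication
!
! Verify after reconnecting (ASA 8.2-era syntax, matching asdm-613):
!   show vpn-sessiondb svc      -> "Tunnel Group" should read ACusers
!   debug aaa common 255        -> "Svr Grp:" should read ACauthentication
```

With only Option 1 in place, a client that does not pick the ACusers profile still falls through to DefaultWEBVPNGroup and LOCAL authentication, so the two options are complementary rather than exclusive.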


New Member

Re: Can't connect using AnyConnect. Using Kerberos to authenticate via AD

I've just changed the authentication from Kerberos to LDAP, but I still seem to be getting the same problem... I've attached the config file with the debugs as well! This is becoming a bit of a nightmare for me :-(

Thanks as always
