
Access issue

ciscoworlds
Level 4

Hi;

I'm trying to configure remote access VPN on Cisco FTD 6.2.2. My internal RADIUS is ISE 2.4 (patch 5). The remote access VPN establishes successfully, but some interesting things happen:

I get double logs on ISE: one shows a failed attempt and the second one shows a successful attempt.

ise.jpg

The details of the failed log are like this (abbreviated):

ise01.jpg

And the details of the successful log are like this (abbreviated):

ise02.jpg

The connection events on FTD show every flow "allowed" through the firewall. I even installed Wireshark and captured packets on an internal server. But the issue is that after the remote access VPN is established successfully on a sample public client, I cannot reach any internal clients. As I said, I get "allowed" connection logs on FTD showing every packet passing through the firewall. On the internal server, I see entries showing that the remote access VPN client has sent packets to it, but the interesting part is that none of those packets have been replied to. I mean, the internal server receives all of the remote access VPN client's packets but doesn't send any response at all. The default gateway of the internal server is the FTD, and it can reach all other networks, but it doesn't respond to the packets it receives from the remote access VPN client.

Any idea?

7 Replies

It seems your ISE policy has an issue, as you match two policies at the same time. What EAP protocol are you using for authentication, and what settings are applied on the endpoint?

Could you please share your policy settings in regards to the VPN setup.

Also, code 24408 points to your user name being locked out. The best course is to go back to AD and unlock this account.

please do not forget to rate.


Hi,

You have an authentication policy called TRAVPN which has multiple statements. The first statement authenticates against AD, which is failing as the error states. The default statement passes the authentication, but you aren't posting the entire logs, so we can't see which identity source is used for the successful authentication. Because ISE performs multiple lookups, you see duplicate logs. To avoid this, either resolve the problem with AD authentication if you are using AD for VPN users, or configure a statement above the AD statement that matches AnyConnect VPN clients as the source and authenticates them against the required identity source (the one used in the default statement that passes the authentication).
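The reply above describes the mechanism behind the duplicate Live Log entries: the request fails against the first identity store in the sequence and is then passed by a later one, producing a failed and a passed record for the same user a second or two apart. The following script, added here as an illustration and not code from the original thread or from Cisco, correlates such records so the pair and the two identity stores involved are visible at a glance. The comma-separated column layout (timestamp, status, username, endpoint ID, identity store, policy set, failure reason) is an assumption modelled loosely on the Live Log columns, and the sample records are constructed, not captured.

```python
"""Correlate ISE RADIUS live-log style records to spot 'double' authentications.

Added example for this thread (not code from the original post or from Cisco).
When an identity source sequence fails a request against one store and then
passes it against the next, the Live Log shows a Failed and a Passed record for
the same user within seconds.  find_double_auths() pairs them up and reports
which store failed and which one actually authenticated the VPN user.

Assumptions (not from the page): the column layout below is modelled loosely on
the ISE Live Log columns; the sample rows are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample, not real ISE data. The first two rows mimic the symptom in
# the thread: the same user fails against one store, then passes against another.
SAMPLE_LOG = """\
2019-03-10 11:45:37.120,Failed,xadmin1,00:11:22:33:44:55,AD1,TRAVPN,AD authentication failed (constructed reason)
2019-03-10 11:45:38.004,Passed,xadmin1,00:11:22:33:44:55,Internal Users,TRAVPN,
2019-03-10 11:50:02.500,Passed,bob,aa:bb:cc:dd:ee:ff,AD1,TRAVPN,
2019-03-10 12:02:11.000,Failed,carol,11:22:33:44:55:66,AD1,TRAVPN,wrong password (constructed reason)
"""

FIELDS = ("timestamp", "status", "username", "endpoint", "store", "policy", "reason")


def parse_live_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed CSV layout into records with a datetime timestamp."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit keeps any commas inside the free-text failure reason intact
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected column count: {line!r}")
        rec: Dict[str, object] = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.strptime(str(rec["timestamp"]), "%Y-%m-%d %H:%M:%S.%f")
        records.append(rec)
    return records


def find_double_auths(records: List[Dict[str, object]],
                      window_seconds: float = 10.0) -> List[Dict[str, object]]:
    """Return Failed->Passed pairs for the same username within window_seconds.

    Each Failed record is paired with at most the first later Passed record for
    that user, so one identity-store fall-through yields exactly one finding.
    """
    by_user: Dict[object, List[Dict[str, object]]] = defaultdict(list)
    for rec in records:
        by_user[rec["username"]].append(rec)

    window = timedelta(seconds=window_seconds)
    findings: List[Dict[str, object]] = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["timestamp"])
        for i, failed in enumerate(recs):
            if failed["status"] != "Failed":
                continue
            for later in recs[i + 1:]:
                gap = later["timestamp"] - failed["timestamp"]
                if gap > window:
                    break
                if later["status"] == "Passed":
                    findings.append({
                        "username": user,
                        "endpoint": failed["endpoint"],
                        "failed_store": failed["store"],
                        "failed_reason": failed["reason"],
                        "passed_store": later["store"],
                        "gap_seconds": gap.total_seconds(),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_double_auths(parse_live_log(SAMPLE_LOG)):
        print(f"{f['username']}: failed against {f['failed_store']} "
              f"({f['failed_reason']}), passed {f['gap_seconds']:.3f}s later "
              f"against {f['passed_store']}")
```

Run against a real Live Log export, a non-empty result for VPN users is the signal that the authentication policy is falling through to a second store; the `failed_store` / `passed_store` pair tells you which statement to fix or which store to move ahead of AD, as the reply suggests.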

I'm using Default Network Access without any change. 

ise03.jpg

The details of this policy set are as below, which shows there is only one default authentication policy, nothing more.

ise04.jpg

And there is only one authorization policy, as simple as the following:

ise05.jpg

So as seen, there is nothing complex on the ISE, and if there were any misconfiguration, it would not be on the ISE. Also, both of these two simultaneous logs (the failed-login log and the successful-login log) show the matching auth/authZ rules correctly. I mean, both logs show that the user "xadmin1" matches the auth/authZ rules of TRAVPN. So why does one of them, using the same auth/authZ rules, fail authentication against the same AD that the other, successful one uses?!

ise06.jpg

ise07.jpg

I even reset the password for the user "xadmin1", although that should be irrelevant (because if the password for that user were wrong, why was the same user with the same password able to pass auth/authZ, as displayed in the successful-login log?).

These are the log entries from the AnyConnect VPN client:

11:45:25 AM Contacting x.x.x.x.
11:45:37 AM User credentials entered.
11:45:38 AM Establishing VPN session...
11:45:38 AM The AnyConnect Downloader is performing update checks...
11:45:38 AM Checking for profile updates...
11:45:38 AM Checking for product updates...
11:45:38 AM Checking for customization updates...
11:45:38 AM Performing any required updates...
11:45:38 AM The AnyConnect Downloader updates have been completed.
11:45:50 AM Establishing VPN session...
11:45:50 AM Establishing VPN - Initiating connection...
11:45:50 AM Establishing VPN - Examining system...
11:45:50 AM Establishing VPN - Activating VPN adapter...
11:45:54 AM Establishing VPN - Configuring system...
11:45:54 AM Establishing VPN...
11:45:54 AM Connected to x.x.x.x.

So as seen, I haven't gotten any specific error on the client side either.

I think it might be something related to AnyConnect.

I think the issue could be your authentication policy, where you have Default = All_User_ID_Stores. It would be ideal if you create a separate identity source sequence, put only your AD in it, and then test.

please do not forget to rate.

Note: I found the reason! I removed the SGT from the ISE authZ rule and now reachability is restored!

well done :)

please do not forget to rate.