Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
24193
Views
25
Helpful
22
Replies

Anyconnect with SAML connection issue

Go to solution
StevenEdmunds6666
Level 1
Level 1

‎01-08-2023 04:12 AM - edited ‎01-08-2023 05:10 AM

Hi All,

I have configured Cisco AnyConnect to authenticate with SAML and O365.

When I connect, I am presented with the login page at which point I enter the password and then authenticate from my mobile phone. However, when it's 'authenticated' I get a message saying, 'You are Disconnected. You may now close this browser tab'. 

I have also noticed that even though it's gone through, the VPN doesn't actually connect.

The only thing that I have noticed which looks odd to me is that the 'Login URL' and the 'Logout' URL appear to both be the same in the Azure side SAML page.

***Just found this message when authenticating: "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message.Have tried to re-enable SAML auth in tunnel-group but no luck.***

 

Thanks for reading and any questions, please let me know.

Steven

0 Helpful
22 Replies 22

Go to solution
StevenEdmunds6666
Level 1
Level 1

‎01-10-2023 01:50 AM - edited ‎01-10-2023 02:10 AM

I have also realised that I may also have an issue with my certificate or config. Even though the cert is applied on the ASA, when I try to connect using AnyConnect, I get the message that 'Certificate does not match the server name'

This can be ignored - was because I wasn't connecting via the correct name on the AnyConnect client.

0 Helpful

Go to solution
engineer467
Level 1
Level 1

‎11-10-2024 11:53 PM

Hello Marvin,

I am getting a similar error in the debug saml, [SAML] consume_assertion: assertion is expired or not valid.

I doublechecked the Assertion Consumer Service URL and SP Entity ID, all seems okay.

Any insights? Thanks a lot.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to engineer467

‎11-11-2024 04:07 AM

@engineer467 

Assuming the SAML IDP is using a currently valid certificate (easy enough to check), I would then check the time and date in your firewall.

0 Helpful

Go to solution
engineer467
Level 1
Level 1
In response to Marvin Rhoads

‎11-11-2024 04:55 AM

Hello Marvin,

Thanks for responding. I checked all of them and they looked fine. Then I
came across this cisco bug id (
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvi23605). So
deleting the SAML config and reconfiguring worked for me.
Appreciate your quick response.
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to engineer467

‎11-11-2024 05:26 AM

Ah yes, that bug is a pitfall. Newer versions of ASA and ASDM even warn you of if when changing your SAM configuration.

0 Helpful

Go to solution
engineer467
Level 1
Level 1
In response to Marvin Rhoads

‎11-11-2024 05:32 AM

Oh I didn't know that. Hope they do the same for FDM users as well.
0 Helpful

Go to solution
engineer467
Level 1
Level 1
In response to engineer467

‎11-11-2024 05:45 AM

Or just fix the issue. lol
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to engineer467

‎11-11-2024 05:55 AM

It was explained to me an an issue with the open source Lasso software library that Cisco uses. Like so many open source projects, if it's not actively maintained there are limitations to what can be done. (Of course, Cisco could fork it like they do with openSSH but I guess it's not considered a big enough problem for that.)

https://lasso.entrouvert.org/

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card