pchelisant
Beginner

Potential CSRF attack detected - ANYCONNECT, SSL WEBVPN

Gentlemen, I need your help.

We can successfully connect with AnyConnect to the ASA.

However, when we implement SAML authentication (Duo 2-factor authentication), we cannot connect, with the error

Potential CSRF attack detected.

We can see this is a cross site scripting issue, and the ASA is providing CSRF protection and causing this error.
The error we see is being generated by the ASA.

Can you help me with how to disable that protection, or at least the possibility to whitelist interested hosts?

Here is some short info:

Cisco Adaptive Security Appliance Software Version 9.15(1)1
SSP Operating System Version 2.9(1.131)
Device Manager Version 7.15(1)

Compiled on Fri 20-Nov-20 18:59 GMT by builders
System image file is "disk0:/asa9-15-1-1-smp-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
ASA: 4104 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 4 perpetual

This platform has an ASA5525 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.
webvpn config:

webvpn
 port 4443
 enable outside
 dtls port 4443
 http-headers
 hsts-server
  enable
  max-age 31536000
  include-sub-domains
  no preload
 hsts-client
  enable
 x-content-type-options
 x-xss-protection
 content-security-policy default-src 'self' https://api-b0affc49.duosecurity.com 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
 no anyconnect-essentials
Thanks!

4 REPLIES
balaji.bandi
VIP Expert

pchelisant
Beginner

Sorry, the first link doesn't work for me.

Tried to whitelist the user agent, however no success.

The other 2 links are well known to me, and as per the config you can see I use the latest software version.

balaji.bandi
VIP Expert

The first link was a bug on an older version; since you are running into the same kind of issue, I suggested having a look.

BB


*** Rate All Helpful Responses ***

loizosko
Beginner

Anybody figured out the issue?

Getting the same error with Okta. Running the latest 6.7 FTD.