cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13267
Views
0
Helpful
9
Replies

Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

pchelisant
Level 1
Level 1

Gentlemen need you help.

We can successfully connect with anyconnect to asa. 

However when we implement SAML Authentication (DUO 2 Factor authentication) We cannot connect with the error 

Potential CSRF attack dtected.

We can see this is a cross site scripting issue, and The ASA  is providing CSRF protection and causing this error.
The error we see  is being generated by the ASA.

Can you help me how to disable that protection or at least pisibility to whitelist interested hosts?

 

here a short info

 

Cisco Adaptive Security Appliance Software Version 9.15(1)1
SSP Operating System Version 2.9(1.131)
Device Manager Version 7.15(1)

Compiled on Fri 20-Nov-20 18:59 GMT by builders
System image file is "disk0:/asa9-15-1-1-smp-k8.bin"
Config file at boot was "startup-config"

 

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
ASA: 4104 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 4 perpetual

This platform has an ASA5525 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.

 

 

 

webvpn config

webvpn

 port 4443

 enable outside

 dtls port 4443

 http-headers

 hsts-server

  enable

  max-age 31536000

  include-sub-domains

  no preload

 hsts-client

  enable

 x-content-type-options

 x-xss-protection

 content-security-policy default-src 'self' https://api-b0affc49.duosecurity.com 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'

 no anyconnect-essentials

 

 

 

 

Thanks!

9 Replies 9

pchelisant
Level 1
Level 1

Sorry first link doesnt work for me.

Tried to whitelist useragent however no success.

Other 2 links a well known to me, and as per config you can see i use the latest software version

 

balaji.bandi
Hall of Fame
Hall of Fame

first, link was a bug - older version since you running the same kind of issue so suggested to have look.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

loizosko
Level 1
Level 1

anybody figured out the issue?

getting the same error with okta. running latest 6.7 ftd

what was the resolution for this case?

there was a timer in the firewall idp settings that did not match the timer in the sso provider settings.

after making it the same it worked

Hello @loizosko, I'm facing the same issue with the FTD 6.7, what timer do you talking about please?

kerbe42
Level 1
Level 1

I experienced the same issue this morning, in my case I had neglected to apply my standard NTP Server, so was related to clock skew.

JohnKimble
Level 1
Level 1

Hi
I know this is an old post, but for anyone who still have this issue, here is what I did. After confirming all my URLs were correct, I resolved the issue by removing the default value of 300ms in Request Timeout, under Single Sign-On server profile. Removing the 300ms, sets Timeout to "Use the timeout set by the Provider". Everything works great now. You can read more about it under "SAML Timeout section" here https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/asdm716/vpn/asdm-716-vpn-config/webvpn-configure-users.html

Review Cisco Networking for a $25 gift card