Re: Potential CSRF attack dtected - ANYCONNECT, SSL WEBVPN

pchelisant · ‎01-11-2021

Gentlemen need you help.

We can successfully connect with anyconnect to asa.

However when we implement SAML Authentication (DUO 2 Factor authentication) We cannot connect with the error

Potential CSRF attack dtected.

We can see this is a cross site scripting issue, and The ASA is providing CSRF protection and causing this error.
The error we see is being generated by the ASA.

Can you help me how to disable that protection or at least pisibility to whitelist interested hosts?

here a short info

Cisco Adaptive Security Appliance Software Version 9.15(1)1
SSP Operating System Version 2.9(1.131)
Device Manager Version 7.15(1)

Compiled on Fri 20-Nov-20 18:59 GMT by builders
System image file is "disk0:/asa9-15-1-1-smp-k8.bin"
Config file at boot was "startup-config"

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
ASA: 4104 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 4 perpetual

This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.

webvpn config

webvpn

port 4443

enable outside

dtls port 4443

http-headers

hsts-server

enable

max-age 31536000

include-sub-domains

no preload

hsts-client

enable

x-content-type-options

x-xss-protection

content-security-policy default-src 'self' https://api-b0affc49.duosecurity.com 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'

no anyconnect-essentials

Thanks!

balaji.bandi · ‎01-11-2021

Look at the below suggetions :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj34599

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

https://duo.com/docs/ciscoasa-sso

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

pchelisant · ‎01-11-2021

Sorry first link doesnt work for me.

Tried to whitelist useragent however no success.

Other 2 links a well known to me, and as per config you can see i use the latest software version

balaji.bandi · ‎01-11-2021

first, link was a bug - older version since you running the same kind of issue so suggested to have look.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

loizosko · ‎03-02-2021

anybody figured out the issue?

getting the same error with okta. running latest 6.7 ftd

IvanAlvarenga25979 · ‎07-27-2021

what was the resolution for this case?

loizosko · ‎07-27-2021

there was a timer in the firewall idp settings that did not match the timer in the sso provider settings.

after making it the same it worked

atocki · ‎08-26-2021

Hello @loizosko, I'm facing the same issue with the FTD 6.7, what timer do you talking about please?

kerbe42 · ‎06-15-2022

I experienced the same issue this morning, in my case I had neglected to apply my standard NTP Server, so was related to clock skew.

JohnKimble · ‎07-06-2023

Hi
I know this is an old post, but for anyone who still have this issue, here is what I did. After confirming all my URLs were correct, I resolved the issue by removing the default value of 300ms in Request Timeout, under Single Sign-On server profile. Removing the 300ms, sets Timeout to "Use the timeout set by the Provider". Everything works great now. You can read more about it under "SAML Timeout section" here https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/asdm716/vpn/asdm-716-vpn-config/webvpn-configure-users.html