01-10-2013 05:35 PM - edited 02-21-2020 06:36 PM
So with our setup we're using the SSL webauth page as it uses RSA Adaptive Authentication as the second factor for auth. In the DAP we then push the connection over to anyconnect. The result is this.
1. Webauth to AD
2. RSA auth with questions
3. DAP match
4. Anyconnect verification/download/upgrade/connect
At the 4th stage the anyconnect downloader completes all the apropriate checks for install, version upgrade, and then connect.
We have a user with a windows 7 machine that's failing on this 4th step. I've watched the 1st three phases succeed each time and then when it comes time for the 4th step there's no indication of an issue. The webpage just defaults back to the login page with no error or any information as to what occured or didn't occur.
In the logs I see the following
- Primary auth pass
- Secondary auth pass
- DAP match success
- Unknown logs
Below is what I see in the logs for the issue user and my session
Jan 10 2013 17:51:00: %ASA-6-734001: DAP: user issueuser, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: xxx
Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create RAMFS message change path sessions/27017216/user:issueuser to standby unit
Jan 10 2013 17:51:00: %ASA-6-716001: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session started.
Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create WebVPN Session message user issueuser, IP x.x.x.x to standby unit
Jan 10 2013 17:51:00: %ASA-6-716038: Group <company> user <issueuser> IP <x.x.x.x> Authentication: successful, Session Type: WebVPN.
Jan 10 2013 18:21:25: %ASA-7-720041: (VPN-Primary) Sending Delete WebVPN Session message user issueuser, IP x.x.x.x to standby unit
Jan 10 2013 18:21:25: %ASA-6-716002: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session terminated: Idle Timeout.
Jan 10 2013 20:12:50: %ASA-6-734001: DAP: user mysession, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: company-Non-Owned
Jan 10 2013 20:13:06: %ASA-4-722041: TunnelGroup <company> GroupPolicy <company> issueuser <mysession> IP <x.x.x.x> No IPv6 address available for SVC connection
Jan 10 2013 20:13:06: %ASA-5-722033: Group <company> user <mysession> IP <x.x.x.x> First TCP SVC connection established for SVC session.
Jan 10 2013 20:13:06: %ASA-6-722022: Group <company> user <mysession> IP <x.x.x.x> TCP SVC connection established without compression
Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping x.x.x.x - LOCAL\mysession Succeeded - VPN user
Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping session.ip.address - LOCAL\mysession Succeeded - VPN user
Jan 10 2013 20:13:06: %ASA-4-722051: Group <company> user <mysession> IP <x.x.x.x> Address <session.ip.address> assigned to session
Thanks for any help and/or suggestions.