01-11-2021 04:42 AM
Gentlemen, I need your help.
We can successfully connect with anyconnect to asa.
However, when we implement SAML authentication (Duo two-factor authentication), we cannot connect, with the error
Potential CSRF attack detected.
We can see this is a cross-site scripting issue, and the ASA is providing CSRF protection and causing this error.
The error we see is being generated by the ASA.
Can you help me with how to disable that protection, or at least with the possibility to whitelist the interested hosts?
Here is some short info:
Cisco Adaptive Security Appliance Software Version 9.15(1)1
SSP Operating System Version 2.9(1.131)
Device Manager Version 7.15(1)
Compiled on Fri 20-Nov-20 18:59 GMT by builders
System image file is "disk0:/asa9-15-1-1-smp-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
ASA: 4104 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 4 perpetual
This platform has an ASA5525 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
Carrier : Enabled perpetual
AnyConnect Premium Peers : 750 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Enabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Enabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
This platform has an ASA5525 VPN Premium license.
webvpn config:
webvpn
 port 4443
 enable outside
 dtls port 4443
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy default-src 'self' https://api-b0affc49.duosecurity.com 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
 no anyconnect-essentials
Thanks!
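As an added example (my own code, not from the post, from Cisco, or from Duo), here is a small Python checker that parses the content-security-policy value from the webvpn config above and reports, per directive, which origins the policy permits and which source expressions weaken it. The ASA origin used to resolve 'self' (https://vpn.example.com:4443) is a constructed placeholder; the Duo API host and port 4443 are taken from the post.

```python
"""Parse and sanity-check a Content-Security-Policy value such as the one the ASA
emits from 'webvpn http-headers content-security-policy'.
Hypothetical helper written for this thread; not ASA, Cisco or Duo code."""
from urllib.parse import urlsplit

# Policy string copied verbatim from the webvpn config in the post.
ASA_CSP = ("default-src 'self' https://api-b0affc49.duosecurity.com "
           "'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'")

# Source expressions that materially weaken a policy when present.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "*"}

# Directives that do NOT fall back to default-src when they are absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox",
               "report-uri", "report-to"}


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, directive):
    """Sources that govern `directive`, honouring the default-src fallback rule.
    Returns None when nothing restricts the directive."""
    if directive in directives:
        return directives[directive]
    if directive not in NO_FALLBACK and "default-src" in directives:
        return directives["default-src"]
    return None


def weak_sources(directives):
    """List (directive, source) pairs that weaken the policy."""
    return [(name, s) for name, sources in directives.items()
            for s in sources if s in WEAK_SOURCES or s.startswith("http:")]


def _same_origin(a, b):
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def source_matches(source, origin, self_origin=None):
    """Does one host/scheme source expression match `origin`?"""
    if source == "*":
        return True
    o = urlsplit(origin)
    if source == "'self'":
        return self_origin is not None and _same_origin(o, urlsplit(self_origin))
    if source.startswith("'") or source.endswith(":"):
        return False  # other keyword or a bare scheme source: not a host match
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != o.scheme:
        return False
    if s.port is not None and s.port != o.port:
        return False
    if s.hostname.startswith("*."):
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname


def origin_allowed(directives, directive, origin, self_origin=None):
    """Would `origin` be permitted for `directive` under this policy?"""
    sources = effective_sources(directives, directive)
    if sources is None:
        return True  # unrestricted
    return any(source_matches(s, origin, self_origin) for s in sources)


if __name__ == "__main__":
    asa = "https://vpn.example.com:4443"   # constructed placeholder for 'self'
    duo = "https://api-b0affc49.duosecurity.com"
    d = parse_csp(ASA_CSP)
    print("directives:", d)
    print("weak sources:", weak_sources(d))
    for directive in ("script-src", "connect-src", "frame-src", "frame-ancestors"):
        print(f"{directive:15} duo={origin_allowed(d, directive, duo, asa)} "
              f"asa={origin_allowed(d, directive, asa, asa)}")
```

Note that frame-ancestors does not inherit from default-src, so with this policy the Duo host is an allowed fetch and frame-src target (via default-src) but is not allowed to frame the ASA portal; whether that matters depends on how the SAML flow is rendered, which the post does not show. The 'unsafe-inline' and 'unsafe-eval' entries are reported because they let any injected script run regardless of the host allow-list.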