ASA5520 Clientless VPN - Login Failed.

l.topliss
Level 1

Hi,

No matter how the clientless VPN is configured, I get a login failed after trying to log in, despite the details being correct.

If anyone has encountered this before, any help would be great.

Thanks

The attachment is syslog output during an attempt; it appears successful but it doesn't work.


JORGE RODRIGUEZ
Level 10

From the logs it seems you are authenticated. Is it just from the single LMSCAM-ADMIN user, or no webvpn at all?

Can you post a screenshot of the client browser for the first initial login? Are you getting completely logged in after authentication? Any browser errors during that initial login?

Jorge Rodriguez

Hi, thanks for your reply,

This is the initial setup and I have never been able to login without getting login failed.

I have tried authenticating using radius but that appears successful in the syslog and has the same results.

The only error is that it's an unverified certificate; it seems like it's successful, then times out. I have tried it on some other PCs as I thought it was maybe a browser issue, but it doesn't work on them either.

OK. SSL is straightforward depending on which one you used. I suggest you go to this link and review your implementation; in the same link are three types of SSL webvpn technologies for reference. Make sure you meet the requirements for the client side. Once you have checked the implementation and requirements to be fine, we could start troubleshooting. Can you also indicate what version of ASA code your ASA is under?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

Regards

Jorge Rodriguez

OK, thanks, I will work through that document.

My ASA version is:

Cisco Adaptive Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)

The config appears correct for Clientless SSL VPN; I am trying to set up access to an internal website.

The only thing I don't have set up is the NetBIOS server.

Using debug webvpn, I have encountered this error:

WebVPN: started user authentication...
class inspection_default
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (LMSCAM-ADMIN) authenticated.
TCP
INFO: debug webvpn enabled at level 15.
ciscoasa# webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = cc32ed08
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_auth.c:http_webvpn_pre_authentication[2154]
WebVPN: calling AAA with ewsContext (-869078928) and nh (-836976872)!
webvpn_auth.c:webvpn_add_auth_handle[4702]
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4740]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = cc32ed08
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_post_authentication[1306]
WebVPN: user: (LMSCAM-ADMIN) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2622]
User came in on group he wasn't supposed to come in on!
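An added example (not part of the original thread, and not Cisco tooling): a small Python triage of the `debug webvpn` output posted above, separating "AAA rejected the credentials" from "AAA accepted, but the session was refused afterwards". Reading the final message as a group-lock / tunnel-group mismatch is an interpretation based on the fix reported later in this thread; the function name and verdict strings are hypothetical.

```python
import re

# Debug lines copied from the post above (a subset, in the order posted).
SAMPLE_DEBUG = """\
WebVPN: calling AAA with ewsContext (-869078928) and nh (-836976872)!
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4740]
WebVPN: AAA status = (ACCEPT)
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_post_authentication[1306]
WebVPN: user: (LMSCAM-ADMIN) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2622]
User came in on group he wasn't supposed to come in on!
"""

AAA_RE = re.compile(r"WebVPN: AAA status = \((\w+)\)")
USER_RE = re.compile(r"WebVPN: user: \((.+?)\) authenticated\.")
TGROUP_RE = re.compile(r"ewaFormSubmit_webvpn_login: tgroup = (\S+)")
GROUP_MISMATCH = "User came in on group he wasn't supposed to come in on!"


def triage_webvpn_debug(text):
    """Summarise one clientless login attempt from 'debug webvpn' output."""
    result = {"aaa_status": None, "user": None, "tgroup": None,
              "group_mismatch": False, "verdict": "no login attempt seen"}
    for line in text.splitlines():
        line = line.strip()
        if m := AAA_RE.search(line):
            result["aaa_status"] = m.group(1)
        elif m := USER_RE.search(line):
            result["user"] = m.group(1)
        elif m := TGROUP_RE.search(line):
            # Assumption: NULL means the login form supplied no tunnel-group.
            result["tgroup"] = m.group(1)
        elif GROUP_MISMATCH in line:
            result["group_mismatch"] = True
    if result["aaa_status"] == "ACCEPT" and result["group_mismatch"]:
        result["verdict"] = ("credentials accepted, session refused after "
                             "authentication: compare group-lock with the "
                             "tunnel-group the user landed on")
    elif result["aaa_status"] == "ACCEPT":
        result["verdict"] = "credentials accepted, no group mismatch logged"
    elif result["aaa_status"] is not None:
        result["verdict"] = "AAA did not accept the credentials"
    return result


if __name__ == "__main__":
    print(triage_webvpn_debug(SAMPLE_DEBUG))
```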

Good morning,

Did you resolve this problem?

Same issue happens to me, configured local user or radius user, I pass the authentication but

in the web browser it says login incorrect...

Thanks for your help

Fran

Hi,

This was a while ago but I did fix it.

I think I did it in the group policy on the ASA; there is an option for tunnel group lock. This resolved my problem.

Regards

Lewis

Smailmilak83_2
Level 1

Hi,

I have the same problem (same AAA debug output).

I entered this in the group-policy:

group-policy SSL-CLIENTLESS internal
group-policy SSL-CLIENTLESS attributes
dns-server value 192.168.10.101
vpn-tunnel-protocol webvpn
group-lock value SSL-CLIENTLESS   THIS ONE
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ssl-tunnel
webvpn
  homepage value http://192.168.10.195:8080/blablabla
  port-forward disable
  svc ask none default webvpn
  deny-message value ACCESS DENIED

TUNNEL-GROUP:

UASA# sh run tunnel-group SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS type remote-access
tunnel-group SSL-CLIENTLESS general-attributes
address-pool SSLVPN
authentication-server-group vpn
default-group-policy SSL-CLIENTLESS
tunnel-group SSL-CLIENTLESS webvpn-attributes
radius-reject-message
group-alias POS enable
tunnel-group SSL-CLIENTLESS ipsec-attributes
isakmp ikev1-user-authentication none

I still have the same problem with the AAA authentication.

Can anyone help me out?

Yes, it's so strange: group-lock DefaultWEBVPNGroup is OK. But when I use other tunnel-groups, it displays login failed.

PLATFORM

disk0:/asa846-smp-k8.bin
ASA 5585

I came across the same issue; suddenly my ASA started prompting login failed. I did a failover and restarted the boxes, but no luck.
After I disabled and re-enabled webvpn, it is working. It might be an IOS bug and I opened a case; I will post once I have received the root cause from Cisco.

Shatheesh
CCIE 38651 R&S

This was three years ago.
I remember that I solved the issue with this command:

aaa-server vpnssl protocol nt
reactivation-mode depletion deadtime 1
max-failed-attempts 5

"protocol nt" did the trick.

Joseph Gaefe
Level 4

I just ran into this very similar issue. SSL VPN service had recently been set up and was working. Attempted to access it via iPhone Safari and received login failed. Then logged out of the browser on Mac (thinking only one login at a time) and login from iPhone still failed. Attempted to re-login on Mac (Safari and Firefox) and login failed.

Solution: restarted webvpn...

conf t
no webvpn
webvpn
   enable outside
   anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
   anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
   anyconnect enable
   tunnel-group-list enable

 

my_ASA# sho ver

Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)

Compiled on Thu 27-Mar-14 09:36 by builders
System image file is "disk0:/asa915-k8.bin"
Config file at boot was "startup-config"

my_ASA up 26 days 4 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
