In the interest of passing on knowledge, here is the root cause of what I experienced that caused the "failed to get AAA handle" message to appear anytime anyone tried to establish an IPsec VPN connection into an ASA using AnyConnect.

When the syslog buffer fills up, the ASA by default will stop allowing any new VPN traffic at all, by anyone (even local accounts). In my case, changing the ASA configuration to send logs to the syslog server via TCP (vice UDP) caused the syslog buffer to fill up in a matter of hours (due to another problem on the ASA which was blocking TCP connections to the syslog server). That is when the "failed to get AAA handle" message began appearing.

To fix the problem, we first made the ACL correction to allow TCP connections to the syslog server. At that point, logs started flowing out of the syslog buffer, VPN connections were permitted, and the AAA handle error went away. There is also a checkbox that appears after you switch to syslog over TCP to allow VPNs to continue to function even if the syslog buffer fills up.

Hope this helps anyone in the future who gets this misleading error message. The cause has nothing to do with AAA.
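The setting described in the post, shown as ASA CLI. This is an added example, not part of the original post; the interface name `inside`, the address `192.0.2.10` and the port `1470` are constructed placeholders.

```cisco
! --- Constructed values: interface "inside", server 192.0.2.10, TCP port 1470 ---

! Before: syslog over TCP with the default behavior.
! If the TCP syslog server cannot be reached, the ASA refuses new
! sessions, which is the condition the post describes.
logging enable
logging host inside 192.0.2.10 tcp/1470

! After: keep accepting new sessions even when the TCP syslog server
! is unreachable (CLI counterpart of the checkbox mentioned in the post).
! Trade-off: sessions opened while the server is down are not recorded there.
logging permit-hostdown

! Checks: confirm the logging configuration and the state of the
! syslog host and message queue.
show running-config logging
show logging
```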