I've run into a problem using the AnyConnect client after upgrading ASA5510 to 8.3.2 (from 8.3.1). After entering username and password in browser, the error message "Login denied. Your environment does not meet the access criteria defined by your administrator." pops up.
1. Connecting to ASA 8.3.1 and 8.2.3 works fine with Dynamic Access policies (DAP) defined
2. Connecting to ASA 8.3.2 fails when DAP policies are defined
3. Connecting to ASA 8.3.2 works fine when no DAP policies (except DfltAccessPolicy) are defined
4. Error messages in syslog file are "%ASA-3-734004: DAP: Processing error: Code 2358" and "%ASA-3-734004: DAP: Processing error: Code 3626"
5. Cisco Secure Desktop is enabled, but only perform Host Scan checks.
The software versions in use:
- Cisco Secure Desktop 3.5.1077
- AnyConnect 2.5.0217
- Clients used for testing are running WinXP and Vista
It doesn't seem to matter what the DAP policy contains, just that it exists. I've tried to add a new policy with a single "Application = IPsec" (which it should skip and move to DfltAccessPolicy) and one with a single "Application = AnyConnect" (which it should match and be allowed access). IPsec clients match the first one and carry on as usual, but the AnyConnect client stops as long as there is at least one policy defined. The problem exist even if the DfltAccessPolicy is set to "Continue".
I see this problem on two different ASA5510s. Is this a known problem?
Solved! Go to Solution.
There have been issues with DAP being broken in newer codes. The debug dap trace and debug dap error output while login should show you the error in dap that you are facing. Please post the same here. Also I would suggest you open a service request with Cisco TAC to diagnose the problem as it does seem like you are hitting a bug with dap.
It certainly seems like the same bug. The output from "debug dap trace" + "debug dap errors" is:
DAP_ERROR: Username: xyz, dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
DAP_ERROR: Username: xyz, ERROR selecting DAP records
DAP_TRACE: Username: xyz, Action set to terminate
DAP_TRACE: Username: xyz, DAP_close: A7F6DA88
I'll create a case with TAC. Is there en estimate on when the next "normal" release with this fix will be released?
We ran into a “catastrophic” bug in 8.2.3 code. One of our ASA showed being licensed for 10GE, and the other was not. As there was a license inconsistency between the two ASA’s, we had failover issues with both Firewalls acting as Primary. We had to back off 8.3.2 and are now running 18.104.22.168 on both ASA’s, which still protects us from the vulnerabilities that took us to 8.2.3.
However, at 22.214.171.124, we are also running into the exact same DEBUG DAP ERROR messages as noted above and none of our AnyConnect clients are able to connect.
This is affecting me too. This makes endpoint posture assessment and DAP records completely useless. The bug one of the other posters references shows the same symptoms, but they don't mention our versions, code 8.3(2), what gives?
Bug CSCth56065 was resolved in 126.96.36.199 so you will need to upgrade to a more recent interim image in order to get the fix.
wow, thanks for the fast reply, Do I need to contact cisco for that version? will Interim 8.3.(2.4) fix this, as thats the only interim I found on my downloads
Great work folks! I stumbled to this forum posting via Google as I was having the same problem. I'm downloading 8.3.24 (interim) and I will see if it fixes my problem.