Failed to get AAA handle

Pavlo Zabudskyi
Level 1

We had an internet connectivity problem. After it was resolved, we weren't able to connect to the VPN with the AnyConnect client; the error was "Failed to get AAA handle".

We updated the IOS from asa917-k8.bin to asa917-6-k8.bin. No luck. It allows connecting only once after a reboot. Very strange behavior. Do we have to change the IOS version?

We tried both local and LDAP authentication.

6 Replies

unavailable
Level 1

Were you able to find a fix for this?

Hello,

Which AnyConnect client are you running? Try the latest release (4.5). Also, which clients are you having this problem with (Windows 10)?

In the interest of passing on knowledge, here is the root cause of what I experienced that caused the "failed to get AAA handle" message to appear any time anyone tried to establish an IPsec VPN connection into an ASA using AnyConnect.

When the syslog buffer fills up, the ASA by default will stop allowing any new VPN traffic at all, by anyone (even local accounts). In my case, changing the ASA configuration to send logs to the syslog server via TCP (rather than UDP) caused the syslog buffer to fill up in a matter of hours (due to another problem on the ASA which was blocking TCP connections to the syslog server). That is when the "failed to get AAA handle" message began appearing.

To fix the problem, we first made the ACL correction to allow TCP connections to the syslog server. At that point, logs started flowing out of the syslog buffer, VPN connections were permitted, and the AAA handle error went away. There is also a checkbox that appears after you switch to syslog over TCP to allow VPNs to continue to function even if the syslog buffer fills up.

Hope this helps anyone in the future who gets this misleading error message. The cause has nothing to do with AAA.
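To make the behaviour described in the reply above concrete, here is an ASA CLI configuration fragment. It is an added example, not configuration posted by anyone in this thread; the interface name, IP address and port are placeholders. It shows the TCP syslog setting that triggers the fail-closed behaviour, the `logging permit-hostdown` option (the CLI equivalent of the checkbox the reply mentions) that relaxes it, and the show commands used to confirm the logging queue is draining.

```cisco
! Added example, not from this thread. Interface, address and port are placeholders.
logging enable
logging timestamp
logging trap informational
!
! Sending syslog over TCP gives reliable delivery, but by default the ASA
! treats an unreachable TCP collector as a reason to refuse new sessions
! (including AnyConnect VPN logins) once its logging queue fills up.
! The surfaced error is the misleading "failed to get AAA handle".
logging host inside 192.0.2.10 tcp/1470
!
! Primary fix is outside this fragment: repair whatever blocks the ASA's
! TCP session to 192.0.2.10 (in the reply above, an ACL), so logs drain.
!
! Secondary control: keep accepting new connections even when the TCP
! syslog host is down. This trades guaranteed log delivery for
! availability, so decide deliberately whether an unreachable collector
! should block logins or merely drop logs.
logging permit-hostdown
!
! Verification after the change:
!   show logging          -> confirms host state and permit-hostdown setting
!   show logging queue    -> queue depth should fall, not stay at the limit
```

Treating `logging permit-hostdown` as the only fix hides a logging outage; the safer sequence is to restore reachability to the collector first, then decide whether the fail-closed default is acceptable for the site. If both TCP syslog hosts are configured and the message persists, check `show logging queue` before looking at AAA servers, because, as the reply notes, the error text points at the wrong subsystem.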

Hi,
Thanks for sharing the fix with us.
Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment helps you!

This was exactly it, for either reliable syslog or syslog over TLS.

permit-hostdown    Allow new connection even if TCP syslog server is down

logging permit-hostdown will override this behavior if the TCP endpoint is not responding.

 

It's the correct link.
