We had an internet connectivity problem. After it was resolved, we weren't able to connect to the VPN with the AnyConnect client; it failed with the error "Failed to get AAA handle".
We updated IOS from asa917-k8.bin to asa917-6-k8.bin. No luck. It allows us to connect only once after reboot. Very strange behavior. Do we have to change the IOS version?
We tried both local and LDAP authentication.
Which AnyConnect client are you running? Try the latest release (4.5). Also, which clients are you having this problem with (Windows 10)?
In the interest of passing on knowledge, here is the root cause of what I experienced that caused the "failed to get AAA handle" message to appear anytime anyone tried to establish an IPSEC VPN connection into an ASA using AnyConnect.
When the syslog buffer fills up, the ASA by default will stop allowing any new VPN traffic at all, by anyone (even local accounts). In my case, changing the ASA configuration to send logs to the syslog server via TCP (vice UDP) caused the syslog buffer to fill up in a matter of hours (due to another problem on the ASA which was blocking TCP connections to the syslog server). That is when the "failed to get AAA handle" message began appearing.
To fix the problem, we first made the ACL correction to allow TCP connections to the syslog server. At that point, logs started flowing out of the syslog buffer and VPN connections were permitted and the AAA handle error went away. There is also a checkbox that appears after you switch to syslog over TCP to allow VPNs to continue to function even if the syslog buffer fills up.
Hope this helps anyone in the future who gets this misleading error message. The cause has nothing to do with AAA.
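A way to check a saved ASA configuration for the condition described in the post above, added here as an example and not part of the thread. The sample config is constructed, the function names are hypothetical, and it assumes that TCP syslog hosts appear in the config as `tcp/port` or protocol number `6/port` and that the checkbox mentioned above corresponds to the `logging permit-hostdown` command.

```python
import re

# Constructed sample of an ASA running-config excerpt (documentation addresses).
SAMPLE_CONFIG = """\
logging enable
logging trap informational
logging host inside 192.0.2.10 6/1470
logging host dmz 192.0.2.20 17/514
"""

# Matches "logging host <interface> <address> [<proto>/<port>] [options]".
HOST_RE = re.compile(
    r"^logging host (?P<ifc>\S+) (?P<addr>\S+)"
    r"(?: (?P<proto>\w+)/(?P<port>\d+))?(?P<rest>.*)$"
)


def tcp_syslog_hosts(config):
    """Return (interface, address, port) for every TCP syslog destination."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        # Assumption: TCP is written as "tcp" or as IP protocol number 6.
        proto = (m.group("proto") or "udp").lower()
        secure = "secure" in m.group("rest").split()  # TLS syslog runs over TCP
        if proto in ("tcp", "6") or secure:
            port = int(m.group("port")) if m.group("port") else None
            hosts.append((m.group("ifc"), m.group("addr"), port))
    return hosts


def audit(config):
    """Flag TCP syslog hosts that block new connections when unreachable."""
    lines = [line.strip() for line in config.splitlines()]
    if "logging permit-hostdown" in lines:
        return []  # new connections keep working while the server is down
    return [
        f"{addr} via {ifc} tcp/{port}: new connections are denied while this "
        "server is unreachable (no 'logging permit-hostdown')"
        for ifc, addr, port in tcp_syslog_hosts(config)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

Enabling `logging permit-hostdown` trades audit completeness for availability: connections made while the server is down are not logged to it, so syslog server reachability should be monitored either way.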