03-02-2015 12:47 PM - edited 02-21-2020 08:06 PM
ASA 5525, v. 9.1(5)19
AnyConnect client 3.1.02026
I have two users who are unable to connect via the AC client or clientless through the web portal. Using the client, it will get stuck in a loop of "checking for updates". On the portal, the connection will proceed to the point of "Cisco Secure Desktop successfully validated... Success.. Reloading..please wait." Then it hangs there.
The issue occurs for the user regardless of which company laptop she logs onto. A help desk tech can use her laptop and successfully connect, but she cannot connect on her own laptop or on another laptop. (Same for the other user.) So the issue doesn't seem to be related to her laptop or the AC installation. (Help desk did reimage her machine early in the troubleshooting process before they realized that the issue seemed to follow the user.)
I've updated the hostscan file - no change in results. Client and clientless connections seem to be working fine for all other users. We're stumped. Suggestions, anyone? thanks!
03-10-2015 05:48 PM
The LDAP should be server folks -- Active Directory. Chances are whoever manages the ASAs should have access to at least look in Active Directory to look that up. If they don't, they need it.
I obviously don't know a lot about what devices you are using, but if you are using ISE, there should be some type of MNT device (Monitoring and Troubleshooting) -- which is collecting the logs and, hopefully, sending them to some type of syslog aggregate collection tool (splunk?).
Otherwise, there should be a device called a CAM (Clean Access Manager) that is collecting logs -- which may also be propagated to a syslog aggregate tool -- although with CAMs, you can pull the reports right out of them in a comma-delimited file (.csv) and go through them that way.
-- The thing that gets me is that it happens to two users no matter what computer they try to connect from, no matter what network they connect from, and other users can authenticate and gain network access on those same devices.
-- That is why it is rather perplexing. Pretty much saying it has to be something with:
- the IP pool they are getting an IP from
- their AD credentials
- their username
- something along those lines, if the information provided was fully accurate.
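The reply above points at Active Directory and the users' credentials or usernames as the likely place to look. One concrete way to check the "duplicate LDAP entries" idea raised earlier in the thread is to take an LDIF export of the user objects and look for identity attributes that occur on more than one entry. The script below is an added example by the editor, not something posted in the thread and not Cisco tooling; the LDIF text is constructed for the demo, the attribute list is an assumption about which values should be unique, and a real export would come from `ldifde` or `ldapsearch`.

```python
"""Find identity attributes shared by more than one entry in an LDIF export.

Added example for this thread, not code from the original posts. It assumes an
LDIF export of Active Directory user objects (e.g. from ldifde or ldapsearch)
and reports values of sAMAccountName, userPrincipalName and mail that appear on
more than one entry. The sample export below is constructed for the demo.
"""
import base64
from collections import defaultdict

# Attributes a single user is expected to own exclusively (editor's assumption).
UNIQUE_ATTRS = ("sAMAccountName", "userPrincipalName", "mail")

# Constructed sample export: a stale object in a Disabled OU still carries
# Jane Smith's UPN and mail address, while Adam Jones's entry is clean.
SAMPLE_LDIF = """\
dn: CN=Jane Smith,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@example.com
mail: jane.smith@example.com

dn: CN=Jane Smith (old),OU=Disabled,DC=example,DC=com
objectClass: user
sAMAccountName: jsmith2
userPrincipalName: jsmith@example.com
mail: jane.smith@example.com

dn: CN=Adam Jones,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: ajones
userPrincipalName: ajones@example.com
mail: adam.jones@example.com
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.

    Handles folded lines (continuation lines start with a space), comments and
    base64-encoded values ("attr:: <base64>"). Attribute names are lowercased
    because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current:
        entries.append(current)
    return entries


def find_duplicates(entries, attrs=UNIQUE_ATTRS):
    """Return {attr: {value: [dn, ...]}} for values present on >1 entry.

    Values are compared case-insensitively, which is how AD matches them.
    """
    seen = {attr: defaultdict(list) for attr in attrs}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in attrs:
            for value in entry.get(attr.lower(), []):
                seen[attr][value.lower()].append(dn)
    return {attr: {v: dns for v, dns in vals.items() if len(dns) > 1}
            for attr, vals in seen.items()}


if __name__ == "__main__":
    for attr, values in find_duplicates(parse_ldif(SAMPLE_LDIF)).items():
        for value, dns in values.items():
            print(f"{attr} = {value} is shared by {len(dns)} entries:")
            for dn in dns:
                print("   ", dn)
```

Running it against the constructed export flags the shared userPrincipalName and mail values and shows both DNs, which is the side-by-side view the thread suggests; on a real export, feed it the file contents instead of `SAMPLE_LDIF`.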
03-03-2015 06:06 PM
Are they authenticating successfully?
What do logs say?
Are they connecting with username/password or some type of smart card?
Have you checked for duplicate LDAP entries on whatever she is submitting?
2 users out of how many? 10,000? 3?
--
What differences are there with her and another user who is connecting successfully?
Pull up their profiles side by side and look.
--
There are a lot of things that come into play here that only you would know.
Even with the questions answered, we still wouldn't have a complete picture of what's going on or how your system works.
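The questions above ("Are they authenticating successfully? What do logs say?") are best answered by lining up the ASA syslog events for an affected user against those for a user who connects fine, so you can see the last stage the failing session reaches. The script below is an added example by the editor, not code from the thread; the syslog lines are constructed, and the stage labels are the editor's shorthand for the ASA message IDs rather than Cisco's official titles.

```python
"""Compare per-user ASA VPN login timelines from syslog.

Added example for this thread, not code from the original posts. It assumes
ASA syslog lines of the usual "%ASA-<sev>-<id>: ..." shape and maps each
login-related message ID to a stage so that an affected user's session can be
compared with a working one. The log lines below are constructed samples.
"""
import re
from collections import OrderedDict, defaultdict

# Successive stages of an AnyConnect/SSL VPN login as seen in ASA syslog.
# Labels are the editor's shorthand for the message IDs.
STAGES = OrderedDict([
    ("113004", "AAA authentication succeeded"),
    ("113009", "group policy retrieved"),
    ("113039", "AnyConnect parent session started"),
    ("722022", "SVC tunnel established"),
    ("722051", "client address assigned"),
])

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
# The user appears in different fields depending on the message.
USER_RES = [
    re.compile(r"user = (\S+)"),
    re.compile(r"User <([^>]+)>"),
    re.compile(r"Username = ([^,]+)"),
]

# Constructed sample: ajones completes the login; jsmith and bkim authenticate,
# start a parent session, and are then disconnected without an SVC tunnel.
SAMPLE_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = ajones
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = ajones
%ASA-6-113039: Group <SSL-Users> User <ajones> IP <203.0.113.10> AnyConnect parent session started.
%ASA-6-722022: Group <SSL-Users> User <ajones> IP <203.0.113.10> TCP SVC connection established without compression
%ASA-6-722051: Group <SSL-Users> User <ajones> IP <203.0.113.10> IPv4 Address <10.50.0.7> IPv6 address <::> assigned to session
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = jsmith
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = jsmith
%ASA-6-113039: Group <SSL-Users> User <jsmith> IP <203.0.113.21> AnyConnect parent session started.
%ASA-4-113019: Group = SSL-Users, Username = jsmith, IP = 203.0.113.21, Session disconnected. Session Type: SSL, Duration: 0h:00m:09s, Bytes xmt: 1201, Bytes rcv: 544, Reason: Idle Timeout
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = bkim
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = bkim
%ASA-6-113039: Group <SSL-Users> User <bkim> IP <198.51.100.8> AnyConnect parent session started.
%ASA-4-113019: Group = SSL-Users, Username = bkim, IP = 198.51.100.8, Session disconnected. Session Type: SSL, Duration: 0h:00m:11s, Bytes xmt: 1199, Bytes rcv: 540, Reason: Idle Timeout
"""


def parse_user_events(lines):
    """Map username -> ordered list of ASA message IDs logged for that user."""
    events = defaultdict(list)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        for rx in USER_RES:
            u = rx.search(line)
            if u:
                events[u.group(1).strip()].append(m.group(1))
                break
    return events


def stages_reached(msg_ids):
    """Return the stage labels, in order, present in a user's message IDs."""
    return [label for sid, label in STAGES.items() if sid in msg_ids]


def first_missing_stage(events, user):
    """Return (message_id, label) of the first stage the user never reached,
    or None when the full login sequence was logged."""
    reached = set(events.get(user, []))
    for sid, label in STAGES.items():
        if sid not in reached:
            return sid, label
    return None


if __name__ == "__main__":
    events = parse_user_events(SAMPLE_LOG.splitlines())
    for user in ("ajones", "jsmith", "bkim"):
        print(f"{user}: reached {stages_reached(events[user])}")
        missing = first_missing_stage(events, user)
        print("   first stage not reached:", missing or "none, login completed")
```

For the affected users the output shows authentication and the parent session succeeding, with the SVC tunnel stage never reached, which narrows the problem to what happens after AAA rather than to the credentials themselves. Point the script at a syslog export from the collector the thread mentions instead of `SAMPLE_LOG` to run it on real data.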
03-10-2015 11:06 AM
Thanks for your input. Sorry for the delay in responding. Here is some additional info:
* Yes, they authenticate successfully.
* They connect with username/password.
* 2 users out of about 400.
* Profiles - will check and try to compare.
Regrettably, due to my inexperience with the ASA and no longer having a network engineer on board, I don't have an answer regarding duplicate LDAP entries or logs.
Thanks for your help.
03-17-2015 05:48 AM
Thanks, David. I appreciate your input and time! We'll pursue these suggestions.