AnyConnect connection started failing with "not authorized"

ml1witten
Level 1

Hello,

I had updated a small office ASA 5508-X back in July, and had not needed VPN access again until recently. The version I updated to was 9.16(3). I generally use ASDM for management. I really only want to support AnyConnect VPNs, though I still have a bit of IPsec left over from previous testing. I have an Apex license that is current, though I am only testing one VPN client right now.

When I use my credentials that have worked for years, I get a "User Not Authorized for AnyConnect Client Access". I look at the ASA logs, and it is now telling me that I logged in just fine, but:

AnyConnect Client <174.209.xxx.xxx> attempted to connect on an interface with webvpn disabled. Interface : <outside>.

I don't care much in general about clientless webvpn, but I made sure all webvpn was enabled on that interface (client and clientless) in both ASDM and from the CLI. I also changed it to support just SSL client access, and it still gives the exact same error. I have included a config dump of some of the critical webvpn and client pieces below.

Note that I did see CSCwc37256, which describes a similar issue, so I just upgraded to the latest update (9.16(4), asa9-16-4-9-lfbff-k8) but no joy.

webvpn
 port 8443
 enable outside
 enable inside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.05111-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 dns-server value <mydns1> <mydns2>
 vpn-tunnel-protocol ssl-client
 group-lock value MainAdminGrp
 default-domain value mydomain.net
 webvpn
  anyconnect ssl rekey time 240
  anyconnect ssl rekey method new-tunnel
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect ask none default anyconnect
group-policy GroupPolAdmin internal
group-policy GroupPolAdmin attributes
 banner value Hi!
 dns-server value <mydns1>
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
 default-domain value xxxx
 address-pools value Shorter6Group
 webvpn
  anyconnect ssl compression lzs
group-policy GroupPolicy6 internal
group-policy GroupPolicy6 attributes
 vpn-tunnel-protocol l2tp-ipsec ssl-client
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev2 ssl-client
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable
  svc ask none default svc
  always-on-vpn profile-setting
username ME attributes
 vpn-group-policy GroupPolAdmin
 password-storage disable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Shorter6Group
tunnel-group MainAdminGrp type remote-access
tunnel-group MainAdminGrp general-attributes
 address-pool Shorter6Group
 default-group-policy GroupPolAdmin
tunnel-group MainAdminGrp webvpn-attributes
 group-alias Main enable
.... etc

Any thoughts on what to do next would be appreciated. I did not want to try falling back to the pre-error image unless I had to, because of security issues.

Accepted Solution

balaji.bandi
Hall of Fame

One thing I noticed is you are not using the standard port 8443 - as far as I know, if you would like to change the port,

you need to disable it first with "no enable outside" (I do not think you need the inside interface here in your config - unless your requirement is different),

then change the port to 8443 - then "enable outside" and test.

Also, make sure that when the client initiates a connection it connects to port 8443 (by default HTTPS means 443).

Example:

https://www.petenetlive.com/KB/Article/0000422

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


8 Replies


BB,

Thank you for the reply! I saw that as an option in the bug report, but I had 2 other things (AnyConnect firmware download and one other) on 443, so I decided to wait on that. At the moment, I have rolled back 2 versions to 9.16(2) (I believe), and the VPN works but ASDM does not... pretty sure the latter is just one of the Java-related security settings, but I have not had time to track it down yet again.

I will probably go back to (3), as that is where VPN first failed, and will see if changing that port helps. It is all very odd, and looks a lot like that bug report, but that was not resolved either by bouncing the webvpn service or upgrading to (4). I wonder about the DAP, since I had never done much with that in the past and it may help with (new?) conflicts with using ASDM and AnyConnect at the same time, but I have not been able to find anything definitive yet.

Anyway, many thanks, and I'll probably move to 16(3) or (4) and try that tomorrow.

-Mike


"but ASDM does not" - this looks like a different issue - what is the ASDM version?

Have you checked the ASDM version compatibility:

ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message "%ERROR: Signature not valid for file disk0:/<filename>" will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b


BB


BB,

Thank you again. ASDM is 7.17(1.155). It has actually been working, or seeming to work, just fine with 9.16(3) and I believe (4), and I thought I had verified it. I just looked at the release notes, and I think it should at least be fully compatible with 9.16(3). I usually pull them down at the same time to be sure. It doesn't look like it will work with the older version (2), which was one of the things I figured was wrong there. I was not going to spend much effort on getting that older version to work. Hopefully, later today I'll restore it to (3) or (4) and get back to the SSL issue, and re-visit the port number assignments. Thanks!! -Mike

ASDM and WebVPN Enabled on the Same Interface of the ASA - Cisco

If changing the WebVPN port does not work, return it to the default and instead change the ASDM HTTP port.

I had seen that note, but had more or less ignored it, I am afraid, as both had been working fine on 9.16(2) with things configured as they are, but it looks like they changed something. I will likely try both. Certainly bouncing the webvpn service did not help. Again, I will be restoring 9.16(3) or (4) later today, and will probably update ASDM, since it may even be something in the older version that is interfering with my configuration. One thing at a time, however.

I see that the OpenJRE version of ASDM describes it as "integrated". Does that mean I don't have to download and compile OpenJRE? That is what it looked like last time I looked into it <grin>. I don't use Java for anything else these days. Anyway, thanks, and I'll post what seems to get it working (if I do).

Also, make sure the ports are not identical for ASDM and VPN.

Also, disable webvpn on the inside interface if it is not required.

BB


ml1witten
Level 1

So... I believe I have things working, and was slogging through a number of mostly self-induced issues. The primary one to start with was that the WEBVPN port had moved, either by me or something else, to port 8443. So, to use it for AnyConnect, I had to tell it to connect on that port (which it finally did). I prefer 443 as the default for users, so I moved it back. I disabled it on inside.

Other issues: When I changed configs, I realized I had not fixed the ASDM link in the older image, which pointed to one that I had deleted. The ASDM launcher could not do the version test (it would be nice if it told us that). I found that fairly quickly with the Java console debugger.

Another issue was that modifying the ports, at least in the newer version of ASDM, removed the links to the client images.

There were likely some other issues with ASDM versions and signatures. I went straight back to (4) and updated ASDM (tftp) just to be sure, so I am not sure what other than the link pointer finally fixed it completely.

ASDM now seems to run fine, as does AnyConnect. I have simply not seen any ASDM/WEBVPN/AnyConnect conflicts, and it is still not clear to me how you can make ASDM connect on a different port... and if I read things correctly, the URL takes care of that anyway. I have ASDM and AnyConnect connected now, all on 443. The only thing I want WebVPN to do is allow client download, so I have it pretty well disabled to the extent possible. Not sure what they plan on that score once webvpn is "deprecated", since AnyConnect seems to utilize that (SSL-Client).

I still need to test some settings, but your pointers were a great help!

-Mike
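The thread boils down to two configuration checks (the webvpn listener and ASDM's HTTPS server must not share a port on the same interface, and webvpn should not be enabled on the inside interface unless it is needed) plus the client-side consequence that a non-default webvpn port has to appear in the AnyConnect URL. Below is an added example, not code from the original poster or from Cisco, that parses a running-config excerpt and reports those two findings, builds the client URL, and emits the disable/change/re-enable sequence from the accepted answer. The sample config is constructed; the `http server enable` and `http <net> <mask> <iface>` lines are assumed ASDM settings that the poster's snippet did not include.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, modelled on the snippet posted in the thread. The two
# 'http ...' lines are an assumption for this example: they are the ASA commands
# that set the ASDM/HTTPS port and access interface, and were not in the post.
SAMPLE_CONFIG = """\
http server enable 443
http 10.0.0.0 255.255.255.0 inside
webvpn
 port 8443
 enable outside
 enable inside
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolAdmin attributes
 webvpn
  anyconnect ssl compression lzs
"""


@dataclass
class Listeners:
    webvpn_port: int = 443                       # ASA default when no 'port' line exists
    webvpn_interfaces: List[str] = field(default_factory=list)
    asdm_port: int = 443                         # ASA default for 'http server enable'
    asdm_interfaces: List[str] = field(default_factory=list)


def parse_listeners(config: str) -> Listeners:
    """Read the top-level 'webvpn' block and the ASDM 'http' lines.

    The indented 'webvpn' sub-mode under group-policy attributes holds no
    listener settings, so only an unindented 'webvpn' line opens the block.
    """
    result = Listeners()
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            in_webvpn = line == "webvpn"        # any other top-level command closes the block
            m = re.fullmatch(r"http server enable(?: (\d+))?", line)
            if m:
                result.asdm_port = int(m.group(1) or 443)
                continue
            m = re.fullmatch(r"http \S+ \S+ (\S+)", line)
            if m:
                result.asdm_interfaces.append(m.group(1))
            continue
        if in_webvpn:
            m = re.fullmatch(r"port (\d+)", line)
            if m:
                result.webvpn_port = int(m.group(1))
            m = re.fullmatch(r"enable (\S+)", line)
            if m:
                result.webvpn_interfaces.append(m.group(1))
    return result


def check_listeners(config: str) -> List[str]:
    """Return findings for the two problems raised in the thread."""
    p = parse_listeners(config)
    findings: List[str] = []
    shared = sorted(set(p.webvpn_interfaces) & set(p.asdm_interfaces))
    if shared and p.webvpn_port == p.asdm_port:
        findings.append(
            f"webvpn and ASDM both listen on TCP {p.asdm_port} on {shared}; "
            "move one of them to another port"
        )
    if "inside" in p.webvpn_interfaces:
        findings.append(
            "webvpn is enabled on 'inside'; disable it there unless clients "
            "really connect from the inside network"
        )
    return findings


def anyconnect_url(host: str, webvpn_port: int) -> str:
    """URL the client must use; a non-default port has to be given explicitly."""
    return f"https://{host}" if webvpn_port == 443 else f"https://{host}:{webvpn_port}"


def port_change_commands(interface: str, new_port: int) -> List[str]:
    """CLI sequence from the accepted answer: disable, change the port, re-enable."""
    return ["webvpn", f" no enable {interface}", f" port {new_port}", f" enable {interface}"]


if __name__ == "__main__":
    for finding in check_listeners(SAMPLE_CONFIG):
        print("FINDING:", finding)
    port = parse_listeners(SAMPLE_CONFIG).webvpn_port
    print("client URL:", anyconnect_url("vpn.example.net", port))   # host is a placeholder
    print("\n".join(port_change_commands("outside", 443)))
```

Run against the constructed sample, the checker reports only the inside-interface finding, because webvpn (8443) and ASDM (443) are on different ports; change the sample's `port 8443` to `port 443` and the shared-port finding appears as well, which is the situation the thread's link about ASDM and WebVPN on the same interface describes.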