05-11-2015 04:05 AM - edited 02-21-2020 08:13 PM
Hi, I updated over the weekend to version 9.1(6)1 from version 8.3(4). All is good except for the AnyConnect VPN connections, which are erroring as follows:
[11/05/2015 11:56:12] Contacting hatstand.coatrack.com.
[11/05/2015 11:56:14] Please enter your username and password.
[11/05/2015 11:56:17] User credentials entered.
[11/05/2015 11:56:17] User not authorized for AnyConnect Client access, contact your administrator.
[11/05/2015 11:56:17] Ready to connect.
I have tried authenticating against the LDAP and the local databases and I get the same.
Any help is appreciated.
Thanks
06-10-2018 02:08 PM - edited 06-10-2018 02:11 PM
I've got the same trouble (ASA5505, 9.2(4)33).
In the logging:
Jun 10 2018 23:50:09: %ASA-6-725001: Starting SSL handshake with client outside:31.173.80.4/43716 for TLS session.
Jun 10 2018 23:50:09: %ASA-6-725003: SSL client outside:31.173.80.4/43716 request to resume previous session.
Jun 10 2018 23:50:09: %ASA-6-725002: Device completed SSL handshake with client outside:31.173.80.4/43716
Jun 10 2018 23:50:09: %ASA-6-113012: AAA user authentication Successful : local database : user = test
Jun 10 2018 23:50:09: %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = test
Jun 10 2018 23:50:09: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = test
Jun 10 2018 23:50:09: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username1 = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username2 =
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
Jun 10 2018 23:50:09: %ASA-6-734001: DAP: User test, Addr 31.173.80.4, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jun 10 2018 23:50:09: %ASA-6-725007: SSL session with client outside:31.173.80.4/43716 terminated.
Jun 10 2018 23:50:10: %ASA-6-302014: Teardown TCP connection 1852 for outside:31.173.80.4/43716 to identity:78.107.195.78/30443 duration 0:00:00 bytes 736 TCP FINs
Folks, can anybody help me?
06-11-2018 02:36 AM
As per your DAP output you are using tunnel group DefaultWEBVPNGroup and group policy DfltGrpPolicy.
Please post output from:
show runn tunnel-group DfltAccessPolicy
show runn group-policy DfltGrpPolicy
06-11-2018 11:26 AM
Hi, Bogdan!
Here they are:
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  url-list value NS0001
  customization value SSLdefault
but
show runn tunnel-group DfltAccessPolicy
ERROR: Invalid tunnel group name <DfltAccessPolicy>
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ac_admin_pool
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization SSLdefault
and
sh run all dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DfltAccessPolicy
 action continue
06-12-2018 01:22 AM
Can you try this:
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup enable
The alias can be any name you want; I just used the tunnel name.
06-12-2018 02:34 AM
Added the group-alias.
Unfortunately, the same behaviour.
But I've finally found the root cause of this situation. In my case, the error message "User not authorized for AnyConnect Client access, contact your administrator." was caused by my inattention:
there was a config for IKEv2 through AnyConnect - "crypto ikev2 enable outside client-services port 10443" - but the SSL config was:
"webvpn
 port 11443"
So I was simply connecting to the wrong port - 10443.
Thanks, Bogdan - your suggestions led me to look at the config more closely.
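The port mismatch described in the last post can be checked mechanically. The Python sketch below is an added example, not part of the thread and not Cisco tooling: it parses a constructed config excerpt built from the lines quoted above and reports which listener a client port reaches and whether the group policy's vpn-tunnel-protocol permits it. The names parse_asa, check_client_port and NEEDED are hypothetical, and the protocol-to-listener mapping is an assumption drawn from the root cause in the thread.

```python
import re

# Constructed sample: listener lines and group policy quoted in the thread;
# "enable outside" under webvpn is an assumption.
SAMPLE_CONFIG = """\
crypto ikev2 enable outside client-services port 10443
webvpn
 port 11443
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
"""

# Assumed mapping: tunnel protocol a policy must allow for each listener.
NEEDED = {"ikev2 client-services": "ikev2", "webvpn": "ssl-client"}

def parse_asa(config):
    """Return ({port: service}, {group_policy: set_of_tunnel_protocols})."""
    ports, protocols, section = {}, {}, ""
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # top-level command opens a section
            section = line.strip()
            m = re.match(r"crypto ikev2 enable \S+ client-services port (\d+)$", section)
            if m:
                ports[int(m.group(1))] = "ikev2 client-services"
            continue
        words = line.split()
        if section == "webvpn" and words[0] == "port" and len(words) == 2:
            ports[int(words[1])] = "webvpn"
        m = re.match(r"group-policy (\S+) attributes$", section)
        if m and words[0] == "vpn-tunnel-protocol":
            protocols[m.group(1)] = set(words[1:])
    return ports, protocols

def check_client_port(config, policy, client_port):
    """Return (service on client_port, permitted by policy?, ports that are)."""
    ports, protocols = parse_asa(config)
    allowed = protocols.get(policy, set())
    service = ports.get(client_port)      # None when nothing listens there
    permitted = NEEDED.get(service) in allowed
    usable = sorted(p for p, s in ports.items() if NEEDED[s] in allowed)
    return service, permitted, usable

if __name__ == "__main__":
    for port in (10443, 11443):
        print(port, check_client_port(SAMPLE_CONFIG, "DfltGrpPolicy", port))
```

A result with permitted set to False and a non-empty usable list points at the situation from the thread: authentication succeeds, but the client is aimed at a listener the group policy does not cover.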