09-05-2014 04:19 AM - edited 02-21-2020 07:48 PM
Hello.
We have a basic ASA scenario set up in a production environment, configured for SSL AnyConnect and a Security Plus license. The authentication uses a RADIUS server on Windows 2012 and membership in an AD group to grant access. However, when I try to connect using either the webvpn link or the installed AnyConnect client, I get a Login Failed error message, but apparently the authentication was successful (see debug below).
The running config of the VPN is:
ASA Version 9.1(3)
!
ip local pool pool1 10.150.30.1-10.150.30.250 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.150.30.0_24 NETWORK_OBJ_10.150.30.0_24 no-proxy-arp route-lookup
aaa-server SAD protocol radius
aaa-server SAD (inside) host 192.168.10.15
 key *****
http server enable
crypto ca certificate chain comodo.trustpoint
ssl trust-point comodo.trustpoint outside
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.8
 vpn-filter value
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_Story-Anyconnect-VPN internal
group-policy GroupPolicy_Story-Anyconnect-VPN attributes
 wins-server none
 dns-server value 192.168.10.8
 vpn-tunnel-protocol ssl-client ssl-clientless
tunnel-group Story-Anyconnect-VPN type remote-access
tunnel-group Story-Anyconnect-VPN general-attributes
 address-pool pool1
 authentication-server-group SAD
 default-group-policy GroupPolicy_Story-Anyconnect-VPN
tunnel-group Story-Anyconnect-VPN webvpn-attributes
 group-alias Story-Anyconnect-VPN enable
Whenever I try to log in using a domain account from the webvpn portal, I get Login failed and the following dump:
SA5510-Story-FW(config-webvpn)# webvpn_allocate_auth_struct: net_handle = 0xae330f88
webvpn_portal.c:ewaFormSubmit_webvpn_login[3628]
webvpn_portal.c:webvpn_login_validate_net_handle[2542]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2562]
webvpn_portal.c:webvpn_login_assign_app_next[2580]
webvpn_portal.c:webvpn_login_cookie_check[2597]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2654]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2688]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2750]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2802]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2875]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_negotiate_client_cert[2965]
webvpn_portal.c:webvpn_login_check_cert_status[3063]
webvpn_portal.c:webvpn_login_cert_only[3111]
webvpn_portal.c:webvpn_login_primary_username[3133]
webvpn_portal.c:webvpn_login_primary_password[3212]
webvpn_portal.c:webvpn_login_secondary_username[3244]
webvpn_portal.c:webvpn_login_secondary_password[3319]
webvpn_portal.c:webvpn_login_extra_password[3431]
webvpn_portal.c:webvpn_login_set_cookie_flag[3450]
webvpn_portal.c:webvpn_login_set_auth_group_type[3473]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_not_resuming[3551]
webvpn_portal.c:http_webvpn_kill_cookie[1053]
webvpn_auth.c:http_webvpn_pre_authentication[2087]
WebVPN: calling AAA with ewsContext (-1398866832) and nh (-1372385400)!
webvpn_add_auth_handle: auth_handle = 1985
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5336]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3628]
webvpn_portal.c:webvpn_login_validate_net_handle[2542]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2562]
webvpn_portal.c:webvpn_login_assign_app_next[2580]
webvpn_portal.c:webvpn_login_cookie_check[2597]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2654]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2688]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = Story-Anyconnect-VPN
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2750]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2802]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2875]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2965]
webvpn_portal.c:webvpn_login_check_cert_status[3063]
webvpn_portal.c:webvpn_login_cert_only[3111]
webvpn_portal.c:webvpn_login_primary_username[3133]
webvpn_portal.c:webvpn_login_primary_password[3212]
webvpn_portal.c:webvpn_login_secondary_username[3244]
webvpn_portal.c:webvpn_login_secondary_password[3319]
webvpn_portal.c:webvpn_login_extra_password[3431]
webvpn_portal.c:webvpn_login_set_cookie_flag[3450]
webvpn_portal.c:webvpn_login_set_auth_group_type[3473]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3503]
webvpn_auth.c:http_webvpn_post_authentication[1415]
WebVPN: user: (daniel) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2794]
webvpn_session.c:http_webvpn_create_session[219]
webvpn_session.c:http_webvpn_find_session[175]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[175]
webvpn_session.c:http_webvpn_destroy_session[1587]
webvpn_remove_auth_handle: auth_handle = 1985
webvpn_free_auth_struct: net_handle = 0xae330f88
webvpn_allocate_auth_struct: net_handle = 0xae330f88
webvpn_free_auth_struct: net_handle = 0xae330f88
If I log in from the installed AnyConnect client on the PC, then I get:
ASA5510-Story-FW(config-webvpn)# Public archive directives retrieved from cache for index 1.
Can you please help me with that problem? Thanks.
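A triage sketch for the debug trace in the question above, as an added example that is not part of the original post or of Cisco's tooling: it scans `debug webvpn` output for the milestones visible in that trace and reports whether the login was refused by AAA or torn down after an ACCEPT. The patterns are taken from the lines quoted in the post; the function name `triage` and the verdict strings are assumptions.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post above.
SAMPLE = """\
webvpn_portal.c:ewaFormSubmit_webvpn_login[3628]
webvpn_login_resolve_tunnel_group: TG_BUFFER = Story-Anyconnect-VPN
WebVPN: started user authentication...
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (daniel) authenticated.
webvpn_session.c:http_webvpn_create_session[219]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[175]
webvpn_session.c:http_webvpn_destroy_session[1587]
webvpn_remove_auth_handle: auth_handle = 1985
"""

# Milestones, in the order they appear in the post's trace.
MILESTONES = [
    ("tunnel_group", re.compile(r"TG_BUFFER = (\S+)")),
    ("aaa_status", re.compile(r"AAA status = \((\w+)\)")),
    ("user", re.compile(r"user: \((.+?)\) authenticated")),
    ("session_created", re.compile(r"WebVPN session created")),
    ("session_destroyed", re.compile(r"http_webvpn_destroy_session")),
]


def triage(debug_text):
    """Return ({milestone: (line_no, value)}, verdict) for a webvpn debug trace."""
    seen = {}
    for lineno, line in enumerate(debug_text.splitlines(), 1):
        for name, rx in MILESTONES:
            m = rx.search(line)
            if m and name not in seen:  # keep the first occurrence only
                seen[name] = (lineno, m.group(1) if m.groups() else True)
    aaa = seen.get("aaa_status", (0, None))[1]
    if aaa is None:
        verdict = "no AAA result in trace"
    elif aaa != "ACCEPT":
        verdict = "rejected by AAA server"
    elif "session_created" not in seen:
        verdict = "accepted by AAA, no session created"
    elif seen.get("session_destroyed", (0,))[0] > seen["session_created"][0]:
        verdict = "accepted by AAA, session torn down after creation"
    else:
        verdict = "accepted by AAA, session established"
    return seen, verdict
```

A verdict of "session torn down after creation" points the investigation at what happens after RADIUS accepts the user rather than at the credentials.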
09-14-2014 11:25 PM
Enable the debugs below, connect using the AnyConnect VPN client, and then get the debugs.
ASA5500-7# debug webvpn 255
ASA5500-7# debug radius all
Are you using DAP policies?
11-01-2014 07:16 AM
Hi,
Please also share the output of show vpn-sessiondb license-summary.
Plus sh version.