Re: Anyconnect VPN fails to connect for one connection profile

itsupport116 · ‎08-25-2021

Hi

I have multiple Anyconnect connection profiles using ISE for authentication and one profile will not connect and I am seeing ISE servers being marked as failed in the logs. The same ISE servers are being used for all profiles and I can see successful login on ISE console.

The same profile on another ASA is working perfectly with the same users using the same ISE servers.

Thanks in advance

Declan

Karsten Iwen · ‎08-25-2021

I would start with a "debug radius" and "debug aaa ..." to see if there is any hint on what is going wrong here.

itsupport116 · ‎08-25-2021

Thanks

Here are some logs for successful and failed connection

6 113004 AAA user authentication Successful : server = 10.x.x.x.x : user = myuser
6 113009 AAA retrieved default group policy (ProfileB-VPN) for user = myuser
6 113008 AAA transaction status ACCEPT : user = myuser

6 113004 AAA user authentication Successful : server = 10.x.x.x.x : user = myuser
6 113009 AAA retrieved default group policy (ProfileA-VPN) for user = myuser
2 113022 AAA Marking RADIUS server 10.x.x.x in aaa-server group ISE as FAILED
2 113023 AAA Marking RADIUS server 10.x.x.x in aaa-server group ISE as ACTIVE

aaa dedug for the failure and success

Resetting 10.x.x.x's numtries
Resetting 0.0.0.0's numtries
Marking server 10.x.x.x down in servertag ISE
Marking server 10.x.x.y down in servertag ISE
Marking server 10.x.x.x in server tag ISE Up
Marking server 10.x.x.y in server tag ISE Up
AAA_BindServer: No server found
ERROR: No active server found
Resetting 10.x.x.x's numtries
Resetting 0.0.0.0's numtries
Resetting 10.x.x.x's numtries

Nothing obvious in the radius debug, I will need to ensure it is sanitized before I could add it here.

Regards

Declan

moha99edhamedan · ‎09-03-2023

Hi
I currently have the same problem