Anyconnect VPN log in failure

Edward Luna
Level 1

Today we had a very disturbing failure.  We have a fully functional VPN on our ASA 5510 adaptive security device running 8.2(5).  I was setting up a new user on a Windows 7 Professional 64 bit machine using FireFox instead of Internet Explorer.

The initial connection worked fine but the download of the client failed.  I clicked on the link provided to manually download the client and the Cisco VPN client appeared to download and install properly.  However, when I attempted to open the VPN after the client install it again said that the automatic download of the client failed and it offered the link to download the client again, which I did with exactly the same result.

I thought that perhaps the problem was with FireFox so I opened Internet Explorer and entered the url for the VPN.  After the user-id and password were entered (and validated) I received the same error about the client download failure and I selected the link to manually download just like I did the other 3 times in FireFox.  This time it actually looked like it was working as I received the certificate error about AnyConnect (which I normally get) however, the login screen remained on the page after I clicked on the certificate error to continue.  

The PC appeared to hang so I ended the VPN session and then attempted to reestablish the connection.  This time when I entered the user-id and password it came back saying "Invalid Logon".  I tried again and received the same result.  I tried a different user but no joy... same result... invalid login.  I went to a different PC; one that had been working fine only a few minutes earlier, and I received the same invalid login message no matter which user-id and password I entered.  Something had happened that was blocking all users from connecting to the VPN.

I didn't want to believe that attempting to connect to the VPN using FireFox on a Windows 7 64 bit machine could somehow bring my Cisco VPN down but I was out of options... so I rebooted the ASA and much to my disappointment the reboot fully restored the VPN service.

Now if this were a $75 dollar LinkSys Router instead of a several thousand dollar security device I would just shake it off, but how can it be that a failed connection attempt could bring a Cisco ASA 5510 VPN to its knees?  I thought that maybe I had exceeded the license max for SSL VPN connections... I think it's 2... but if that was the cause then why wouldn't the message indicate such instead of just saying "invalid login".  Also, there were no other open connections at the time, unless all the failed download attempts counted as active sessions.  I also had already checked in ASDM and no active VPN sessions were listed.

Any guidance anyone can provide would be greatly appreciated.

Ed

Accepted Solutions

Vishnu Sharma
Level 1

Hi Edward,

I went through the issue and I think that you have only 2 licenses for SSL, and when you try connecting multiple times, no matter whether the install took place correctly or failed, the sessions were built on the ASA, and after building the session the ASA pushed those files to the client machines. I know it gives you an irrelevant message saying "Invalid Logon"; however, if you run debug web svc 255 on the ASA (using SSH/Telnet), you will see a message:

Session could not be established. Session limit of 2 reached

You are saying that you did not see any session on the ASA, so could you please get the output of the command:

debug web anyconnect 255 (or debug web svc 255) and share with us.

Thanks,

Vishnu Sharma
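
The checks suggested in the answer above, written out as an ASA CLI sequence. This is an added example, not part of the original posts; it assumes privileged EXEC mode, the ASA 8.2 keyword names (svc rather than anyconnect), and that the abbreviated "debug web svc" in the post expands to "debug webvpn svc".

```cisco
! Added example: checking for SSL VPN session-limit exhaustion on an ASA.
! Assumes ASA 8.2 keywords; later releases use "anyconnect" in place of "svc".

! 1. See how many SSL VPN peers the installed license allows.
show version | include VPN

! 2. See which sessions the ASA is currently holding, by type.
!    Browser portal logins and client tunnels are listed separately.
show vpn-sessiondb summary
show vpn-sessiondb webvpn
show vpn-sessiondb svc

! 3. Reproduce one login with debugging on and look for the
!    "Session limit of 2 reached" message quoted in the answer.
debug webvpn svc 255
! ... attempt the login from the client, then turn debugging off ...
undebug all

! 4. If sessions are lingering, log them off instead of reloading the ASA.
vpn-sessiondb logoff webvpn noconfirm
vpn-sessiondb logoff svc noconfirm
```

Comparing the license count from step 1 with the session counts from step 2 shows whether the "Invalid Logon" message is a credential failure or the session limit.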

After I made the post I came to the same conclusion.  Rather than take up time with what is likely a license issue, I'll just get more licenses and see if that fixes the problem.

The other issue is the question of FireFox working correctly with Cisco AnyConnect.  I've never had any trouble with I.E. and Anyconnect so I'm assuming FireFox doesn't support something that AnyConnect needs.

I'll assign yours as the correct answer and let you know how FireFox works out... if it works out.

Thanks

Ed
