AnyConnect Weirdness

mikedeyoung
Level 1

All,

I have configured ASA5515 WebVPN as well as LDAP integration with Windows Server 2012.

When my end-users open up Internet Explorer, navigate to HTTPs://VPN.COMPANY.COM and try to log in, they receive the error "Login failed".

I am 99.99% certain the configuration is good because of the following reasons.

Reason#1: I have verified LDAP authentication works from the CLI... "test aaa-server authentication LDAP_SERVER host X.X.X.X username NAME password PASS"... I receive message "Authentication Successful".

Reason#2: I have enabled "debug ldap 255" and "debug webvpn" and generated debug output by attempting to login and it looks good...

[219247] Session Start
[219247] New request Session, context 0x00007fff2b71fca8, reqType = Authentication
[219247] Fiber started
[219247] Creating LDAP context with uri=ldap://x.x.x.x:389
[219247] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful
[219247] supportedLDAPVersion: value = 3
[219247] supportedLDAPVersion: value = 2
[219247] Binding as Cisco Firewall
[219247] Performing Simple authentication for Cisco Firewall to x.x.x.x
[219247] LDAP Search:
        Base DN = [dc=COMPANY,dc=LOCAL]
        Filter  = [sAMAccountName=username ]
        Scope   = [SUBTREE]
[219247] User DN = [CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL]
[219247] Talking to Active Directory server x.x.x.x
[219247] Reading password policy for username , dn:CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL
[219247] Read bad password count 0
[219247] Binding as username 
[219247] Performing Simple authentication for username  to x.x.x.x
[219247] Processing LDAP response for user username 
[219247] Message (username ): 
[219247] Authentication successful for username  to x.x.x.x
[219247] Retrieved User Attributes:
[219247]        objectClass: value = top
[219247]        objectClass: value = person
[219247]        objectClass: value = organizationalPerson
[219247]        objectClass: value = user
[219247]        cn: value = username  lastname
[219247]        sn: value = lastname
[219247]        givenName: value = username 
[219247]        distinguishedName: value = CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        instanceType: value = 4
[219247]        whenCreated: value = 20150506160057.0Z
[219247]        whenChanged: value = 20150520151111.0Z
[219247]        displayName: value = username  lastname
[219247]        uSNCreated: value = 111226
[219247]        memberOf: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to Group-Policy: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to LDAP-Class: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        uSNChanged: value = 120459
[219247]        name: value = username  lastname
[219247]        objectGUID: value = .......C.......n
[219247]        userAccountControl: value = 66048
[219247]        badPwdCount: value = 0
[219247]        codePage: value = 0
[219247]        countryCode: value = 0
[219247]        badPasswordTime: value = 0
[219247]        lastLogoff: value = 0
[219247]        lastLogon: value = 0
[219247]        pwdLastSet: value = 130754016574937153
[219247]        primaryGroupID: value = 513
[219247]        objectSid: value = ............"s.!...!.:;.a...
[219247]        accountExpires: value = 9223372036854775807
[219247]        logonCount: value = 0
[219247]        sAMAccountName: value = username 
[219247]        sAMAccountType: value = 805306368
[219247]        userPrincipalName: value = username @company.LOCAL
[219247]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=COMPANY,DC=LOCAL
[219247]        dSCorePropagationData: value = 16010101000000.0Z
[219247]        lastLogonTimestamp: value = 130766082715215992
[219247] Fiber exit Tx=546 bytes Rx=2625 bytes, status=1
[219247] Session End
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = TG_ANYCONNECT_BIIT
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 7

Any ideas?

-mdy
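A small triage script for this kind of transcript, added here as an example and not part of the thread: it parses the `[session-id]` lines of `debug ldap 255` output, records whether the server connect and the user bind succeeded and which group-policy the memberOf value was mapped to, and decodes userAccountControl for flags that block logon even when the password is right. The sample transcript is constructed from the lines above, and the verdict strings are assumptions about where to look next.

```python
import re

# Constructed sample modelled on the transcript above (not the poster's exact lines).
SAMPLE = """\
[219247] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful
[219247] Authentication successful for username to x.x.x.x
[219247]        memberOf: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to Group-Policy: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        userAccountControl: value = 66048
"""

# userAccountControl bits worth checking when the bind succeeds but login still fails.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}
BLOCKING = {"ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED"}
LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")  # "[session-id] message"

def parse_sessions(text):
    # Group lines by session id and record only the facts triage needs.
    sessions = {}
    for raw in text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        sid, body = m.group(1), m.group(2).strip()
        s = sessions.setdefault(sid, {"connected": False, "auth_ok": False,
                                      "group_policies": [], "uac": None})
        if body.startswith("Connect to LDAP server") and "status = Successful" in body:
            s["connected"] = True
        elif body.startswith("Authentication successful"):
            s["auth_ok"] = True
        elif body.startswith("mapped to Group-Policy: value = "):
            s["group_policies"].append(body.split("value = ", 1)[1])
        elif body.startswith("userAccountControl: value = "):
            s["uac"] = int(body.split("value = ", 1)[1])
    return sessions

def uac_flags(uac):
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]

def triage(s):
    # Name the phase to investigate next for one parsed session (assumed verdicts).
    if not s["connected"]:
        return "LDAP connect failed: check server reachability and aaa-server config"
    if not s["auth_ok"]:
        return "user bind failed: check credentials and password policy"
    blocking = sorted(BLOCKING & set(uac_flags(s["uac"] or 0)))
    if blocking:
        return "account flags block logon: " + ", ".join(blocking)
    return "LDAP auth OK: failure is after AAA (group-policy, DAP or tunnel-group)"
```

Run it over a full `debug ldap 255` capture to get one verdict per session id; the sample above yields the "after AAA" verdict, which is why the reply below asks for the webvpn, dap and aaa debugs.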

1 Reply

Santhosha Shetty
Cisco Employee

Hi Mdy,

Collect the following along with the LDAP debug:

debug webvpn 127

debug webvpn any 127

debug dap trace 127

debug aaa common 127

To turn off the debugs: "undebug all"

Regards,

Santhosh
