AnyConnect with Azure AD SAML disconnects right after authenticating

guacamoley
Level 1

Hey all. I set up our AnyConnect with Azure AD SAML. Our old device had it working, but we had to reimage the device, and when we set it back up we are running into a weird issue.

When I sign in, I go through the normal SAML prompts, get my MFA push, and then once I actually connect, the embedded browser flashes for just a moment, brings up the sign-off page ("You have been disconnected") and then closes, with the AnyConnect client saying "Login Failed".

I've rebooted the device, verified the Azure SSO side of things, recreated and re-uploaded the Azure AD cert, verified NTP is synced correctly, and disconnected the SAML IdP from the tunnel group and reconnected it - no luck.

I am attaching debugs for anyone curious. I also looked in my DART bundle and saw some errors but couldn't really figure out if they were relevant:

  • Description: Keyset does not exist
  • Description: CERTIFICATE_ERROR_PROVIDER_ERROR
  • Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate
  • Description: Failed to get a XmlLocalACPolMgr instance
  • Description: ConnectMgr::processIfcData failed

Does anyone have any advice here? 


8 Replies

Pavan Gundu
Cisco Employee
[saml] webvpn_login_primary_username: SAML assertion validation succeeded

The SAML assertion is successful according to the debug message.

Pavan Gundu
Cisco Employee

sh run webvpn

sh run tunnel-group TG

sh run group-policy GP

Please post these outputs.

Hi Pavan,

I changed the login/IdP URLs just for security's sake.

ciscoasa# show run webvpn
webvpn
 enable OUTSIDE
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/cisco-secure-client-win-5.0.03076-webdeploy-k9.pkg 1
 anyconnect enable
 anyconnect external-browser-pkg disk0:/external-sso-5.0.03072-webdeploy-k9.pkg
 saml idp https://sts.windows.net/idpurl
  url sign-in https://login.microsoftonline.com/loginurl
  url sign-out https://login.microsoftonline.com/loginurl
  base-url https://test.vpn.com
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASDM_TrustPoint0
  no signature
  no force re-authentication
  timeout assertion 7200
 tunnel-group-list enable
 cache
  disable
 error-recovery disable


ciscoasa# sh run tunnel-group asa01
tunnel-group asa01 type remote-access
tunnel-group asa01 general-attributes
 address-pool AZ01_Pool
 default-group-policy GroupPolicy_ASAv01_RAVPN
tunnel-group asa01 webvpn-attributes
 authentication saml
 external-browser enable
 group-alias asa01 enable idpurl
 saml identity-provider https://sts.windows.net/idpurl
 saml idp-trustpoint AzureAD-AC-SAML


ciscoasa# sh run group-policy GroupPolicy_ASAv01_RAVPN
group-policy GroupPolicy_ASAv01_RAVPN internal
group-policy GroupPolicy_ASAv01_RAVPN attributes
 banner value ASAv01
 wins-server none
 dns-server value 10.128.131.2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunneling
 default-domain none
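The cross-check that the requested outputs allow, as an added example that is not from the thread or from Cisco: a small parser over `show run` text that verifies each SAML tunnel-group's `saml identity-provider` and `saml idp-trustpoint` resolve to a matching webvpn `saml idp` block (same IdP URL, same `trustpoint idp`, a `base-url` present). The sample config is a constructed, re-indented excerpt of the output posted above; it cannot reveal licence or session limits, which is what the root cause here turned out to be.

```python
import re

# Constructed excerpt of the posted ASA output, with show-run indentation restored.
ASA_CONFIG = """\
webvpn
 enable OUTSIDE
 anyconnect enable
 saml idp https://sts.windows.net/idpurl
  url sign-in https://login.microsoftonline.com/loginurl
  url sign-out https://login.microsoftonline.com/loginurl
  base-url https://test.vpn.com
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASDM_TrustPoint0
  timeout assertion 7200
tunnel-group asa01 type remote-access
tunnel-group asa01 webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/idpurl
 saml idp-trustpoint AzureAD-AC-SAML
"""

def _blocks(config, header_re, child_indent):
    """Map header match -> list of stripped sub-commands for every block matching header_re."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif current is not None and line.startswith(child_indent):
            current.append(line.strip())
        else:
            current = None  # left the block
    return blocks

def _arg(lines, prefix):
    """Third token of the first sub-command starting with prefix, or None."""
    return next((l.split()[2] for l in lines if l.startswith(prefix)), None)

def check_saml_binding(config):
    """Return findings (empty list = tunnel-group SAML references are consistent)."""
    idps = _blocks(config, r"^ saml idp (\S+)$", "  ")
    findings = []
    for tg, attrs in _blocks(config, r"^tunnel-group (\S+) webvpn-attributes$", " ").items():
        if "authentication saml" not in attrs:
            continue
        idp_url = _arg(attrs, "saml identity-provider ")
        if idp_url not in idps:
            findings.append(f"{tg}: identity-provider {idp_url} has no webvpn 'saml idp' block")
            continue
        tp, idp_tp = _arg(attrs, "saml idp-trustpoint "), _arg(idps[idp_url], "trustpoint idp ")
        if tp != idp_tp:
            findings.append(f"{tg}: idp-trustpoint {tp} != webvpn trustpoint idp {idp_tp}")
        if not any(l.startswith("base-url ") for l in idps[idp_url]):
            findings.append(f"{tg}: saml idp {idp_url} has no base-url")
    return findings

if __name__ == "__main__":
    print(check_saml_binding(ASA_CONFIG) or "SAML references consistent")
```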

Can you also let me know what version of software you are running?

Hi Pavan - turns out it was an issue with my licensing - my AnyConnect license was limiting only 2 users and kicking the rest off. 

Haha, glad it was resolved

How did you determine this? I am having the same issue with being logged off immediately after logging in when using SAML.

It was as simple as realizing I hadn't set up Smart Licensing on my device yet. If you don't have the proper AnyConnect licensing it will only allow 1 user to connect at a time.