ASA 5512 upgrade won't allow Duo SAML auth to complete

itneuf
Level 1

Hi There!

We currently have an AnyConnect SSL setup with SAML Duo authentication. Everything is working fine on release 9.12(4)52. However, as soon as we upgrade to 9.12(4)54 or 9.12(4)55, AnyConnect no longer completes the connection.

I do receive the Duo prompt and I do approve the connection; after that, a new browser window opens and gives me "Bad Request" as the message. If I close this window, the VPN disconnects. On a macOS system, the URL seems to point to the tunnel VPN group name (https://vpn.ourdomain.com/+CSCOE+/saml/sp/acs?tgname=DefaultWEBVPNGroup).

I've searched within ASDM and the changelog and didn't find anything that could be causing this.

5 Replies

balaji.bandi
Hall of Fame

What is the reason for upgrading to 9.12(4)54 or 9.12(4)55? Are there any bugs affecting the current release?

Personally, I would roll back to 9.12(4)52 (note that the 5512 is end of life; all 9.12(4)X releases are interim builds only for security bugs. I do not believe Cisco supports any major code upgrades on this code).

If you are looking for support, I suggest planning to migrate to Cisco Secure Firewall (AKA Firepower) soon.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

itneuf
Level 1

Hi Balaji, thank you for your answer. Honestly, I just wanted to install the latest because I thought it included security fixes. I've also opened a support ticket with Duo. For the moment, we will stay on 9.12(4)52. Have a nice day!

Sure, a known good version is always better if there is no reason to upgrade. That works better.

BB


joshuaccarr
Level 1

Did you ever hear back from Duo on the cause? I'm having the same issue with a 5515-X, and with all the vulnerabilities I don't really want to leave it on the previous version.

itneuf
Level 1

Hi! We ended up opening a support ticket with Cisco. It's an identified bug with no fix.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc63208

We upgraded our equipment to a 5525-X, so we don't need this version anymore.
