01-17-2017 07:37 AM - edited 02-21-2020 09:07 PM
Hello everyone,
I have a weird issue going on in our environment. We have a Cisco ASA configured to allow our users to VPN into our network from home. They're using the Cisco AnyConnect client to do so. We haven't had a single issue in two years since this has been set up and we have licensing for many users to be connected at once. All of a sudden, just one specific user cannot log into our VPN anymore. Every time she tries it says "login failed" and won't accept her credentials.
We have tried changing her password, verifying that "change password at next login" is not enabled, made sure she isn't locked out, checked the "do not allow kerberos preauthentication" box, tried logging in on a different computer and user account, etc. Nothing works. It seems to be an issue with the individual's AD account. I'm completely stumped as to why this user cannot connect to the VPN. She was able to connect before without any issues.
Anyone have any suggestions as to why this could be happening and what I could do to troubleshoot and potentially fix it? My workaround is to basically create a brand new user account for her to use solely for VPN access.
Thanks!
01-17-2017 08:02 AM
Is the user's internal IP range conflicting with the given IP address from the VPN or of the office you use? I cannot think of anything else to suggest that you have not tried already.
I have seen the issue before with a guest we had being given a 10.0.0.0 /12 address from our WiFi controller, which conflicted with her office addressing scheme (which was the same range).
01-17-2017 08:07 AM
I actually thought about an IP conflict on her home network but I got a hold of her laptop today and did a bunch of testing on multiple hot spots using our phones to test and she still can't authenticate for some reason. About three or four different WiFi external hotspots were used and we got the same issue each time so I'm thinking that an IP conflict isn't the issue here, especially since we tested on other PCs where other user accounts worked just fine. Thanks for the suggestion, though!
01-17-2017 08:10 AM
Very strange! One last thing from me, before someone hopefully explains!
Does she have any special characters in her login? I would think passwords should be exempt from this, but the login might hang if it doesn't like the string inputted (i.e. ardal.o'hanlon@company.com).
Apart from that, I apologise, cannot be of more assistance!
01-17-2017 08:13 AM
We have tried multiple passwords. She is using one special character in her password (a period) but we have a lot of people who use that same special character in their passwords and never had an issue. Again, I appreciate the suggestion though.
01-17-2017 05:20 PM
You mentioned AD user - are you using LDAP or RADIUS as the AAA protocol to talk to the AD? Also, is the reject coming from the AD or the ASA? If LDAP, you can run the command "debug ldap 255" to get debugs when she connects. If Radius, you can use "debug radius all". The debugs may contain any particular error message if it's an issue with the AD account.
Also, have you checked the AD Security logs when the authentication fails?
11-15-2018 04:46 PM
We just had the same issue for one of our client's users. Our fix was someone at some point checked the deny under the user's remote access policy in the AD user properties. Once we enabled that, all is well again.
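As an added example (not from anyone in this thread), here is a PowerShell check that pulls the account-level causes discussed above for a single AD user in one go: disabled/locked out, password expired or must-change, Kerberos preauth setting, and the Dial-in "Network Access Permission" (msNPAllowDialin) that the fix above refers to. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the user object; the sAMAccountName passed in is a placeholder you replace with the affected user.

```powershell
# Added example, not from the original thread.
# Assumes the ActiveDirectory (RSAT) module and read rights on the user object.
function Test-VpnAccountBlockers {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName   # placeholder: the affected user's logon name
    )

    Import-Module ActiveDirectory

    $props = 'Enabled', 'LockedOut', 'PasswordExpired', 'pwdLastSet',
             'msNPAllowDialin', 'DoesNotRequirePreAuth', 'LastBadPasswordAttempt'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    $findings = @()
    if (-not $u.Enabled)     { $findings += 'Account is disabled' }
    if ($u.LockedOut)        { $findings += 'Account is locked out' }
    if ($u.PasswordExpired)  { $findings += 'Password has expired' }
    # pwdLastSet of 0 is how AD stores "User must change password at next logon"
    if ($u.pwdLastSet -eq 0) { $findings += 'User must change password at next logon' }

    # msNPAllowDialin is the Dial-in tab's Network Access Permission:
    #   $false = Deny access, $true = Allow access, $null = Control via NPS policy
    if ($u.msNPAllowDialin -eq $false) {
        $findings += 'Dial-in (remote access) permission is set to Deny'
    }

    # Informational: this flag is what the "do not require Kerberos preauthentication"
    # checkbox sets; it is worth knowing if someone changed it while troubleshooting.
    if ($u.DoesNotRequirePreAuth) {
        $findings += 'Kerberos preauthentication is disabled on this account'
    }

    if ($findings.Count -eq 0) {
        "No account-level blocker found for $SamAccountName (last bad password: $($u.LastBadPasswordAttempt)); " +
        "next step is 'debug ldap 255' or 'debug radius all' on the ASA and the DC Security log."
    } else {
        $findings
    }
}

# Usage: Test-VpnAccountBlockers -SamAccountName 'jdoe'   # replace with the real account
```

Because the ASA only sees the bind/authentication result, this tells you whether AD itself would refuse the user before you spend time on the ASA debugs.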
11-19-2020 02:19 PM
@jfaulkner Have you managed to find the solution to this issue?
I have the same related issue with several users and the only workaround right now is to create another AD account for VPN connection.