Cisco ASA Multi-context Anyconnect Config ( login failed problem )

Hi

I have two ASA-5545X (Active/Active and Multi-context)
ASA Version: asa9-14-2-15
I want to configure AnyConnect (SSL) for one of the contexts with local authentication

I configured my ASA step by step like this document:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html


First, I want to use the default AnyConnect Premium Peers (2) for my test, and after that
I am going to buy an Apex license for AnyConnect.


But I have some questions:

 

1- If I use the ASDM wizard for the AnyConnect config, I don't have any option
to add an image (for this reason I configured it via CLI).

 

2- The AnyConnect client (from outside) could not
access the AnyConnect portal (URL site),
and this message is displayed for the outside user in the browser: "Internal Server Error". At the same time I have this
log on the ASA:
"Clientless access has been blocked because it is not supported in Multi-context mode"

 

3- In this document
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html
it uses this image on the ASA:
anyconnect-win-4.3.05017-k9.pkg

Unfortunately, I cannot find it or a newer version of it on the Cisco website for download.
Which image (.pkg) must I use for my scenario?

 

4- Can AnyConnect clients use an IP address instead of an FQDN from outside?
Or must I generate a local certificate on the ASA?

(It is not important to me that my certificate is invalid.)

--------------------

My problem:
After configuring AnyConnect with the CLI, I cannot connect to it from outside.
After entering the username and password, I get a "login failed" error message.

What is wrong with my config? How do I troubleshoot it?

I attach my config.

 

Thanks

7 Replies

Answer to Question 2. As you are running ASA version 9.14:

Here, multiple context mode does not currently support the following features for remote access VPN:

  • Clientless SSL VPN (In your case the portal will not display as its not supported)

  • AnyConnect 2.x and earlier

  • IKEv1

  • SAML

  • WebLaunch

  • VLAN Mapping

  • HostScan

  • VPN load balancing

  • Customization

  • L2TP

Answer to Question 3. ASA code 9.14 supports AnyConnect version 4.x; however, Cisco mentions here that the old version will work.

Although versions other than those listed below may work, Cisco is not claiming support or full testing, and fixes will be performed only on currently supported products.

 

Answer to Question 4. AnyConnect clients can use the FQDN (as long as the DNS mapping is done) or can connect to the ASA's public IP address. [Why a local certificate? If this is a production network, you need to generate a CSR and get it signed by your public CA. But if testing in a lab, you can generate the local cert.]
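As an added example that is not part of this thread or of Cisco's own tooling, here is a small Python lint that reads an ASA context configuration and flags the remote-access features the reply above lists as unsupported in multiple-context mode. The mapping from each listed feature to a configuration keyword (ssl-clientless, ikev1 and l2tp-ipsec under vpn-tunnel-protocol, and the vpn load-balancing command) is this example's own assumption, as is the sample configuration it runs on, which is modelled on the GP-RA-VPN group-policy quoted later in the thread.

```python
import re

# Features the reply lists as unsupported in multiple-context mode, mapped to
# the vpn-tunnel-protocol keywords that enable them. The mapping itself is an
# assumption made for this example, not a Cisco-published table.
UNSUPPORTED_TUNNEL_PROTOCOLS = {
    "ssl-clientless": "Clientless SSL VPN",
    "ikev1": "IKEv1",
    "l2tp-ipsec": "L2TP",
}

# Global commands that enable another feature from the same list (same caveat).
UNSUPPORTED_GLOBAL_COMMANDS = {
    r"^\s*vpn load-balancing\b": "VPN load balancing",
}

TUNNEL_PROTOCOL_RE = re.compile(r"^(\s*vpn-tunnel-protocol)\s+(.+?)\s*$")


def lint_context_config(config_text):
    """Return (line_no, stripped_line, feature) for every line that turns on a
    feature the multi-context limitations list says is unsupported."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = TUNNEL_PROTOCOL_RE.match(line)
        if m:
            for proto in m.group(2).split():
                feature = UNSUPPORTED_TUNNEL_PROTOCOLS.get(proto)
                if feature:
                    findings.append((line_no, line.strip(), feature))
            continue
        for pattern, feature in UNSUPPORTED_GLOBAL_COMMANDS.items():
            if re.match(pattern, line):
                findings.append((line_no, line.strip(), feature))
    return findings


def strip_unsupported_protocols(line):
    """Rewrite one vpn-tunnel-protocol line so that only protocols outside the
    unsupported list remain; other lines are returned unchanged. Returns None
    when no usable protocol would be left."""
    m = TUNNEL_PROTOCOL_RE.match(line)
    if not m:
        return line
    keep = [p for p in m.group(2).split() if p not in UNSUPPORTED_TUNNEL_PROTOCOLS]
    if not keep:
        return None
    return "%s %s" % (m.group(1), " ".join(keep))


# Constructed sample: a context config modelled on the group-policy in the
# thread, deliberately including protocols the reply lists as unsupported.
SAMPLE_CONTEXT_CONFIG = """\
vpn load-balancing
group-policy GP-RA-VPN internal
group-policy GP-RA-VPN attributes
 vpn-tunnel-protocol ssl-clientless ssl-client ikev1 ikev2
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    for line_no, text, feature in lint_context_config(SAMPLE_CONTEXT_CONFIG):
        print("line %d: %s  -> %s is not supported in multi-context mode"
              % (line_no, text, feature))
    for line in SAMPLE_CONTEXT_CONFIG.splitlines():
        fixed = strip_unsupported_protocols(line)
        if fixed != line:
            print("suggest: %r -> %r" % (line, fixed))
```

Run it against the output of show running-config taken inside the context; every finding is a line to remove or trim before looking further at authentication or licensing for a "login failed" result.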

 

 

My problem:
After configuring AnyConnect with the CLI, I cannot connect to it from outside.
After entering the username and password, I get a "login failed" error message.

 

Could you enable logging on the ASA and see what logs you get for the login failure? Could the username and password be wrong? Setting up logging will give you a good start on where to look. I also believe that as long as you follow the config from the link mentioned in your post above, everything looks good there.

 

group-policy GP-RA-VPN internal
group-policy GP-RA-VPN attributes
 vpn-tunnel-protocol ssl-client ikev2 

Try with: vpn-tunnel-protocol ssl-client

please do not forget to rate.

Thanks for the reply.

My config is step by step like the document above.

I am sure the username and password are correct.

 

So, I use

vpn-tunnel-protocol ssl-client

instead of

vpn-tunnel-protocol ssl-client ikev2

but my problem still persists.

Do you have another idea?

You have to enable logging on the ASA. What do the logs show you?

please do not forget to rate.

My config for debugging AnyConnect on the ASA:


ASA5545/1(config)# sh debug
debug aaa authentication enabled at level 1
debug vpn-sessiondb enabled at level 1
debug vpn-session-trace enabled at level 1
debug ssl enabled at level 1
debug webvpn enabled at level 1
debug webvpn request enabled at level 1
debug webvpn response enabled at level 1
debug webvpn anyconnect enabled at level 255
debug webvpn session enabled at level 1
debug webvpn task enabled at level 1

 

---------------------------

I get these logs on the ASA when I try to connect with the AnyConnect client:


ASA5545/1(config)# #0x00007f7b54bdaff0 (POST). Request line:/
#0x00007f7b54bdaff0 (Response) Start
#0x00007f7b54bdaff0 (Response) Open handler file [/CSCOSSLC/config-auth]
#0x00007f7b54bdaff0 (Response) Processing LUA page.
VPN-SESSION-TRACE[1]:vc=7:SESS_Mgmt_FreeSessionFileLineFunc: Index=0x0008B000 ACTIVE @ aaa_shim_utils.c:270@aaa_shim_cleanup_auth_ctx
VPN-SESSION-TRACE[1]: < 0x000056366760f2b4 < 0x0000563665a70d62 < 0x0000563665a6db7f < 0x0000563665a67ba5 < 0x0000563665a7b75d
#0x00007f7b54bdaff0 (Response) Finish, connection keep-alive.

 


Could my problem be due to not having an Apex license?

Because I have not yet purchased the Apex license,

I just assigned the default AnyConnect Premium Peers (2) from the system context to the AnyConnect context.

If it was a licensing limitation of AnyConnect, you would have seen it in the logs. I have attached a link; have a look at it.

 

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212972-anyconnect-vpn-client-troubleshooting-gu.html

 

 

Run these commands and post the output here:

debug webvpn anyconnect
deb dap trace

please do not forget to rate.

Thanks Sheraz.

Problem solved

by buying an AnyConnect Apex license.

It didn't work with the default license on the ASA.