Solved: Re: Duo 2FA for AnyConnect giving an error message

mmoulson1 · ‎10-08-2020

I am trying to configure 2FA using Duo for Any Connect login.

I have completed the few steps that seem to be very simple to configure the Duo gateway and ASA config. I am prompted to login via Duo and complete 2FA using my mobile app. However once this is done I am hit with the error: "unable to update the session management database" Duo support seem to think this is an ASA problem, however searching this error only finds results related to old versions of ASA code.

Thanks in advance

mmoulson1 · ‎11-20-2020

For anyone interested the problem was this config under the default group policy:

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0

I had created a separate group policy for AnyConnect with Duo but the 'vpn-simultaneous-logins' attribute is inherited from the default policy. This caused the "unable to update the session management database" error after passing the Duo authentication.

The fix was to configure 'vpn-simultaneous-logins 1' under the Duo policy, or change the default policy.

View solution in original post

mmoulson1 · ‎11-20-2020

For anyone interested the problem was this config under the default group policy:

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0

I had created a separate group policy for AnyConnect with Duo but the 'vpn-simultaneous-logins' attribute is inherited from the default policy. This caused the "unable to update the session management database" error after passing the Duo authentication.

The fix was to configure 'vpn-simultaneous-logins 1' under the Duo policy, or change the default policy.

30-06 · ‎09-13-2023

I was getting this error due to missing authorization line:

tunnel-group anyconnect general-attributes
authorization-server-group SERV-LDAP