Error on connecting to AnyConnect: "Failed to create session manager entry"

rockey
Level 1

Hi

In our environment an ASA is installed, and users get the error message "Failed to create session manager entry" when they connect to the AnyConnect VPN.

 

When I checked on the ASA:

 

sh vpn-sessiondb anyconnect
sh vpn-sessiondb summary

 

nothing is shown.

 

Please help with this.


balaji.bandi
Hall of Fame

Can you provide us with more information:

1. ASA model of the devices.

2. What ASA OS code is running?

3. AnyConnect version.

4. What operating system is the AnyConnect client installed on?

Is this a working setup that failed, or a new setup?

 

BB


Hi Rockey,

 

I hardly believe it will occur because of client-side activities like hibernating the laptop the entire week and using it daily.

What is happening here is that a session may have been created and the user is trying to create one more session using the credentials.

Try restarting the Cisco AnyConnect service to fix it.

 

 

Regards,

Salesh MS

Did you find any solution to this problem?

Currently having the same issue. Reloading didn't work.

This is most likely CSCvw34277 bug. Are you saying that reloading the *ASA* didn't help? Hard to believe.

 

Yes, it didn't help; we did reload the firewall. What is hard to believe is that Cisco doesn't have a fix for this.

You need to check if everything is OK with licensing. Is it Firepower or a good old ASA box? Check:

show version
show license all
show vpn-sessiondb license-summary

 

I had this error "Failed to create session manager entry" today when connecting to the VPN after running "sfc /scannow" on the RADIUS server. Restarting the NPS service resolved the issue.

Nhesson-2
Level 1

Hello all,

We ran into this issue on two different firewalls at the same time. After calling TAC, they suggested we reload both firewalls, which fixed the issue for us. The TAC person does not have a reason why two different firewalls came up with the same issue at the same time. 9.18(4)22 is our current version, and we had no issue up until today.

 

I can tell you that we had it happen to 5 different ASAs at the same time. Some older 5512-X, some 5508-X and 5506-X, and one FPR-1010 running ASA software. They are not all running the same version. All of them are using Duo with SAML authentication. None of the ASAs running without Duo were impacted. Duo shows that all these sessions authenticated without issue. So when Duo sends the AnyConnect client back the hash key for the ASA to accept, that is when the failure is happening.

 

I can reproduce it on Mac and Windows. We can have it fail 1 or 2 times in a row and then successfully connect. It seems random. This will work for a while and then start happening again.

We have had TAC gather debug logs during the failures and DART logs from the client that correspond to the failures. They are investigating now what is in those logs and debug captures.

engineer467
Level 1

Hi Troyb,

Did TAC respond back with any solution? Please share.

Thank you.

Hello,

TAC did reply and stated that this is due to brute-force hacking attempts against the AnyConnect profiles. See the link below that they provided as a guide on how to reduce the possibility of this happening. Essentially, what is happening is that scripts are being used to try to brute-force authenticate against the RADIUS/local ASA authentication. This basically causes the ASA to run out of resources to handle the authentication requests.



https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html#toc-hId-1889061833
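The reply above attributes the error to scripted brute-force logins exhausting the ASA's authentication resources. A quick way to confirm that on your own box is to count AAA rejections per source address in the syslog the ASA sends to your collector. The script below is an added example written for this thread, not Cisco's code or anything from the linked hardening guide. It parses lines in the shape of ASA message 113005 (AAA user authentication Rejected) and flags any source IP that accumulates `threshold` rejections inside a sliding window of `window_seconds`; the sample log lines, hostnames, addresses and usernames are constructed for the example, and the threshold and window values are arbitrary starting points, not Cisco recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog in the shape of ASA message 113005 (AAA
# authentication rejected) plus one 113004 (accepted) line that must be
# ignored. Addresses, hostnames and usernames are placeholders, not real data.
SAMPLE_LOG = """\
Mar 03 2024 10:00:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Mar 03 2024 10:00:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Mar 03 2024 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = guest : user IP = 203.0.113.10
Mar 03 2024 10:00:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.10
Mar 03 2024 10:00:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = user1 : user IP = 203.0.113.10
Mar 03 2024 10:00:06 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Mar 03 2024 10:00:30 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
Mar 03 2024 10:00:31 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Mar 03 2024 10:03:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
Mar 03 2024 10:05:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = root : user IP = 203.0.113.10
"""

# Only 113005 lines carry a rejection; the lazy ".*?" skips the static text
# ("AAA user authentication Rejected ...") up to the "user = " field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_rejections(text):
    """Return a list of (timestamp, source_ip, username) for every 113005 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated messages are skipped
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_brute_force(text, threshold=5, window_seconds=60):
    """Map source IP -> (peak rejections in one window, sorted usernames tried).

    An IP is reported when at least `threshold` rejections fall inside any
    `window_seconds` span. Threshold and window are arbitrary example values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_rejections(text):
        by_ip[ip].append((ts, user))

    offenders = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it fits window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                if ip not in offenders or count > offenders[ip][0]:
                    offenders[ip] = (count, users)
    return offenders


if __name__ == "__main__":
    for ip, (count, users) in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} rejections in one window, usernames tried: {users}")
```

Run it against an export from your syslog collector instead of `SAMPLE_LOG` to see whether rejections cluster on a handful of sources and spray many usernames; that pattern, together with the session manager failures, is what the TAC explanation predicts. A single legitimate user mistyping a password (198.51.100.7 in the sample) stays below the threshold and is not reported.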


Thank you for the quick reply.