06-25-2016 05:58 AM
We had an internet connectivity problem. After it was resolved, we weren't able to connect to the VPN with the AnyConnect client; the error was "Failed to get AAA handle".
We updated the IOS from asa917-k8.bin to asa917-6-k8.bin. No luck. It allows us to connect only once after a reboot. Very strange behavior. Do we have to change the IOS version?
We tried both local and LDAP authentication.
08-29-2017 03:30 PM
Were you able to find a fix for this?
08-29-2017 11:37 PM
Hello,
Which AnyConnect client are you running? Try the latest release (4.5). Also, which clients are you having this problem with (Windows 10)?
10-20-2019 06:14 PM
In the interest of passing on knowledge, here is the root cause of what I experienced that caused the "failed to get AAA handle" message to appear anytime anyone tried to establish an IPSEC VPN connection into an ASA using Anyconnect.
When the syslog buffer fills up, the ASA by default will stop allowing any new VPN traffic at all, by anyone (even local accounts). In my case, changing the ASA configuration to send logs to the syslog server via TCP (vice UDP) caused the syslog buffer to fill up in a matter of hours (due to another problem on the ASA which was blocking TCP connections to the syslog server). That is when the "failed to get AAA handle" message began appearing.
To fix the problem, we first made the ACL correction to allow TCP connections to the syslog server. At that point, logs started flowing out of the syslog buffer and VPN connections were permitted and the AAA handle error went away. There is also a checkbox that appears after you switch to syslog over TCP to allow VPNs to continue to function even if the syslog buffer fills up.
Hope this helps anyone in the future who gets this misleading error message. The cause has nothing to do with AAA.
10-20-2019 10:06 PM
09-14-2020 05:45 PM
This was exactly it, for either reliable syslog or syslog over TLS.
permit-hostdown  Allow new connection even if TCP syslog server is down
logging permit-hostdown will override this behavior if TCP endpoint is not responding.
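A configuration audit for the condition this thread describes, added here as an example and not taken from any post: it scans a saved ASA running-config for syslog hosts using TCP (the `tcp/<port>` or numeric `6/<port>` form, with or without `secure`) and reports whether `logging permit-hostdown` is present, since only that combination makes the ASA refuse new VPN sessions when the logging queue fills. The sample config and addresses are constructed.

```python
import re
from typing import Dict, List

# "logging host <iface> <addr> [tcp|udp|6|17]/<port> [secure]"; the protocol
# field is optional, and an absent field means the default UDP/514 transport.
LOGGING_HOST_RE = re.compile(
    r"^\s*logging host (?P<iface>\S+) (?P<addr>\S+)"
    r"(?: (?P<proto>tcp|udp|6|17)/(?P<port>\d+))?(?P<secure> secure)?\s*$",
    re.IGNORECASE,
)
PERMIT_HOSTDOWN_RE = re.compile(r"^\s*logging permit-hostdown\s*$")


def audit_asa_logging(config_text: str) -> Dict[str, object]:
    """Return the TCP/TLS syslog hosts found and whether VPN access depends on them."""
    tcp_hosts: List[str] = []
    permit_hostdown = False
    for line in config_text.splitlines():
        if PERMIT_HOSTDOWN_RE.match(line):
            permit_hostdown = True
            continue
        m = LOGGING_HOST_RE.match(line)
        if m and m.group("proto") and m.group("proto").lower() in ("tcp", "6"):
            tcp_hosts.append(m.group("addr"))
    return {
        "tcp_syslog_hosts": tcp_hosts,
        "permit_hostdown": permit_hostdown,
        # New VPN sessions are blocked once the queue fills only when a TCP
        # syslog host exists and permit-hostdown has not been configured.
        "vpn_at_risk": bool(tcp_hosts) and not permit_hostdown,
    }


# Constructed sample: reliable syslog over TCP, without permit-hostdown.
SAMPLE_CONFIG = """\
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11 6/6514 secure
logging host dmz 198.51.100.5
"""

if __name__ == "__main__":
    result = audit_asa_logging(SAMPLE_CONFIG)
    print("TCP syslog hosts:", result["tcp_syslog_hosts"])
    if result["vpn_at_risk"]:
        print("WARNING: add 'logging permit-hostdown' or new VPN sessions "
              "will be refused if the TCP syslog server becomes unreachable")
```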
07-15-2020 12:50 PM
It's the correct link.
01-10-2025 03:52 PM
Thanks. Many years later and this helped me out. Denying new client VPN sessions by default when a syslog buffer is full isn't my favorite design decision.