Logon failures from anyconnect VPN

AllanArnold
Level 1

 

A user is unable to access our VPN site with a password that we know is correct. I am convinced that it's verified that the configuration profile is OK by authenticating with another account on the same client, which works well.

 

Information collected from custom log files:

 

Function: SDIMgr::ProcessPromptData
File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\vpn\api\sdimgr.cpp
Line: 336
Authentication is not token based (OTP).

 

Function: CTransportWinHttp::setResponseData
File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\vpn\api\ctransportwinhttp.cpp
Line: 1643
Invoked Function: WinHttpQueryHeaders
Return Code: 12150 (0x00002F76)

The requested header was not found.


 

Does someone have any ideas as to what it might be that triggers this fault?

1 Accepted Solution

The issue is solved; there was a '&' character included in the password that caused this behaviour. It can be found in this article:
https://community.cisco.com/t5/vpn/not-working-characters-in-user-passwords-for-vpn-access/td-p/2758379

Br,
Allan

7 Replies

Cristian Matei
VIP Alumni

Hi,

 

    1. Type the clear-text password in Notepad first, to ensure there are no issues with keyboard keys or layout, so as to confirm it.

    2. Are you sure the gateway requires only user/pass authentication? Maybe you would also need a certificate alongside.

 

Regards,

Cristian Matei.

Thanks Cristian. 

 

There's no doubt that the password entered is correct, and it's unlikely to be a certificate issue since we're able to log in with a different account on this client.

 

 

Hi,

 

   So let me understand: you have a username/password that can be used for VPN from a specific machine, but the same username/password fails authentication from another machine, is this correct? When you try this username/password combination from both machines, do you use the same VPN profile, do you connect using the same group/connection-profile from the AnyConnect GUI, the one named "AnyConnectVPN"? Is your VPN headend an ASA box?

 

Regards,

Cristian Matei.

 

I have tried logging in with the account on two different clients and neither of them grants access to the VPN, and when authenticating on the customer client with a second account it's functional, which should mean that the user profile is not configured correctly; however, it's possible to log in with it with the same credentials in the office portal.

Hi,

 

    From your initial post, it looked like the same user was working from one station/client and not from another station/client; this would have been possible, but it's not your case. I understand that another account (user/pass) works, but not the one you're speaking about. In this case, assuming you're trying to connect with both users to the same VPN gateway, on the same group/connection-profile (what shows up in the AnyConnect window when you press connect), it means there are restrictions done at the VPN headend (either the VPN gateway, or at the authentication/authorization server level).

 

Regards,

Cristian Matei.

I'm having the same issue. Once in a blue moon it works. My password does not contain an ampersand, only non-special characters.

Is there any way as a user to debug this?