08-18-2018 03:02 PM - edited 02-21-2020 09:26 PM
I am in the process of standing up 3 new ASA 5516-X devices to replace our old ASA 5520 VPN firewalls that are EOL next month on September 18th. I have the first one up and running, having replaced the old 5520 about 2 weeks ago. The device name and IP address on the new device are the same as the old, so all our client machines could continue to use the existing AnyConnect on their laptops.
At first, after the cutover, everything seemed OK: when I shut down the old and connected the new ASA, I immediately saw people connecting to it. However, after 2 days, I started getting calls from folks who have accounts on a child domain that they were not able to connect to the new ASA but could still connect to the secondary ASA, which is still on the ASA 5520 platform.
I had a server admin create an account for me in the child domain and give it an e-mail account so I could request and install a VPN certificate from our CA server, and I set it up on my laptop to confirm what was being reported to me. When I am logged into my laptop with my main account, I am able to connect to both the new ASA and the old ASA. But when I log into the laptop with my child domain account, I am still able to log into the old ASA 5520; when I attempt to log in to the new ASA 5516-X, I get the username and password prompt, but when I hit enter I get "login failed" and the login page just keeps coming back up.
I put the ASA in debugging mode and attempted to log in, then checked the log entries and can see the following entries that pertain to my login attempt:
Aug 14 2018 11:18:58: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint3 for client outside:73.148.9.220/58954 to x.x.x.x/443
Aug 14 2018 11:18:58: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint3 for client outside:73.148.9.220/58955 to x.x.x.x/443
Aug 14 2018 11:18:58: %ASA-6-725016: Device selects trust-point ASDM_TrustPoint3 for client outside:73.148.9.220/58956 to x.x.x.x/443
Aug 14 2018 11:18:58: %ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 355818B9000100001EA3, subject name: e=snoverut@chesterfield.gov,cn=Snover\, Tim,ou=IST,dc=utilities,dc=chesterfield,dc=gov, issuer_name: cn=Abbot,dc=chesterfield,dc=gov.
I have had a TAC case open with Cisco on this ever since the issue was reported to me, but they have been less than helpful in resolving it. The engineer keeps getting confused by the fact that my username on the main domain is snovert and on the child domain it is snoverut. These are 2 separate accounts, on different domains, each with its own VPN certificate issued by our CA server (Abbot).
Any help in resolving this would be appreciated. I will be taking the running config files for both the new ASA and the old one, cleaning them of any info that does not pertain to the VPN connections, and will post them in a bit.
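The %ASA-4-717037 line above says that the child-domain certificate did not match any certificate map, so no tunnel group could be selected. The script below is an added example (not from the post, and not Cisco code): it parses that syslog line into RDNs (handling the escaped comma in the CN), then evaluates candidate certificate-map rules against the certificate the way an ASA `crypto ca certificate map` line with eq/ne/co/nc would be read. The matcher is a simplified model for reasoning about which map a certificate would hit, not the ASA's own implementation. The map names, the tunnel-group name `VPN-USERS`, and the parent-domain certificate DN are all constructed for illustration; the post only gives the child-domain DN.

```python
import re

# Constructed sample input: the %ASA-4-717037 line quoted in the post above,
# copied as one line (the subject DN carries an escaped comma in the CN).
LOG_LINE = (
    "Aug 14 2018 11:18:58: %ASA-4-717037: Tunnel group search using certificate "
    "maps failed for peer certificate: serial number: 355818B9000100001EA3, "
    "subject name: e=snoverut@chesterfield.gov,cn=Snover\\, Tim,ou=IST,"
    "dc=utilities,dc=chesterfield,dc=gov, issuer_name: cn=Abbot,dc=chesterfield,dc=gov."
)

LOG_RE = re.compile(
    r"%ASA-4-717037: .*?serial number: (?P<serial>[0-9A-Fa-f]+), "
    r"subject name: (?P<subject>.*?), issuer_name: (?P<issuer>.*?)\.?$"
)


def split_dn(dn):
    """Split an LDAP-style DN into (attr, value) pairs, honouring '\\,' escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def parse_717037(line):
    """Return {'serial', 'subject', 'issuer'} for a 717037 line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "serial": m.group("serial"),
        "subject": split_dn(m.group("subject")),
        "issuer": split_dn(m.group("issuer")),
    }


def dn_string(rdns):
    return ",".join(f"{k}={v}" for k, v in rdns)


def rule_matches(rule, cert):
    """Simplified model of one certificate-map line (not the ASA's own code).

    rule = (field, attr, op, value): field is 'subject' or 'issuer'; attr is an
    RDN attribute such as 'cn', or None to compare the whole DN string;
    op is eq/ne/co/nc. Comparison is case-insensitive.
    """
    field, attr, op, value = rule
    rdns = cert[field]
    haystacks = [v for k, v in rdns if k == attr.lower()] if attr else [dn_string(rdns)]
    needle = value.lower()
    if op in ("eq", "ne"):
        hit = any(h.lower() == needle for h in haystacks)
    elif op in ("co", "nc"):
        hit = any(needle in h.lower() for h in haystacks)
    else:
        raise ValueError(f"unknown operator {op!r}")
    return hit if op in ("eq", "co") else not hit


def select_tunnel_group(cert, cert_maps):
    """First map (in sequence order) whose rules all match wins; None = 717037."""
    for _name, _seq, rules, tunnel_group in sorted(cert_maps, key=lambda m: m[1]):
        if all(rule_matches(r, cert) for r in rules):
            return tunnel_group
    return None


# Hypothetical map keyed on the parent-domain subject suffix: a parent-domain
# cert matches, the child-domain cert from the log line does not.
PARENT_ONLY_MAPS = [
    ("PARENT_USERS", 10, [("subject", None, "co", "ou=IST,dc=chesterfield,dc=gov")], "VPN-USERS"),
]

# Hypothetical map keyed on the issuing CA instead, so certificates from either
# domain (both issued by cn=Abbot) land in the same tunnel group.
ISSUER_MAPS = [
    ("ABBOT_ISSUED", 10, [("issuer", "cn", "eq", "Abbot")], "VPN-USERS"),
]

# Constructed parent-domain certificate; the post gives only the child-domain DN.
PARENT_CERT = {
    "serial": "0000000000000000000001",
    "subject": split_dn("e=snovert@chesterfield.gov,cn=Snover\\, Tim,ou=IST,dc=chesterfield,dc=gov"),
    "issuer": split_dn("cn=Abbot,dc=chesterfield,dc=gov"),
}

if __name__ == "__main__":
    child = parse_717037(LOG_LINE)
    for label, cert in (("child-domain cert", child), ("parent-domain cert", PARENT_CERT)):
        print(label, dn_string(cert["subject"]))
        for maps_label, maps in (("subject-suffix maps", PARENT_ONLY_MAPS), ("issuer maps", ISSUER_MAPS)):
            print(f"  {maps_label:20s} -> {select_tunnel_group(cert, maps)}")
```

Run against the quoted log line, the subject-suffix map returns None for the child-domain certificate (the 717037 condition) while the issuer-keyed map returns the tunnel group for both certificates. On the real device, compare the DNs printed here with the `crypto ca certificate map` rules and the `certificate-group-map` / `tunnel-group-map` lines in the running configuration.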
08-18-2018 03:35 PM
08-18-2018 04:04 PM
Attached is a copy of the running configuration of the old ASA 5520 that was replaced with the 5516-X. One thing to know is that the old 5520 used the protocol "NT" for AAA authentication. That protocol is not supported on the 5516-X platform, so I used Kerberos instead of NT. I have tested the AAA server set up for Kerberos authentication and was able to confirm that both my normal account, SnoverT, and my child domain account, SnoverUT, were able to authenticate properly using the Kerberos protocol.
Also, in this old configuration you will see a lot of configuration for site-to-site connections. These are no longer set up on the ASA VPN, which is why that configuration is not in the ASA 5516-X file above.