Problems connecting to anyconnect on ASA

3moloz123 · ‎01-20-2011

Hi,

Running ASA 8.2 on a 5505, and all of a sudden I cant connect to the vpn. Today I did some port forwards, a part from that I didnt do anything really.

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy company internal
group-policy company attributes
 dns-server value 10.180.3.15 10.10.10.19
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value company_tunnel_all
 address-pools value vpnpool
username adminuser password efwefwefewfe encrypted privilege 15
username adminuser attributes
 vpn-group-policy tictac
tunnel-group tictac type remote-access
tunnel-group tictac general-attributes
 address-pool vpnpool
 default-group-policy tictac
tunnel-group company ipsec-attributes
 pre-shared-key *****
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
 address-pool vpnpool
 default-group-policy tictac
tunnel-group testclient type remote-access
tunnel-group testclient general-attributes
 address-pool vpnpool
tunnel-group testclient webvpn-attributes
 group-alias test enable
 group-url https://10.10.10.47/test enable

INFO: debug webvpn enabled at level 255.
ciscoasa# webvpn_allocate_auth_struct: net_handle = CB3670C0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = testclient
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = testclient
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-900036272) and nh (-885624640)!
webvpn_add_auth_handle: auth_handle = 258
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = testclient
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (adminuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
webvpn_session.c:http_webvpn_create_session[184]
WebVPN: error creating WebVPN session!
webvpn_remove_auth_handle: auth_handle = 258
webvpn_portal.c:webvpn_determine_primary_username[5683]
webvpn_portal.c:webvpn_determine_secondary_username[5752]
webvpn_portal.c:ewaFormServe_webvpn_login[1974]
webvpn_portal.c:http_webvpn_kill_cookie[790]
APP_BUFFER: <option value="testclient" noaaa="0" >test</option>
webvpn_free_auth_struct: net_handle = CB3670C0
webvpn_allocate_auth_struct: net_handle = CB3670C0
webvpn_free_auth_struct: net_handle = CB3670C0

3moloz123 · ‎01-20-2011

The weird thing is that IPSEC still works.

The device is not a security+, but from I can tell of ASDM "Monitor" tab, it does not seem to be because we have reached the limitation of 50 "users".

No other VPN client is connected, so it's definitely not that we use both the SSL VPN connections that are allowed with the license.

Question is why it just says "error creating WebVPN session"

rahgovin · ‎01-20-2011

What were the changes that were made? You could you try connecting the same with a browser to the ASAs fqdn and see if a ssl vpn login page turns up. Also you could also apply a capture on the ASAs outside interface for traffic on port 443 to see where it is getting blocked.