SSL VPN Webauth/anyconnect failure

pghbrea
Level 1

So with our setup we're using the SSL webauth page as it uses RSA Adaptive Authentication as the second factor for auth. In the DAP we then push the connection over to anyconnect. The result is this.

1. Webauth to AD

2. RSA auth with questions

3. DAP match

4. Anyconnect verification/download/upgrade/connect

At the 4th stage the AnyConnect downloader completes all the appropriate checks for install, version upgrade, and then connect.

We have a user with a Windows 7 machine that's failing on this 4th step. I've watched the 1st three phases succeed each time and then when it comes time for the 4th step there's no indication of an issue. The webpage just defaults back to the login page with no error or any information as to what occurred or didn't occur.

In the logs I see the following

- Primary auth pass

- Secondary auth pass

- DAP match success

- Unknown logs

Below is what I see in the logs for the issue user and my session

Jan 10 2013 17:51:00: %ASA-6-734001: DAP: user issueuser, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: xxx

Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create RAMFS message change path sessions/27017216/user:issueuser to standby unit

Jan 10 2013 17:51:00: %ASA-6-716001: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session started.

Jan 10 2013 17:51:00: %ASA-7-720041: (VPN-Primary) Sending Create WebVPN Session message user issueuser, IP x.x.x.x to standby unit

Jan 10 2013 17:51:00: %ASA-6-716038: Group <company> user <issueuser> IP <x.x.x.x> Authentication: successful, Session Type: WebVPN.

Jan 10 2013 18:21:25: %ASA-7-720041: (VPN-Primary) Sending Delete WebVPN Session message user issueuser, IP x.x.x.x to standby unit

Jan 10 2013 18:21:25: %ASA-6-716002: Group <company> user <issueuser> IP <x.x.x.x> WebVPN session terminated: Idle Timeout.

Jan 10 2013 20:12:50: %ASA-6-734001: DAP: user mysession, Addr x.x.x.x, Connection Clientless: The following DAP records were selected for this connection: company-Non-Owned

Jan 10 2013 20:13:06: %ASA-4-722041: TunnelGroup <company> GroupPolicy <company> issueuser <mysession> IP <x.x.x.x> No IPv6 address available for SVC connection

Jan 10 2013 20:13:06: %ASA-5-722033: Group <company> user <mysession> IP <x.x.x.x> First TCP SVC connection established for SVC session.

Jan 10 2013 20:13:06: %ASA-6-722022: Group <company> user <mysession> IP <x.x.x.x> TCP SVC connection established without compression

Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping x.x.x.x - LOCAL\mysession Succeeded - VPN user

Jan 10 2013 20:13:06: %ASA-7-746012: issueuser-identity: Add IP-user mapping session.ip.address - LOCAL\mysession Succeeded - VPN user

Jan 10 2013 20:13:06: %ASA-4-722051: Group <company> user <mysession> IP <x.x.x.x> Address <session.ip.address> assigned to session

Thanks for any help and/or suggestions.

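Added example, not part of the original post: a small triage script that walks ASA syslog lines like the ones above and reports every user whose DAP match (734001) was never followed by an AnyConnect SVC tunnel message (722033, 722022, 722051), which is the difference between the two sessions in the excerpt. The sample lines are constructed from the post's format, the 192.0.2.x addresses are placeholders, and the function name is hypothetical.

```python
import re
from datetime import datetime

# Message IDs taken from the log excerpt in the post.
DAP_SELECTED = "734001"
SESSION_END = "716002"
SVC_IDS = {"722033", "722022", "722051"}  # AnyConnect (SVC) tunnel events

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(\d{6}): (.*)$")
USER_RE = re.compile(r"\buser <?([^>,\s]+)>?")

# Constructed sample modelled on the post's lines; addresses are placeholders.
SAMPLE = """\
Jan 10 2013 17:51:00: %ASA-6-734001: DAP: user issueuser, Addr 192.0.2.10, Connection Clientless: The following DAP records were selected for this connection: xxx
Jan 10 2013 17:51:00: %ASA-6-716001: Group <company> user <issueuser> IP <192.0.2.10> WebVPN session started.
Jan 10 2013 18:21:25: %ASA-6-716002: Group <company> user <issueuser> IP <192.0.2.10> WebVPN session terminated: Idle Timeout.
Jan 10 2013 20:12:50: %ASA-6-734001: DAP: user mysession, Addr 192.0.2.20, Connection Clientless: The following DAP records were selected for this connection: company-Non-Owned
Jan 10 2013 20:13:06: %ASA-5-722033: Group <company> user <mysession> IP <192.0.2.20> First TCP SVC connection established for SVC session.
""".splitlines()


def stalled_sessions(lines):
    """Return one dict per DAP match that was never followed by an SVC event."""
    open_sessions, stalled = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, msg_id, text = m.groups()
        u = USER_RE.search(text)
        if not u or msg_id not in SVC_IDS | {DAP_SELECTED, SESSION_END}:
            continue  # ignore failover (720041), identity (746012), etc.
        user = u.group(1)
        when = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        if msg_id == DAP_SELECTED:
            open_sessions[user] = {"user": user, "dap_at": when, "tunnel": False}
        elif user in open_sessions and msg_id in SVC_IDS:
            open_sessions[user]["tunnel"] = True
        elif user in open_sessions and msg_id == SESSION_END:
            s = open_sessions.pop(user)
            if not s["tunnel"]:
                s["reason"] = text.rsplit("terminated: ", 1)[-1].rstrip(".")
                s["open_for"] = when - s["dap_at"]
                stalled.append(s)
    # DAP matches still open at end of log with no tunnel are also reported.
    stalled += [s for s in open_sessions.values() if not s["tunnel"]]
    return stalled
```

Run against a full syslog export, each returned entry gives the user, the DAP match time, the termination reason and how long the clientless session stayed open without a tunnel.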