06-17-2021 04:09 AM
During ASA/VPN troubleshooting by running debug webvpn, I noticed a number of rejected webvpn login attempts with different user names (log below). These login attempts are not from any of our staff members. I assume this is not from AnyConnect Client, and they are attempting to connect via Clientless SSL VPN (WebVPN)? Just to add that the ASA portal login page is shut down.
How would I go about checking what IP the rejected connection attempts are coming from?
webvpn_portal.c:ewaFormSubmit_webvpn_login[3827]
webvpn_portal.c:webvpn_login_validate_net_handle[2579]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2599]
webvpn_portal.c:webvpn_login_assign_app_next[2617]
webvpn_portal.c:webvpn_login_cookie_check[2633]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2679]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2712]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2783]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2838]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2918]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3054]
webvpn_portal.c:webvpn_login_check_cert_status[3164]
webvpn_portal.c:webvpn_login_cert_only[3246]
webvpn_portal.c:webvpn_login_saml_only[3274]
webvpn_portal.c:webvpn_login_primary_username[3310]
webvpn_portal.c:webvpn_login_primary_password[3460]
webvpn_portal.c:webvpn_login_secondary_username[3488]
webvpn_portal.c:webvpn_login_secondary_password[3573]
webvpn_portal.c:webvpn_login_extra_password[3622]
webvpn_portal.c:webvpn_login_set_cookie_flag[3641]
webvpn_portal.c:webvpn_login_set_auth_group_type[3664]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3685]
webvpn_auth.c:http_webvpn_post_authentication[1362]
WebVPN: user: (Administrator) rejected.
webvpn_remove_auth_handle: auth_handle = 550
http_webvpn_post_authentication[1456] ewsContextSendReply(WEBVPN_PAGE_LOGIN)
http_webvpn_post_authentication[1596] -> NULL
webvpn_portal.c:webvpn_login_aaa_resuming[3723]
ewaFormSubmit_webvpn_login() -> redirect status=1 ret='NULL'
webvpn_free_auth_struct: net_handle = 0x00007f3fb9fd8bf0
webvpn_allocate_auth_struct: net_handle = 0x00007f3fb9fd8bf0
webvpn_free_auth_struct: net_handle = 0x00007f3fb9fd8bf0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3827]
webvpn_portal.c:webvpn_login_validate_net_handle[2579]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2599]
webvpn_portal.c:webvpn_login_assign_app_next[2617]
webvpn_portal.c:webvpn_login_cookie_check[2633]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2679]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2712]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2783]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2838]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2918]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3054]
webvpn_portal.c:webvpn_login_check_cert_status[3164]
webvpn_portal.c:webvpn_login_cert_only[3246]
webvpn_portal.c:webvpn_login_saml_only[3274]
webvpn_portal.c:webvpn_login_primary_username[3310]
webvpn_portal.c:webvpn_login_primary_password[3460]
webvpn_portal.c:webvpn_login_secondary_username[3488]
webvpn_portal.c:webvpn_login_secondary_password[3573]
webvpn_portal.c:webvpn_login_extra_password[3622]
webvpn_portal.c:webvpn_login_set_cookie_flag[3641]
webvpn_portal.c:webvpn_login_set_auth_group_type[3664]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3685]
webvpn_auth.c:http_webvpn_post_authentication[1362]
WebVPN: user: (admin) rejected.
webvpn_remove_auth_handle: auth_handle = 535
http_webvpn_post_authentication[1456] ewsContextSendReply(WEBVPN_PAGE_LOGIN)
http_webvpn_post_authentication[1596] -> NULL
webvpn_portal.c:webvpn_login_aaa_resuming[3723]
ewaFormSubmit_webvpn_login() -> redirect status=1 ret='NULL'
webvpn_free_auth_struct: net_handle = 0x00007f3fbc426cb0
webvpn_allocate_auth_struct: net_handle = 0x00007f3fbc426cb0
webvpn_free_auth_struct: net_handle = 0x00007f3fbc426cb0
06-18-2021 01:23 PM
Enable logging and filter for the syslog message ASA-6-113015; this will provide the user and the user IP address.
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = TEST : user IP = 2.2.2.100
If the username is unknown or not valid, it won't be displayed correctly until you configure the command "no logging hide username", at which point it will be revealed as per the example above.
More information on the syslog message:-
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769508
HTH
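Once the 113015 messages are being collected, the rejected attempts can be grouped by source address to see which hosts are guessing usernames. This is an added example, not part of the original reply: it parses lines in the layout of the sample message above, and the sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout follows the 113015 sample quoted in the reply above.
MSG_113015 = re.compile(
    r"%ASA-6-113015: AAA user authentication Rejected\s*:\s*"
    r"reason = (?P<reason>.*?)\s*:\s*"
    r"(?P<source>.*?)\s*:\s*"
    r"user = (?P<user>.*?)\s*:\s*"
    r"user IP = (?P<ip>\S+)"
)

def summarize_rejections(lines):
    """Group rejected logins by source IP: attempt count, usernames, reasons."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "reasons": set()})
    for line in lines:
        m = MSG_113015.search(line)
        if not m:
            continue  # not a 113015 message, skip it
        entry = summary[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        entry["reasons"].add(m.group("reason"))
    return dict(summary)

def noisy_sources(summary, min_attempts):
    """Return (ip, attempts) pairs at or above the threshold, busiest first."""
    hits = [(ip, e["attempts"]) for ip, e in summary.items()
            if e["attempts"] >= min_attempts]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jun 18 2021 13:20:01: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = Administrator : user IP = 203.0.113.50
Jun 18 2021 13:20:04: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.50
Jun 18 2021 13:20:07: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = TEST : user IP = 198.51.100.7
Jun 18 2021 13:20:09: unrelated message that must be ignored
Jun 18 2021 13:20:12: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = Administrator : user IP = 203.0.113.50
""".splitlines()

if __name__ == "__main__":
    report = summarize_rejections(SAMPLE_LOG)
    for ip, count in noisy_sources(report, 1):
        users = ", ".join(sorted(report[ip]["users"]))
        print(f"{ip}: {count} rejected attempts, usernames tried: {users}")
```

Several different usernames rejected from one address in a short window points to guessing rather than a user mistyping a password, and that address is the one to examine or block upstream.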
06-21-2021 02:19 AM
Thank you for the reply. I am looking into this now.