
webvpn Unknown/Rejected repeated login attempts advice.

de.101
Level 1

During ASA/VPN troubleshooting by running debug webvpn, I noticed a number of rejected webvpn login attempts with different user names (log below). These login attempts are not from any of our staff members. I assume this is not from the AnyConnect Client, and that they are attempting to connect via Clientless SSL VPN (WebVPN)? Just to add that the ASA portal login page is shut down.

How would I go about checking what IP the rejected connection attempts are coming from?

 

webvpn_portal.c:ewaFormSubmit_webvpn_login[3827]
webvpn_portal.c:webvpn_login_validate_net_handle[2579]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2599]
webvpn_portal.c:webvpn_login_assign_app_next[2617]
webvpn_portal.c:webvpn_login_cookie_check[2633]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2679]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2712]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2783]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2838]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2918]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3054]
webvpn_portal.c:webvpn_login_check_cert_status[3164]
webvpn_portal.c:webvpn_login_cert_only[3246]
webvpn_portal.c:webvpn_login_saml_only[3274]
webvpn_portal.c:webvpn_login_primary_username[3310]
webvpn_portal.c:webvpn_login_primary_password[3460]
webvpn_portal.c:webvpn_login_secondary_username[3488]
webvpn_portal.c:webvpn_login_secondary_password[3573]
webvpn_portal.c:webvpn_login_extra_password[3622]
webvpn_portal.c:webvpn_login_set_cookie_flag[3641]
webvpn_portal.c:webvpn_login_set_auth_group_type[3664]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3685]
webvpn_auth.c:http_webvpn_post_authentication[1362]
WebVPN: user: (Administrator) rejected.
webvpn_remove_auth_handle: auth_handle = 550
http_webvpn_post_authentication[1456] ewsContextSendReply(WEBVPN_PAGE_LOGIN)
http_webvpn_post_authentication[1596] -> NULL
webvpn_portal.c:webvpn_login_aaa_resuming[3723]
ewaFormSubmit_webvpn_login() -> redirect status=1 ret='NULL'
webvpn_free_auth_struct: net_handle = 0x00007f3fb9fd8bf0
webvpn_allocate_auth_struct: net_handle = 0x00007f3fb9fd8bf0
webvpn_free_auth_struct: net_handle = 0x00007f3fb9fd8bf0

webvpn_portal.c:ewaFormSubmit_webvpn_login[3827]
webvpn_portal.c:webvpn_login_validate_net_handle[2579]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2599]
webvpn_portal.c:webvpn_login_assign_app_next[2617]
webvpn_portal.c:webvpn_login_cookie_check[2633]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2679]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2712]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2783]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2838]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2918]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3054]
webvpn_portal.c:webvpn_login_check_cert_status[3164]
webvpn_portal.c:webvpn_login_cert_only[3246]
webvpn_portal.c:webvpn_login_saml_only[3274]
webvpn_portal.c:webvpn_login_primary_username[3310]
webvpn_portal.c:webvpn_login_primary_password[3460]
webvpn_portal.c:webvpn_login_secondary_username[3488]
webvpn_portal.c:webvpn_login_secondary_password[3573]
webvpn_portal.c:webvpn_login_extra_password[3622]
webvpn_portal.c:webvpn_login_set_cookie_flag[3641]
webvpn_portal.c:webvpn_login_set_auth_group_type[3664]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3685]
webvpn_auth.c:http_webvpn_post_authentication[1362]
WebVPN: user: (admin) rejected.
webvpn_remove_auth_handle: auth_handle = 535
http_webvpn_post_authentication[1456] ewsContextSendReply(WEBVPN_PAGE_LOGIN)
http_webvpn_post_authentication[1596] -> NULL
webvpn_portal.c:webvpn_login_aaa_resuming[3723]
ewaFormSubmit_webvpn_login() -> redirect status=1 ret='NULL'
webvpn_free_auth_struct: net_handle = 0x00007f3fbc426cb0
webvpn_allocate_auth_struct: net_handle = 0x00007f3fbc426cb0
webvpn_free_auth_struct: net_handle = 0x00007f3fbc426cb0


@de.101 

Enable logging, filter for the syslog message ASA-6-113015, this will provide the user and the user IP address.

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = TEST : user IP = 2.2.2.100

If the username is unknown or not valid it won't be displayed correctly until you configure the command "no logging hide username", at which point it will be revealed as per the example above.

 

More information on the syslog message:-

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769508

 

HTH
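
Added example, not part of the reply above: once the 113015 messages are being collected, a short script can group the rejections by source IP and list the usernames each address tried. The field layout is taken from the sample line quoted in the reply; the function names, timestamps, hostname, addresses (documentation ranges) and the `*****` hidden-username placeholder are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Field layout follows the %ASA-6-113015 sample quoted in the reply.
RE_113015 = re.compile(
    r"%ASA-6-113015: AAA user authentication Rejected\s*:\s*"
    r"reason = (?P<reason>.+?)\s*:\s*(?P<server>.+?)\s*:\s*"
    r"user = (?P<user>.*?)\s*:\s*user IP = (?P<ip>\S+)"
)

def parse_rejections(lines):
    """Yield (ip, user, reason) for each 113015 line; skip everything else."""
    for line in lines:
        m = RE_113015.search(line)
        if m:
            yield m["ip"], m["user"], m["reason"]

def summarize(lines):
    """Map source IP -> {'attempts': int, 'users': set of usernames tried}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user, _reason in parse_rejections(lines):
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)

def noisy_sources(stats, min_attempts=3):
    """Return (ip, attempts, usernames) at or above the threshold, busiest first."""
    hits = [(ip, s["attempts"], sorted(s["users"]))
            for ip, s in stats.items() if s["attempts"] >= min_attempts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample input (not real logs). "*****" is the assumed placeholder
# for a username that is still hidden by "logging hide username".
SAMPLE_LOG = """\
Mar 01 2024 10:00:01 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = Administrator : user IP = 203.0.113.7
Mar 01 2024 10:00:03 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.7
Mar 01 2024 10:00:05 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 203.0.113.7
Mar 01 2024 10:00:09 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.20
Mar 01 2024 10:00:12 asa1 : %ASA-6-113012: AAA user authentication Successful : local database : user = jsmith
""".splitlines()

if __name__ == "__main__":
    for ip, n, users in noisy_sources(summarize(SAMPLE_LOG)):
        print(f"{ip}  attempts={n}  users={', '.join(users)}")
```

Addresses that cycle through names such as `Administrator` and `admin`, as in the debug output in the question, stand out in the per-IP username list and can then be fed into an ACL or shun decision.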

de.101
Level 1

Thank you for the reply. I am looking into this now.