ASA anyconnect configuration issue

travisryan asked:

I currently have a Cisco ASA 5520 with a working AnyConnect VPN configuration. I'd like to set up my 5510 as a separate backup VPN connection. After running through the setup process via ASDM I can connect in to the 5510 VPN, but not authenticate. After looking at both configurations I realize I need to add a cert, for which I was going to set up a self-signed cert in the interim. Other than that, what else am I missing in this setup?

ASA ver 9.1(3) for both devices. Both devices have the appropriate licenses.
5510VPN-Clean.txt
5520VPN-Clean.txt
travisryan (asker):
The config for the 5510 has been updated and is attached. To be clear, I'm getting the error "login failed" when I try to log in with the AnyConnect client on a Win 8 machine.

I've tried multiple AD names and passwords, and the local admin password just in case it wasn't connecting to AD. I've since tested the AD LDAP connection in the ASDM and it does seem to be able to read groups from AD. Any help is appreciated.
5510VPN-v2-Clean.txt
Still having issues today. To be clear, I can connect to my site with the AnyConnect client; it's just when I try to log in, with any login, it gives me "login failed".
At this point I'm also trying to debug the connection as well as comparing configurations. Adding:

logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging

didn't show anything in my logs when I attempted to connect. Neither did adding:

debug web anyconnect 255

On my Windows 8 test machine, I only see "user credentials entered, login failed" on the "message history" tab of the AnyConnect client. Is there any other place I should be looking to see what's actually failing?
The web page I have redirected to the outside interface of my ASA won't come up in the browser, but I can ping it. I wouldn't think this would make a difference because my error message isn't something about not connecting, it's about not being able to log in with a user account. Again it's even more strange because I can even use the few local accounts I have on the ASA, so it's not like the list of allowed users is somehow pointing to the local database instead of hitting LDAP and AD.
Ok, I got everything cleared up except for something that should be simple. On my working setup there's a web page I direct users to when they're outside the company. This page lets them log in and download the AnyConnect client. I can't seem to find where that option is. Can someone help me?
Things I've tried:

- I'm comparing the 5510 configuration to a 5520 configuration that's working correctly, and every "webvpn" section in the non-working config matches up with the sections in the working config.
- There's no mention of svc in either config.
- Through the ASDM, I connect into the working device and the inherit checkbox is checked on the Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Edit > Advanced > AnyConnect Client > Login Settings page.

What am I missing?
When I navigate to the page, nothing shows up. When I ping the page from outside the firewall, pings return with the right IP.
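Added reference example for the thread above (it is not taken from the asker's attached 5510/5520 configs, and every name, IP address, DN, pool and image filename in it is a placeholder). It shows the pieces of an ASA 9.1 AnyConnect setup that the two questions in this thread touch: the LDAP server group and tunnel-group that decide whether "login failed" comes back, the `webvpn` block whose `enable outside` line is what makes the client-download portal page answer on the outside interface, and buffered logging plus the `test aaa-server` command, so that an authentication failure can be seen from an SSH session instead of only on the serial console. On 9.x the old `svc` keywords appear as `anyconnect`, which is why neither config in the thread mentions svc.

```cisco
! Constructed example config, not the asker's. Replace every placeholder.
!
! 1. LDAP server group against Active Directory
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
!
! 2. Address pool and group policy. AnyConnect needs ssl-client in
!    vpn-tunnel-protocol; a policy without it rejects the client after
!    the credentials themselves were accepted.
ip local pool ANYCONNECT-POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
!
! 3. Tunnel group: LDAP first, LOCAL database as fallback
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAP-AD LOCAL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias corp enable
!
! 4. The portal / client-download page. "enable outside" is what makes
!    https://<outside-ip>/ answer; "anyconnect enable" is the 9.x form
!    of the pre-8.4 "svc enable". The image filename is a placeholder.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! 5. Log to the buffer (and to the monitor for SSH sessions) rather than
!    the console, so the auth/webvpn/svc/ssl classes are actually readable
logging enable
logging buffer-size 262144
logging buffered informational
logging monitor informational
logging class auth buffered debugging
logging class webvpn buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging
!
! 6. Verification, run from exec mode
test aaa-server authentication LDAP-AD host 10.0.0.5 username jdoe password <placeholder>
show logging | include 113004|113005|113019|716001|722022
show vpn-sessiondb anyconnect
terminal monitor
debug ldap 255
debug webvpn anyconnect 255
```

The `test aaa-server` line answers the question of whether the ASA itself can authenticate an AD user against the LDAP group, independently of the AnyConnect client; if it succeeds but the client still reports "login failed", the problem is in the tunnel-group or group-policy (for example the tunnel-group the client lands in not pointing at LDAP-AD, or `vpn-tunnel-protocol` lacking ssl-client) rather than in AD. In `show logging`, 113004/113005 are the AAA accepted/rejected messages, 113019 is the session-disconnect message with its reason, and 716001/722022 mark a WebVPN session start and an SVC connection. `terminal monitor` is needed for the `logging monitor` and `debug` output to be shown on an SSH session; `console` logging only reaches the serial console.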
Asker certified solution (travisryan):
I went to the SSL VPN service page; it shows 6.2(1). I SSH into the 5510, and the asdm-715 image is in there. I delete it out for good measure and re-transfer it. Then I set it to be the ASDM image and delete out the asdm-621.bin file.

I go back to the SSL VPN service page, and it still shows 6.2(1)! And it still won't let me connect in from my other ASDM application already running. When I try to add it as another device I get "could not open device". When I try to download the launcher from the 6.2(1) page and connect in, it gives me an "unable to connect".

Either there's something I'm missing here or I just need to reboot the device to get it working properly.