Asa Debug Anyconnect




It can be confirmed by connecting AnyConnect with debug webvpn anyconnect enabled. The following is an excerpt of an example logging configuration and the debug command:

ASA5555# show run logging
logging enable
logging timestamp
logging buffer-size 100000
logging buffered errors
logging debug-trace
logging message 711001 level alerts
ASA5555#
ASA5555# debug webvpn anyconnect

Mar 19, 2009: Lori Hyde shows a simple eight-step process for setting up remote access for users with the Cisco ASA, using the older svc image command to register the client package:

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

Step 3. Use the debug webvpn command.

On the ASA, use the show version command in order to check whether the feature is enabled. The license name differs with the ASA release. ASA Release 8.0.x: the license name is AnyConnect for Linksys Phone. ASA Release 8.2.x and later: the license name is AnyConnect for Cisco VPN Phone. Here is an example for ASA Release 8.0.x:

ASA5505

Apr 09, 2017: Cisco ASA AAA Failure Debug. Posted on 2017-04-09 by kludgebomb.

I recently came across an issue where our team was unable to log into one of our Cisco ASA firewalls running code version 9.2(4)5 to manage the firewall. Shortly after, we were notified that AnyConnect clients were unable to authenticate. SSH is configured to authenticate using TACACS and AnyConnect using RADIUS, not the same protocols but still both functions of AAA. We reviewed our remote logging server (a must-have tool!) for any output from the firewall and found the following log message:

%ASA-3-113001: Unable to open AAA session. Session limit [2048] reached

After discussing the issue with Cisco TAC, they provided the following debug command to assist with diagnostics:

debug menu aaa 61

The output of this command looked something like this:

IN USE AUTH HANDLE STATS
Max Sessions: 2048
In Use List Count: 2047
In Use List Head: 247
In Use List Tail: 765

The issue ultimately came down to the firewall not properly tearing down AAA sessions to the AAA servers and eventually hitting the max session limit, where it stopped performing further AAA functions (in our case SSH login and AnyConnect VPN authentication requests). The immediate resolution was to reboot each firewall, which cleared the sessions. We were running an HA pair and AAA sessions are not HA replicated, so we were able to reboot them one at a time, which allowed us to avoid outage time while resolving the AAA issue.
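As an added example (not part of the original post), the following Python parses the two artifacts shown above, the %ASA-3-113001 syslog line and the IN USE AUTH HANDLE STATS block from debug menu aaa 61, and classifies handle usage so the condition can be alerted on before the limit is reached. The syslog prefix and timestamp, the warning and critical thresholds, and the second (non-113001) sample line are constructed assumptions, not values from the post.

```python
"""Detect a Cisco ASA approaching its AAA session-handle limit.

Added example, not the post author's code. It parses the %ASA-3-113001
syslog message and the 'IN USE AUTH HANDLE STATS' block that
'debug menu aaa 61' prints, both as shown in the post. Sample inputs
below are constructed (the debug block reuses the post's numbers).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Syslog message shown in the post: the ASA refuses new AAA sessions.
SYSLOG_113001 = re.compile(
    r"%ASA-3-113001: Unable to open AAA session\. Session limit \[(\d+)\] reached"
)

# Field lines from the 'debug menu aaa 61' output shown in the post.
STAT_LINE = re.compile(
    r"^\s*(Max Sessions|In Use List Count|In Use List Head|In Use List Tail):\s*(\d+)\s*$"
)

# Constructed sample syslog lines (timestamp/hostname prefix is assumed).
SAMPLE_SYSLOG = [
    "Apr 09 2017 10:15:02 ASA5555 : %ASA-3-113001: Unable to open AAA session. Session limit [2048] reached",
    "Apr 09 2017 10:15:03 ASA5555 : %ASA-6-302013: Built inbound TCP connection 12345",
]

# Debug output block as printed in the post.
SAMPLE_DEBUG = """IN USE AUTH HANDLE STATS
Max Sessions: 2048
In Use List Count: 2047
In Use List Head: 247
In Use List Tail: 765
"""


@dataclass
class AaaHandleStats:
    max_sessions: int
    in_use: int

    @property
    def utilisation(self) -> float:
        """Fraction of AAA handles in use (0.0 when max is unknown/zero)."""
        return self.in_use / self.max_sessions if self.max_sessions else 0.0


def parse_session_limit_syslog(line: str) -> Optional[int]:
    """Return the session limit from a %ASA-3-113001 line, or None for any other message."""
    m = SYSLOG_113001.search(line)
    return int(m.group(1)) if m else None


def count_limit_events(lines: list[str]) -> int:
    """Count 113001 events in a batch of syslog lines (e.g. one polling interval)."""
    return sum(1 for line in lines if parse_session_limit_syslog(line) is not None)


def parse_aaa_handle_stats(text: str) -> AaaHandleStats:
    """Parse the 'IN USE AUTH HANDLE STATS' block.

    Raises ValueError if the two fields we need are absent, so a changed
    output format fails loudly instead of silently reporting 0% usage.
    """
    fields: dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    try:
        return AaaHandleStats(fields["Max Sessions"], fields["In Use List Count"])
    except KeyError as exc:
        raise ValueError(f"missing field in debug output: {exc}") from exc


def assess(stats: AaaHandleStats, warn_pct: int = 80, critical_pct: int = 99) -> str:
    """Classify handle usage as 'ok', 'warning' or 'critical' (thresholds are assumed)."""
    pct = stats.utilisation * 100
    if pct >= critical_pct:
        return "critical"
    if pct >= warn_pct:
        return "warning"
    return "ok"


if __name__ == "__main__":
    stats = parse_aaa_handle_stats(SAMPLE_DEBUG)
    print(f"{stats.in_use}/{stats.max_sessions} handles in use -> {assess(stats)}")
    print(f"113001 events in sample syslog: {count_limit_events(SAMPLE_SYSLOG)}")
```

The post's own numbers (2047 of 2048 handles in use while the ASA already logs the limit as reached) land in the critical band, so a poller that runs the debug command periodically and feeds the block to parse_aaa_handle_stats would have flagged the leak well before SSH and AnyConnect authentication stopped working.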

A quick search of the Cisco Bug site using the syslog event message ID (ASA-3-113001) reveals several known bug IDs for this event (CSCud50997, CSCuj10655, CSCtg28821, and others). We were not able to nail down exactly which bug was responsible. The short answer for us was the Cisco ASA platform has bugs (as does every platform from every vendor) and regularly patching (at least to the latest interim/minor version) is good network hygiene. We patched to the latest 9.2 minor/interim code release and have not seen another occurrence of this issue since.

Important follow-up note… the day after dealing with the issue above, we inexplicably experienced a software bug which repeatedly crashed each firewall in the HA pair until both crashed at the same time, causing an outage. After the simultaneous crash occurred, both firewalls recovered and now appear stable. I have to assume whatever caused the crashing was rooted in some HA-replicated information, which is why they are stable after the dual reboot (which is the only way to fully clear the HA-replicated state information from both firewalls). We were never able to find a root cause of the crash events. While I have no reason other than timing to think the two issues are related, consider this a warning… if you experience the AAA issue above, do not be surprised if it is followed shortly thereafter by a full firewall crash & reboot (maybe even consider enabling coredump on one of the firewalls in the HA pair just in case).

Came across this task to set up a posture assessment for a workstation domain membership check when connecting with AnyConnect (AC) VPN to a Cisco ASA, and to enforce access based on compliance. ISE was already deployed for simple VPN authentication so, first of all, I had to decide what to use: ASA HostScan (requires the ASA APEX license) or ISE posture assessment. There is a great feature comparison here, but if it comes down to price it is about $10 versus $7 per user for ASA vs ISE. And since ISE offers more flexibility, it was picked for the final solution.

There are a few Cisco and non-Cisco guides out there, so here I’ll just fill in the missing pieces.

  • Get APEX license to support posture for ISE in addition to Base License which you should have already.
  • Upload and enable the proper AC package on the ASA. The package you need is anyconnect-….webdeploy-k9.pkg; all necessary files are included in it. At the time of writing, my file version was anyconnect-win-4.6.04056-webdeploy-k9.pkg. Once the file is uploaded, use this command to enable it.

webvpn
 anyconnect image disk0:/anyconnect-win-4.6.04056-webdeploy-k9.pkg 1

  • Enable ISE posture module to be installed on the endpoint.

group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect modules value iseposture

  • Create the redirect ACL on the ASA. The deny entries exempt DNS requests and traffic to the ISE nodes from redirection; the permit entry redirects all other web traffic so that posture can take place.

access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host <ISE IP>
access-list redirect extended permit tcp any any eq www

  • Add dynamic authorization under ISE aaa-server group

aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization

  • Make sure accounting is enabled under default tunnel-group

tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ISE
accounting-server-group ISE

This will conclude ASA configuration.
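As an added example, and not the post's own code or anything from Cisco, here is a small Python evaluator for the redirect ACL configured above. It applies the redirect-ACL semantics the step describes (a deny match exempts the flow, a permit match redirects it, first match wins, and an unmatched flow falls to the implicit deny and is not redirected) to a few constructed flows. The ISE address 10.0.0.10 stands in for the post's <ISE IP>; the client, DNS and web-server addresses are made up. It goes slightly beyond the post by also showing an HTTPS flow, which the ACL as written does not match.

```python
"""Evaluate a Cisco ASA URL-redirect ACL against sample flows.

Added example, not from the original post. Parses the three access-list
lines from the post and applies redirect-ACL semantics: first match wins,
'permit' means the flow is redirected to the ISE portal, 'deny' (or no
match at all, the implicit deny) means the flow is passed through untouched.
10.0.0.10 is a constructed placeholder for the post's <ISE IP>.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Port keywords used in the post's ACL, mapped to numbers.
NAMED_PORTS = {"domain": 53, "www": 80, "https": 443}

# Subset of ASA extended-ACE syntax sufficient for the post's three lines.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# The post's redirect ACL with the placeholder filled in (constructed).
REDIRECT_ACL = """
access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host 10.0.0.10
access-list redirect extended permit tcp any any eq www
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]     # None means 'any'
    dst: Optional[str]     # None means 'any'
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _host(field: str) -> Optional[str]:
    return None if field == "any" else field.split()[1]


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_acl(text: str) -> list[Ace]:
    """Parse ACE lines in order; unsupported syntax raises instead of being skipped."""
    aces: list[Ace] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        aces.append(Ace(m["action"], m["proto"], _host(m["src"]), _host(m["dst"]), _port(m["port"])))
    return aces


def matches(ace: Ace, flow: Flow) -> bool:
    """True if the ACE's protocol, addresses and destination port all cover the flow."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src is not None and ace.src != flow.src:
        return False
    if ace.dst is not None and ace.dst != flow.dst:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def is_redirected(acl: list[Ace], flow: Flow) -> bool:
    """First matching ACE decides; no match is the implicit deny (not redirected)."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL)
    client = "10.10.1.5"  # constructed VPN pool address
    for label, flow in [
        ("DNS query", Flow("udp", client, "10.0.0.53", 53)),
        ("ISE portal", Flow("tcp", client, "10.0.0.10", 8443)),
        ("HTTP to web", Flow("tcp", client, "203.0.113.80", 80)),
        ("HTTPS to web", Flow("tcp", client, "203.0.113.80", 443)),
    ]:
        print(f"{label:13s} redirected={is_redirected(acl, flow)}")
```

The table the script prints makes the ordering point concrete: DNS and traffic to the ISE node are exempted by the deny lines before the permit line is reached, plain HTTP is redirected, and HTTPS falls through to the implicit deny because the permit only names port 80.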

Some useful debug commands for troubleshooting posture-related issues on the ASA:

  • debug aaa url-redirect
  • debug aaa authorization
  • debug radius dynamic-authorization
  • debug radius decode
  • debug radius user <USERNAME>
  • show vpn-sessiondb detail anyconnect filter name <USERNAME>

Now move on to ISE.

First, get the latest posture updates: Administration > System > Settings > Posture > Updates.

Make sure your posture portal is set up with a publicly signed certificate; otherwise users will get trust errors. With some providers you cannot generate a wildcard certificate, so you will have to include each Policy Service Node (PSN) FQDN as a separate SAN entry in the CSR, or generate an individual certificate per node. When done, attach the certificate to the proper portal group.

Configure the following elements for Client Provisioning under Work Centers > Posture > Client Provisioning > Resources:

  • Posture Agent Profile. Populate the Discovery host with the PSN FQDNs, and the Call Home list with the PSN FQDNs and IP addresses.
  • Next, upload the AC package to ISE. This is the anyconnect-…predeploy-k9.zip file from the Cisco AC download page. Select “Agent resources from local disk”. Give it a meaningful name so it is easier to identify.

The AC version on ISE has to match the one on the ASA; otherwise you will get an error message.

  • Download the latest compliance modules from Cisco for Windows/OSX, and the Supplicant Provisioning Wizard.
  • Finally, create the AnyConnect configuration for use in the client provisioning policy.

AC configuration settings are below.

  • Create a Client Provisioning Policy under Policy > Client Provisioning.

Next, build a Posture Policy. I’m not going to cover different posture checks at this time. Remember on the policy there is an option to put it in audit mode so you can test it out before enforcing.

Since ISE reporting is not the greatest for customization and flexibility I’m using Splunk searches to get quick reports. How to get ISE logs into Splunk I covered in this post.