Trouble with ASAv anyconnect radius login

faghouri83
Level 1

Hi Everyone

I'm using a trial version of ASAv and I believe it has full functionality but is limited to 100 kbps. I'm trying to set up remote access AnyConnect VPN which authenticates to our NPS RADIUS server. As you can see in the RADIUS debug, it seems to be connecting to the RADIUS server successfully. The RADIUS server goes to an AD server to authenticate the user:

rad_procpkt: ACCEPT
radius.c 1374: status = 1
MSChapv2 authenticator received.
Added decoded MS MPPE recv key for RADIUS
Added decoded MS MPPE send key for RADIUS
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x00007fc812693f60 session 0x2b54 id 111
free_rip 0x00007fc812693f60
radius: send queue empty

The problem is that the authentication fails on AnyConnect. Now I've checked the licence on my trial ASAv and it is showing:

Firewall throughput limited to 100 Kbps

Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Botnet Traffic Filter : Enabled
Cluster : Enabled


It is showing AnyConnect as disabled. Am I mistaken in thinking the AnyConnect feature should work in the trial, or do I have an issue between the ASAv and the RADIUS server, or between the RADIUS server and the AD domain server?


Thanks

19 Replies

Share output of this:

show vpn-sessiondb summary

MHM

ciscoasa# show vpn-sessiondb summary

No sessions to display.

show vpn-sessiondb license-summary

The ASA by default accepts three AnyConnect, but let's check the licence with the above command.

Then we start troubleshooting AnyConnect-ASA-RADIUS (AD).

MHM

I've done the AnyConnect command above and also the command you stated:

ciscoasa# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 750 : 0 : NONE
AnyConnect Essentials : DISABLED : 750 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 750 : 750 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : DISABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
All In Use : Peak In Use : Eff. Limit : Usage
---------------------------------
AnyConnect Premium : 0 : 1 : 750 : 0%
Other VPN : 0 : 0 : 750 : 0%
L2TP Clients
---------------------------------------------------------------------------

Asa# show activation-key

This must show you that you have two AnyConnect Premium; as you shared below, show version shows it as zero, but let's check more.

Check it.

I will share with you later today some steps to debug traffic between the ASA and RADIUS.

MHM

Thanks.

The "show activation-key" command does not work.

Not 100% sure about the ASAv, but yes, you're right, usually the ASA would come with 2x AnyConnect licenses. Please try to enable AnyConnect Essentials and see if that makes any difference. To do so, please issue the following commands:

webvpn
   anyconnect-essentials

There is no essentials command, but there is an enable command which I have tried but does not seem to do anything:

webvpn mode commands/options:
enable Enable the AnyConnect Client
external-browser-pkg Configure the AnyConnect external browser package file path
image Configure the AnyConnect client package file path
profiles Configure the AnyConnect client profiles package file path

Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0
Could you please type "anyconnect ?" under webvpn and share the output of the available commands for review?

ciscoasa(config-webvpn)# anyconnect ?

webvpn mode commands/options:
enable Enable the AnyConnect Client
external-browser-pkg Configure the AnyConnect external browser package file path
image Configure the AnyConnect client package file path
profiles Configure the AnyConnect client profiles package file path

I have tried anyconnect enable under webvpn, but it seems to be the same:

Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 0

Not sure if I have to reboot for it to take effect.

AnyConnect enable would enable the premium licenses I think.

Q. Does ASAv support remote access utilizing Cisco Secure Client Plus and Apex licenses?

A. Yes. But please note that ASAv, which utilizes Cisco Smart Licensing, does not require any Cisco Secure Client license to be physically applied to the actual platform. The same licenses must still be purchased and you must still link the Contract number to your Cisco.com ID for SW Center access and tech support.

Source: Cisco Secure Client Licensing Frequently Asked Questions - Cisco

It seems that the ASAv supports only smart licenses? Maybe @Marvin Rhoads or @Rob Ingram can help on this.

Tried the command, but it does not seem to work or do anything.

That's correct @Aref Alsouqi - ASAv only supports smart licenses - including for AnyConnect / Secure Client. It does not include the two AnyConnect licenses that traditional ASA hardware appliances offered.

Thus, you must register the ASAv with a Smart Account to use that feature. Even if the account is non-compliant (i.e., no available AnyConnect licenses) it should allow you to use the feature.
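The thread's root cause is worth separating from the authentication symptom: the RADIUS debug in the opening post shows an Access-Accept, while the licence block shows AnyConnect Premium Peers at 0 and Essentials disabled, which on ASAv means the appliance has not been registered with Smart Licensing. The script below is an added example (not from the thread, not Cisco's code) that parses those two pieces of CLI output as pasted above and reports whether the failure sits at the RADIUS/AD stage or at licensing. The sample inputs are constructed from the thread's own output; the field names are the ones the ASA prints, the finding texts are this example's own.

```python
"""Triage helper: RADIUS result vs. AnyConnect licence state on an ASA/ASAv.

Added example; parses the tail of "debug radius" and the "Licensed features"
block of "show version". Sample inputs are constructed from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: tail of "debug radius" as pasted in the thread.
RADIUS_DEBUG = """\
rad_procpkt: ACCEPT
radius.c 1374: status = 1
MSChapv2 authenticator received.
Added decoded MS MPPE recv key for RADIUS
Added decoded MS MPPE send key for RADIUS
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
"""

# Constructed sample: licence block from "show version" on the trial ASAv.
LICENSE_TEXT = """\
Licensed features for this platform:
Maximum VLANs : 200
Inside Hosts : Unlimited
Fail over : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
AnyConnect Premium Peers : 0
AnyConnect Essentials : Disabled
Other VPN Peers : 750
Total VPN Peers : 750
"""


@dataclass
class Triage:
    radius_accepted: bool
    premium_peers: int
    essentials_enabled: bool
    findings: List[str] = field(default_factory=list)


def parse_license_block(text: str) -> Dict[str, str]:
    """Turn 'Name : Value' lines into a dict; header lines without a value are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9 /\-]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def peer_count(value: str) -> int:
    """'Unlimited' is treated as a very large number; anything else must be an int."""
    return 10**9 if value.strip().lower() == "unlimited" else int(value)


def radius_accepted(debug: str) -> bool:
    """True when the debug shows the ASA processed an Access-Accept."""
    return re.search(r"rad_procpkt:\s*ACCEPT|RADIUS_ACCESS_ACCEPT", debug) is not None


def triage(debug: str, license_text: str) -> Triage:
    """Classify the failure: RADIUS/AD path, AnyConnect licensing, or neither."""
    lic = parse_license_block(license_text)
    result = Triage(
        radius_accepted=radius_accepted(debug),
        premium_peers=peer_count(lic.get("AnyConnect Premium Peers", "0")),
        essentials_enabled=lic.get("AnyConnect Essentials", "Disabled").lower() == "enabled",
    )
    if not result.radius_accepted:
        result.findings.append(
            "RADIUS did not return Access-Accept: work the ASA-to-NPS and "
            "NPS-to-AD path before looking at licensing."
        )
    if result.premium_peers == 0 and not result.essentials_enabled:
        result.findings.append(
            "AnyConnect capacity is zero (Premium Peers 0, Essentials disabled): "
            "the client cannot connect regardless of the RADIUS result. On ASAv "
            "AnyConnect is a Smart Licensing entitlement, so register the "
            "appliance with a Smart Account."
        )
    if not result.findings:
        result.findings.append(
            "RADIUS accepted and AnyConnect is licensed: the failure is not at "
            "authentication or licensing."
        )
    return result


if __name__ == "__main__":
    for finding in triage(RADIUS_DEBUG, LICENSE_TEXT).findings:
        print("-", finding)
```

Run against the thread's output it reports a single licensing finding, which matches the advice in this reply: the ACCEPT in the RADIUS debug rules out the NPS/AD path, so the next step is Smart Licensing registration rather than more authentication debugging.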

Hi Marvin

I've tried the anyconnect enable command, but I still cannot connect via the AnyConnect app.