Problems with the authentication proxy – Cisco ASA 5505 User Manual


59-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 59 Configuring the ASA CX Module

Troubleshooting the ASA CX Module

CXSC Event: tunnel->ClientVersion: Cisco AnyConnect VPN Agent for Windows 2.4.1012
CXSC Event: Sending VPN RA session data to CXSC
CXSC Event: sess index: 0x3000
CXSC Event: sess type id: 3
CXSC Event: username: devuser
CXSC Event: domain: CN=Users,DC=test,DC=priv
CXSC Event: directory type: 1
CXSC Event: login time: 1337124762
CXSC Event: nac result: 0
CXSC Event: posture token:
CXSC Event: public IP: 172.23.34.108
CXSC Event: assigned IP: 192.168.17.200
CXSC Event: client OS id: 1
CXSC Event: client OS:
CXSC Event: client type: Cisco AnyConnect VPN Agent for Windows 2.4.1012
CXSC Event: anyconnect data: , len: 0

Problems with the Authentication Proxy

If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot
your configuration and connections:

1. Check your configurations.

   On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command
   and make sure there are rules installed and that they are correct.

   In PRSM, ensure the directory realm is created with the correct credentials and test the connection
   to make sure you can reach the authentication server; also ensure that a policy object or objects are
   configured for authentication.

2. Check the output of the show service-policy cxsc command to see if any packets were proxied.

3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the
   correct configured port. See the “Capturing Module Traffic” section on page 59-17. You can check
   the configured port using the show running-config cxsc command or the show asp table classify
   domain cxsc-auth-proxy command.

Note

If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.

Example 59-1 Make sure port 2000 is used consistently:

1. Check the authentication proxy port:

hostname# show running-config cxsc
cxsc auth-proxy port 2000

2. Check the authentication proxy rules:

hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
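The two checks in steps 1 and 2 of the procedure (is an auth-proxy port configured, are permit rules installed in the cxsc-auth-proxy domain, and have any packets matched them) can be scripted against saved CLI output. The following Python is an added example, not Cisco's code or part of this guide: it parses the output of show running-config cxsc and show asp table classify domain cxsc-auth-proxy and reports the findings a troubleshooter would look for. The sample output is taken from Example 59-1 above; the layout assumptions in the parser (a rule starts on an in/out line carrying id=, continuation lines are indented) are based only on that excerpt and may need adjusting for other ASA releases. The empty-table variant is constructed.

```python
import re
from typing import Dict, List, Optional

# Sample CLI output copied from Example 59-1 above.
RUNNING_CONFIG_CXSC = "cxsc auth-proxy port 2000\n"

ASP_CLASSIFY_AUTH_PROXY = """\
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
"""

# Constructed variant: no auth-proxy port line and an empty classify table.
RUNNING_CONFIG_NO_PORT = ""
ASP_CLASSIFY_EMPTY = "Input Table\n"

PORT_RE = re.compile(r"^\s*cxsc auth-proxy port (\d+)\s*$", re.MULTILINE)
RULE_START_RE = re.compile(r"^(in|out)\s+id=")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_auth_proxy_port(running_config: str) -> Optional[int]:
    """Return the port from the 'cxsc auth-proxy port <n>' line, or None if absent."""
    m = PORT_RE.search(running_config)
    return int(m.group(1)) if m else None


def parse_classify_rules(output: str) -> List[Dict[str, str]]:
    """Parse 'show asp table classify' output into one dict per rule.

    Assumption (from the excerpt above): a rule begins on a line starting with
    'in' or 'out' followed by 'id=...'; the indented lines after it (hits=,
    protocol=, ...) belong to the same rule. Headings such as 'Input Table'
    contain no '=' and are skipped.
    """
    rules: List[Dict[str, str]] = []
    for line in output.splitlines():
        stripped = line.strip()
        if RULE_START_RE.match(stripped):
            rules.append({"direction": stripped.split()[0]})
        elif not rules or "=" not in stripped:
            continue
        rules[-1].update(KV_RE.findall(stripped))
    return rules


def check_auth_proxy(running_config: str, classify_output: str) -> Dict[str, object]:
    """Apply the step 1 and step 2 checks: port configured, rules installed, packets matched."""
    port = parse_auth_proxy_port(running_config)
    rules = parse_classify_rules(classify_output)
    # Only permit rules (deny=false) in the cxsc-auth-proxy domain redirect traffic.
    active = [r for r in rules if r.get("domain") == "cxsc-auth-proxy" and r.get("deny") == "false"]
    hits = sum(int(r.get("hits", "0")) for r in active)
    # The page's rule shows protocol=6 (TCP); the HTTP-based proxy is expected to be TCP,
    # so any rule in this domain with another protocol is flagged for review (assumption).
    non_tcp = [r["id"] for r in active if r.get("protocol") != "6"]

    findings: List[str] = []
    if port is None:
        findings.append("no 'cxsc auth-proxy port' line in show running-config cxsc")
    if not active:
        findings.append("no permit rules installed in domain cxsc-auth-proxy")
    elif hits == 0:
        findings.append("rules installed but hits=0: no packets have matched them yet")
    if non_tcp:
        findings.append("rules with a non-TCP protocol: " + ", ".join(non_tcp))
    return {"port": port, "rule_count": len(active), "hits": hits, "findings": findings}


if __name__ == "__main__":
    for label, cfg, table in (
        ("page example", RUNNING_CONFIG_CXSC, ASP_CLASSIFY_AUTH_PROXY),
        ("missing config", RUNNING_CONFIG_NO_PORT, ASP_CLASSIFY_EMPTY),
    ):
        result = check_auth_proxy(cfg, table)
        print(f"{label}: port={result['port']} rules={result['rule_count']} hits={result['hits']}")
        for finding in result["findings"]:
            print("  -", finding)
```

For the page's own output the script reports port 2000, one permit rule and hits=0, which is the case where step 3 (a backplane capture on the configured port) is the next thing to do. The port parsed from show running-config cxsc is what you compare against the port seen in that capture.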
