Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3245
Views
0
Helpful
3
Replies

Duo and Cisco VPN not authenticating

dellavallej
Level 1
Level 1

‎04-16-2020 10:42 AM

We have set up the Duo Proxy server, and set up authentication from Cisco VPN ASA, when we test authentication to the Duo Proxy from the VPN profile we get error “authentication rejected: AAA Failure”
Looking at the log file the Duo Proxy server we see this error “There was a problem running the connectivity tool: Attempted to get the client for a non-server section”

I can only assume the Proxy config is incorrect in some way, but not sure?

Has anyone seen this?

0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎04-17-2020 08:01 AM

It’s hard to say what is wrong without knowing what’s in your config file.

  • Does it match the completed config example shown in [the documentation](Two-Factor Authentication for Cisco ASA SSL VPNs | Duo Security (where you have some client section configured for primary authentication, and a server section for your ASA that uses the client section (either because you explicitly specified it with the client= option or because there is only one client section so it is used by default)?
  • Have you tried debug logging for the failed authentication test?
Duo, not DUO.
0 Helpful

dellavallej
Level 1
Level 1

‎04-17-2020 08:42 AM

Yes the config matches per the set up doc.

On the ASA VPN I can run a test to check the configuration there and keep getting the same error “authentication rejected: AAA Failure”

I do have debug turned on and after all the checks of the config is says this:
“There are no configuration problems”

So now I’m totally confused…

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to dellavallej

‎04-20-2020 06:20 AM

Sorry to hear that.

The output of the connectivity log is not the same thing as the Authentication Proxy’s own debug log. I suggest you enable debug logging on your Duo Authentication Proxy, test the auth from the ASA, and then open the authproxy.log file on the proxy server to see what output was captured for the incoming request from the ASA and the subsequent response during that authentication test.

If you don’t see any authentication activity in the Duo proxy’s authproxy.log, then there is likely an issue preventing communications between the Duo proxy and your ASA, and you should examine the network config , firewall, routing, etc.

If there is no authproxy.log file, then most likely the Duo Authentication Proxy service could not be started. Verify whether the service is started. If it isn’t, try to start it manually. If it will not start and stay running, here are some suggestions.

Keep in mind this forum isn’t a substitute for Duo Support, so if you are still stuck consider contacting them to receive 1:1 troubleshooting assistance.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents