Cisco Systems and the ASA Services Module, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Problems with the Authentication Proxy

30-31

Cisco ASA Series Firewall CLI Configuration Guide

Chapter30 Configuring the ASA CX Module

Troubleshooting the ASA CX Module

When you enable the authentication proxy, the ASA generates a debug messge when it sends an

authentication proxy TLV to the ASA CX module, giving IP and port details:

DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: inside4.

DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: cx_inside.

DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: cx_outside.

When the interface IP address is changed, auth-proxy tlv updates are sent to the ASA CX module:

DP CXSC Event: Sent Auth proxy tlv for removing Auth Proxy for interface inside.

DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: inside.

When a flow is freed on the ASA, the ASA CX module is notified so it can clean up the flow:

DP CXSC Msg: Notifying CXSC that flow (handle:275233990) is being freed for

192.168.18.5:2213 -> 10.166.255.18:80.

When the ASA CX module sends a redirect to a client to authenticate, and that redirect is sent to the

ASA, the ASA sends it to the ASA CX module. In this example, 192.168.18.3 is the interface address

and port 8888 is the authentication proxy port reserved on that interface for the authentication proxy

feature:

DP CXSC Msg: rcvd authentication proxy data from 192.168.18.5:2214 -> 192.168.18.3:8888,

forwarding to cx

When a VPN connection is established on the ASA, and the ASA sends connection information to the

ASA CX module:

CXSC Event: Dumping attributes from the vpn session record

CXSC Event: tunnel->Protocol: 17

CXSC Event: tunnel->ClientVendor: SSL VPN Client

CXSC Event: tunnel->ClientVersion: Cisco AnyConnect VPN Agent for Windows 2.4.1012

CXSC Event: Sending VPN RA session data to CXSC

CXSC Event: sess index: 0x3000

CXSC Event: sess type id: 3

CXSC Event: username: devuser

CXSC Event: domain: CN=Users,DC=test,DC=priv

CXSC Event: directory type: 1

CXSC Event: login time: 1337124762

CXSC Event: nac result: 0

CXSC Event: posture token:

CXSC Event: public IP: 172.23.34.108

CXSC Event: assigned IP: 192.168.17.200

CXSC Event: client OS id: 1

CXSC Event: client OS:

CXSC Event: client type: Cisco AnyConnect VPN Agent for Windows 2.4.1012

CXSC Event: anyconnect data: , len: 0

Problems with the Authentication Proxy

If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot

your configuration and connections:

1. Check your configurations.

•On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command

and make sure there are rules installed and that they are correct.

•In PRSM, ensure the directory realm is created with the correct credentials and test the connection

to make sure you can reach the authentication server; also ensure that a policy object or objects are

configured for authentication.

Cisco Systems Problems with the Authentication Proxy

Models: and the ASA Services Module ASA 5545-X ASA 5555-X ASA 5580 ASA 5585-X ASA 5505