Skip to main content
Cisco Meraki Documentation

AnyConnect SAML Troubleshooting Guide

This guide covers troubleshooting of SAML authentication with AnyConnect on the MX Appliance. Before digging into troubleshooting,

  • Verify your MX is running at least 16.13+ or 17.5+ firmware

  • Verify configuration on your Identity Provider and on the MX AnyConnect Settings page to ensure they are both configured correctly, see configuration guide.
     

For debugging check Network-wide > Event Log for Security Appliances and Filter by “AnyConnect VPN general event” and “AnyConnect VPN authentication failure” as seen below then search. 
 

IdP = Identity Provider (e.g. DUO, AzureAD, Okta, etc)

Use the table below to correlate error messages, understand the error and take corrective action

Possible error message

Explanation 

Corrective action

SSO token verify failure for user: <username>

Single-sign-on token presented by the AnyConnect client failed verification.

This can happen if the session has been removed, or if the STRAP key associated with that session has changed.

  • Try to reauthenticate
     
  • Test with a different user
     
  • If IdP configuration changed, reconfigure the MX

Received null assertion message

The SAML assertion presented is missing. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app
     

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application
     

SAML assertion message content is null

The SAML assertion presented is empty. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app
     

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application
     

No response in http data

There is no request body in the HTTP assertion message. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app
     

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application

No SAMLResponse in assertion

There is no "SAMLResponse=" string in the SAML assertion. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app
     

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application

No SSO token in SAML login_final message

There is no SSO token in SAML login_final message. This is an AnyConnect client issue. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application

No CSRF token in SAML login_final message

There is no CSRF token in SAML login_final message.  This is an AnyConnect client issue. Possible man in the middle issue.

  • Check IdP configuration to ensure there are no restrictions on users to access the configured AnyConnect app

  • Test with a test/device account to ensure authentication traffic is not being filtered or blocked by a third party security application

Base URL too long (> 128 char)

The AnyConnect Server URL config attribute is too long.

This is a misconfiguration issue.

Reconfigure AnyConnect server URL to be less than or equal to 128 characters. This will require shortening the AnyConnect Server hostname and updating it accordingly in the IdP configuration portal.

Warning: Base URL not https (<url>)

This is a warning. AnyConnect Server URL does not start with https.

It will be used, but is likely a misconfiguration error.

Reconfigure AnyConnect Server URL on Dashboard. Ensure the URL starts with https

Failed to base64-decode IdP metadata from text, SAML disabled

If anyconnect_vpn_saml_metadata_text was configured, the base64-encoded metadata could not be base64-decoded.

This is likely a misconfiguration error or corrupted metadata file.

Re download the metadata file from IdP and re upload it on the Dashboard

Failed to obtain IdP provider ID from metadata, SAML disabled

The IdP metadata was provided, but it did not contain the IdP Provider ID.

This is an issue with the IdP, or the translation of the metadata from the IdP to the AnyConnect server config.

Re download the metadata file from IdP and re upload it on the Dashboard

IdP Provider ID %s too long (> 384 char), SAML disabled

The IdP Provider ID is too long. This is configured on the IdP, and extracted from the IdP metadata. 

Reconfigure new AnyConnect App in the IdP portal.

Failed to generate server from SP metadata

Failed to create an internal LASSO server object due to a LASSO library error.

Contact Meraki Support

 

Failed to add IdP info to server

Failed to generate Lasso server

These two messages are due to failure to add IdP info to the internal LASSO server object due to a LASSO library error.

Contact Meraki Support

Failed to generate login

Failed to generate Lasso login

These two messages are due to failure to create a LASSO login object due to a LASSO library error.

Contact Meraki Support

 

Profile is empty

Failed to create a LASSO profile object from the LASSO login object due to a LASSO library error.

Contact Meraki Support

 

Failed to init authentication request

Failed to initialize the LASSO login object due to a LASSO library error.

Contact Meraki Support

 

Failed to build authentication request

Failed to build a LASSO authentication request due to a LASSO library error.

Contact Meraki Support

 

Assertion is not url encoded

SAML assertion received from the client is not URL encoded. This is either an IdP issue or a client issue.

Reconfigure new AnyConnect in the IdP portal or verify configuration is correct

Failed to process auth response

Failed to process the SAML authentication response due to a LASSO library error.

Contact Meraki Support

 

Failed to obtain auth response

Failed to obtain the SAML authentication response from the processed response, due to a LASSO library error.

Contact Meraki Support

 

Failed to process assertion

Failed to obtain the SAML assertion from the SAML authentication response.

Contact Meraki Support

 

Assertion is expired or not valid

MXs  local clock is not within the "Not valid before" and "Not valid on or after" times specified in the SAML assertion

This could be due to a clock sync issue between the IdP and the host device (the MX in Meraki's case)

It could also be due to the client attempting to use an expired SAML assertion to log in.

Ensure you are running 16.13+ or 17.5+ 

Assertion audience misconfigured or mismatched. Expecting <url>

The assertion audience presented in the SAML assertion did not match the configured value. This is likely a misconfiguration on the IdP.

Ensure IdP configuration is correct. There should not be any trailing white spaces in the URL configuration on the IdP.

No issuer in response

There is no Issuer found in the SAML Assertion response message. This is likely an IdP configuration issue.

Ensure IdP configuration is correct. 

No subject in assertion

There is no Subject found in the SAML Assertion response message. This is likely an IdP configuration issue.

Ensure IdP configuration is correct. 

No name ID in assertion

There is no Name ID found in the SAML Assertion response message. This is likely an IdP configuration issue.

Ensure IdP configuration is correct. 

Authentication failed due to problem navigating to the single sign-on URL There is an unknown error experienced with the AnyConnect embedded browser when using WebView2 Add DWORD registry value UseLegacyEmbeddedBrowser set to 1 to the relevant registry key:
 
  • (64-bit machine) Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client
  • (32-bit machine) Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client
  • (32-bit or 64-bit machine) Computer\HKEY_CURRENT_USER\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client


More information can be found in the release notes for AnyConnect 4.10.05095

 

  • Was this article helpful?