The primary authentication fails when the user attempts to connect to the FTD headend through AnyConnect. Match the log message recorded on the FTD against the rows below to find the likely cause and the resolution.

Log message:
AAA user authentication Rejected : reason = AAA failure : server = xx.xx.x.xx : user = ***** : user IP = xx.xx.x.xx
Possible cause:
The user name and password may be incorrect.
Resolution:
- Provide the correct user name and password and try again.

Log messages:
Routing failed to locate next hop for TCP from XXXXX to XXXXX
AAA authentication server not accessible : server = xx.xx.xx.xx : user = *****
Possible cause:
The Duo server is not reachable from the FTD device.
Resolution:
- In CDO, edit the Duo LDAP object and manually choose the interface that is used to connect to the Duo server.
- Deploy the configuration to FTD and try to log in again.

Log messages:
Certificate validation failed. serial number: XXX, subject name: XXX.
Certificate chain failed validation. Generic validation failure occurred.
AAA authentication server not accessible.
Possible cause:
A suitable trustpoint was not found to validate the certificate presented by Duo.
Resolution:
If the certificate is already installed, perform the following steps to verify that it is installed correctly:
- On the Devices & Services menu, select the FTD device and, in the Device Actions pane on the right, click Command Line Interface. See Using the CDO Command Line Interface.
- Run the following command and check that the certificate appears in the output:
  show crypto ca certificates

Log message:
AAA user authentication Rejected : reason = Invalid password : server = xx.xx.xx.xx : user = **** : user IP = yy.yy.yy.yy
Possible causes:
- The user account may not be present in Duo.
- The user is present in Duo, but not in the "Permitted Groups" of the application.
Resolution:
- Enroll users in Duo. See https://duo.com/docs/enrolling-users for instructions.
- Assign the user group to "Permitted Groups" to perform authentication for the Cisco Firepower Threat Defense VPN application in Duo. See https://duo.com/docs/protecting-applications#permitted-groups for instructions.
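As an added triage helper (not part of the CDO documentation or of any Cisco tool), the script below parses the FTD syslog lines quoted in the rows above into their fields and maps each to the documented cause, attributing an ambiguous "server not accessible" message to the certificate problem when certificate errors are logged alongside it. The sample lines, addresses and cause keys are constructed for illustration.

```python
# Constructed sample syslog lines, modelled on the FTD messages quoted on this page;
# the addresses and user names are placeholders, not real hosts or accounts.
SAMPLE_LOGS = [
    "AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = ***** : user IP = 10.0.1.7",
    "Certificate chain failed validation. Generic validation failure occurred.",
    "AAA authentication server not accessible : server = 10.0.0.5 : user = *****",
    "AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 10.0.1.9",
]

# Cause/resolution summaries taken from the troubleshooting rows above.
CAUSES = {
    "bad_credentials": "User name or password incorrect; re-enter the credentials.",
    "duo_unreachable": "Duo server not reachable; select the egress interface on the Duo LDAP object in CDO and deploy.",
    "duo_cert_untrusted": "No trustpoint validates the Duo certificate; check with 'show crypto ca certificates'.",
    "duo_user_not_permitted": "User not enrolled in Duo, or not in the application's Permitted Groups.",
}

def parse_fields(line):
    """Split a 'message : key = value : key = value' FTD AAA line into a dict of fields."""
    fields = {}
    for part in line.split(" : ")[1:]:
        if " = " in part:
            key, value = part.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields

def classify_line(line):
    """Map one FTD log line to a CAUSES key, or None if it is not one of the known messages."""
    if line.startswith("AAA user authentication Rejected"):
        reason = parse_fields(line).get("reason")
        if reason == "AAA failure":
            return "bad_credentials"
        if reason == "Invalid password":
            return "duo_user_not_permitted"
    if line.startswith("Certificate"):          # validation failed / chain failed validation
        return "duo_cert_untrusted"
    if line.startswith(("Routing failed to locate next hop", "AAA authentication server not accessible")):
        return "duo_unreachable"               # refined by triage() when certificate errors are present
    return None

def triage(lines):
    """Return (cause, advice) pairs for the distinct causes in a batch, in order of first appearance.
    'Server not accessible' appears under both the unreachable-server and the untrusted-certificate
    rows, so without a routing failure it is attributed to the certificate problem when one is logged."""
    found = [c for c in map(classify_line, lines) if c]
    found = list(dict.fromkeys(found))        # de-duplicate, keep order
    if "duo_cert_untrusted" in found and not any(l.startswith("Routing failed") for l in lines):
        found = [c for c in found if c != "duo_unreachable"]
    return [(c, CAUSES[c]) for c in found]
```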