Appendix: Command Reference

ASA SAML Debugging

debug webvpn saml 255
debug webvpn anyconnect 255
debug aaa authentication
debug aaa authorization

! Capture the SAML redirect and the browser's POST to the ACS URL on the outside interface
! (both ride inside TLS, so the capture proves reachability, handshake and timing only;
!  for the decoded assertion use debug webvpn saml 255 or a browser-side SAML tracer;
!  view with: show capture SAML)
capture SAML type raw-data interface outside match tcp any any eq 443

! Show SAML state
show saml metadata <tunnel-group-name>
show webvpn saml idp
! ASA 'show' output filters are begin/include/exclude/grep; there is no '| section'.
! The saml idp block lives under webvpn, the binding to it under the tunnel-group:
show running-config webvpn | begin saml idp
show running-config tunnel-group <tunnel-group-name> webvpn-attributes

ISE SAML Debugging

! ISE has no SAML-specific CLI debug. Raise the component log level instead (use sparingly,
! and set it back to default afterwards):
! Administration > System > Logging > Debug Log Configuration > <node>
!   > set the 'saml' component to DEBUG
! Then read ise-psc.log from the CLI:
show logging application ise-psc.log tail

! Packet view: ISE Admin > Operations > Troubleshoot > Diagnostic Tools > General Tools
!   > TCP Dump — capture SAML exchanges on ports 443/8443
!   (TLS-encrypted: confirms reachability and handshake, not assertion content)

! Live Logs with SAML filter:
! Operations > RADIUS > Live Logs > filter by Identity Source
! SAML itself is not RADIUS: only a RADIUS request the ASA sends to ISE after SAML auth
! (authorization/accounting) shows up here; a login that fails at the IdP never reaches ISE.

Entra ID Diagnostics

! Azure Portal > Entra ID > Enterprise Apps > ASA VPN SAML > Sign-in logs
! Filter: Status = Failure
! Look for: AADSTS errors, CA policy blocks, MFA failures

! Key AADSTS error codes:
! AADSTS50105 — user not assigned to the enterprise app
! AADSTS53003 — access blocked by a Conditional Access policy
! AADSTS530003 — Conditional Access requires a managed/compliant device
! AADSTS50076 — MFA required but not completed
! AADSTS700016 — app not found in tenant (wrong tenant ID, or Entity ID/identifier does not match the app)
! AADSTS50011 — reply URL mismatch (ACS URL sent by the ASA differs from the app's configured reply URL)

AnyConnect SAML Troubleshooting

! Windows DART log location (the core client also writes to Event Viewer >
! Applications and Services Logs > Cisco AnyConnect Secure Mobility Client; DART bundles both)
%PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Logs\

! macOS/Linux
/opt/cisco/anyconnect/log/

! Key log entries to search for:
! "SAML" — SAML flow events
! "embedded-browser" — browser launch events
! "authentication" — auth result
! "tunnel" — tunnel establishment post-auth
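As an added example (not from the original page and not Cisco's code), the Python below turns the four AnyConnect search terms listed above and the AADSTS codes from the Entra ID section into a first-pass triage of a client log: it reports the furthest stage the login reached, lists the lines that look like failures, and annotates any AADSTS code it finds. The log lines, their single-line "<timestamp> <source>: <message>" layout, the tunnel-group name ENTRA-SAML and the host vpn.example.com are constructed for the example; a real DART export uses a different multi-line record layout, so LINE_RE must be adapted before running it on a bundle.

```python
"""Triage AnyConnect client log lines from a SAML VPN login attempt.

Added example, not Cisco's code. The sample logs are constructed in a
simplified "<timestamp> <source>: <message>" form, not the DART export
layout; adjust LINE_RE to the records in your own bundle.
"""
import re

# Search terms from the appendix, in the order the flow runs. The furthest
# term that appears anywhere in the log tells you how far the login got.
STAGES = [
    ("SAML", re.compile(r"\bSAML\b")),
    ("embedded-browser", re.compile(r"embedded-browser")),
    ("authentication", re.compile(r"\bauthentication\b", re.IGNORECASE)),
    # A bare "tunnel" would also match "tunnel-group", which is logged long
    # before any tunnel is built, so that spelling is excluded.
    ("tunnel", re.compile(r"\btunnel\b(?!-group)", re.IGNORECASE)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[^:]+): (?P<msg>.*)$")
AADSTS_RE = re.compile(r"\bAADSTS\d+\b")
FAIL_RE = re.compile(r"\b(fail(ed|ure)?|denied|error|cancell?ed)\b", re.IGNORECASE)

# Entra codes from this appendix, mapped to where the fix usually lives.
AADSTS_HINT = {
    "AADSTS50105": "user not assigned to the enterprise app",
    "AADSTS53003": "blocked by Conditional Access policy",
    "AADSTS530003": "Conditional Access requires a managed/compliant device",
    "AADSTS50076": "MFA required but not completed",
    "AADSTS700016": "app/entity ID not found in tenant (wrong tenant or identifier)",
    "AADSTS50011": "reply URL mismatch (ASA ACS URL differs from Entra reply URL)",
}

# Constructed sample: login dies in the IdP with a reply-URL mismatch.
FAILED_LOGIN_LOG = """\
2024-03-15T10:22:31Z acvpnui: Initiating SAML authentication for tunnel-group ENTRA-SAML
2024-03-15T10:22:31Z acvpnui: Launching embedded-browser for SAML login to https://login.microsoftonline.com/
2024-03-15T10:22:40Z acvpnui: embedded-browser returned error: AADSTS50011 reply URL mismatch
2024-03-15T10:22:40Z acvpnui: SAML authentication failed, returning to login prompt
""".splitlines()

# Constructed sample: the same flow completing through tunnel establishment.
SUCCESSFUL_LOGIN_LOG = """\
2024-03-15T10:30:02Z acvpnui: Initiating SAML authentication for tunnel-group ENTRA-SAML
2024-03-15T10:30:02Z acvpnui: Launching embedded-browser for SAML login to https://login.microsoftonline.com/
2024-03-15T10:30:21Z acvpnui: SAML authentication succeeded, assertion posted to ACS
2024-03-15T10:30:23Z acvpnagent: VPN tunnel established to vpn.example.com
""".splitlines()


def terms_in(msg):
    """Return the appendix search terms present in one message, in flow order."""
    return [name for name, rx in STAGES if rx.search(msg)]


def triage(lines):
    """Summarise a client log: furthest stage, failures, and AADSTS codes."""
    seen = set()
    failures = []
    codes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or continuation line in this simplified format
        msg = m.group("msg")
        hit = terms_in(msg)
        seen.update(hit)
        codes.extend(AADSTS_RE.findall(msg))
        if FAIL_RE.search(msg):
            failures.append({"ts": m.group("ts"), "src": m.group("src").strip(),
                             "terms": hit, "msg": msg})
    order = [name for name, _ in STAGES]
    reached = [s for s in order if s in seen]
    return {
        "furthest_stage": reached[-1] if reached else None,
        # A tunnel line with no tunnel-stage failure means auth completed.
        "tunnel_up": "tunnel" in seen and not any("tunnel" in f["terms"] for f in failures),
        "aadsts": [(c, AADSTS_HINT.get(c, "not in appendix; check Entra sign-in logs"))
                   for c in codes],
        "failures": failures,
    }


if __name__ == "__main__":
    for label, log in (("failed", FAILED_LOGIN_LOG), ("success", SUCCESSFUL_LOGIN_LOG)):
        r = triage(log)
        print(f"[{label}] furthest stage: {r['furthest_stage']}, tunnel up: {r['tunnel_up']}")
        for code, hint in r["aadsts"]:
            print(f"  {code}: {hint}")
        for f in r["failures"]:
            print(f"  {f['ts']} {f['src']} {f['terms']}: {f['msg']}")
```

Reading the result: a furthest stage of "embedded-browser" or "authentication" with no tunnel line points at the IdP side (the AADSTS hint says which Entra setting), a run that never gets past "SAML" points at the ASA's SAML configuration or IdP reachability, and a tunnel-stage failure after a successful authentication points at the tunnel-group or group-policy rather than at SAML.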