Ошибка циско login failed

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

• Installation and Virtual Adapter Issues
• Disconnection or Inability to Establish Initial Connection
• Problems with Passing Traffic
• AnyConnect Crash Issues
• Fragmentation / Passing Traffic Issues

Installation and Virtual Adapter Issues

Complete these steps:

1. Obtain the device log file:
   • Windows XP / Windows 2000:

     Windowssetupapi.log

   • Windows Vista:

     Note: Hidden folders must be made visible in order to see these files.

     WindowsInfsetupapi.app.log
     
         WindowsInfsetupapi.dev.log
     

   If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

2. Obtain the MSI installer log file:

   If this is an initial web deploy install, this log is located in the per-user temp directory.

   • Windows XP / Windows 2000:

     Documents and Settings<username>Local SettingsTemp
     

   • Windows Vista:

     Users<username>AppDataLocalTemp
     

   If this is an automatic upgrade, this log is in the temp directory of the system:

   WindowsTemp
   

   The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

3. Obtain the PC system information file:
   1. From a Command Prompt/DOS box, type this:
      • Windows XP / Windows 2000:

        winmsd /nfo c:msinfo.nfo
        

      • Windows Vista:

        msinfo32 /nfo c:msinfo.nfo
        

      Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

   2. Obtain a systeminfo file dump from a Command Prompt:

      Windows XP and Windows Vista:

      systeminfo c:sysinfo.txt
      

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

• The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

  From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

  OR

  From the console of the ASA, type show running-config. Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

• The ASA event logs:
  1. In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

     config terminal
     logging enable
     logging timestamp
     logging class auth console debugging
     logging class webvpn console debugging
     logging class ssl console debugging
     logging class svc console debugging

  2. Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
  3. In order to disable logging, issue no logging enable.
• The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
  1. Choose Start > Run.
  2. Enter:

     eventvwr.msc /s

  3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File as AnyConnect.evt.

     Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available.

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator.

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

webvpn
   svc keepalive 30
   svc dpd-interval client 80
   svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

1. Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
2. Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
3. Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:

   access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
   ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
   nat (inside) 0 access-list in_nat0_out

4. Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.

   Example:

   
   !--- Route outside 0 0 is an incorrect statement.
   
   route outside 0 0 10.145.50.1
   route inside 0 0 10.0.4.2 tunneled

   For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

5. Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by AnyConnct client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.

   ASA(config)# policy-map global_policy
   ASA(config-pmap)#  class inspection_default
   ASA(config-pmap-c)# no inspect skinny

AnyConnect Crash Issues

Complete these data-gathering steps:

1. Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

   Number of Instructions      : 25
   Number of Errors To Save    : 25
   Crash Dump Type             :  Mini
   Dump Symbol Table           : Checked
   Dump All Thread Contexts    : Checked
   Append To Existing Log File : Checked
   Visual Notification         : Checked
   Create Crash Dump File      : Checked

   When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

2. Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
   1. Choose Start > Run.
   2. Enter:

      eventvwr.msc /s

   3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.

      Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

 ASA(config)#group-policy <name> attributes
                          webvpn
                              svc mtu 1200

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

1. Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.
2. Create an XML file with the AnyConnect Profile Editor.
   1. Go to the server list tab.
   2. Click Add.
   3. Type the main server on the Hostname field.
   4. Add the backup server below the backup server list on the Host address field. Then, click Add.
3. Once you have the XML file, you need to assign it to the connection you use on the ASA.
   1. In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
   2. Select your profile and click Edit.
   3. Click Manage from the Default Group Policy section.
   4. Select your group-policy and click Edit.
   5. Select Advanced and then click SSL VPN Client.
   6. Click New. Then, you need to type a name for the Profile and assign the XML file.
4. Connect the client to the session in order to download the XML file.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list "C:WINDOWSINFcertclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue.

You can receive this log on the client: "The VPN client driver has encountered an error".

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Run:

   esentutl /p%systemroot%System32catroot2
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb

4. When prompted, choose OK in order to attempt the repair.
5. Exit the command prompt.
6. Reboot.

Failed Repair

If the repair fails, complete these steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Rename the %WINDIR%system32catroot2 to catroot2_old directory.
4. Exit the command prompt.
5. Reboot.

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

1. Open a command prompt as an Admimistrator on the PC.
2. Run:

   esentutl /g%systemroot%System32catroot2
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb

   Refer to System Catalog Database Integrity for more information.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory.

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

"Module C:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed
to register..."

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

• The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer. 
• Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.
• Add the ASA to their trusted sites. 
• Copy these files from the ProgramFilesCiscoCiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command prompt:
  • vpnapi.dll
  • vpncommon.dll
  • vpncommoncrypt.dll
• Reimage the operating system on the laptop/PC.

The log message related to this error on the AnyConnect client looks similar to this:

DEBUG: Error 2911:  Could not remove the folderC:Program FilesCiscoCisco AnyConnect
VPN Client.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:Program FilesCiscoCisco AnyConnect VPN Client, ,
DEBUG: Error 2911:  Could not remove the folder C:Program FilesCiscoCisco AnyConnect
VPN Client.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:Program FilesCiscoCisco AnyConnect VPN Client, ,
Info 1721. There is a problem with this Windows Installer package. A program required for
this install to complete could not be run. Contact your support personnel or package
vendor. Action: InstallHelper.exe, location: C:Program FilesCiscoCisco AnyConnect VPN
ClientInstallHelper.exe, command: -acl "C:Documents and SettingsAll UsersApplication
DataCiscoCisco AnyConnect VPN Client" -r

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached. I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".

This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0".

This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

Router#show run | in pool

ip local pool SSLPOOL 192.168.30.2 192.168.30.254
   svc address-pool SSLPOO

The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: "Unable to update the session management database".

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

1. Disable the threat-detection.
2. Disable SVC compression.
3. Reload the ASA.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

1. Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
2. Right-click Properties, then log on, and select Allow service to interact with the desktop.

   This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

   Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

   When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an error. error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.xxx.xxx".

Solution

In order to resolve this error, try these workarounds:

• Remove WebVPN from the ASA and reenable it.<
• Change the port number to 444 from the existing 443 and reenable it on 443.

For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

Error: «Login Denied , unauthorized connection mechanism , contact your administrator»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Login Denied , unauthorized connection mechanism , contact your administrator".

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

<

Error: «Anyconnect package unavailable or corrupted. Contact your system administrator»

This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.

Solution

In order to resolve this, complete these steps:

1. Upload the Macintosh AnyConnect package to the flash of the ASA.
2. Modify the WebVPN configuration in order to specify the AnyConnect package that is used.

   webvpn
    svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
    svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3

   The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:

   hostname(config)#webvpn
   hostname(config-webvpn)#anyconnect image disk0:/
   anyconnect-win-3.0.0527-k9.pkg 1
   hostname(config-webvpn)#anyconnect image disk0:/
   anyconnect-macosx-i386-3.0.0414-k9.pkg 2
   
   
   

Error: «The AnyConnect package on the secure gateway could not be located»

This error is caused on the user’s Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:

"The AnyConnect package on the secure gateway could not be located. You may
be experiencing network connectivity issues. Please try connecting again."

Solution

In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client. 

If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.

Error: «Secure VPN via remote desktop is not supported»

Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:ProgramDataCiscoCisco AnyConnect VPN ClientAnyConnectLocalPolicy.xml. If this file is not found in this path, then locate the file at a different directory with a path such as C:Documents and SettingsAll UsersApplication DataCisco AnyConnectVPNClientAnyConnectLocalPolicy.xml. Once you locate the xml file, make changes to this file as shown here:

Change the phrase:

<FipsMode>true</FipsMode>

To:

<FipsMode>false</FipsMode>

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."

Solution

Complete these steps in order to fix this issue:

1. Remove any anti-virus software.
2. Disable the Windows firewall.
3. If neither Step 1 or 2 helps, then format the machine and then install.
4. If the problem still persists, open a TAC Case.

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

"Contact your system administrator. The installer failed with the following error:
Error applying transforms. Verify that the specified transform paths are valid."

This is the error message received when connecting with AnyConnect for MacOS:

"The AnyConnect package on the secure gateway could not be located. You may be
experiencing network connectivity issues. Please try connecting again."

Solution

Complete one of these workarounds in order to resolve this issue:

1. The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:
   1. Remove the MST translation table.
   2. Configure the AnyConnect image for MacOS in the ASA.
2. From the ASDM, follow the Network (Client) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Setting.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

The VPN client driver has encountered an error when connecting through Cisco
AnyConnect Client.

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

"A VPN reconnect resulted in different configuration setting. The VPN network
setting is being re-initialized. Applications utilizing the private network may
need to be restarted."

Solution

In order to resolve this error, use this:

group-policy <Name> attributes
			webvpn
				svc mtu 1200

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

hostname(config)#group-policy <Name> attributes

hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)#anyconnect mtu 500

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

The VPN connection is not allowed via a local proxy. This can be changed
through AnyConnect profile settings.

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

<ProxySettings>IgnoreProxy</ProxySettings><
AllowLocalProxyConnections>
false</AllowLocalProxyConnections>

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

There are currently 2 clientless SSL VPN sessions in progress. AnyConnect
Essentials can not be enabled until all these sessions are closed.

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

• No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Windows Mobile Support

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

The certificate you are viewing does not match with the name of the site
you are trying to view.

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

<ServerList>
 <HostEntry>
    <HostName>vpn1.ccsd.net</HostName>


 </HostEntry>
</ServerList>

Note: If there is an existing entry for the Public IP address of the server such as <HostAddress>, then remove it and retain only the FQDN of the server (for example, <HostName> but not <Host Address>).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Description : Function:
CAdapterNetworkStateIfc::SetConnectedStateToConnected
File: .AdapterNetworkStateIfc.cpp
Line: 147
Invoked Function: InternetSetOption
Return Code: 12010 (0x00002EEA)
Description: The length is incorrect for the option type
Description : Function: CTransportWinHttp::InitTransport
File: .CTransportWinHttp.cpp
Line: 252
Invoked Function: CConnectedStateIfc::SetConnectedStateToConnected
Return Code: -25362420 (0xFE7D000C)
Description: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

1. Reduce the number of entries in the split-tunnel list.
2. Use this configuration in order to disable DTLS:

   group-policy groupName attributes
     webvpn
       svc dtls none

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

******************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .CTransportWinHttp.cpp
Line: 1170
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft 
Windows HTTP Services 
*****************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui
Description : Function: ConnectIfc::connect
File: .ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .ConnectIfc.cpp
Line: 2999
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
Connection attempt failed.  Please try again.
******************************************

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Refer to the How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista knowledge base article for more information.

Error: «The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::handleRequestError
File: .CTransportWinHttp.cpp
Line: 854
The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway.
******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .ConnectIfc.cpp
Line: 3026
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
Connection attempt failed.  Please try again.
******************************************

Solution

Windows 8.1 does not support RC4 according to the following KB update:

http://support2.microsoft.com/kb/2868725

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

https://technet.microsoft.com/en-us/library/dn303404.aspx

Related Information

• Cisco ASA 5500 Series Adaptive Security Appliances
• AnyConnect VPN Client FAQ
• Cisco Secure Desktop (CSD) FAQ
• Cisco AnyConnect VPN Client
• Technical Support & Documentation — Cisco Systems

Cisco AnyConnect login failed

My company recently took over IT operations for another company. We have next to no documentation to go off of.

Users use CiscoAnyconnect for VPN and we need to be able to manage this system for them.

One user is getting «Login Failed» when trying to connect and I cannot find a way to get their password reset. I can confirm that their AD environment is not integrated with Cisco VPN.

Any guidance will be appreciated. where to start especially. We have access to their servers and domain controllers.

Исправление: AnyConnect не смог установить соединение с указанным безопасным шлюзом.

Сообщение об ошибке « AnyConnect не смог установить соединение с указанным безопасным шлюзом » появляется, когда пользователи пытаются подключиться к VPN с помощью клиента AnyConnect. Эта проблема возникает из-за того, что VPN-клиент AnyConnect не может успешно выполнить процесс соединения с удаленным сервером, и на его пути есть некоторые блокировки. Сегодня мы рассмотрим указанное сообщение об ошибке, включая причины появления сообщения об ошибке и различные решения, которые вы можете реализовать, чтобы избавиться от ошибки.

Что вызывает сообщение об ошибке «AnyConnect не смог установить соединение с указанным безопасным шлюзом»?

Это может быть связано с множеством причин. Иногда это блокировка антивируса или брандмауэра, а иногда это может быть вызвано плохим подключением к Интернету. Следующие будут основными причинами; упомянуть вкратце —

• Проблема с антивирусом или брандмауэром: антивирусное программное обеспечение может время от времени мешать процессу подключения AnyConnect Client VPN и не позволять ему подключаться к внешним сетям или серверам из соображений безопасности. Часто он блокирует множество входящих и исходящих соединений. Таким образом, вы не сможете подключиться к своей любимой VPN с помощью Anyconnect.
• Неправильная конфигурация клиента: если вы неправильно настроили свой клиент Anyconnect и хранящиеся в нем конфигурации VPN неверны, то вы столкнетесь с проблемами при установлении успешных соединений.
• Интернет-ограничения: иногда IP-адреса некоторых стран могут быть заблокированы вашим интернет-провайдером, и вы можете сознательно не пытаться подключиться к VPN той же страны, которая была заблокирована вашим интернет-провайдером. Тогда вы столкнетесь с проблемами.

Чтобы обойти сообщение об ошибке, вы можете следовать приведенным ниже решениям, но обязательно перезагрузите компьютер и приложение, прежде чем переходить к другим исправлениям.

Решение 1. Отключение антивируса

Перво-наперво. В большинстве случаев проблема возникает из-за блокировки антивируса, что является распространенным сценарием. Следовательно, в таком случае вы должны попытаться отключить любой сторонний антивирус, который вы установили в своей системе, а затем попытаться подключиться к VPN с помощью AnyConnect. Надеюсь, это решит проблему.

Решение 2. Остановите службу подключения к Интернету

Время от времени служба ICS работает, что вызывает проблемы для клиента AnyConnect при подключении к VPN. Вам нужно будет отключить его, чтобы решить проблему. Вот как отключить службу:

1. Нажмите Windows + R и введите services.msc.
2. Когда откроется окно со службами, найдите службу общего доступа к подключению Интернета . Щелкните его правой кнопкой мыши и выберите « Остановить» .
3. Затем выйдите из окна служб , закрыв его.

Решение 3. Отключите общий доступ к подключению к Интернету (ICS)

Было несколько случаев, когда, если в Windows был включен ICS, пользователи сталкивались с этой проблемой. Чтобы отключить ICS, следуйте приведенным ниже инструкциям:

1. Откройте панель управления
2. Перейдите в раздел «Сеть и общий доступ к Интернету» и нажмите « Изменить настройки адаптера» .
3. После этого вам нужно будет щелкнуть правой кнопкой мыши по общему сетевому подключению , а затем выбрать « Свойства» .
4. В окне свойств нажмите на Совместное использование
5. Оказавшись там, вам нужно снять флажок с надписью « Разрешить другим пользователям сети подключаться через подключение к Интернету этого компьютера ».
6. После этого нажмите ОК.

Если ваша проблема была вызвана включением ICS, это должно было исправить ее.

Решение 4. Выберите параметр Подключиться к текущей сети в AnyConnect VPN.

Иногда клиентский VPN Any Connect колеблется между разными сетями, поэтому вам нужно выбрать вариант подключения только к текущей сети. Это может решить проблему для вас. Вот как это сделать:

1. Откройте клиент AnyConnect и там, где вы видите написанную сеть , щелкните ее правой кнопкой мыши.
2. Щелкните « Подключиться только к текущей сети ».

Решение 5. Попробуйте другое подключение

Иногда используемое вами интернет-соединение может иметь некоторые ограничения или может работать неправильно, что является причиной проблемы. В таком сценарии вам придется использовать альтернативное соединение, такое как Wi-Fi или мобильная точка доступа, чтобы узнать, можете ли вы подключиться к VPN.

AnyConnect VPN Client Troubleshooting Guide — Common Problems

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

Installation and Virtual Adapter Issues

Complete these steps:

Obtain the device log file:

Windows XP / Windows 2000:

Note: Hidden folders must be made visible in order to see these files.

If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

If this is an initial web deploy install, this log is located in the per-user temp directory.

Windows XP / Windows 2000:

If this is an automatic upgrade, this log is in the temp directory of the system:

The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

From a Command Prompt/DOS box, type this:

Windows XP / Windows 2000:

Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

Windows XP and Windows Vista:

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

From the console of the ASA, type show running-config . Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

Choose Start > Run.

Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available .

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator .

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets . This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

Obtain the output of the show vpn-sessiondb detail svc filter name ASA command from the console. If the output shows Filter Name: XXXXX , then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.

For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

AnyConnect Crash Issues

Complete these data-gathering steps:

Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

Choose Start > Run.

Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.

Go to the server list tab.

In ASDM, choose Configuration >Remote Access VPN >Network (Client) Access >AnyConnect Connection Profiles.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list «C:WINDOWSINFcertclas.inf» was missing or invalid. Error 0xfffffde5: Unknown Error. , assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue .

You can receive this log on the client: «The VPN client driver has encountered an error» .

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Failed Repair

If the repair fails, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

Open a command prompt as an Admimistrator on the PC.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory .

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.

• vpnapi.dll
• vpncommon.dll
• vpncommoncrypt.dll

The log message related to this error on the AnyConnect client looks similar to this:

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached . I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group User IP Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» .

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

The «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: «Unable to update the session management database» .

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

Disable the threat-detection.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.

This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Unable to process response from xxx.xxx.xxx.xxx» .

Solution

In order to resolve this error, try these workarounds:

Remove WebVPN from the ASA and reenable it. true

false

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

«Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.»

Solution

Complete these steps in order to fix this issue:

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

This is the error message received when connecting with AnyConnect for MacOS:

Solution

Complete one of these workarounds in order to resolve this issue:

The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:

Remove the MST translation table.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

Solution

In order to resolve this error, use this:

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

Note: If there is an existing entry for the Public IP address of the server such as , then remove it and retain only the FQDN of the server (for example, but not ).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

Reduce the number of entries in the split-tunnel list.

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Error: «The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Solution

Windows 8.1 does not support RC4 according to the following KB update:

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

Источник

The CiscoVPN solution is working rather nicely if we look at the reports. The most prominent issues appear only after the major updates which tend to break the application.

These are not common, but then again, they seemingly render the VPN client completely unusable. At least that was the case with the Fall Creators Update and April Update.

BEST VPN RECOMMENDATIONS — VETTED BY OUR EXPERTS

However, there’s no need to worry. We found some applicable steps and enlisted them below so make sure to check them out.

Why is Cisco VPN not connecting?

Users report that an error message appears while trying to connect to the Cisco VPN Client.

When the VPN client is launched, an error message reads The necessary VPN sub-system is not available. You cannot connect to remote VPN server displays.

These three factors can cause this warning to appear:

• The VPN client service has not yet been launched
• Installation issues with the VPN, possibly caused by corrupted or duplicated files
• A firewall or antivirus software may be interfering with the VPN connection

Additionally, a VPN client is more prone to lose Dead Peer Detection while it is having connectivity problems. If your system’s firmware is outdated, it could affect DPD issues.

How do I get my Cisco AnyConnect to work?

1. Repair the installation
2. Perform a clean installation
3. Allow VPN through firewall
4. Tweak the registry

1. Repair the installation

1. In the Windows Search bar, type Control and open Control Panel.
2. Click Uninstall a program in the bottom left corner.
3. Click on the Cisco System VPN client and choose Repair.
4. Follow the instructions until the installation is repaired.

Let’s start by repairing the installation. Lots of third-party applications tend to break after a major update is administered. That’s why it is always recommended to reinstall them after the update is installed.

Even better, if you want to avoid one of the numerous update/upgrade errors, uninstalling is a viable choice.

However, if you’ve not uninstalled Cisco VPN prior to an update, instead of reinstallation, you should try out repairing the present installation first.

If you’re not sure how to repair the Cisco VPN, follow the steps we provided above.

2. Perform a clean reinstallation

Finally, if none of the previous solutions got Cisco VPN to work, the only remaining solution we can suggest is performing a clean reinstallation.

Ideally, this will require a clean slate install where you’ll clear all remaining associated files from your PC prior to installing Cisco VPN again.

Follow the above steps to perform a clean reinstallation and fix Cisco VPN on Windows 10. If Cisco VPN is not working on windows 11 the steps for fixing the error are the same.

3. Allow VPN to freely communicate through Firewall

1. In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall.
2. Click Change settings.
3. Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall.
   • If that’s not the case, click Allow another app and add it.
4. Check both Private and Publicrong> network boxes.
5. Confirm changes and open the Cisco VPN.

System updates can, quite frequently, change the system settings and preferences to default values. This misdeed, of course, can affect Windows Defender settings as well.

If that’s the case, chances are that lots of third-party apps that require free traffic through the Firewall won’t work. Including the Cisco VPN client.

That’s why we encourage you to check the settings and confirm that the app is indeed allowed in Windows Firewall settings.

4. Tweak the Registry

1. Right-click on the Start button and open Device Manager.
2. Expand Network adapters.
3. Right-click on Virtual Adapter and update it.
4. Restart your PC.

Like many other integrating VPN solutions, Cisco VPN comes with the specific associated Virtual Network Adapter. The failure of this device is another common occurrence, and it’s accompanied by error code 442.

The first thing you can do if this error occurs is to check the Virtual Adapter driver in the Device Manager.

Now, if that fails to resolve the issue, you can try a Registry tweak which seems to address it fully. This requires administrative permission, in order to make changes to Registry.

Furthermore, we strongly suggest treading carefully since untaught meddling with the Registry can result in a system failure.

Follow these steps to tweak Registry and repair Cisco VPN:

1. Type Regedit in the Windows Search bar and open Registry Editor.
2. Copy-paste the following path in the address bar:
   • HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtA
3. Right-click on the DisplayName registry entry and choose Modify.
4. Under the Value Data section, make sure that the only body of text which stands is the Cisco Systems VPN Adapter.
   • For the 64bit version, the text is the Cisco Systems VPN Adapter for 64-bit Windows.
5. Save changes and try running Cisco VPN again.

Why is Cisco AnyConnect not opening?

Common errors include Cisco AnyConnect VPN Login Failed, which can happen for a variety of reasons. The VPN client’s inability to connect to the VPN server is the most frequent cause of this problem. Incorrect VPN settings, firewall configuration, or problems with network connectivity are just a few causes of this.

By navigating to the Windows Administration Tools and making sure that the Cisco AnyConnect VPN Agent is not running, you can determine whether another program interfered with the service.

It might be necessary to disable or even uninstall another VPN application on the desktop if it is already operating and the error message still shows. Verify if you have more than one VPN service installed on your PC, this might be the core problem for Cisco AnyConnect not opening.

If Cisco VPN is still not working on Windows 10 and 11, try contacting the support as they would more likely assist you in the best manner, you can also check our guide on what to do if your Cisco Anyconnect is not working through RDP.

That’s it. If you have any alternative solutions you care to share with us, feel free to do so in the comments section below.

My company recently took over IT operations for another company. We have next to no documentation to go off of.

Users use CiscoAnyconnect for VPN and we need to be able to manage this system for them.

One user is getting «Login Failed» when trying to connect and I cannot find a way to get their password reset. I can confirm that their AD environment is not integrated with Cisco VPN.

Any guidance will be appreciated. where to start especially. We have access to their servers and domain controllers.

Исправление: AnyConnect не смог установить соединение с указанным безопасным шлюзом.

Сообщение об ошибке « AnyConnect не смог установить соединение с указанным безопасным шлюзом » появляется, когда пользователи пытаются подключиться к VPN с помощью клиента AnyConnect. Эта проблема возникает из-за того, что VPN-клиент AnyConnect не может успешно выполнить процесс соединения с удаленным сервером, и на его пути есть некоторые блокировки. Сегодня мы рассмотрим указанное сообщение об ошибке, включая причины появления сообщения об ошибке и различные решения, которые вы можете реализовать, чтобы избавиться от ошибки.

Что вызывает сообщение об ошибке «AnyConnect не смог установить соединение с указанным безопасным шлюзом»?

Это может быть связано с множеством причин. Иногда это блокировка антивируса или брандмауэра, а иногда это может быть вызвано плохим подключением к Интернету. Следующие будут основными причинами; упомянуть вкратце —

• Проблема с антивирусом или брандмауэром: антивирусное программное обеспечение может время от времени мешать процессу подключения AnyConnect Client VPN и не позволять ему подключаться к внешним сетям или серверам из соображений безопасности. Часто он блокирует множество входящих и исходящих соединений. Таким образом, вы не сможете подключиться к своей любимой VPN с помощью Anyconnect.
• Неправильная конфигурация клиента: если вы неправильно настроили свой клиент Anyconnect и хранящиеся в нем конфигурации VPN неверны, то вы столкнетесь с проблемами при установлении успешных соединений.
• Интернет-ограничения: иногда IP-адреса некоторых стран могут быть заблокированы вашим интернет-провайдером, и вы можете сознательно не пытаться подключиться к VPN той же страны, которая была заблокирована вашим интернет-провайдером. Тогда вы столкнетесь с проблемами.

Чтобы обойти сообщение об ошибке, вы можете следовать приведенным ниже решениям, но обязательно перезагрузите компьютер и приложение, прежде чем переходить к другим исправлениям.

Решение 1. Отключение антивируса

Перво-наперво. В большинстве случаев проблема возникает из-за блокировки антивируса, что является распространенным сценарием. Следовательно, в таком случае вы должны попытаться отключить любой сторонний антивирус, который вы установили в своей системе, а затем попытаться подключиться к VPN с помощью AnyConnect. Надеюсь, это решит проблему.

Решение 2. Остановите службу подключения к Интернету

Время от времени служба ICS работает, что вызывает проблемы для клиента AnyConnect при подключении к VPN. Вам нужно будет отключить его, чтобы решить проблему. Вот как отключить службу:

1. Нажмите Windows + R и введите services.msc.
2. Когда откроется окно со службами, найдите службу общего доступа к подключению Интернета . Щелкните его правой кнопкой мыши и выберите « Остановить» .
3. Затем выйдите из окна служб , закрыв его.

Решение 3. Отключите общий доступ к подключению к Интернету (ICS)

Было несколько случаев, когда, если в Windows был включен ICS, пользователи сталкивались с этой проблемой. Чтобы отключить ICS, следуйте приведенным ниже инструкциям:

1. Откройте панель управления
2. Перейдите в раздел «Сеть и общий доступ к Интернету» и нажмите « Изменить настройки адаптера» .
3. После этого вам нужно будет щелкнуть правой кнопкой мыши по общему сетевому подключению , а затем выбрать « Свойства» .
4. В окне свойств нажмите на Совместное использование
5. Оказавшись там, вам нужно снять флажок с надписью « Разрешить другим пользователям сети подключаться через подключение к Интернету этого компьютера ».
6. После этого нажмите ОК.

Если ваша проблема была вызвана включением ICS, это должно было исправить ее.

Решение 4. Выберите параметр Подключиться к текущей сети в AnyConnect VPN.

Иногда клиентский VPN Any Connect колеблется между разными сетями, поэтому вам нужно выбрать вариант подключения только к текущей сети. Это может решить проблему для вас. Вот как это сделать:

1. Откройте клиент AnyConnect и там, где вы видите написанную сеть , щелкните ее правой кнопкой мыши.
2. Щелкните « Подключиться только к текущей сети ».

Решение 5. Попробуйте другое подключение

Иногда используемое вами интернет-соединение может иметь некоторые ограничения или может работать неправильно, что является причиной проблемы. В таком сценарии вам придется использовать альтернативное соединение, такое как Wi-Fi или мобильная точка доступа, чтобы узнать, можете ли вы подключиться к VPN.

AnyConnect VPN Client Troubleshooting Guide — Common Problems

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

Installation and Virtual Adapter Issues

Complete these steps:

Obtain the device log file:

Windows XP / Windows 2000:

Note: Hidden folders must be made visible in order to see these files.

If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

If this is an initial web deploy install, this log is located in the per-user temp directory.

Windows XP / Windows 2000:

If this is an automatic upgrade, this log is in the temp directory of the system:

The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

From a Command Prompt/DOS box, type this:

Windows XP / Windows 2000:

Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

Windows XP and Windows Vista:

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

From the console of the ASA, type show running-config . Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

Choose Start > Run.

Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available .

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator .

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets . This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX , then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.

For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

AnyConnect Crash Issues

Complete these data-gathering steps:

Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

Choose Start > Run.

Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.

Go to the server list tab.

In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list «C:WINDOWSINFcertclas.inf» was missing or invalid. Error 0xfffffde5: Unknown Error. , assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue .

You can receive this log on the client: «The VPN client driver has encountered an error» .

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Failed Repair

If the repair fails, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

Open a command prompt as an Admimistrator on the PC.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory .

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.

• vpnapi.dll
• vpncommon.dll
• vpncommoncrypt.dll

The log message related to this error on the AnyConnect client looks similar to this:

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached . I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» .

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

The «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: «Unable to update the session management database» .

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

Disable the threat-detection.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.

This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Unable to process response from xxx.xxx.xxx.xxx» .

Solution

In order to resolve this error, try these workarounds:

Remove WebVPN from the ASA and reenable it.<

For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

Error: «Login Denied , unauthorized connection mechanism , contact your administrator»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Login Denied , unauthorized connection mechanism , contact your administrator» .

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

Error: «Anyconnect package unavailable or corrupted. Contact your system administrator»

This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.

Solution

In order to resolve this, complete these steps:

Upload the Macintosh AnyConnect package to the flash of the ASA.

The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:

Error: «The AnyConnect package on the secure gateway could not be located»

This error is caused on the user’s Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:

Solution

In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client.

If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.

Error: «Secure VPN via remote desktop is not supported»

Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:ProgramDataCiscoCisco AnyConnect VPN ClientAnyConnectLocalPolicy.xml . If this file is not found in this path, then locate the file at a different directory with a path such as C:Documents and SettingsAll UsersApplication DataCisco AnyConnectVPNClientAnyConnectLocalPolicy.xml . Once you locate the xml file, make changes to this file as shown here:

Change the phrase:

<FipsMode>true</FipsMode>

<FipsMode>false</FipsMode>

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

«Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.»

Solution

Complete these steps in order to fix this issue:

Remove any anti-virus software.

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

This is the error message received when connecting with AnyConnect for MacOS:

Solution

Complete one of these workarounds in order to resolve this issue:

The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:

Remove the MST translation table.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

Solution

In order to resolve this error, use this:

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

Note: If there is an existing entry for the Public IP address of the server such as <HostAddress> , then remove it and retain only the FQDN of the server (for example, <HostName> but not <Host Address> ).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

Reduce the number of entries in the split-tunnel list.

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Error: «The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Solution

Windows 8.1 does not support RC4 according to the following KB update:

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

Some VPN users exclusive to Cisco AnyConnect Secure Mobility Client are reporting the issue whereby when they try to launch the VPN software or try to start/connect/enable the program on their Windows 11 or Windows 10 computer they get the error message VPN Agent Service not responding or starting. This post is intended to help affected users with the most suitable fixes.

The full error message when the issue occurs on your system reads thus;

The VPN Agent Service is not responding. Please restart this application after a minute.

As reported by most affected users, restarting the application as suggested on the error prompt didn’t work for them.

If you’re encountering the issue whereby the VPN Agent Service is not responding or starting when you try to start the Cisco AnyConnect VPN software installed on your Windows 11/10 system, you can try our recommended solutions in the order presented below to resolve the issue.

1. Initial checklist
2. Check essential Cisco AnyConnect Services
3. Reinstall Cisco AnyConnect VPN software
4. Reset Windows 11/10

Let’s see a quick descritption of these suggestions.

Read: Cisco AnyConnect error Connection attempt failed

1] Initial checklist

Before you try anything else, make sure you tick all the boxes on the following pre-task and see if the VPN software will start normally without throwing any error message.

Assuming that you are using the latest Cisco AnyConnect application, couple of things to check off your list:

• Did you install the VPN client as an administrator AND running the program as an administrator? In any case, you can try these options: allow Standard users to run a Program with Admin rights, login as an Administrator before attempting to install or run the program, and you can grant or get Elevated Privileges.
• Make sure your antivirus or any 3rd-party firewall is not causing the issue. For this, you can simply temporarily disable your security software. This largely depends on the security software you have installed. Refer to the instruction manual. Generally. to disable your antivirus software, locate its icon in the notification area or system tray on the taskbar (usually in the lower right corner of the desktop). Right-click the icon and choose the option to disable or exit the program.
• It might not seem to matter or obvious, but it will save you many minor ‘headaches’ caused by slightly outdated Windows version/build; always check for updates and install any available bits on your Windows 11/10 device and see if the error reappears.

Read: Fix VPN not working problems and issues in Windows

2] Check essential Cisco AnyConnect Services

Investigations revealed that a couple of main services especially Cisco AnyConnect Secure Mobility Agent service associated with the VPN client in question triggers the VPN Agent Service is not responding or starting on your Windows 11/10 system. In this case, to resolve the issue in hand, you may need to change its Startup Type to Manual or Automatic if it is Disabled before it will allow you to start it.

Do the following:

• Press Windows key + R to invoke the Run dialog.
• In the Run dialog box, type services.msc and hit Enter to open Services.
• In the Services window, scroll and locate the Cisco AnyConnect Secure Mobility Agent service.
• Double-click on the entry to edit its properties.
• In the properties window, click the drop-down on the Startup type and select Automatic.
• Next, make sure the service is started.
• Click Apply > OK to save changes.
• Relaunch the Cisco AnyConnect VPN software.

If you confirm all services are set as suggested, but the issue remains, you can restart your PC and see if that helps.

Read: How to restore missing or deleted Services in Windows

3] Reinstall Cisco AnyConnect VPN software

For most affected PC users, what worked for them is Solution 1]. But in the event this isn’t the case for you, reinstalling the VPN client should get the job done! And when you uninstall, make sure all the files from the AnyConnect installation directory are deleted (if not, delete them manually). So, to uninstall the software, we recommend using any of the free third-party software uninstaller for Windows 11/10. Once the clean uninstall is completed, you can download the latest version of the software and install normally on your device.

If the issue persists, try the next solution.

4] Reset Windows 11/10

In the unlikely event neither of the solutions above worked for you to fix the error in view, then it’s safe to assume you may be facing some sort of system corruption. In this case, you can reset Windows 11/10 with the option to keep your personal files. Once the reset procedure completes successfully on your device, you can then reinstall the latest version of the software.

Hope this helps!

Related post: Fix VPN Connection, Can’t connect to VPN connection error

Why is Cisco AnyConnect not working?

If Cisco AnyConnect is not working on your Windows 11/10 PC, you may need to allow the app through Windows Firewall. In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall. Click Change settings. Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall. If that’s not the case, click Allow another app and add it.

Why can’t I log into Cisco AnyConnect?

The “Login failed” error message appears when you have entered an incorrect or invalid username or password combination, when trying to log into the Campus or 2-factor VPN services, via the Web VPN gateway with your browser, or via the Cisco AnyConnect client.

Campus Staff and Other University 2-factor VPNs

Campus Staff VPN:

Login authorization requirements: Single Sign-On credentials only

If you are connecting to the Campus VPN service, using the Cisco Any Connect Secure Mobility Client, your connection should be campusvpn.warwick.ac.uk/staff

The “Login failed” error message appears when you have entered an invalid username or password combination.

Make sure you enter your single sign-on (SSO) username and password credentials correctly.

Note: the “Login failed error message window/s will keep appearing if you continually enter your SSO credentials incorrectly.

Campus VPN Login:

Using Web browser connection URL: https://campusvpn.warwick.ac.uk/staff

Unsuccessful SSO credentials entered: “Login failed”

Using Cisco AnyConnect client connection: campusvpn.warwick.ac.uk/staff

When connecting via the Cisco AnyConnect client, make sure that campusvpn.warwick.ac.uk is the connection you are connecting to, and displayed in the ‘Connect’ box. If you continually get the “Login failed” error message, first ensure you are entering your correct SSO credentials. If still failing, you may need to change/reset your password.

Unsuccessful SSO credentials entered: “Login failed”

---

Other University 2-factor VPNs:

Login Authorization requirements: Single Sign-On credentials + 2-factor Token Key-Fob code or One Time Password (OTP)

If you are connecting to a 2-factor VPN service, your connection should be campusvpn.warwick.ac.uk/name.

E.g. campusvpn.warwick.ac.uk/its = the 2-factor VPN service for IT Services staff only.

Note:

• You will only see the 2-factor login prompt window if you have entered your SSO credentials correctly
• After entering your OTP Token code, you are still unable to connect; you may need your Token Key-fob resynchronized with the FortiAuthenticator 2-factor system. Contact the Service Desk to resynchronize your 2-factor Token.

Using Web browser connection URL: https://campusvpn.warwick.ac.uk/its

Successful SSO credentials entered: OTP prompt

Unsuccessful SSO credentials entered: “Login failed”

Using Cisco AnyConnect client connection: campusvpn.warwick.ac.uk/its

Successful SSO credentials entered: OTP prompt

Unsuccessful SSO credentials entered: “Login failed”

---

Password Resets:

Occasionally your password can get out of sync across the centrally managed systems, which can prevent you from logging in. Try changing your password and log in again.

You can change your password using the Password Self-Service System.

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Available Languages

Download Options

Objective

The objective of this document is to show you basic troubleshooting steps on some common errors on the Cisco AnyConnect Secure Mobility Client. When installing the Cisco AnyConnect Secure Mobility Client, errors may occur and troubleshooting may be needed for a successful setup.

Note that the errors discussed in this document is not an exhaustive list and varies with the configuration of the device used.

For additional information on AnyConnect licensing on the RV340 series routers, check out the article AnyConnect Licensing for the RV340 Series Routers.

Software Version

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Note: Before attempting to troubleshoot, it is recommended to gather some important information first about your system that might be needed during the troubleshooting process. To learn how, click here.

1. Problem: Network Access Manager fails to recognize your wired adapter.

Solution: Try unplugging your network cable and reinserting it. If this does not work, you may have a link issue. The Network Access Manager may not be able to determine the correct link state of your adapter. Check the Connection Properties of your Network Interface Card (NIC) driver. You may have a «Wait for Link» option in the Advanced Panel. When the setting is On, the wired NIC driver initialization code waits for auto negotiation to complete and then determines if a link is present.

2. Problem: When AnyConnect attempts to establish a connection, it authenticates successfully and builds the Secure Socket Layer (SSL)session, but then the AnyConnect client crashes in the vpndownloader if using Label-Switched Path (LSP) or NOD32 Antivirus.

Solution: Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32 AV.

3. Problem: If you are using an AT&T Dialer, the client operating system sometimes experiences a blue screen, which causes the creation of a mini dump file.

Solution: Upgrade to the latest 7.6.2 AT&T Global Network Client.

4. Problem: When using McAfee Firewall 5, a User Datagram Protocol (UDP)Datagram Transport Layer Security (DTLS) connection cannot be established.

Solution: In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

5. Problem: The connection fails due to lack of credentials.

Solution: The third-party load balancer has no insight into the load on the Adaptive Security Appliance (ASA) devices. Because the load balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices, using the internal ASA load balancing instead is recommended.

6. Problem: The AnyConnect client fails to download and produces the following error message:

Solution: Upload the patch update to version 1.2.1.38 to resolve all dll issues.

7. Problem: If you are using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify the IP forwarding table.

Solution: Disable the Bonjour Printing Service by typing net stop “bonjour service” at the command prompt. A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web site.

8. Problem: An error indicates that the version of TUN or network tunnel is already installed on this system and is incompatible with the AnyConnect client.

Solution: Uninstall the Viscosity OpenVPN Client.

9. Problem: If a Label-Switched Path (LSP) module is present on the client, a Winsock catalog conflict may occur.

Solution: Uninstall the LSP module.

10. Problem: If you are connecting with a Digital Subscriber Line (DSL) router, DTLS traffic may fail even if successfully negotiated.

Solution: Connect to a Linksys router with factory settings. This setting allows a stable DTLS session and no interruption in pings. Add a rule to allow DTLS return traffic.

11. Problem: When using AnyConnect on some Virtual Machine Network Service devices, performance issues have resulted.

Solution: Uncheck the binding for all IM devices within the AnyConnect virtual adapter. The application dsagent.exe resides in C:WindowsSystemdgagent. Although it does not appear in the process list, you can see it by opening sockets with TCPview (sysinternals). When you terminate this process, normal operation of AnyConnect returns.

12. Problem: You receive an “Unable to Proceed, Cannot Connect to the VPN Service” message. The VPN service for AnyConnect is not running.

Solution: Determine if another application conflicted with the service by going to the Windows Administration Tools then make sure that the Cisco AnyConnect VPN Agent is not running. If it is running and the error message still appears, another VPN application on the workstation may need to be disabled or even uninstalled. After taking that action, reboot, and repeat this step.

13. Problem: When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right after CSTP state = CONNECTED. The following message appears:

Solution: Uninstall Kaspersky and refer to their forums for additional updates.

14. Problem: If you are using Routing and Remote Access Service (RRAS), the following termination error is returned to the event log when AnyConnect attempts to establish a connection to the host device:

Solution: Disable the RRAS service.

15. Problem: If you are using a EVDO wireless card and Venturi driver while a client disconnect occurred, the event log reports the following:

Solutions:

If you encounter other errors, contact the support center for your device.

For further information and community discussion on AnyConnect licensing updates, click here.

Источник

IT Services

Campus and 2-factor VPN

Campus VPN:

Login authorization requirements: Single Sign-On credentials only

If you are connecting to the Campus VPN service, your connection should be campusvpn.warwick.ac.uk

The “Login failed” error message appears when you have entered an incorrect or invalid username or password combination, when trying to log into the Campus or 2-factor VPN services, via the Web VPN gateway with your browser, or via the Cisco AnyConnect client.

Make sure you enter your single sign-on (SSO) username and password credentials correctly.

Note: the “Login failed error message window/s will keep appearing if you continually enter your SSO credentials incorrectly.

Using Web browser connection URL: https://campusvpn.warwick.ac.uk

Unsuccessful SSO credentials entered: “Login failed”

Using Cisco AnyConnect client connection: campusvpn.warwick.ac.uk

When connecting via the Cisco AnyConnect client, make sure that campusvpn.warwick.ac.uk is the connection you are connecting to, and displayed in the ‘Connect’ box. If you continually get the “Login failed” error message, first ensure you are entering your correct SSO credentials. If still failing, you may need to change/reset your password.

Unsuccessful SSO credentials entered: “Login failed”

2-factor VPN:

Login Authorization requirements: Single Sign-On credentials + 2-factor Token Key-Fob code or One Time Password (OTP)

If you are connecting to a 2-factor VPN service, your connection should be vpn.warwick.ac.uk/name.

E.g. vpn.warwick.ac.uk/its = the 2-factor VPN service for IT Services staff only.

Note:

Using Web browser connection URL: https://vpn.warwick.ac.uk/its

Successful SSO credentials entered: OTP prompt

Unsuccessful SSO credentials entered: “Login failed”

Using Cisco AnyConnect client connection: vpn.warwick.ac.uk/its

Successful SSO credentials entered: OTP prompt

Unsuccessful SSO credentials entered: “Login failed”

Password Resets:

Occasionally your password can get out of sync across the centrally managed systems, which can prevent you from logging in. Try changing your password and log in again.

Need help?

Call the helpdesk on 024 765 73737 Available 9:00 to 17:00 Monday to Friday
Use our online Help Desk at any time to ask a question or track your requests.

Источник

Available Languages

Download Options

Contents

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

Installation and Virtual Adapter Issues

Complete these steps:

Note: Hidden folders must be made visible in order to see these files.

If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

If this is an initial web deploy install, this log is located in the per-user temp directory.

If this is an automatic upgrade, this log is in the temp directory of the system:

The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

Windows XP and Windows Vista:

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

AnyConnect Crash Issues

Complete these data-gathering steps:

When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

Failed Repair

If the repair fails, complete these steps:

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

Error Messages

Error: Unable to Update the Session Management Database

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

The log message related to this error on the AnyConnect client looks similar to this:

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group User IP Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

The «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an error. error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

Solution

In order to resolve this error, try these workarounds:

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

true

false

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

«Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.»

Solution

Complete these steps in order to fix this issue:

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

This is the error message received when connecting with AnyConnect for MacOS:

Solution

Complete one of these workarounds in order to resolve this issue:

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

Solution

In order to resolve this error, use this:

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Error: «The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Solution

Windows 8.1 does not support RC4 according to the following KB update:

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

Источник

Исправлено: AnyConnect не смог установить соединение с указанным безопасным шлюзом —

Сообщение об ошибке ‘AnyConnect не смог установить соединение с указанным безопасным шлюзом’Появляется, когда пользователи пытаются подключиться к VPN с помощью клиента AnyConnect. Эта проблема возникает из-за того, что VPN-клиент AnyConnect не может успешно выполнить процесс соединения с удаленным сервером, и на его пути существуют некоторые блокировки. Сегодня мы рассмотрим упомянутое сообщение об ошибке, включая причины сообщения об ошибке и различные решения, которые вы можете реализовать, чтобы избавиться от ошибки.

AnyConnect не смог установить соединение с указанным безопасным шлюзом

По какой причине AnyConnect не смогла установить соединение с указанным сообщением об ошибке безопасного шлюза?

Это может быть связано со многими причинами. Иногда это блокировка антивирусом или брандмауэром, а иногда это может быть вызвано плохим подключением к Интернету. Следующее будет основными причинами; упомянуть вкратце —

• Проблема с антивирусом или брандмауэром: Антивирусное программное обеспечение может иногда вмешиваться в процесс подключения VPN-клиента AnyConnect и не разрешать ему подключаться к внешним сетям или серверам по соображениям безопасности. Много раз это заблокирует много входящих и исходящих соединений. Таким образом, вы не сможете подключиться к своему любимому VPN с помощью Anyconnect.
• Неправильная конфигурация клиента: Если вы неправильно настроили свой клиент Anyconnect и сохраненные в нем конфигурации VPN неверны, тогда вы столкнетесь с проблемами при установлении успешных соединений.
• Интернет ограничения: Время от времени ваш провайдер может заблокировать IP-адреса некоторых стран, и вы не можете сознательно пытаться подключиться к VPN той же страны, которая была заблокирована вашим провайдером. Тогда вы столкнетесь с проблемами.

Чтобы обойти сообщение об ошибке, вы можете следовать решениям, приведенным ниже.

Решение 1. Отключение антивируса

Обо всем по порядку. Поскольку в большинстве случаев проблема вызвана антивирусной блокировкой, которая является распространенным сценарием. Поэтому, в таком случае, вы должны попытаться отключить любой сторонний антивирус, который вы установили в своей системе, а затем попытаться подключиться к VPN с помощью AnyConnect. Надеюсь, это изолирует проблему.

Отключить антивирус

Решение 2. Остановите службу подключения к Интернету

Иногда служба ICS работает, что вызывает проблемы для клиента AnyConnect, чтобы соединиться с VPN. Вам придется отключить его, чтобы решить проблему. Вот как отключить службу:

1. Нажмите Windows + R и введите services.msc
2. Когда откроется окно с сервисами, выполните поиск Общий доступ к интернету оказание услуг. Щелкните правой кнопкой мыши и выберите Стоп.
   Остановка службы ICS
3. Затем выйдите из Сервисы окна, закрыв его.

Решение 3. Отключите общий доступ к подключению к Интернету (ICS)

Было несколько случаев, когда ICS был включен в Windows, тогда пользователи сталкивались с этой проблемой. Чтобы отключить ICS, следуйте инструкциям ниже:

1. Откройте панель управления
2. Идти к Сеть и Интернет-обмен а затем нажмите Смените настройки адаптера.
   Центр коммуникаций и передачи данных
3. После этого вам нужно будет щелкнуть правой кнопкой мыши на подключение к общей сети, а затем нажмите на свойства.
4. В окне свойств нажмите на разделение
5. Оказавшись там, вы должны снять флажок с надписью «Разрешить другим пользователям сети подключаться к Интернету через этот компьютер».
6. После этого нажмите ОК.

Если ваша проблема была вызвана включением ICS, то это должно быть исправлено.

Решение 4. Выберите опцию Подключиться к текущей сети в AnyConnect VPN.

Иногда VPN-клиент Any Connect колеблется между разными сетями, поэтому вам нужно выбрать вариант подключения только к текущей сети. Это может решить проблему для вас. Вот как это сделать:

1. Открой Клиент AnyConnect, и где вы видите сеть написано, щелкните правой кнопкой мыши на нем.
2. Нажмите на «Подключаться только к текущей сети».
   Клиент Cisco AnyConnect

Решение 5. Попробуйте альтернативное соединение

Время от времени используемое вами интернет-соединение может иметь некоторые ограничения или работать неправильно, что является причиной проблемы. В таком случае вам придется использовать альтернативное соединение, например, WiFi или мобильную точку доступа, чтобы узнать, сможете ли вы подключиться к VPN.

Источник

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Available Languages

Download Options

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Objective

The objective of this document is to show you basic troubleshooting steps on some common errors on the Cisco AnyConnect Secure Mobility Client. When installing the Cisco AnyConnect Secure Mobility Client, errors may occur and troubleshooting may be needed for a successful setup.

Note that the errors discussed in this document is not an exhaustive list and varies with the configuration of the device used.

For additional information on AnyConnect licensing on the RV340 series routers, check out the article AnyConnect Licensing for the RV340 Series Routers.

Software Version

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Note: Before attempting to troubleshoot, it is recommended to gather some important information first about your system that might be needed during the troubleshooting process. To learn how, click here.

1. Problem: Network Access Manager fails to recognize your wired adapter.

Solution: Try unplugging your network cable and reinserting it. If this does not work, you may have a link issue. The Network Access Manager may not be able to determine the correct link state of your adapter. Check the Connection Properties of your Network Interface Card (NIC) driver. You may have a «Wait for Link» option in the Advanced Panel. When the setting is On, the wired NIC driver initialization code waits for auto negotiation to complete and then determines if a link is present.

2. Problem: When AnyConnect attempts to establish a connection, it authenticates successfully and builds the Secure Socket Layer (SSL)session, but then the AnyConnect client crashes in the vpndownloader if using Label-Switched Path (LSP) or NOD32 Antivirus.

Solution: Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32 AV.

3. Problem: If you are using an AT&T Dialer, the client operating system sometimes experiences a blue screen, which causes the creation of a mini dump file.

Solution: Upgrade to the latest 7.6.2 AT&T Global Network Client.

4. Problem: When using McAfee Firewall 5, a User Datagram Protocol (UDP)Datagram Transport Layer Security (DTLS) connection cannot be established.

Solution: In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

5. Problem: The connection fails due to lack of credentials.

Solution: The third-party load balancer has no insight into the load on the Adaptive Security Appliance (ASA) devices. Because the load balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices, using the internal ASA load balancing instead is recommended.

6. Problem: The AnyConnect client fails to download and produces the following error message:

Solution: Upload the patch update to version 1.2.1.38 to resolve all dll issues.

7. Problem: If you are using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify the IP forwarding table.

Solution: Disable the Bonjour Printing Service by typing net stop “bonjour service” at the command prompt. A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web site.

8. Problem: An error indicates that the version of TUN or network tunnel is already installed on this system and is incompatible with the AnyConnect client.

Solution: Uninstall the Viscosity OpenVPN Client.

9. Problem: If a Label-Switched Path (LSP) module is present on the client, a Winsock catalog conflict may occur.

Solution: Uninstall the LSP module.

10. Problem: If you are connecting with a Digital Subscriber Line (DSL) router, DTLS traffic may fail even if successfully negotiated.

Solution: Connect to a Linksys router with factory settings. This setting allows a stable DTLS session and no interruption in pings. Add a rule to allow DTLS return traffic.

11. Problem: When using AnyConnect on some Virtual Machine Network Service devices, performance issues have resulted.

Solution: Uncheck the binding for all IM devices within the AnyConnect virtual adapter. The application dsagent.exe resides in C:WindowsSystemdgagent. Although it does not appear in the process list, you can see it by opening sockets with TCPview (sysinternals). When you terminate this process, normal operation of AnyConnect returns.

12. Problem: You receive an “Unable to Proceed, Cannot Connect to the VPN Service” message. The VPN service for AnyConnect is not running.

Solution: Determine if another application conflicted with the service by going to the Windows Administration Tools then make sure that the Cisco AnyConnect VPN Agent is not running. If it is running and the error message still appears, another VPN application on the workstation may need to be disabled or even uninstalled. After taking that action, reboot, and repeat this step.

13. Problem: When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right after CSTP state = CONNECTED. The following message appears:

Solution: Uninstall Kaspersky and refer to their forums for additional updates.

14. Problem: If you are using Routing and Remote Access Service (RRAS), the following termination error is returned to the event log when AnyConnect attempts to establish a connection to the host device:

Solution: Disable the RRAS service.

15. Problem: If you are using a EVDO wireless card and Venturi driver while a client disconnect occurred, the event log reports the following:

Solutions:

• Check the Application, System, and AnyConnect event logs for a relating disconnect event and determine if a NIC card reset was applied at the same time.
• Ensure that the Venturi driver is up to date. Disable Use Rules Engine in the 6.7 version of the AT&T Communications Manager.

If you encounter other errors, contact the support center for your device.

For further information and community discussion on AnyConnect licensing updates, click here.

Источник

AnyConnect VPN Client Troubleshooting Guide — Common Problems

Available Languages

Download Options

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

Installation and Virtual Adapter Issues

Complete these steps:

Obtain the device log file:

Windows XP / Windows 2000:

Note: Hidden folders must be made visible in order to see these files.

If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

Obtain the MSI installer log file:

If this is an initial web deploy install, this log is located in the per-user temp directory.

Windows XP / Windows 2000:

If this is an automatic upgrade, this log is in the temp directory of the system:

The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

Obtain the PC system information file:

From a Command Prompt/DOS box, type this:

Windows XP / Windows 2000:

Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

Obtain a systeminfo file dump from a Command Prompt:

Windows XP and Windows Vista:

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

From the console of the ASA, type show running-config . Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

The ASA event logs:

In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.

In order to disable logging, issue no logging enable .

The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:

Choose Start > Run.

Right-click the Cisco AnyConnect VPN Client log, and select Save Log File as AnyConnect.evt.

Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available .

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator .

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets . This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

Obtain the output of the show vpn-sessiondb detail svc filter name ASA command from the console. If the output shows Filter Name: XXXXX , then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.

Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).

Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:

Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.

For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by AnyConnct client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.

AnyConnect Crash Issues

Complete these data-gathering steps:

Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:

Choose Start > Run.

Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.

Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.

Create an XML file with the AnyConnect Profile Editor.

Go to the server list tab.

Click Add.

Type the main server on the Hostname field.

Add the backup server below the backup server list on the Host address field. Then, click Add.

Once you have the XML file, you need to assign it to the connection you use on the ASA.

In ASDM, choose Configuration >Remote Access VPN >Network (Client) Access >AnyConnect Connection Profiles.

Select your profile and click Edit.

Click Manage from the Default Group Policy section.

Select your group-policy and click Edit.

Select Advanced and then click SSL VPN Client.

Click New. Then, you need to type a name for the Profile and assign the XML file.

Connect the client to the session in order to download the XML file.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list «C:WINDOWSINFcertclas.inf» was missing or invalid. Error 0xfffffde5: Unknown Error. , assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue .

You can receive this log on the client: «The VPN client driver has encountered an error» .

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Run net stop CryptSvc .

When prompted, choose OK in order to attempt the repair.

Exit the command prompt.

Failed Repair

If the repair fails, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Run net stop CryptSvc .

Rename the %WINDIR%system32catroot2 to catroot2_old directory.

Exit the command prompt.

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

Open a command prompt as an Admimistrator on the PC.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory .

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.

Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.

Add the ASA to their trusted sites.

Copy these files from the ProgramFilesCiscoCiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command prompt:

• vpnapi.dll
• vpncommon.dll
• vpncommoncrypt.dll

Reimage the operating system on the laptop/PC.

The log message related to this error on the AnyConnect client looks similar to this:

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached . I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group User IP Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» .

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

The «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: «Unable to update the session management database» .

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

Disable the threat-detection.

Disable SVC compression.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.

Right-click Properties, then log on, and select Allow service to interact with the desktop.

This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an error. error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Unable to process response from xxx.xxx.xxx.xxx» .

Solution

In order to resolve this error, try these workarounds:

Remove WebVPN from the ASA and reenable it. «Login Denied , unauthorized connection mechanism , contact your administrator» .

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:ProgramDataCiscoCisco AnyConnect VPN ClientAnyConnectLocalPolicy.xml . If this file is not found in this path, then locate the file at a different directory with a path such as C:Documents and SettingsAll UsersApplication DataCisco AnyConnectVPNClientAnyConnectLocalPolicy.xml . Once you locate the xml file, make changes to this file as shown here:

Change the phrase:

true

false

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

«Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.»

Solution

Complete these steps in order to fix this issue:

Remove any anti-virus software.

Disable the Windows firewall.

If neither Step 1 or 2 helps, then format the machine and then install.

If the problem still persists, open a TAC Case.

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

This is the error message received when connecting with AnyConnect for MacOS:

Solution

Complete one of these workarounds in order to resolve this issue:

The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:

Remove the MST translation table.

Configure the AnyConnect image for MacOS in the ASA.

From the ASDM, follow the Network (Client) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Setting.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

Solution

In order to resolve this error, use this:

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)

No clientless SSL VPN

Optional Windows Mobile Support

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

Note: If there is an existing entry for the Public IP address of the server such as , then remove it and retain only the FQDN of the server (for example, but not ).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

Reduce the number of entries in the split-tunnel list.

Use this configuration in order to disable DTLS:

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Error: «The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Solution

Windows 8.1 does not support RC4 according to the following KB update:

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

Источник

Step-by-Step to fix Cisco Anyconnect Authentication failed errors

• Takes long time for AnyConnect client to complete VPN Login.
• Cisco anyconnect login failed
• Cisco AnyConnect takes long time to initiate connection and Authentication failed.
• Unable to Proceed, Cannot Connect to the VPN Service.
• VPN Client Driver Encounters Errors after a Microsoft Windows Update.
• Your environment does not meet the access criteria defined by your administrator
• cisco anyconnect login failed

Table Of Contents

• 1 Method 1 : Step-by-Step to fix VPN Authentication failed Error.
• 2 Method 2 : Step-by-Step to fix Cisco Anyconnet VPN Authentication
• 3 Method 3 : Download the Latest Cisco anyconnect secure mobility client
• 4 Why Cisco anyconnect login failed
• 5 Why cisco anyconnect vpn service not available ?

Method 1 : Step-by-Step to fix VPN Authentication failed Error.

Follow the below steps in your Windows 10 computer

Step 1
In the search field, type in Command Prompt, or just CMD.
Right click the top result, and select Run as Administrator.
Step 2
Enter net stop CryptSvc.
Step 3
Analyze the database to verify its validity by entering

esentutl /g %systemroot%System32catroot2{F750E6C3—38EE—11D1—85E5—00C04FC295EE}catdb

Step 4
When prompted, choose OK to attempt the repair. Exit the command prompt and reboot the computer.

Method 2 : Step-by-Step to fix Cisco Anyconnet VPN Authentication

Step 1
In the search field, type in Command Prompt, or just CMD.
Right click the top result, and select Run as Administrator.
Step 2
Enter net stop CryptSvc.
Step 3
Rename the following directory:

rename %/WINDIR%system32catroot2 to catroot2_old

Step 4
Exit the command prompt and reboot the computer.

Method 3 : Download the Latest Cisco anyconnect secure mobility client

Cisco anyconnect for windows download and Cisco anyconnect secure mobility client mac Click here

Steps to install Cisco anyconnect secure mobility client on Windows and Mac

Extract the zip file and click on Setup.exe

Select the list of services required that your corporate network supports

Please note : Do not install all services as this may not require and will cause lot of problem in connecting to vpn

After selecting the required services click installed services.

Latest version Cisco anyconnect secure mobility client will be installed

Note : When upgrading to version Cisco anyconnect secure mobility client, old version will be removed automatically no need to do manual uninstallation

Why Cisco anyconnect login failed

Check for Windows update, if any patches waiting for update or reboot, apply and reboot.
If the computer was in sleep mode or Hibernation mode, Reboot your computer.
Open Task manager, go to Details tab> search for vpngui.exe, end task.
Connect your laptop to Mobile hotspot and try connecting to Cisco anyconnect.

Above Steps will resolve Cisco anyconnect login failed Problem.

Why cisco anyconnect vpn service not available ?

In Windows 10 search type in Task Manager, open the app, then Go to Details scroll down to look for vpnui.exe , select and click on End task.
Scroll down look for vpnagent.exe, select and click on End task

In Windows 10 Search type in services, open the app, scroll down and look for
Cisco AnyConnect Secure Mobility Agent for Windows check services are running or not, if not start the service
Cisco Secure Operations Check services are running or not, if not start the service

You Might Also like To Know….