Unable to Connect Ot Due to Network Issues Please Try Again Later Privatetunnel

This document describes a troubleshooting scenario which applies to applications that do non work through the Cisco AnyConnect VPN Client.

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version eight.x.

The information in this document was created from the devices in a specific lab surround. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you empathize the potential impact of any command.

This typical troubleshooting scenario applies to applications that do not piece of work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

• Installation and Virtual Adapter Bug
• Disconnection or Inability to Plant Initial Connectedness
• Problems with Passing Traffic
• AnyConnect Crash Issues
• Fragmentation / Passing Traffic Issues

Installation and Virtual Adapter Issues

Complete these steps:

1. Obtain the device log file:
   • Windows XP / Windows 2000:

                       \Windows\setupapi.log                

   • Windows Vista:

     Note: Hidden folders must be made visible in order to come across these files.

                       \Windows\Inf\setupapi.app.log
                         \Windows\Inf\setupapi.dev.log                

   If you see errors in the setupapi log file, yous can plow upwards verbosity to 0x2000FFFF.

2. Obtain the MSI installer log file:

   If this is an initial web deploy install, this log is located in the per-user temp directory.

   • Windows XP / Windows 2000:

                       \Documents and Settings\<username>\Local Settings\Temp\                

   • Windows Vista:

                       \Users\<username>\AppData\Local\Temp\                

   If this is an automatic upgrade, this log is in the temp directory of the system:

                 \Windows\Temp            

   The filename is in this format: anyconnect-win-x.10.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most contempo file for the version of the client y'all want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

3. Obtain the PC system data file:
   1. From a Command Prompt/DOS box, type this:
      • Windows XP / Windows 2000:

                              winmsd /nfo c:\msinfo.nfo                    

      • Windows Vista:

                              msinfo32 /nfo c:\msinfo.nfo                    

      Note: Later you type into this prompt, expect. It tin have between two to five minutes for the file to consummate.

   2. Obtain a systeminfo file dump from a Command Prompt:

      Windows XP and Windows Vista:

                        systeminfo c:\sysinfo.txt                

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the commuter issue.

Disconnection or Inability to Found Initial Connectedness

If y'all experience connection problems with the AnyConnect client, such equally disconnections or the inability to establish an initial connection, obtain these files:

• The configuration file from the ASA in society to determine if anything in the configuration causes the connection failure:

  From the console of the ASA, blazon write net 10.x.x.x:ASA-Config.txt where 10.x.ten.x is the IP address of a TFTP server on the network.

  OR

  From the panel of the ASA, type show running-config . Let the configuration complete on the screen, and so cut-and-paste to a text editor and salvage.

• The ASA upshot logs:
  1. In club to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

                       config terminal
     logging enable
     logging timestamp
     logging class auth console debugging
     logging class webvpn panel debugging
     logging course ssl console debugging
     logging course svc console debugging                

  2. Originate an AnyConnect session and ensure that the failure tin be reproduced. Capture the logging output from the panel to a text editor and salve.
  3. In club to disable logging, issue no logging enable .
• The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
  1. Choose Start > Run.
  2. Enter:

     eventvwr.msc /due south

  3. Right-click the Cisco AnyConnect VPN Client log, and select Relieve Log File every bit AnyConnect.evt.

     Note: Always save information technology every bit the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the consequence might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connectedness will not be established mistake message error on the client PC. In guild to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that really allows a user to establish a VPN connection while multiple users are logged on simultaneously on the aforementioned machine. Enhancement asking CSCsx15061 was filed to address this feature.

Annotation: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the result might exist caused by an incompatibility between the AnyConnect client version and the ASA software epitome version. In this instance, the user receives this fault message: The installer was not able to get-go the Cisco VPN client, clientless admission is non available .

In club to resolve this issue, upgrade the AnyConnect client version to exist compatible with the ASA software image.

When you log in the start fourth dimension to the AnyConnect, the login script does non run. If you disconnect and log in over again, so the login script runs fine. This is the expected behavior.

When you lot connect the AnyConnect VPN Client to the ASA, you might receive this fault: User not authorized for AnyConnect Client access, contact your ambassador .

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any problems to the ASA.

This mistake tin can exist resolved past disabling Datagram Transport Layer Security (DTLS). Get to Configuration > Remote Access VPN > Network (Client) Admission > AnyConnect Connexion Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files prove this error bulletin when the user gets asunder: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to reply to Dead Peer Detection packets . This error means that the DTLS channel was torn due to Expressionless Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

          webvpn
            svc keepalive 30
            svc dpd-interval customer 80
            svc dpd-interval gateway eighty        

The svc keepalive and svc dpd-interval commands are replaced past the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version eight.4(one) and later equally shown here:

          webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval customer 5
anyconnect dpd-interval gateway 5        

Bug with Passing Traffic

When bug are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

1. Obtain the output of the show vpn-sessiondb detail svc filter proper name <username> ASA command from the console. If the output shows Filter Proper name: XXXXX , so get together the output for show access-listing XXXXX. Verify that the access-listing XXXXX does not block the intended traffic menses.
2. Consign the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
3. Check the ASA configuration file for nat statements. If Network Accost Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:

   access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
   ip local pool IPPool1 ten.136.246.one-10.136.246.254 mask 255.252.0.0
   nat (within) 0 access-list in_nat0_out

4. Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of final resort for non-decrypted traffic.

   Example:

                                 !--- Route outside 0 0 is an incorrect statement.                            
   route exterior 0 0 10.145.l.1
   route within 0 0 x.0.iv.2              tunneled            

   For instance, if the VPN Client needs to access a resources which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in club to resolve this. The tunneled keyword tin be used in this instance.

5. Verify if the AnyConnect traffic is dropped past the inspection policy of the ASA. You could exempt the specific awarding that is used by AnyConnct client if y'all implement the Modular Policy Framework of Cisco ASA. For instance, y'all could exempt the skinny protocol with these commands.

   ASA(config)#              policy-map global_policy              
   ASA(config-pmap)#              grade inspection_default              
   ASA(config-pmap-c)#              no inspect skinny            

AnyConnect Crash Issues

Complete these data-gathering steps:

1. Ensure that the Microsoft Utility Dr Watson is enabled. In guild to practise this, cull Get-go > Run, and run Drwtsn32.exe. Configure this and click OK:

   Number of Instructions      : 25
   Number of Errors To Relieve    : 25
   Crash Dump Type             :  Mini
   Dump Symbol Table           : Checked
   Dump All Thread Contexts    : Checked
   Suspend To Existing Log File : Checked
   Visual Notification         : Checked
   Create Crash Dump File      : Checked

   When the crash occurs, gather the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, then employ ntbackup.exe.

2. Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
   1. Choose Outset > Run.
   2. Enter:

                        eventvwr.msc /s                

   3. Right-click the Cisco AnyConnect VPN Customer log, and select Salvage Log File Equally AnyConnect.evt.

      Annotation: E'er save it equally the .evt file format.

Fragmentation / Passing Traffic Bug

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such equally small pings.

This can provide clues equally to a fragmentation issue in the network. Consumer routers are specially poor at packet fragmentation and reassembly.

Try a scaling set of pings in gild to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -50 2000.

It is recommended that you configure a special grouping for users that feel fragmentation, and set the SVC Maximum Transition Unit (MTU) for this grouping to 1200. This allows you to remediate users who feel this issue, only not bear on the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

          ASA(config)#group-policy <name> attributes
          webvpn
          svc mtu 1200

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself in one case the connection terminates. The client logs show that keep installed is fix to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In guild to resolve this result, configure the svc continue-installer installed command under group-policy.

Upshot Populating the Cluster FQDN

Trouble: AnyConnect customer is pre-populated with the hostname instead of the cluster Fully Qualified Domain Proper noun (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the asking is redirected to the node ASA and the client logs in successfully. After some time, when the customer tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host proper name to which it terminal connected. This behavior is observed and a bug has been filed. For complete details well-nigh the issues, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Fill-in Server List Configuration

A backup server list is configured in case the main server selected by the user is non reachable. This is defined in the Backup Server pane in the AnyConnect contour. Complete these steps:

1. Download the AnyConnect Profile Editor (registered customers only) . The file proper noun is AnyConnectProfileEditor2_4_1.jar.
2. Create an XML file with the AnyConnect Profile Editor.
   1. Get to the server listing tab.
   2. Click Add.
   3. Blazon the main server on the Hostname field.
   4. Add together the backup server below the backup server list on the Host address field. Then, click Add.
3. Once you have the XML file, you demand to assign it to the connexion you utilize on the ASA.
   1. In ASDM, choose Configuration > Remote Access VPN > Network (Customer) Access > AnyConnect Connection Profiles.
   2. Select your profile and click Edit.
   3. Click Manage from the Default Group Policy section.
   4. Select your group-policy and click Edit.
   5. Select Avant-garde and then click SSL VPN Customer.
   6. Click New. Then, you need to type a name for the Profile and assign the XML file.
4. Connect the customer to the session in gild to download the XML file.

This entry in the SetupAPI.log file suggests that the catalog arrangement is corrupt:

W239 commuter signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., bold all device classes are subject field to driver signing policy.

Yous can also receive this fault message: Mistake(iii/17): Unable to offset VA, setup shared queue, or VA gave upwards shared queue .

Yous can receive this log on the client: "The VPN client driver has encountered an error" .

Repair

This consequence is due to Cisco bug ID CSCsm54689. In order to resolve this upshot, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the upshot, complete these steps:

1. Open a command prompt equally an Administrator on the PC (elevated prompt on Vista).
2. Run net finish CryptSvc .
3. Run:

   esentutl /p%systemroot%\System32\catroot2\
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

4. When prompted, choose OK in lodge to try the repair.
5. Exit the command prompt.
6. Reboot.

Failed Repair

If the repair fails, consummate these steps:

1. Open up a command prompt as an Ambassador on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc .
3. Rename the %WINDIR%\system32\catroot2 to catroot2_old directory.
4. Exit the control prompt.
5. Reboot.

Analyze the Database

You tin analyze the database at any time in order to make up one's mind if information technology is valid.

1. Open a command prompt equally an Admimistrator on the PC.
2. Run:

   esentutl /thou%systemroot%\System32\catroot2\
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

   Refer to System Catalog Database Integrity for more than information.

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. mistake message appears, and the ASA logs prove %ASA-3-211001: Memory allotment Error. The adaptive security appliance failed to allocate RAM system memory .

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In club to resolve this outcome, reload the ASA or upgrade the ASA software to the acting release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more than data.

Solution 2

This issue tin besides be resolved if you disable threat-detection on ASA if threat-detection is used.

Fault: "Module c:\Programme Files\Cisco\Cisco AnyConnect VPN Customer\vpnapi.dll failed to annals"

When you use the AnyConnect customer on laptops or PCs, an fault occurs during the install:

"Module C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed
to register..."

When this error is encountered, the installer cannot move frontwards and the client is removed.

Solution

These are the possible workarounds to resolve this error:

• The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. Information technology is a registry problem with the 2000 computer.
• Remove the VMware applications. One time AnyConnect is installed, VMware applications tin can be added dorsum to the PC.
• Add the ASA to their trusted sites.
• Copy these files from the \ProgramFiles\Cisco\CiscoAnyconnect folder to a new binder and run the regsvr32 vpnapi.dll command prompt:
  • vpnapi.dll
  • vpncommon.dll
  • vpncommoncrypt.dll
• Reimage the operating system on the laptop/PC.

The log bulletin related to this error on the AnyConnect client looks like to this:

DEBUG: Mistake 2911:  Could not remove the folderC:\Plan Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this parcel. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:\Plan Files\Cisco\Cisco AnyConnect VPN Customer\, ,
DEBUG: Mistake 2911:  Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error lawmaking is 2911. The arguments are:
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
Info 1721. There is a trouble with this Windows Installer bundle. A program required for
this install to consummate could not exist run. Contact your support personnel or package
vendor. Action: InstallHelper.exe, location: C:\Programme Files\Cisco\Cisco AnyConnect VPN
Customer\InstallHelper.exe, control: -acl "C:\Documents and Settings\All Users\Application
Data\Cisco\Cisco AnyConnect VPN Client\\" -r

Error: "An mistake was received from the secure gateway in response to the VPN negotiation request. Delight contact your network administrator"

When clients endeavour to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This bulletin was received from the secure gateway:

"Illegal accost class" or "Host or network is 0" or "Other mistake"

Solution

The issue occurs considering of the ASA local IP pool depletion. As the VPN pool resource is wearied, the IP puddle range must exist enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This fault usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and utilize a 24-bit subnet mask for the puddle.

Mistake: Session could not exist established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Customer, y'all receive the Login Failed error bulletin on the Client and a alarm message in the ASA logs that states Session could not be established. Session limit of ii reached . I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You lot need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user volition receive the login failed mistake bulletin.

Solution 2

This error tin besides occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as 2, then the user cannot establish more than 2 sessions even though the license installed supports more than sessions. Set up the session-limit to the number of VPN sessions required in order to avoid this fault bulletin.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

Yous receive the Anyconnect not enabled on VPN server error message when you endeavor to connect AnyConnect to the ASA.

Solution

This mistake is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the exterior interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.ten.x.x Transmitting big packet 1220 (threshold 1206)

The %ASA-6-722036: Group < customer-group > User < xxxx > IP < x.x.x.10> Transmitting large packet 1220 (threshold 1206) mistake bulletin appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the customer. The source of the packet is not aware of the MTU of the client. This can likewise be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the consequence.

Fault: The secure gateway has rejected the agent'southward vpn connect or reconnect request.

When y'all connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent'south vpn connect or reconnect asking. A new connectedness requires re-authentication and must exist started manually. Please contact your network administrator if this problem persists. The post-obit bulletin was received from the secure gateway: no assigned accost" .

This error is also received when y'all connect to the AnyConnect Customer: "The secure gateway has rejected the connexion endeavour. A new connection endeavor to the same or another secure gateway is needed, which requires re-authentication. The post-obit bulletin was received from the secure gateway:Host or network is 0" .

This mistake is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network ambassador if the problem persists. The following message was received from the secure gateway: No License" .

Solution

The router was missing pool configuration after reload. Yous need to add together the concerned configuration dorsum to the router.

Router#prove run | in puddle
                    
ip local pool SSLPOOL 192.168.thirty.ii 192.168.30.254
          svc address-pool SSLPOO

The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-hallmark and must be started manually. Please contact the network ambassador if the trouble persists. The post-obit message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. In one case the license is installed, the issue is resolved.

Error: "Unable to update the session management database"

When you lot try to authenticate in WebPortal, this mistake bulletin is received: "Unable to update the session management database" .

Solution

This problem is related to memory allotment on the ASA. This issue is mostly encountered when the ASA Version is 8.2.one. Originally, this requires a 512MB RAM for its complete functionality.

Equally a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, attempt to free the retention with these steps:

1. Disable the threat-detection.
2. Disable SVC compression.
3. Reload the ASA.

Error: "The VPN client driver has encountered an error"

This is an error message obtained on the client machine when you effort to connect to AnyConnect.

Solution

In order to resolve this error, consummate this procedure in lodge to manually prepare the AnyConnect VPN amanuensis to Interactive:

1. Correct-click My Calculator > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
2. Right-click Backdrop, then log on, and select Allow service to interact with the desktop.

   This sets the registry Blazon value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINE\Organization\CurrentControlSet\Services\vpnagent.

   Note: If this is to be used, then the preference would exist to use the .MST transform in this instance. This is considering if you prepare this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to place the application that causes this problem.

   When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an fault. error bulletin. In order to resolve this event, brand sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco issues ID CSCsm54689 for more information.

Error: "Unable to process response from xxx.xxx.xxx.xxx"

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.30.thirty" .

Solution

In lodge to resolve this error, attempt these workarounds:

• Remove WebVPN from the ASA and reenable it.<
• Change the port number to 444 from the existing 443 and reenable information technology on 443.

For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

Error: "Login Denied , unauthorized connectedness mechanism , contact your administrator"

AnyConnect clients fail to connect to a Cisco ASA. The mistake in the AnyConnect window is "Login Denied , unauthorized connectedness mechanism , contact your administrator" .

Solution

This fault message occurs mostly considering of configuration issues that are improper or an incomplete configuration. Check the configuration and brand certain it is as required to resolve the consequence.

<

Error: "Anyconnect parcel unavailable or corrupted. Contact your system ambassador"

This error occurs when yous try to launch the AnyConnect software from a Macintosh customer in order to connect to an ASA.

Solution

In order to resolve this, complete these steps:

1. Upload the Macintosh AnyConnect bundle to the wink of the ASA.
2. Modify the WebVPN configuration in gild to specify the AnyConnect package that is used.

   webvpn
                 svc image disk0:/anyconnect-macosx-i386-2.three.2016-k9.pkg two
                 svc image disk0:/anyconnect-macosx-powerpc-ii.three.2016-k9.pkg three

   The svc paradigm control is replaced by the anyconnect prototype command in ASA Version 8.4(ane) and afterwards as shown here:

   hostname(config)#webvpn              
   hostname(config-webvpn)#anyconnect image disk0:/                
   anyconnect-win-iii.0.0527-k9.pkg 1
                 
   hostname(config-webvpn)#anyconnect image disk0:/                
   anyconnect-macosx-i386-three.0.0414-k9.pkg 2
               

Error: "The AnyConnect package on the secure gateway could not be located"

This error is caused on the user'southward Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the consummate error:

          "The AnyConnect package on the secure gateway could not be located. You may
be experiencing network connectivity issues. Please try connecting once again."        

Solution

In order to resolve this error bulletin, verify whether the Operating System (OS) that is used on the client car is supported by the AnyConnect client.

If the Bone is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. Encounter the Anyconnect package unavailable or corrupted section of this document for more information.

Mistake: "Secure VPN via remote desktop is not supported"

Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is non supported error message appears.

Solution

This effect is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Customer, it can resolve the issue. Refer to these bugs for more than information.

Mistake: "The server certificate received or its concatenation does not comply with FIPS. A VPN connection will non be established"

When yous attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connexion will not exist established error message appears.

Solution

In order to resolve this error, y'all must disable the Federal Data Processing Standards (FIPS) in the AnyConnect Local Policy file. This file tin usually be plant at C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\AnyConnectLocalPolicy.xml . If this file is non found in this path, then locate the file at a different directory with a path such as C:\Documents and Settings\All Users\Awarding Data\Cisco AnyConnectVPNClient\AnyConnectLocalPolicy.xml . In one case you lot locate the xml file, brand changes to this file as shown hither:

Alter the phrase:

<FipsMode>truthful</FipsMode>

To:

<FipsMode>simulated</FipsMode>

And then, restart the computer. Users must accept administrative permissions in order to change this file.

Fault: "Certificate Validation Failure"

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for document hallmark to work, you lot must import the client certificate to your browser and modify the connection profile in order to use certificate authentication. You likewise need to enable this control on your ASA in order to allow SSL customer-certificates to be used on the outside interface:

ssl document-authentication interface outside port 443

Error: "VPN Amanuensis Service has encountered a problem and needs to close. Nosotros are sorry for the inconvenience"

When AnyConnect Version two.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This beliefs is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: "This installation package could not exist opened. Verify that the package exists"

When AnyConnect is downloaded, this fault message is received:

"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the bundle exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer packet."

Solution

Complete these steps in order to fix this issue:

1. Remove any anti-virus software.
2. Disable the Windows firewall.
3. If neither Pace 1 or 2 helps, then format the automobile and and so install.
4. If the trouble however persists, open a TAC Case.

Mistake: "Error applying transforms. Verify that the specified transform paths are valid."

This error message is recieved during the auto-download of AnyConnect from the ASA:

          "Contact your arrangement administrator. The installer failed with the following error:
Error applying transforms. Verify that the specified transform paths are valid."        

This is the fault bulletin received when connecting with AnyConnect for MacOS:

          "The AnyConnect bundle on the secure gateway could not be located. You lot may be
experiencing network connectivity issues. Please endeavor connecting again."        

Solution

Consummate one of these workarounds in gild to resolve this issue:

1. The root cause of this fault might be due to a corrupted MST translation file (for instance, imported). Perform these steps to fix this:
   1. Remove the MST translation table.
   2. Configure the AnyConnect image for MacOS in the ASA.
2. From the ASDM, follow the Network (Customer) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make certain the packet remains in Network (Client) Access > Avant-garde > SSL VPN > Client Setting.

If neither of these workarounds resolve the outcome, contact Cisco Technical Support.

Error: "The VPN client commuter has encountered an error"

This error is received:

          The VPN client driver has encountered an error when connecting through Cisco
AnyConnect Client.        

Solution

This issue tin can be resolved when you uninstall the AnyConnect Client, then remove the anti-virus software. Later this, reinstall the AnyConnect Client. If this resolution does not work, and then reformat the PC in gild to ready this outcome.

Error: "A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored."

This error is received when you endeavour to launch AnyConnect:

          "A VPN reconnect resulted in unlike configuration setting. The VPN network
setting is existence re-initialized. Applications utilizing the private network may
demand to be restarted."        

Solution

In order to resolve this error, utilize this:

group-policy <Name> attributes
          webvpn
          svc mtu 1200

The svc mtu control is replaced by the anyconnect mtu command in ASA Version 8.4(i) and later on as shown here:

hostname(config)#group-policy <Proper name> attributes
                    
hostname(config-group-policy)#webvpn          
hostname(config-group-webvpn)#anyconnect mtu 500          
        

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

The VPN connection is not immune via a local proxy. This can be changed
through AnyConnect profile settings.

Solution

The consequence tin be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

<ProxySettings>IgnoreProxy</ProxySettings><
AllowLocalProxyConnections>
fake</AllowLocalProxyConnections>

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN bug for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco issues ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Mistake: AnyConnect Essentials can non be enabled until all these sessions are airtight.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

          There are currently ii clientless SSL VPN sessions in progress. AnyConnect
Essentials can not be enabled until all these sessions are closed.        

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the total AnyConnect capability, with these exceptions:

• No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Windows Mobile Support

This license cannot exist used at the same time every bit the shared SSL VPN premium license. When yous need to use one license, you need to disable the other.

Error: Connection tab on Internet pick of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Net option of Cyberspace Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you lot enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the characteristic, it leaves the display of the Connections tab unchanged.

Fault: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Mistake bulletin when others tin connect successfully through the AnyConnect VPN.

Solution

This issue tin can be resolved if you brand sure the practise not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not friction match with the proper noun of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the contour update stage. The error message is shown here:

          The certificate yous are viewing does not match with the name of the site
you are trying to view.        

Solution

This can exist resolved if y'all modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

<ServerList>
            <HostEntry>
          
            <HostName>vpn1.ccsd.net</HostName>
          
            </HostEntry>
          
</ServerList>
        

Note: If there is an existing entry for the Public IP accost of the server such equally <HostAddress> , then remove it and retain only the FQDN of the server (for example, <HostName> just not <Host Accost> ).

Cannot Launch AnyConnect From the CSD Vault From a Windows vii Motorcar

When the AnyConnect is launched from the CSD vault, it does non work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Become Replicated to the Standby After Failover

The AnyConnect iii.0 VPN customer with ASA Version 8.4.1 software works fine. Even so, later failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco issues ID CSCtn71662. The temporary workaround is to manually re-create the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect result log contains entries similar to these:

Clarification : Function:
CAdapterNetworkStateIfc::SetConnectedStateToConnected
File: .\AdapterNetworkStateIfc.cpp
Line: 147
Invoked Function: InternetSetOption
Return Code: 12010 (0x00002EEA)
Clarification: The length is incorrect for the option blazon
Description : Part: CTransportWinHttp::InitTransport
File: .\CTransportWinHttp.cpp
Line: 252
Invoked Part: CConnectedStateIfc::SetConnectedStateToConnected
Return Code: -25362420 (0xFE7D000C)
Clarification: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION
        

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear subsequently relaunch.

Fault Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connexion error bulletin is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER mistake is found.

Solution

This occurs when the headend is configured for split-tunneling with a very big split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In guild to resolve this event, complete these steps:

1. Reduce the number of entries in the split-tunnel list.
2. Use this configuration in society to disable DTLS:

   group-policy groupName attributes
                 webvpn
                 svc dtls none

For more data, refer to Cisco bug ID CSCtc41770.

Mistake Message: "Connection attempt has failed due to invalid host entry"

The Connection attempt has failed due to invalid host entry fault bulletin is received while AnyConnect is authenticated with the employ of a certificate.

Solution

In social club to resolve this outcome, try either of these possible solutions:

• Upgrade the AnyConnect to Version iii.0.
• Disable Cisco Secure Desktop on your computer.

For more than information, refer to Cisco bug ID CSCti73316.

Error: "Ensure your server certificates tin pass strict mode if you configure always-on VPN"

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if y'all configure always-on VPN mistake bulletin is received.

Solution

This error message implies that if you want to employ the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this characteristic does not work. Strict Cert Mode is an pick that you set up in the AnyConnect local policy file in order to ensure the connections utilise a valid certificate. If you enable this choice in the policy file and connect with a bogus certificate, the connection fails.

Mistake: "An internal error occurred in the Microsoft Windows HTTP Services"

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

******************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Fault
Source      : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1170
            Invoked Function: HttpSendRequest            
Return Code: 12004 (0x00002EE4)
Description:            An internal fault occurred in the Microsoft              
Windows HTTP Services            
*****************************************
Date        : 03/25/2014
Time        : 09:52:21
Blazon        : Error
Source      : acvpnui
          
Description : Function: ConnectIfc::connect
File: .\ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Render Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
Appointment        : 03/25/2014
Fourth dimension        : 09:52:21
Type        : Error
Source      : acvpnui
          
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 2999
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
            Connection attempt failed.  Please effort over again.          
          
******************************************
        

Also, refer to the event viewer logs on the Windows motorcar.

Solution

This could be caused due to a corrupted Winsock connexion. Reset the connexion from the command promt with this command and restart your windows machine:

netsh winsock reset

Refer to the How to determine and to recover from Winsock2 abuse in Windows Server 2003, in Windows XP, and in Windows Vista cognition base article for more information.

Error: "The SSL send received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway."

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed endeavor:

******************************************
Engagement        : 10/27/2014
Fourth dimension        : xvi:29:09
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::handleRequestError
File: .\CTransportWinHttp.cpp
Line: 854
The SSL transport received a Secure Aqueduct Failure.  May exist a result of a unsupported crypto configuration on the Secure Gateway.
          
******************************************
Appointment        : 10/27/2014
Time        : 16:29:09
Blazon        : Error
Source      : acvpnui
          
Clarification : Role: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Clarification: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
          
******************************************
Engagement        : 10/27/2014
Time        : sixteen:29:09
Type        : Error
Source      : acvpnui
          
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 3026
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
Connection attempt failed.  Please try again.
******************************************
        

Solution

Windows 8.1 does non support RC4 according to the following KB update:

http://support2.microsoft.com/kb/2868725

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1" OR edit the Windows Registry file on the client machine as mentioned below:

https://technet.microsoft.com/en-u.s.a./library/dn303404.aspx

• Cisco ASA 5500 Series Adaptive Security Appliances
• AnyConnect VPN Client FAQ
• Cisco Secure Desktop (CSD) FAQ
• Cisco AnyConnect VPN Customer
• Technical Back up & Documentation - Cisco Systems

salierlecought.blogspot.com

Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212972-anyconnect-vpn-client-troubleshooting-gu.html

Share this post