AnyConnect VPN Client Troubleshooting Guide - Common Problems
This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:
- Installation and Virtual Adapter Issues
- Disconnection or Inability to Establish Initial Connection
- Issues with Passing Traffic
- AnyConnect Crash Issues
- Fragmentation / Passing Traffic Issues
Installation and Virtual Adapter Issues
Complete these steps:
- Obtain the device log file:
Windows XP / Windows 2000:
\Windows\setupapi.log
Windows Vista:
Note: Hidden folders must be made visible in order to see these files.
\Windows\Inf\setupapi.app.log
\Windows\Inf\setupapi.dev.log
If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF (the LogLevel DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup), then reproduce the install so the verbose entries are captured.
- Obtain the MSI installer log file:
If this is an initial web deploy install, this log is located in the per-user temp directory.
Windows XP / Windows 2000:
\Documents and Settings\<username>\Local Settings\Temp\
Windows Vista:
\Users\<username>\AppData\Local\Temp\
If this is an automatic upgrade, this log is in the temp directory of the system:
\Windows\Temp
The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.
- Obtain the PC system information file:
From a Command Prompt/DOS box, type this:
Windows XP / Windows 2000:
winmsd /nfo c:\msinfo.nfo
Windows Vista:
msinfo32 /nfo c:\msinfo.nfo
Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.
- Obtain a systeminfo file dump from a Command Prompt:
Windows XP and Windows Vista:
systeminfo > c:\sysinfo.txt
Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.
Disconnection or Inability to Establish Initial Connection
If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:
- The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:
From the console of the ASA, type write net x.x.x.x:ASA-Config.txt, where x.x.x.x is the IP address of a TFTP server on the network. Note that TFTP carries the configuration, including password hashes and any pre-shared keys, in the clear, so use it only on a trusted network segment.
OR
From the console of the ASA, type show running-config. Let the configuration complete on the screen, then cut-and-paste to a text editor and save.
- The ASA event logs:
In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:
config term
logging enable
logging timestamp
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging
Initiate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
Console logging at the debugging level slows a busy ASA; where possible, send the same classes to the log buffer (logging buffered debugging, then show logging) or to a syslog server instead.
In order to disable logging, issue no logging enable.
- The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
Choose Start > Run.
Enter eventvwr.msc /s
Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.
Note: Always save it as the .evt file format.
If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user sees this error message on the client PC: "The AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established." In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile; however, currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.
Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA. AnyConnect uses TCP 443 for the SSL tunnel and, when DTLS is enabled, UDP 443 as well; if only UDP 443 is blocked the client still connects but falls back to the SSL tunnel alone.
When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available.
In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.
When you log in the first time to AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.
When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator.
This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any problems to the ASA.
This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS. Disabling DTLS moves all tunnel traffic onto the TCP/TLS channel, which costs throughput and adds latency for real-time traffic, so confirm first that UDP 443 to the ASA is actually blocked or unstable.
The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn down due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands (under the group-policy webvpn attributes):
webvpn
svc keepalive 30
svc dpd-interval client 80
svc dpd-interval gateway 80
The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later, as shown here:
webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5
Issues with Passing Traffic
When issues are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:
- Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
- Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
- Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
- Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.
Example:
!--- Route outside 0 0 is an incorrect statement.
route outside 0 0 10.145.50.1
route inside 0 0 10.0.4.2 tunneled
For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.
- Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by the AnyConnect client if you implement the Modular Policy Framework of the Cisco ASA. For example, you could exempt the Skinny protocol with these commands:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect skinny
Note that this removes Skinny inspection for all traffic that matches the default class, not only for AnyConnect sessions; if the inspection is needed elsewhere, prefer a separate class-map that matches only the VPN pool addresses.
AnyConnect Crash Issues
Complete these data-gathering steps:
- Ensure that the Microsoft utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:
Number of Instructions: 25
Number of Errors To Save: 25
Crash Dump Type: Mini
Dump Symbol Table: Checked
Dump All Thread Contexts: Checked
Append To Existing Log File: Checked
Visual Notification: Checked
Create Crash Dump File: Checked
When the crash occurs, gather the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, then use ntbackup.exe.
- Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
Choose Start > Run.
Enter eventvwr.msc /s
Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.
Note: Always save it as the .evt file format.
Fragmentation / Passing Traffic Issues
Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.
This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.
Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000. Add -f so the Don't Fragment bit is set; otherwise the Windows host fragments the larger pings itself and the test does not show where the path breaks.
It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transmission Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not affect the broader user base.
Problem
TCP connections hang once connected with AnyConnect.
Solution
In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.
ASA(config)#group-policy <name> attributes
webvpn
svc mtu 1200
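The scaling ping test above can be automated, and the result turned into the group-policy fragment that follows. The script below is an added example and is not part of the Cisco document: it runs the document's four probe sizes with the Don't Fragment bit set, binary-searches between the last size that passed and the first that failed, converts the winning payload to a path MTU (IPv4 header plus ICMP header), and renders the svc mtu / anyconnect mtu setting. It assumes IPv4 and the Windows or Linux ping syntax shown in ping_command(); simulated_path() is a constructed stand-in for a real path so the logic runs offline, and the group-policy name AC_FRAG_GP is made up.

```python
"""Path MTU sweep for an AnyConnect tunnel and the matching ASA MTU setting.
Added example, not part of the Cisco document. Assumes IPv4 ICMP echo probes
with the DF bit set. simulated_path() is a constructed path used in place of
a live network; live_prober() runs the real ping described on the page."""
import subprocess
import sys
from typing import Callable, Dict, Optional, Sequence

IPV4_HEADER = 20         # bytes
ICMP_HEADER = 8          # bytes
RECOMMENDED_MTU = 1200   # the value the document recommends for a fragmentation group


def ping_command(target: str, payload: int) -> list:
    """One don't-fragment echo request with the given payload size."""
    if sys.platform.startswith("win"):
        # Windows ping: -f sets DF, -l is payload bytes, -n 1 sends one probe
        return ["ping", "-f", "-l", str(payload), "-n", "1", target]
    # Linux iputils ping: -M do sets DF, -s is payload bytes, -c 1 sends one probe
    return ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "2", target]


def live_prober(target: str) -> Callable[[int], bool]:
    """Prober that really sends pings; a zero exit status means a reply came back."""
    def probe(payload: int) -> bool:
        return subprocess.run(ping_command(target, payload),
                              capture_output=True).returncode == 0
    return probe


def simulated_path(max_payload: int) -> Callable[[int], bool]:
    """Constructed path that drops DF packets whose payload exceeds max_payload."""
    return lambda payload: payload <= max_payload


def coarse_sweep(probe: Callable[[int], bool],
                 sizes: Sequence[int] = (500, 1000, 1500, 2000)) -> Dict[int, bool]:
    """The document's scaling set of pings: which sizes pass and which fail."""
    return {size: probe(size) for size in sizes}


def largest_passing_payload(probe: Callable[[int], bool],
                            sizes: Sequence[int] = (500, 1000, 1500, 2000)) -> int:
    """Coarse sweep first, then a binary search between the largest passing
    size and the smallest larger failing size. Raises if every size fails,
    because that is a connectivity problem rather than fragmentation."""
    results = coarse_sweep(probe, sizes)
    passing = [s for s, ok in results.items() if ok]
    if not passing:
        raise RuntimeError("smallest probe failed; the tunnel is not passing traffic at all")
    low = max(passing)
    larger_failures = [s for s, ok in results.items() if not ok and s > low]
    if not larger_failures:
        return low  # nothing larger failed: the path carries the largest size tried
    high = min(larger_failures)
    while high - low > 1:   # invariant: probe(low) passed, probe(high) failed
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def path_mtu(payload: int) -> int:
    """Largest IPv4 datagram the path carries unfragmented."""
    return payload + IPV4_HEADER + ICMP_HEADER


def recommended_anyconnect_mtu(mtu: int) -> Optional[int]:
    """None when the path carries a full 1500-byte datagram; otherwise the
    1200-byte value the document recommends for the fragmentation group."""
    return None if mtu >= 1500 else RECOMMENDED_MTU


def mtu_config(group_policy: str, mtu: int, pre_84: bool = False) -> str:
    """Group-policy fragment: 'svc mtu' before ASA 8.4(1), 'anyconnect mtu' after."""
    keyword = "svc mtu" if pre_84 else "anyconnect mtu"
    return f"group-policy {group_policy} attributes\n webvpn\n  {keyword} {mtu}"


if __name__ == "__main__":
    # With a target argument the real ping is used; without one, the constructed
    # path (1400-byte MTU, so a 1372-byte payload is the largest that passes).
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = live_prober(target) if target else simulated_path(1372)
    payload = largest_passing_payload(probe)
    mtu = path_mtu(payload)
    print(f"largest passing payload {payload} bytes, path MTU {mtu}")
    rec = recommended_anyconnect_mtu(mtu)
    print(mtu_config("AC_FRAG_GP", rec) if rec else "path carries 1500 bytes; MTU is not the problem")
```

Run it against the real gateway address only from a client that is already connected, since the point is to measure the tunnel path; the ICMP probes themselves are harmless, but the binary search sends a dozen or so packets per run.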
Uninstall Automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.
Solution
AnyConnect uninstalls itself despite the fact that the keep installed option is selected in the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under the group-policy.
Issue Populating the Cluster FQDN
Problem: The AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).
When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client was redirected is seen.
Solution
This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect client to Version 2.5.
Backup Server List Configuration
A backup server list is configured in case the primary server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:
- Download the AnyConnect Profile Editor (registered customers only). The file name is AnyConnectProfileEditor2_4_1.jar.
- Create an XML file with the AnyConnect Profile Editor.
- Go to the server list tab.
- Click Add.
- Type the primary server in the Hostname field.
- Add the backup server beneath the backup server list in the Host address field. Then, click Add.
- Once you have the XML file, you need to assign it to the connection you use on the ASA.
- In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
- Select your profile and click Edit.
- Click Manage from the Default Group Policy section.
- Select your group-policy and click Edit.
- Select Advanced and then click SSL VPN Client.
- Click New. Then, you need to type a name for the Profile and assign the XML file.
- Connect the client to the session in order to download the XML file.
AnyConnect: Corrupt Driver Database Issue
This entry in the SetupAPI.log file suggests that the catalog system is corrupt:
W239 driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.
You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue.
You can receive this log on the client: "The VPN client driver has encountered an error".
Repair
This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Run:
esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
- When prompted, choose OK in order to attempt the repair. esentutl /p is a hard repair that can discard damaged pages, which is why the tool asks for confirmation; if you want to keep a copy of the database, copy the catdb file elsewhere before you run it.
- Exit the command prompt.
- Reboot.
Failed Repair
If the repair fails, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Rename the %WINDIR%\system32\catroot2 directory to catroot2_old. Windows rebuilds the catalog database on the next start of the Cryptographic Services service.
- Exit the command prompt.
- Reboot.
Analyze the Database
You can analyze the database at any time in order to determine if it is valid.
- Open a command prompt as an Administrator on the PC.
- Run:
esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Refer to System Catalog Database Integrity for more information.
Error: Unable to Update the Session Management Database
While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory.
Solution 1
This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.
Solution 2
This issue can also be resolved if you disable threat-detection on the ASA, if threat-detection is used. Threat detection is what flags scanning and attack patterns on the firewall, so treat this as a stopgap until the reload or upgrade in Solution 1 is done.
Error: "Module c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed to register"
When you use the AnyConnect client on laptops or PCs, an error occurs during the install:
"Module C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed to register..."
When this error is encountered, the installer cannot move forward and the client is removed.
Solution
These are the possible workarounds to resolve this error:
- The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the Windows 2000 computer.
- Remove the VMware applications. Once AnyConnect is installed, the VMware applications can be added back to the PC.
- Add the ASA to the trusted sites.
- Copy these files from the \Program Files\Cisco\Cisco AnyConnect VPN Client folder to a new folder and run regsvr32 vpnapi.dll from an elevated command prompt:
- vpnapi.dll
- vpncommon.dll
- vpncommoncrypt.dll
- Reimage the operating system on the laptop/PC.
The log message related to this error on the AnyConnect client looks similar to this:
DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client\.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2911. The arguments are: C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client\.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2911. The arguments are: C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
Info 1721. There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: InstallHelper.exe, location: C:\Program Files\Cisco\Cisco AnyConnect VPN Client\InstallHelper.exe, command: -acl "C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\\" -r
Error: "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator"
When clients attempt to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.
This message was received from the secure gateway:
"Illegal address class" or "Host or network is 0" or "Other error"
Solution
The issue occurs because of ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.
Cisco bug ID CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.
Error: Session could not be established. Session limit of 2 reached.
When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached. This was seen with the AnyConnect Essentials license on an ASA that runs Version 8.0.4.
Solution 1
This error occurs because the AnyConnect Essentials license is not supported by ASA Version 8.0.4. You need to upgrade the ASA to Version 8.2.2. This resolves the error.
Note: Regardless of the license used, if the session limit is reached, the user will receive the Login Failed error message.
Solution 2
This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set to 2, then users cannot establish more than 2 sessions even though the installed license supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.
Error: AnyConnect not enabled on VPN server while trying to connect AnyConnect to the ASA
You receive the AnyConnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.
Solution
This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.
Error: %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)
The %ASA-6-722036: Group <client-group> User <xxxx> IP <x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?
Solution
This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off SVC compression with the svc compression none command. This resolves the issue.
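The ASA messages quoted in this document (722036 above, the 211001 memory allocation error under Unable to Update the Session Management Database, and the session-limit warning under Session limit of 2 reached) are easy to miss in a console capture. The triage below is an added example and is not Cisco code: it parses each line, pulls out the group/user/IP context and the numbers that matter (packet size versus threshold, the session limit), and attaches the remedy this page gives for each. SAMPLE_LOG is constructed to match the message texts shown on this page; the 113029 message ID on the session-limit line is an assumption, which is why matching is done on the message text rather than on the ID.

```python
"""Triage of the ASA syslog messages quoted in this document. Added example,
not Cisco code. SAMPLE_LOG is constructed; the 113029 ID on the session-limit
line is an assumption, so classification keys on the message text."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
%ASA-6-722036: Group <client-group> User <jdoe> IP <10.1.1.20> Transmitting large packet 1220 (threshold 1206)
%ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory
%ASA-4-113029: Group <client-group> User <asmith> IP <10.1.1.21> Session could not be established: session limit of 2 reached
%ASA-6-722036: Group <client-group> User <jdoe> IP <10.1.1.20> Transmitting large packet 1300 (threshold 1206)
%ASA-6-725002: Device completed SSL handshake with client outside:10.1.1.22/51234
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.+)")
CONTEXT = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")
LARGE_PACKET = re.compile(r"Transmitting large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)")
SESSION_LIMIT = re.compile(r"[Ss]ession limit of (?P<limit>\d+) reached")
MEMORY = re.compile(r"Memory allocation Error")


@dataclass
class Finding:
    msg_id: str
    severity: int
    user: Optional[str]
    summary: str
    action: str
    values: Dict[str, int] = field(default_factory=dict)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one syslog line; None for lines this triage does not cover."""
    head = HEADER.search(line)
    if not head:
        return None
    sev, msg_id, text = int(head["sev"]), head["id"], head["text"]
    ctx = CONTEXT.search(text)
    user = ctx["user"] if ctx else None

    m = LARGE_PACKET.search(text)
    if m:
        size, threshold = int(m["size"]), int(m["threshold"])
        return Finding(msg_id, sev, user,
                       f"packet of {size} bytes exceeds the client threshold of {threshold}",
                       "turn off SVC compression (svc compression none) and review the group MTU",
                       {"size": size, "threshold": threshold, "excess": size - threshold})
    m = SESSION_LIMIT.search(text)
    if m:
        limit = int(m["limit"])
        return Finding(msg_id, sev, user,
                       f"session limit of {limit} reached",
                       "check the installed license and the vpn-sessiondb "
                       "max-anyconnect-premium-or-essentials-limit setting",
                       {"limit": limit})
    if MEMORY.search(text):
        return Finding(msg_id, sev, user,
                       "ASA failed to allocate system memory",
                       "reload or upgrade per CSCsm51093; disable threat-detection as a stopgap")
    return None


def triage(log: str) -> List[Finding]:
    """Findings for every covered line, in log order."""
    return [f for f in (triage_line(ln) for ln in log.splitlines()) if f]


def worst_excess_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Largest excess over the MTU threshold seen per user, so the sessions
    that overshoot the most are examined first when sizing an MTU change."""
    worst: Dict[str, int] = {}
    for f in findings:
        if f.user and "excess" in f.values:
            worst[f.user] = max(worst.get(f.user, 0), f.values["excess"])
    return worst


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.msg_id} sev{f.severity} user={f.user}: {f.summary} -> {f.action}")
    print("worst excess by user:", worst_excess_by_user(found))
```

Feed it the console capture taken with the logging class commands from the Disconnection section; lines from classes the triage does not know are skipped rather than reported.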
Error: The secure gateway has rejected the agent's vpn connect or reconnect request.
When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: Host or network is 0".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".
Solution
The router was missing pool configuration after reload. You need to add the relevant configuration back to the router.
Router#show run | in pool
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
svc address-pool SSLPOO
Check that the pool reference names the pool exactly: in the output above, svc address-pool refers to SSLPOO while the pool is defined as SSLPOOL, and a reference to a pool that does not exist leaves the gateway with no address to assign, which produces the same no assigned address failure.
The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect Mobility license is missing. Once the license is installed, the issue is resolved.
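Three of the address-pool failure modes on this page can be caught by reading the configuration before anyone connects: a pool reference that names a pool that is not configured (the missing pool shown just above), a pool defined with a 32-bit mask (the Host or network is 0 case under CSCsl82188), and pool addresses that no nat 0 ACL exempts (the NAT exemption step under Issues with Passing Traffic). The checker below is an added example and is not Cisco code; the configuration text is constructed and deliberately contains each of the three mistakes, and the ACL parser assumes the source is "any", as in the document's own in_nat0_out example.

```python
"""Address-pool sanity check for an ASA / IOS SSL VPN configuration. Added
example, not Cisco code. SAMPLE_CONFIG is constructed and contains one missing
pool reference, one /32 pool, and one pool that the nat 0 ACL does not cover."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.255.255.0
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
ip local pool HostOnly 10.9.9.1-10.9.9.50 mask 255.255.255.255
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
nat (inside) 0 access-list in_nat0_out
group-policy SSL_GP attributes
 address-pools value IPPool1
 address-pools value HostOnly
webvpn
 svc address-pool SSLPOO
"""

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, Optional[str]]

# 'ip local pool NAME start-end [mask M]' (ASA) or 'ip local pool NAME start end' (IOS)
POOL = re.compile(r"^ip local pool (\S+) (\S+?)[- ](\S+)(?: mask (\S+))?", re.M)
# 'address-pools value X', 'address-pool X', 'svc address-pool X'
POOL_REF = re.compile(r"^\s*(?:svc )?address-pools? (?:value )?(\S+)", re.M)
# extended ACL with source 'any' (assumption); destination is 'any', 'host A', or 'NET MASK'
ACL = re.compile(r"^access-list (\S+) extended permit ip \S+ (\S+)(?: (\S+))?", re.M)
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)


def parse_pools(config: str) -> Dict[str, Pool]:
    return {name: (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end), mask or None)
            for name, start, end, mask in POOL.findall(config)}


def pool_size(pool: Pool) -> int:
    start, end, _ = pool
    return int(end) - int(start) + 1


def _acl_network(dest: str, mask: str) -> ipaddress.IPv4Network:
    if dest == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if dest == "host":
        return ipaddress.IPv4Network(f"{mask}/32")
    return ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)


def nat_exempt_networks(config: str) -> List[ipaddress.IPv4Network]:
    """Destination networks of every ACL that a 'nat (...) 0 access-list' line uses."""
    exempt_acls = set(NAT0.findall(config))
    return [_acl_network(dest, mask) for name, dest, mask in ACL.findall(config)
            if name in exempt_acls]


def covering_network(pool: Pool) -> ipaddress.IPv4Network:
    """Smallest prefix that contains the whole pool range."""
    start, end, _ = pool
    net = ipaddress.IPv4Network(f"{start}/32")
    while end not in net:
        net = net.supernet()
    return net


def suggested_nat_exempt(acl_name: str, pool: Pool) -> str:
    """The nat 0 ACL line the document's example uses, sized to this pool."""
    net = covering_network(pool)
    return f"access-list {acl_name} extended permit ip any {net.network_address} {net.netmask}"


def check_config(config: str) -> List[Tuple[str, str]]:
    """(problem, pool-name) pairs for the failure modes described on this page."""
    problems: List[Tuple[str, str]] = []
    pools = parse_pools(config)
    for name in POOL_REF.findall(config):
        if name not in pools:
            problems.append(("missing-pool", name))
    nat_enabled = re.search(r"^nat \(", config, re.M) is not None
    exempt = nat_exempt_networks(config)
    for name, (start, end, mask) in pools.items():
        if int(end) < int(start):
            problems.append(("inverted-range", name))
        if mask == "255.255.255.255":
            problems.append(("host-mask", name))
        # only meaningful where NAT is configured at all (not on the IOS box above)
        if nat_enabled and not any(start in net and end in net for net in exempt):
            problems.append(("not-nat-exempt", name))
    return problems


if __name__ == "__main__":
    pools = parse_pools(SAMPLE_CONFIG)
    for name, pool in pools.items():
        print(f"{name}: {pool_size(pool)} addresses, covering {covering_network(pool)}")
    for problem, name in check_config(SAMPLE_CONFIG):
        print(f"{problem}: {name}")
        if problem == "not-nat-exempt":
            print("  suggested:", suggested_nat_exempt("in_nat0_out", pools[name]))
```

Paste the output of show running-config into SAMPLE_CONFIG's place (or read it from the file written by write net) and compare the pool sizes against the session counts in show vpn-sessiondb; a pool that is nearly full explains the Illegal address class / Host or network is 0 rejections before any bug ID is consulted.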
Error: "Unable to update the session management database"
When you try to authenticate in the WebPortal, this error message is received: "Unable to update the session management database".
Solution
This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA runs Version 8.2.1, which requires 512 MB of RAM for complete functionality.
As a permanent fix, upgrade the memory to 512 MB.
As a temporary workaround, try to free memory with these steps:
- Disable threat-detection.
- Disable SVC compression.
- Reload the ASA.
Error: "The VPN client driver has encountered an error"
This is an error message obtained on the client machine when you try to connect to AnyConnect.
Solution
In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:
- Right-click My Computer > Manage > Services and Applications > Services, and select the Cisco AnyConnect VPN Agent.
- Right-click Properties, then Log On, and select Allow service to interact with the desktop.
This sets the registry Type value DWORD to 0x110 (default is 0x10) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent. Letting a service that runs as SYSTEM interact with the desktop widens its attack surface (the classic shatter-attack pattern), so treat this as a diagnostic step and revert it once the interfering application is identified.
Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.
When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an error error message. In order to resolve this issue, make sure that RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.
Error: "Unable to process response from xxx.xxx.xxx.xxx"
AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.xxx.xxx".
Solution
In order to resolve this error, try these workarounds:
- Remove WebVPN from the ASA and re-enable it.
- Change the port number to 444 from the existing 443 and re-enable it on 443.
For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.
Error: "Login Denied, unauthorized connection mechanism, contact your administrator"
AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Login Denied, unauthorized connection mechanism, contact your administrator".
Solution
This error message occurs mostly because of an improper or incomplete configuration. Check the configuration and make sure that it is as required in order to resolve the issue.
Error: "AnyConnect package unavailable or corrupted. Contact your system administrator"
This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.
Solution
In order to resolve this, complete these steps:
- Upload the Macintosh AnyConnect package to the flash of the ASA. Verify the package checksum against the value published on the Cisco download page before you copy it to flash; the ASA serves this file to every client that connects.
- Modify the WebVPN configuration in order to specify the AnyConnect package that is used.
webvpn
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3
The trailing number is the order in which the ASA offers the images to a connecting client, so list the package for your most common client platform first.
The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later, as shown here:
hostname(config)#webvpn
hostname(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.0.0527-k9.pkg 1
hostname(config-webvpn)#anyconnect image disk0:/anyconnect-macosx-i386-3.0.0414-k9.pkg 2
Error: "The AnyConnect package on the secure gateway could not be located"
This error is seen on the user's Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."
Solution
In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client.
If the OS is supported, then verify whether the AnyConnect package is specified in the WebVPN configuration. See the AnyConnect package unavailable or corrupted section of this document for more information.
Error: "Secure VPN via remote desktop is not supported"
Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.
Solution
This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.
Error: "The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established"
When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.
Solution
In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) mode in the AnyConnect Local Policy file. This file can usually be found at C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\AnyConnectLocalPolicy.xml. If this file is not found in this path, then locate the file in a different directory with a path such as C:\Documents and Settings\All Users\Application Data\Cisco AnyConnectVPNClient\AnyConnectLocalPolicy.xml. Once you locate the XML file, make changes to this file as shown here:
Change the phrase:
<FipsMode>true</FipsMode>
To:
<FipsMode>false</FipsMode>
Then, restart the computer. Users must have administrative permissions in order to modify this file.
If your environment is required to run in FIPS mode, do not disable it; the message means the gateway certificate or its chain does not meet the FIPS requirements, and the correct fix in that case is to replace the ASA's certificate and chain with ones that do.
Error: "Certificate Validation Failure"
Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.
Solution
Certificate authentication works differently with AnyConnect compared to the IPsec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client certificates to be used on the outside interface:
ssl certificate-authentication interface outside port 443
Error: "VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience"
When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that vpnagent.exe fails.
Solution
This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.
Error: "This installation package could not be opened. Verify that the package exists"
When AnyConnect is downloaded, this error message is received:
"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."
Solution
Complete these steps in order to fix this issue:
- Remove any anti-virus software for the duration of the install, then restore it.
- Disable the Windows firewall for the duration of the install, then re-enable it.
- If neither Step 1 nor Step 2 helps, then format the machine and then install.
- If the problem still persists, open a TAC case.
Error: "Error applying transforms. Verify that the specified transform paths are valid."
This error message is received during the auto-download of AnyConnect from the ASA:
"Contact your system administrator. The installer failed with the following error: Error applying transforms. Verify that the specified transform paths are valid."
This is the error message received when connecting with AnyConnect for MacOS:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."
Solution
Complete one of these workarounds in order to resolve this issue:
- The root cause of this error might be a corrupted MST translation file (for example, one that was imported). Perform these steps to fix this:
- Remove the MST translation table.
- Configure the AnyConnect image for MacOS in the ASA.
- From the ASDM, follow the Network (Client) Access > AnyConnect Customization > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Settings.
If neither of these workarounds resolves the issue, contact Cisco Technical Support.
Error: "The VPN client driver has encountered an error"
This error is received:
The VPN client driver has encountered an error when connecting through Cisco
AnyConnect Client.
Solution
This issue can be resolved when you uninstall the AnyConnect client, then remove the anti-virus software, and then reinstall the AnyConnect client. If this does not resolve it, reformat the PC in order to fix the issue.
Error: "A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restarted."
This error is received when you try to launch AnyConnect:
"A VPN reconnect resulted in different configuration setting. The VPN network
setting is being re-initialized. Applications utilizing the private network may
need to be restarted."
Solution
In order to resolve this error, lower the MTU of the SSL VPN tunnel in the group policy:
group-policy <Name> attributes
webvpn
svc mtu 1200
The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later, as shown here:
hostname(config)#group-policy <Name> attributes
hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)#anyconnect mtu 500
The values 1200 and 500 are only examples; choose a value that fits the actual path MTU between the client and the headend.
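A practical way to pick the MTU value for the commands above is to measure what the path actually carries. The script below is an added example, not part of the Cisco document: it binary-searches for the largest ICMP payload that crosses the path with the DF bit set (using the operating system's own ping), converts that to a path MTU, and subtracts headroom for the tunnel encapsulation. The 28-byte figure is the IPv4 plus ICMP header size; the 100-byte tunnel headroom and the host name vpn.example.net are assumptions made for this example.

```python
"""Find the largest DF-flagged ICMP payload that crosses the path to the
headend, then derive a tunnel MTU for 'svc mtu' / 'anyconnect mtu'.

Added example; not part of the Cisco document.  IPV4_ICMP_OVERHEAD is the
IPv4 + ICMP header size; ASSUMED_TUNNEL_OVERHEAD is an assumption made for
this example, not a Cisco figure."""
import platform
import subprocess
import sys

IPV4_ICMP_OVERHEAD = 28           # 20-byte IPv4 header + 8-byte ICMP header
ASSUMED_TUNNEL_OVERHEAD = 100     # assumed headroom for outer IP/UDP/DTLS headers


def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary search for the largest payload size in [lo, hi] for which
    probe(size) returns True.  Assumes monotonic behaviour: if a size
    passes, every smaller size passes too.  Returns lo when nothing passes."""
    if probe(hi):
        return hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_df(host, size, timeout_s=2):
    """Send one echo request of `size` payload bytes with the DF bit set.
    Linux ping uses -M do, Windows ping uses -f.  True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-n", "1", "-w", str(timeout_s * 1000),
               "-l", str(size), host]
    else:
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
               "-s", str(size), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def path_mtu_from_payload(payload):
    """Path MTU implied by the largest passing ICMP payload."""
    return payload + IPV4_ICMP_OVERHEAD


def tunnel_mtu(path_mtu, tunnel_overhead=ASSUMED_TUNNEL_OVERHEAD):
    """Value to configure with 'anyconnect mtu': the path MTU minus the room
    the encapsulation needs, never below the 576-byte IPv4 minimum."""
    return max(path_mtu - tunnel_overhead, 576)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.net"  # assumed host
    payload = largest_passing_payload(lambda n: ping_df(target, n))
    mtu = path_mtu_from_payload(payload)
    print("largest DF payload %d -> path MTU %d -> anyconnect mtu %d"
          % (payload, mtu, tunnel_mtu(mtu)))
```

Run it from the client's network against the headend address. If the reported path MTU is well below 1500, the tunnel MTU must come down with it, which is exactly what the svc mtu / anyconnect mtu commands do.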
AnyConnect Error While Logging In
Problem
The AnyConnect client reports this error when it tries to connect:
The VPN connection is not allowed via a local proxy. This can be changed
through AnyConnect profile settings.
Solution
The issue can be resolved if you make these changes to the AnyConnect profile:
Add these elements to the AnyConnect profile:
<ProxySettings>IgnoreProxy</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
IE Proxy Setting is Not Restored later AnyConnect Disconnect on Windows 7
Problem
In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.
Solution
This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.
Error: AnyConnect Essentials cannot be enabled until all these sessions are closed.
This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:
There are currently 2 clientless SSL VPN sessions in progress. AnyConnect
Essentials cannot be enabled until all these sessions are closed.
Solution
This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:
- No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
- No clientless SSL VPN
- Optional Windows Mobile Support
This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.
Error: Connections tab in the Internet Options of Internet Explorer is hidden after connecting with the AnyConnect client.
The Connections tab in the Internet Options of Internet Explorer is hidden after you connect with the AnyConnect client.
Solution
This is due to the msie-proxy lockdown feature (the msie-proxy lockdown command in the group policy). If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session, so the user cannot change the proxy settings the ASA pushed. If you disable the feature, it leaves the display of the Connections tab unchanged.
Error: A few users get the Login Failed error message while others can connect successfully through AnyConnect VPN
A few users receive the Login Failed error message while others can connect successfully through the AnyConnect VPN.
Solution
This issue can be resolved if you make sure the Do not require pre-authentication checkbox is checked for the affected users. Note that this option turns off Kerberos pre-authentication for those accounts, which is a security trade-off; confirm that it is really needed for those users rather than leaving it enabled as a default.
Error: The certificate you are viewing does not match the name of the site you are trying to view.
During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:
The certificate you are viewing does not match with the name of the site
you are trying to view.
Solution
This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN that appears in the certificate.
This is a sample of the XML profile:
<ServerList>
<HostEntry>
<HostName>vpn1.ccsd.net</HostName>
</HostEntry>
</ServerList>
Note: If there is an existing entry for the public IP address of the server, such as <HostAddress>, remove it and retain only the FQDN of the server (that is, <HostName> but not <HostAddress>).
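Both of the profile fixes in this document (the ProxySettings / AllowLocalProxyConnections elements for the local-proxy error, and the HostName-only server list for the certificate-name error) are easy to check mechanically before a profile is pushed. The following linter is an added example, not Cisco code: it reads an AnyConnect client profile, reports any HostEntry that still carries a HostAddress, reports proxy settings other than the ones given above, and can strip the HostAddress elements. The element names follow the AnyConnect profile schema; the namespace and the sample profile embedded below are assumptions constructed for this example.

```python
"""Lint an AnyConnect client profile for the settings discussed above.

Added example, not Cisco code.  Element names (ClientInitialization,
ProxySettings, AllowLocalProxyConnections, ServerList/HostEntry/HostName/
HostAddress) follow the AnyConnect profile schema; the namespace constant
and SAMPLE_PROFILE are assumptions constructed for this example."""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"   # assumed profile namespace


def _local(tag):
    """Local name of an element tag, with any {namespace} prefix removed."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """First element in the tree whose local name is `name`, or None."""
    for elem in root.iter():
        if _local(elem.tag) == name:
            return elem
    return None


def parse_profile(xml_text):
    """Extract proxy settings and the server list from a profile document."""
    root = ET.fromstring(xml_text)
    proxy = _first(root, "ProxySettings")
    allow = _first(root, "AllowLocalProxyConnections")
    hosts = []
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        host = {"name": None, "address": None}
        for child in entry:
            if _local(child.tag) == "HostName":
                host["name"] = (child.text or "").strip()
            elif _local(child.tag) == "HostAddress":
                host["address"] = (child.text or "").strip()
        hosts.append(host)
    return {
        "proxy_settings": (proxy.text or "").strip() if proxy is not None else None,
        "allow_local_proxy": (allow.text or "").strip().lower() if allow is not None else None,
        "hosts": hosts,
    }


def lint_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches
    the settings this document recommends."""
    p = parse_profile(xml_text)
    findings = []
    if p["proxy_settings"] != "IgnoreProxy":
        findings.append("ProxySettings is %r, expected IgnoreProxy" % p["proxy_settings"])
    if p["allow_local_proxy"] != "false":
        findings.append("AllowLocalProxyConnections is %r, expected false" % p["allow_local_proxy"])
    for host in p["hosts"]:
        if not host["name"]:
            findings.append("HostEntry without a HostName (FQDN)")
        if host["address"]:
            findings.append("HostEntry %s also has HostAddress %s; remove it so the "
                            "client connects by the certificate's FQDN"
                            % (host["name"], host["address"]))
    return findings


def remove_host_addresses(xml_text):
    """Return the profile with every HostAddress element removed."""
    ET.register_namespace("", NS)
    root = ET.fromstring(xml_text)
    for entry in root.iter():
        if _local(entry.tag) == "HostEntry":
            for child in list(entry):
                if _local(child.tag) == "HostAddress":
                    entry.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: wrong proxy settings and a HostEntry with both forms.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn1.example.net</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("finding:", finding)
    print(remove_host_addresses(SAMPLE_PROFILE))
```

The lint runs on the profile file alone, so it can be dropped into whatever process produces the profile before it is uploaded to the ASA.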
Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine
When AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.
Solution
Currently, this is not possible because it is not supported.
AnyConnect Profile Does Not Get Replicated to the Standby After Failover
The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication of the AnyConnect profile related configuration.
Solution
This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.
AnyConnect Client Crashes if Internet Explorer Goes Offline
When this occurs, the AnyConnect event log contains entries similar to these:
Description : Function:
CAdapterNetworkStateIfc::SetConnectedStateToConnected
File: .\AdapterNetworkStateIfc.cpp
Line: 147
Invoked Function: InternetSetOption
Return Code: 12010 (0x00002EEA)
Description: The length is incorrect for the option type
Description : Function: CTransportWinHttp::InitTransport
File: .\CTransportWinHttp.cpp
Line: 252
Invoked Function: CConnectedStateIfc::SetConnectedStateToConnected
Return Code: -25362420 (0xFE7D000C)
Description: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION
Solution
This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch it. The connection entries reappear after relaunch.
Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER
The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.
Solution
This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.
In order to resolve this issue, complete these steps:
- Reduce the number of entries in the split-tunnel list.
- Use this configuration in order to disable DTLS:
group-policy groupName attributes
webvpn
svc dtls none
For more information, refer to Cisco bug ID CSCtc41770.
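Shrinking the split-tunnel list without widening what goes through the tunnel is the safer of the two remedies, and it can be done mechanically: duplicate entries, networks already contained in another entry, and runs of adjacent blocks that form one larger prefix can all be merged without adding a single address. The script below is an added example, not from the Cisco document; it takes the "network mask" lines of an ASA standard ACL, collapses them with the standard library's ipaddress module (which only merges exactly covered ranges and never rounds up), and prints the shorter ACL. The sample list is constructed for this example.

```python
"""Collapse a split-tunnel network list to the smallest equivalent set of
prefixes, so the ACL pushed to AnyConnect carries fewer entries.

Added example, not from the Cisco document.  Input lines are in the form an
ASA standard ACL uses ("network mask"); CIDR is accepted too.  The sample
list below is constructed for this example."""
import ipaddress


def parse_entry(line):
    """'10.1.0.0 255.255.255.0' or '10.1.0.0/24' -> ip_network."""
    parts = line.split()
    text = "/".join(parts) if len(parts) == 2 else parts[0]
    return ipaddress.ip_network(text, strict=False)


def collapse_split_tunnel(lines):
    """Return the minimal list of networks covering exactly the same
    addresses as `lines`: duplicates and sub-networks removed, adjacent
    blocks merged.  collapse_addresses never widens coverage, so the tunnel
    gains no address that was not already in the list."""
    v4, v6 = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):      # skip blanks and comments
            continue
        net = parse_entry(line)
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)) +
            list(ipaddress.collapse_addresses(v6)))


def asa_standard_acl(name, networks):
    """Render the collapsed list as ASA standard ACL lines."""
    return ["access-list %s standard permit %s %s"
            % (name, n.network_address, n.netmask) for n in networks]


# Constructed sample: four adjacent /24s, a /25 already inside them, a
# duplicate /24, and one unrelated /24 -> collapses to two entries.
SAMPLE_SPLIT_LIST = """
! constructed sample split-tunnel list
10.1.0.0 255.255.255.0
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
10.1.3.0 255.255.255.0
10.1.1.0 255.255.255.128
10.1.2.0 255.255.255.0
192.168.10.0 255.255.255.0
""".strip().splitlines()

if __name__ == "__main__":
    before = [l for l in SAMPLE_SPLIT_LIST if l.strip() and not l.startswith("!")]
    after = collapse_split_tunnel(SAMPLE_SPLIT_LIST)
    print("%d entries -> %d entries" % (len(before), len(after)))
    print("\n".join(asa_standard_acl("SPLIT_TUNNEL", after)))
```

Resist the temptation to go further and hand-pick a supernet that "almost" covers the list: that does cut entries, but every extra address it admits is traffic that now bypasses the corporate path, which is the opposite of what a split-tunnel list is for.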
Error Message: "Connection attempt has failed due to invalid host entry"
The Connection attempt has failed due to invalid host entry error message is received while AnyConnect authenticates with the use of a certificate.
Solution
In order to resolve this issue, try either of these possible solutions:
- Upgrade AnyConnect to Version 3.0.
- Disable Cisco Secure Desktop on your computer.
For more information, refer to Cisco bug ID CSCti73316.
Error: "Ensure your server certificates can pass strict mode if you configure always-on VPN"
When you enable the Always-On feature in AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.
Solution
This error message implies that if you want to use the Always-On feature, you need a valid server certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode (the StrictCertificateTrust setting in the AnyConnect local policy file) is an option that ensures connections use a valid certificate: with it enabled, the client refuses a server certificate it cannot verify instead of letting the user click through the warning. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.
Error: "An internal error occurred in the Microsoft Windows HTTP Services"
The Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1170
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft
Windows HTTP Services
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::connect
File: .\ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 2999
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
Connection attempt failed. Please try again.
******************************************
Also refer to the Event Viewer logs on the Windows machine.
Solution
This can be caused by a corrupted Winsock catalog. Reset it from an elevated command prompt with this command and then restart the Windows machine:
netsh winsock reset
Refer to the Microsoft knowledge base article How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista for more information.
Error: "The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway."
The Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::handleRequestError
File: .\CTransportWinHttp.cpp
Line: 854
The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 3026
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
Connection attempt failed. Please try again.
******************************************
Solution
Windows 8.1 restricts the use of RC4 in TLS, as described in this Microsoft KB update:
http://support2.microsoft.com/kb/2868725
If the ASA offers only RC4 cipher suites, the handshake has no suite in common and fails with the Secure Channel Failure above. Either configure non-RC4 ciphers for SSL VPN on the ASA with the command "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1" (prefer the AES suites; DES and 3DES are weak and should be dropped as soon as no client still needs them), or re-enable RC4 in the Windows registry on the client machine as described here:
https://technet.microsoft.com/en-us/library/dn303404.aspx
Re-enabling RC4 on the client weakens every TLS connection that client makes, so correcting the cipher list on the ASA is the better fix.
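The DART excerpts in the last two sections share one record layout (a run of asterisks, Date/Time/Type/Source headers, a Description line carrying the function, then File, Line, Invoked Function, Return Code and a second Description with the message). The parser below is an added example, not Cisco code: it splits a DART or AnyConnect event log into records, checks that the decimal and hexadecimal forms of each return code agree as a signed 32-bit value, and maps the codes this document discusses (12004, CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE, CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION) to the remedies given above. The embedded sample is a re-typed copy of the first two records of the WinHTTP excerpt; the hint table covers only codes that appear in this document.

```python
"""Parse DART / AnyConnect event-log records and map the return codes this
document discusses to its remedies.  Added example, not Cisco code; the
record layout is taken from the excerpts above and SAMPLE_DART is a re-typed
copy of the first two records of the WinHTTP excerpt."""
import re

SEPARATOR = re.compile(r"^\*{5,}$")
HEADER = re.compile(r"^(Date|Time|Type|Source)\s*:\s*(.*)$")
FIELD = re.compile(r"^(File|Line|Invoked Function|Return Code)\s*:\s*(.*)$")
CODE = re.compile(r"^(-?\d+)\s*\((0x[0-9A-Fa-f]{8})\)")

# Only codes that appear in this document; remedies are the document's own.
HINTS = {
    12004: "WinHTTP 12004 (ERROR_INTERNET_INTERNAL_ERROR): run 'netsh winsock reset' and reboot",
    -30015418: "CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE: no TLS cipher in common; "
               "fix the ASA 'ssl encryption' list rather than re-enabling RC4 on the client",
    -25362420: "CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION (CSCtx28970): quit and relaunch AnyConnect",
}


def _signed32(hex_text):
    """Interpret a 0x-prefixed 32-bit value as a signed integer."""
    value = int(hex_text, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def _parse_record(lines):
    rec = {"message": ""}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m and m.group(1).lower() not in rec:
            rec[m.group(1).lower()] = m.group(2).strip()
            continue
        if line.startswith("Description"):
            value = line.split(":", 1)[1].strip()
            if value.startswith("Function:"):          # "Description : Function: X"
                rec["function"] = value.split(":", 1)[1].strip()
            else:                                      # "Description: <message>"
                rec["message"] = (rec["message"] + " " + value).strip()
            continue
        m = FIELD.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            rec[key] = m.group(2).strip()
            if key == "return_code":
                c = CODE.match(rec[key])
                if c:
                    rec["code"] = int(c.group(1))
                    rec["code_consistent"] = _signed32(c.group(2)) == rec["code"]
            continue
        if rec.get("function") == "":                  # function name wrapped onto the next line
            rec["function"] = line
            continue
        rec["message"] = (rec["message"] + " " + line).strip()   # wrapped or bare message text
    return rec


def parse_dart(text):
    """Split the log on separator lines and parse each record."""
    records, block = [], []
    for raw in text.splitlines():
        if SEPARATOR.match(raw.strip()):
            if any(l.strip() for l in block):
                records.append(_parse_record(block))
            block = []
        else:
            block.append(raw)
    if any(l.strip() for l in block):
        records.append(_parse_record(block))
    return records


def triage(records):
    """Distinct hints, in log order, for the return codes this document covers."""
    seen, hints = set(), []
    for rec in records:
        code = rec.get("code")
        if code in HINTS and code not in seen:
            seen.add(code)
            hints.append(HINTS[code])
    return hints


SAMPLE_DART = """\
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\\CTransportWinHttp.cpp
Line: 1170
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft
Windows HTTP Services
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::connect
File: .\\ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
"""

if __name__ == "__main__":
    for rec in parse_dart(SAMPLE_DART):
        print(rec.get("time"), rec.get("function"), rec.get("code"), rec["message"])
    for hint in triage(parse_dart(SAMPLE_DART)):
        print("hint:", hint)
```

The sign check matters when reading these logs by eye: the negative decimal value and the 0xFE… hexadecimal value are the same 32-bit number, so either form can be searched for, and a mismatch between them means the excerpt was transcribed wrongly.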
- Cisco ASA 5500 Series Adaptive Security Appliances
- AnyConnect VPN Client FAQ
- Cisco Secure Desktop (CSD) FAQ
- Cisco AnyConnect VPN Customer
- Technical Support & Documentation - Cisco Systems
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212972-anyconnect-vpn-client-troubleshooting-gu.html