No Agents Were Found in Pool Default. Configure an Agent for the Pool and Try Again.

    This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the issues:

      • Installation and Virtual Adapter Issues
      • Disconnection or Inability to Establish Initial Connection
      • Problems with Passing Traffic
      • AnyConnect Crash Issues
      • Fragmentation / Passing Traffic Issues

    Installation and Virtual Adapter Issues

    Complete these steps:

    1. Obtain the device log file:
      • Windows XP / Windows 2000:
        \Windows\setupapi.log
      • Windows Vista:

        Note: Hidden folders must be made visible in order to see these files.

        \Windows\Inf\setupapi.app.log
        \Windows\Inf\setupapi.dev.log

      If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

    2. Obtain the MSI installer log file:

      If this is an initial web deploy install, this log is located in the per-user temp directory.

      • Windows XP / Windows 2000:
        \Documents and Settings\<username>\Local Settings\Temp\
      • Windows Vista:
        \Users\<username>\AppData\Local\Temp\

      If this is an automatic upgrade, this log is in the temp directory of the system:

        \Windows\Temp

      The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

    3. Obtain the PC system information file:
      1. From a Command Prompt/DOS box, type this:
        • Windows XP / Windows 2000:
          winmsd /nfo c:\msinfo.nfo
        • Windows Vista:
          msinfo32 /nfo c:\msinfo.nfo

        Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

      2. Obtain a systeminfo file dump from a Command Prompt:

        Windows XP and Windows Vista:

          systeminfo >> c:\sysinfo.txt

    Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

    Disconnection or Inability to Establish Initial Connection

    If you experience connection issues with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

    • The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

      From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

      OR

      From the console of the ASA, type show running-config. Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

    • The ASA event logs:
      1. In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:
        config terminal
        logging enable
        logging timestamp
        logging class auth console debugging
        logging class webvpn console debugging
        logging class ssl console debugging
        logging class svc console debugging
      2. Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
      3. In order to disable logging, issue no logging enable.
    • The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
      1. Choose Start > Run.
      2. Enter:
        eventvwr.msc /s
      3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.

        Note: Always save it as the .evt file format.

    If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the "AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established" error message on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

    Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

    When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available.

    In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

    When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

    When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator.

    This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

    This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

    The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

    webvpn
    svc keepalive 30
    svc dpd-interval client 80
    svc dpd-interval gateway 80

    The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

    webvpn
    anyconnect ssl keepalive 15
    anyconnect dpd-interval client 5
    anyconnect dpd-interval gateway 5

    Problems with Passing Traffic

    When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

    1. Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
    2. Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
    3. Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:
      access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
      ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
      nat (inside) 0 access-list in_nat0_out
    4. Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.

      Example:

      !--- Route outside 0 0 is an incorrect statement.
      route outside 0 0 10.145.50.1
      route inside 0 0 10.0.4.2 tunneled

      For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

    5. Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by the AnyConnect client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.
      ASA(config)# policy-map global_policy
      ASA(config-pmap)# class inspection_default
      ASA(config-pmap-c)# no inspect skinny

    AnyConnect Crash Issues

    Complete these data-gathering steps:

    1. Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:
      Number of Instructions : 25
      Number of Errors To Save : 25
      Crash Dump Type : Mini
      Dump Symbol Table : Checked
      Dump All Thread Contexts : Checked
      Append To Existing Log File : Checked
      Visual Notification : Checked
      Create Crash Dump File : Checked

      When the crash occurs, gather the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, then use ntbackup.exe.

    2. Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
      1. Choose Start > Run.
      2. Enter:
        eventvwr.msc /s
      3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.

        Note: Always save it as the .evt file format.

    Fragmentation / Passing Traffic Issues

    Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

    This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

    Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

    It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

    Problem

    TCP connections hang once connected with AnyConnect.

    Solution

    In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

    ASA(config)#group-policy <name> attributes
    webvpn
    svc mtu 1200

    Uninstall Automatically

    Problem

    The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

    Solution

    AnyConnect uninstalls itself even though the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

    Issue Populating the Cluster FQDN

    Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

    When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

    Solution

    This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

    Backup Server List Configuration

    A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

    1. Download the AnyConnect Profile Editor (registered customers only). The file name is AnyConnectProfileEditor2_4_1.jar.
    2. Create an XML file with the AnyConnect Profile Editor.
      1. Go to the server list tab.
      2. Click Add.
      3. Type the main server on the Hostname field.
      4. Add the backup server below the backup server list on the Host address field. Then, click Add.
    3. Once you have the XML file, you need to assign it to the connection you use on the ASA.
      1. In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
      2. Select your profile and click Edit.
      3. Click Manage from the Default Group Policy section.
      4. Select your group-policy and click Edit.
      5. Select Advanced and then click SSL VPN Client.
      6. Click New. Then, you need to type a name for the Profile and assign the XML file.
    4. Connect the client to the session in order to download the XML file.

    This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

    W239 driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.

    You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue.

    You can receive this log on the client: "The VPN client driver has encountered an error".

    Repair

    This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

    1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
    2. Run net stop CryptSvc.
    3. Run:
      esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
    4. When prompted, choose OK in order to attempt the repair.
    5. Exit the command prompt.
    6. Reboot.

    Failed Repair

    If the repair fails, complete these steps:

    1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
    2. Run net stop CryptSvc.
    3. Rename the %WINDIR%\system32\catroot2 to catroot2_old directory.
    4. Exit the command prompt.
    5. Reboot.

    Analyze the Database

    You can analyze the database at any time in order to determine if it is valid.

    1. Open a command prompt as an Administrator on the PC.
    2. Run:
      esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

      Refer to System Catalog Database Integrity for more information.

    Error: Unable to Update the Session Management Database

    While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory.

    Solution 1

    This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

    Solution 2

    This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

    Error: "Module c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed to register"

    When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

    "Module C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed
    to register..."

    When this error is encountered, the installer cannot move forward and the client is removed.

    Solution

    These are the possible workarounds to resolve this error:

    • The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.
    • Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.
    • Add the ASA to their trusted sites.
    • Copy these files from the \ProgramFiles\Cisco\CiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command prompt:
      • vpnapi.dll
      • vpncommon.dll
      • vpncommoncrypt.dll
    • Reimage the operating system on the laptop/PC.

    The log message related to this error on the AnyConnect client looks similar to this:

    DEBUG: Error 2911:  Could not remove the folderC:\Program Files\Cisco\Cisco AnyConnect
    VPN Client\.
    The installer has encountered an unexpected error installing this package. This may
    indicate a problem with this package. The error code is 2911. The arguments are:
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
    DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect
    VPN Client\.
    The installer has encountered an unexpected error installing this package. This may
    indicate a problem with this package. The error code is 2911. The arguments are:
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
    Info 1721. There is a problem with this Windows Installer package. A program required for
    this install to complete could not be run. Contact your support personnel or package
    vendor. Action: InstallHelper.exe, location: C:\Program Files\Cisco\Cisco AnyConnect VPN
    Client\InstallHelper.exe, command: -acl "C:\Documents and Settings\All Users\Application
    Data\Cisco\Cisco AnyConnect VPN Client\\" -r

    Error: "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator"

    When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

    This message was received from the secure gateway:

    "Illegal address form" or "Host or network is 0" or "Other error"

    Solution

    The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

    Cisco bug ID CSCsl82188 is filed for this issue. This error normally occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.
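
    The pool-depletion and 32-bit-mask conditions described above can be checked from a saved configuration. The following is an added example, not part of the original document: it parses ip local pool lines in both the ASA (first-last mask) and router (first last) forms that appear in this document and flags pools that are too small or that carry a 255.255.255.255 mask. The pool named SmallPool and the expected session count are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration, modelled on the pool lines shown in this
# document. "SmallPool" is made up to demonstrate the failure case.
SAMPLE_CONFIG = """\
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
ip local pool SmallPool 192.168.50.10-192.168.50.12 mask 255.255.255.255
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Accepts "first-last [mask m]" (ASA) and "first last" (router) forms.
POOL_RE = re.compile(
    rf"^\s*ip local pool (?P<name>\S+)\s+(?P<first>{IPV4})"
    rf"(?:\s*-\s*|\s+)(?P<last>{IPV4})"
    rf"(?:\s+mask\s+(?P<mask>{IPV4}))?\s*$"
)


def parse_pools(config_text):
    """Return one dict per 'ip local pool' line found in the configuration."""
    pools = []
    for line in config_text.splitlines():
        match = POOL_RE.match(line)
        if not match:
            continue
        first = ipaddress.IPv4Address(match["first"])
        last = ipaddress.IPv4Address(match["last"])
        prefix = None
        if match["mask"]:
            # Convert the dotted mask into a prefix length (255.255.255.0 -> 24).
            prefix = ipaddress.IPv4Network(f"0.0.0.0/{match['mask']}").prefixlen
        pools.append({
            "name": match["name"],
            "first": first,
            "last": last,
            "size": int(last) - int(first) + 1,
            "prefix": prefix,
        })
    return pools


def audit_pool(pool, expected_sessions):
    """Return a list of findings for one pool; an empty list means no issue."""
    findings = []
    if pool["size"] <= 0:
        findings.append("address range is empty or reversed")
    elif pool["size"] < expected_sessions:
        findings.append(
            f"only {pool['size']} addresses for {expected_sessions} expected sessions"
        )
    if pool["prefix"] == 32:
        findings.append("pool uses a 32-bit subnet mask")
    return findings


if __name__ == "__main__":
    EXPECTED_SESSIONS = 100  # assumption: peak concurrent AnyConnect sessions
    for pool in parse_pools(SAMPLE_CONFIG):
        issues = audit_pool(pool, EXPECTED_SESSIONS) or ["ok"]
        print(f"{pool['name']}: {pool['size']} addresses, {'; '.join(issues)}")
```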

    Error: Session could not be established. Session limit of 2 reached.

    When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached. I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

    Solution 1

    This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

    Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

    Solution 2

    This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as 2, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

    Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

    You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

    Solution

    This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

    Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

    The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x > Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

    Solution

    This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.
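
    To see which users and groups actually trigger this message before compression or MTU settings are changed for them, the following added example (not part of the original document) tallies 722036 events per user from a saved log. The sample log lines, user names, addresses and the min_events cutoff are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not from a real ASA). The 722036 lines
# follow the message layout quoted in this document, with and without the
# angle brackets; the third line is unrelated filler.
SAMPLE_LOG = """\
Jan 10 09:14:02 asa1 %ASA-6-722036: Group <client-group> User <alice> IP <192.0.2.10> Transmitting large packet 1220 (threshold 1206)
Jan 10 09:14:03 asa1 %ASA-6-722036: Group <client-group> User <alice> IP <192.0.2.10> Transmitting large packet 1400 (threshold 1206)
Jan 10 09:15:00 asa1 unrelated line that must be ignored (constructed)
Jan 10 09:15:40 asa1 %ASA-6-722036: Group client-group User bob IP 192.0.2.22 Transmitting large packet 1210 (threshold 1206)
Jan 10 09:17:12 asa1 %ASA-6-722036: Group <client-group> User <alice> IP <192.0.2.10> Transmitting large packet 1380 (threshold 1206)
"""

MSG_RE = re.compile(
    r"%ASA-6-722036: Group <?\s*(?P<group>[^<>\s]+)\s*>? "
    r"User <?\s*(?P<user>[^<>\s]+)\s*>? "
    r"IP <?\s*(?P<ip>[0-9.]+)\s*>? "
    r"Transmitting large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)"
)


def summarize_large_packets(log_text):
    """Aggregate 722036 events per (group, user).

    Returns {(group, user): {"count", "max_size", "threshold", "max_excess"}}
    where max_excess is how far the largest packet exceeded the threshold.
    """
    summary = {}
    for line in log_text.splitlines():
        match = MSG_RE.search(line)
        if not match:
            continue
        key = (match["group"], match["user"])
        size = int(match["size"])
        threshold = int(match["threshold"])
        entry = summary.setdefault(
            key, {"count": 0, "max_size": 0, "threshold": threshold}
        )
        entry["count"] += 1
        entry["max_size"] = max(entry["max_size"], size)
        entry["threshold"] = threshold  # keep the most recent threshold seen
    for entry in summary.values():
        entry["max_excess"] = entry["max_size"] - entry["threshold"]
    return summary


def repeat_senders(summary, min_events=2):
    """Return (group, user) keys with at least min_events hits, busiest first."""
    keys = [k for k, v in summary.items() if v["count"] >= min_events]
    return sorted(keys, key=lambda k: (-summary[k]["count"], k))


if __name__ == "__main__":
    report = summarize_large_packets(SAMPLE_LOG)
    for group, user in repeat_senders(report):
        stats = report[(group, user)]
        print(
            f"{group}/{user}: {stats['count']} events, largest packet "
            f"{stats['max_size']} ({stats['max_excess']} over threshold)"
        )
```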

    Error: The secure gateway has rejected the agent's vpn connect or reconnect request.

    When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".

    This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0".

    This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".

    Solution

    The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

    Router#show run | in pool

    ip local pool SSLPOOL 192.168.30.2 192.168.30.254
    svc address-pool SSLPOO

    The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

    Error: "Unable to update the session management database"

    When you try to authenticate in WebPortal, this error message is received: "Unable to update the session management database".

    Solution

    This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

    As a permanent workaround, upgrade the memory to 512MB.

    As a temporary workaround, try to free the memory with these steps:

    1. Disable the threat-detection.
    2. Disable SVC compression.
    3. Reload the ASA.

    Error: "The VPN client driver has encountered an error"

    This is an error message obtained on the client machine when you try to connect to AnyConnect.

    Solution

    In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

    1. Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
    2. Right-click Properties, then log on, and select Allow service to interact with the desktop.

      This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent.

      Note: If this is to be used, then the preference would be to use the .MST transform in this case. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

      When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the "The VPN client driver has encountered an error." error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.

    Error: "Unable to process response from xxx.xxx.xxx.xxx"

    AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.xxx.xxx".

    Solution

    In order to resolve this error, try these workarounds:

    • Remove WebVPN from the ASA and reenable it.
    • Change the port number to 444 from the existing 443 and reenable it on 443.

    For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

    Error: "Login Denied , unauthorized connection mechanism , contact your administrator"

    AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Login Denied , unauthorized connection mechanism , contact your administrator".

    Solution

    This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

    Error: "Anyconnect package unavailable or corrupted. Contact your system administrator"

    This error occurs when you attempt to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.

    Solution

    In order to resolve this, complete these steps:

    1. Upload the Macintosh AnyConnect package to the flash of the ASA.
    2. Modify the WebVPN configuration in order to specify the AnyConnect package that is used.
      webvpn
      svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
      svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3

      The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:

      hostname(config)#webvpn

      hostname(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.0.0527-k9.pkg 1

      hostname(config-webvpn)#anyconnect image disk0:/anyconnect-macosx-i386-3.0.0414-k9.pkg 2

    Error: "The AnyConnect package on the secure gateway could not be located"

    This error is caused on the user's Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:

    "The AnyConnect package on the secure gateway could not be located. You may
    be experiencing network connectivity issues. Please try connecting again."

    Solution

    In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client.

    If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.

    Error: "Secure VPN via remote desktop is not supported"

    Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.

    Solution

    This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

    Error: "The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established"

    When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

    Solution

    In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\AnyConnectLocalPolicy.xml. If this file is not found in this path, then locate the file at a different directory with a path such as C:\Documents and Settings\All Users\Application Data\Cisco AnyConnectVPNClient\AnyConnectLocalPolicy.xml. Once you locate the xml file, make changes to this file as shown here:

    Change the phrase:

    <FipsMode>true</FipsMode>

    To:

    <FipsMode>false</FipsMode>

    Then, restart the computer. Users must have administrative permissions in order to modify this file.
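
    The edit described above can be scripted so that only the FipsMode element changes and the result is re-parsed before it is written back. This is an added example, not part of the original document; the sample policy text, including its root element, namespace and second element, is constructed, and only the FipsMode element name comes from this page.

```python
import re
import shutil
import xml.etree.ElementTree as ET

# Constructed sample policy file. Only <FipsMode> is taken from this document;
# the root element, namespace and other element are assumptions for the demo.
SAMPLE_POLICY = """\
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <FipsMode>true</FipsMode>
  <BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>
"""

FIPS_RE = re.compile(r"(<FipsMode>\s*)(true|false)(\s*</FipsMode>)", re.IGNORECASE)


def read_fips_mode(xml_text):
    """Return True/False for the FipsMode setting, or None if it is absent,
    duplicated, or not a boolean. Malformed XML raises ET.ParseError."""
    root = ET.fromstring(xml_text)
    values = [
        (el.text or "").strip().lower()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "FipsMode"  # ignore any namespace
    ]
    if len(values) != 1 or values[0] not in ("true", "false"):
        return None
    return values[0] == "true"


def set_fips_mode(xml_text, enabled):
    """Return the policy text with FipsMode set, leaving every other byte
    untouched. Raises ValueError if the element cannot be changed safely."""
    enabled = bool(enabled)
    if read_fips_mode(xml_text) is None:
        raise ValueError("no single well-formed FipsMode element found")
    value = "true" if enabled else "false"
    new_text, count = FIPS_RE.subn(
        lambda m: m.group(1) + value + m.group(3), xml_text
    )
    # Re-parse the result so a bad substitution is never written to disk.
    if count != 1 or read_fips_mode(new_text) != enabled:
        raise ValueError("FipsMode element could not be rewritten")
    return new_text


def update_policy_file(path, enabled):
    """Rewrite the file at path, keeping a .bak copy. Returns True if changed.
    Needs administrative permissions on the real policy file."""
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    updated = set_fips_mode(original, enabled)
    if updated == original:
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    print("before:", read_fips_mode(SAMPLE_POLICY))
    print("after: ", read_fips_mode(set_fips_mode(SAMPLE_POLICY, False)))
```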

    Error: "Certificate Validation Failure"

    Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

    Solution

    Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

    ssl certificate-authentication interface outside port 443

    Error: "VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience"

    When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

    Solution

    This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

    Error: "This installation package could not be opened. Verify that the package exists"

    When AnyConnect is downloaded, this error message is received:

    "Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."

    Solution

    Complete these steps in order to fix this issue:

    1. Remove any anti-virus software.
    2. Disable the Windows firewall.
    3. If neither Step 1 or 2 helps, then format the machine and then install.
    4. If the problem still persists, open a TAC Case.

    Error: "Error applying transforms. Verify that the specified transform paths are valid."

    This error message is received during the auto-download of AnyConnect from the ASA:

              "Contact your system administrator. The installer failed with the following error:
    Error applying transforms. Verify that the specified transform paths are valid."

    This is the error message received when connecting with AnyConnect for MacOS:

              "The AnyConnect package on the secure gateway could not be located. You may be
    experiencing network connectivity problems. Please try connecting again."

    Solution

    Complete one of these workarounds in order to resolve this issue:

    1. The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:
      1. Remove the MST translation table.
      2. Configure the AnyConnect image for MacOS in the ASA.
    2. From the ASDM, follow the Network (Client) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Setting.

    If neither of these workarounds resolve the issue, contact Cisco Technical Support.

    Error: "The VPN client driver has encountered an error"

    This error is received:

              The VPN client driver has encountered an error when connecting through Cisco
    AnyConnect Client.

    Solution

    This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

    Error: "A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored."

    This error is received when you try to launch AnyConnect:

              "A VPN reconnect resulted in different configuration setting. The VPN network
    setting is being re-initialized. Applications utilizing the private network may
    need to be restarted."

    Solution

    In order to resolve this error, use this:

    group-policy <Name> attributes
    webvpn
    svc mtu 1200

    The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

    hostname(config)#group-policy <Name> attributes

    hostname(config-group-policy)#webvpn

    hostname(config-group-webvpn)#anyconnect mtu 500

    AnyConnect Error While Logging In

    Problem

    The AnyConnect receives this error when it connects to the Client:

    The VPN connection is not allowed via a local proxy. This can be changed
    through AnyConnect profile settings.

    Solution

    The issue can be resolved if you make these changes to the AnyConnect profile:

    Add this line to the AnyConnect profile:

    <ProxySettings>IgnoreProxy</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>

    IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

    Problem

    In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

    Solution

    This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

    Error: AnyConnect Essentials can non be enabled until all these sessions are closed.

    This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

              There are currently 2 clientless SSL VPN sessions in progress. AnyConnect
    Essentials can not be enabled until all these sessions are closed.

    Solution

    This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

    • No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
    • No clientless SSL VPN
    • Optional Windows Mobile Support

    This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

    Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

    The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

    Solution

    This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

    Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

    A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

    Solution

    This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

    Error: The certificate you are viewing does not match with the name of the site you are trying to view.

    During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

              The certificate you are viewing does not match with the name of the site
    you are trying to view.

    Solution

    This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

    This is a sample of the XML profile:

    <ServerList>

    <HostEntry>

    <HostName>vpn1.ccsd.net</HostName>

    </HostEntry>

    </ServerList>

    Note: If there is an existing entry for the Public IP address of the server such as <HostAddress>, then remove it and retain only the FQDN of the server (for example, <HostName> but not <Host Address>).
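
    The check behind this fix can be run against a profile before it is deployed. The following is an added example, not Cisco's code: it lists every HostEntry whose connect target cannot match the gateway certificate. The profile fragment, the host names, and the rule that HostAddress takes precedence over HostName are assumptions, and the certificate's names are passed in as a plain list of DNS names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed profile fragment; the second entry pins an IP in <HostAddress>.
PROFILE = """<AnyConnectProfile><ServerList>
  <HostEntry><HostName>vpn.example.com</HostName></HostEntry>
  <HostEntry><HostName>Branch</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def name_matches(host, pattern):
    """Case-insensitive DNS match; '*' stands for exactly one left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def check_server_list(profile_xml, cert_names):
    """Return (target, problem) for every HostEntry the gateway certificate cannot cover."""
    findings = []
    for entry in ET.fromstring(profile_xml).iter():
        if local(entry.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        # Assumption: the client connects to HostAddress when present, else to HostName.
        target = fields.get("HostAddress") or fields.get("HostName", "")
        try:
            ipaddress.ip_address(target)
        except ValueError:
            if not any(name_matches(target, n) for n in cert_names):
                findings.append((target, "name not in certificate"))
        else:
            findings.append((target, "IP literal, certificate carries DNS names"))
    return findings
```

    An empty result means every entry connects to a name the certificate covers.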

    Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

    When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

    Solution

    Currently, this is not possible because it is not supported.

    AnyConnect Profile Does Not Get Replicated to the Standby After Failover

    The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

    Solution

    This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

    AnyConnect Client Crashes if Internet Explorer Goes Offline

    When this occurs, the AnyConnect event log contains entries similar to these:

    Description : Function:
    CAdapterNetworkStateIfc::SetConnectedStateToConnected
    File: .\AdapterNetworkStateIfc.cpp
    Line: 147
    Invoked Function: InternetSetOption
    Return Code: 12010 (0x00002EEA)
    Description: The length is incorrect for the option type

    Description : Function: CTransportWinHttp::InitTransport
    File: .\CTransportWinHttp.cpp
    Line: 252
    Invoked Function: CConnectedStateIfc::SetConnectedStateToConnected
    Return Code: -25362420 (0xFE7D000C)
    Description: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION

    Solution

    This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

    Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

    The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

    Solution

    This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

    In order to resolve this issue, complete these steps:

    1. Reduce the number of entries in the split-tunnel list.
    2. Use this configuration in order to disable DTLS:
      group-policy groupName attributes
      webvpn
      svc dtls none

    For more information, refer to Cisco bug ID CSCtc41770.

    Error Message: "Connection attempt has failed due to invalid host entry"

    The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

    Solution

    In order to resolve this issue, try either of these possible solutions:

    • Upgrade the AnyConnect to Version 3.0.
    • Disable Cisco Secure Desktop on your computer.

    For more information, refer to Cisco bug ID CSCti73316.

    Error: "Ensure your server certificates can pass strict mode if you configure always-on VPN"

    When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

    Solution

    This error message implies that if you want to use the Always-On feature, you need a valid server certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

    Error: "An internal error occurred in the Microsoft Windows HTTP Services"

    This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

    ******************************************
    Date : 03/25/2014
    Time : 09:52:21
    Type : Error
    Source : acvpnui

    Description : Function: CTransportWinHttp::SendRequest
    File: .\CTransportWinHttp.cpp
    Line: 1170
    Invoked Function: HttpSendRequest
    Return Code: 12004 (0x00002EE4)
    Description: An internal error occurred in the Microsoft
    Windows HTTP Services

    *****************************************
    Date : 03/25/2014
    Time : 09:52:21
    Type : Error
    Source : acvpnui

    Description : Function: ConnectIfc::connect
    File: .\ConnectIfc.cpp
    Line: 472
    Invoked Function: ConnectIfc::sendRequest
    Return Code: -30015443 (0xFE36002D)
    Description: CTRANSPORT_ERROR_CONN_UNKNOWN
    ******************************************
    Date : 03/25/2014
    Time : 09:52:21
    Type : Error
    Source : acvpnui

    Description : Function: ConnectIfc::TranslateStatusCode
    File: .\ConnectIfc.cpp
    Line: 2999
    Invoked Function: ConnectIfc::TranslateStatusCode
    Return Code: -30015443 (0xFE36002D)
    Description: CTRANSPORT_ERROR_CONN_UNKNOWN
    Connection attempt failed. Please try again.

    ******************************************

    Also, refer to the event viewer logs on the Windows machine.

    Solution

    This could be caused due to a corrupted Winsock connection. Reset the connection from the command prompt with this command and restart your Windows machine:

    netsh winsock reset

    Refer to the How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista knowledge base article for more information.

    Error: "The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway."

    This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

    ******************************************
    Date        : 10/27/2014
    Time        : 16:29:09
    Type        : Error
    Source      : acvpnui

    Description : Function: CTransportWinHttp::handleRequestError
    File: .\CTransportWinHttp.cpp
    Line: 854
    The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway.

    ******************************************
    Date        : 10/27/2014
    Time        : 16:29:09
    Type        : Error
    Source      : acvpnui

    Description : Function: CTransportWinHttp::SendRequest
    File: .\CTransportWinHttp.cpp
    Line: 1199
    Invoked Function: CTransportWinHttp::handleRequestError
    Return Code: -30015418 (0xFE360046)
    Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE

    ******************************************
    Date        : 10/27/2014
    Time        : 16:29:09
    Type        : Error
    Source      : acvpnui

    Description : Function: ConnectIfc::TranslateStatusCode
    File: .\ConnectIfc.cpp
    Line: 3026
    Invoked Function: ConnectIfc::TranslateStatusCode
    Return Code: -30015418 (0xFE360046)
    Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
    Connection attempt failed.  Please try again.
    ******************************************

    Solution

    Windows 8.1 does not support RC4 according to the following KB update:

    http://support2.microsoft.com/kb/2868725

    Either configure DES/3DES ciphers for SSL VPN on the ASA using the command "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1" OR edit the Windows Registry file on the client machine as mentioned below:

    https://technet.microsoft.com/en-us/library/dn303404.aspx
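
    For triage across many DART bundles, the entries quoted in this and the earlier sections can be parsed rather than read by eye. The following is an added example, not part of the Cisco document or the DART tool: it splits a log on the asterisk rulers, extracts the fields, and checks that each Return Code's signed decimal and 32-bit hex forms agree. The sample log is constructed and shortened, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shortened but laid out like the DART entries quoted on this page.
SAMPLE = r"""
******************************************
Date        : 10/27/2014
Source      : acvpnui

Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
Date        : 03/25/2014
Description : Function: CTransportWinHttp::SendRequest
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft
Windows HTTP Services
******************************************
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
CODE = re.compile(r"(-?\d+)\s*\((0x[0-9A-Fa-f]+)\)")

def parse_dart(text):
    """Split on the asterisk rulers and return one dict per log entry."""
    entries = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        entry, last = {}, None
        for line in filter(None, map(str.strip, block.splitlines())):
            m = FIELD.match(line)
            if m is None:                  # wrapped text continues the previous field
                if last:
                    entry[last] += " " + line
                continue
            key, value = m.group(1), m.group(2)
            if key == "Description" and value.startswith("Function:"):
                key, value = "Function", value.split(":", 1)[1].strip()
            entry[key], last = value, key
        code = CODE.search(entry.get("Return Code", ""))
        if code:                           # the decimal is the signed view of the 32-bit hex
            entry["code"] = int(code.group(2), 16)
            entry["code_consistent"] = (int(code.group(1)) & 0xFFFFFFFF) == entry["code"]
        if entry:
            entries.append(entry)
    return entries

def error_counts(entries):
    """Count entries per final Description string, for quick triage."""
    return Counter(e.get("Description", "<none>") for e in entries)
```

    Calling error_counts(parse_dart(SAMPLE)) groups the failures by their final Description, and an entry with code_consistent set to False points at a truncated or altered log line.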

    • Cisco ASA 5500 Series Adaptive Security Appliances
    • AnyConnect VPN Client FAQ
    • Cisco Secure Desktop (CSD) FAQ
    • Cisco AnyConnect VPN Client
    • Technical Support & Documentation - Cisco Systems

    baileybeek1981.blogspot.com

    Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212972-anyconnect-vpn-client-troubleshooting-gu.html
