AnyConnect client no assigned address error
I am trying to set up the AnyConnect client (v2.4.0196) and when it tries to connect it fails with a no assigned address error. I look in the logs of the ASA and see a No IPv6 address available for SVC connection. IPv6 is disabled on the ASA.
Does anyone know how to prevent the AnyConnect client from trying to get an IPv6 address?
Thanks in advance...
Note that 2.4 is still beta, 2.3.2016 is the latest supported release today.
Having said that, I rather suspect an ASA issue than a client issue. Can you confirm whether or not an ipv4 address is assigned?
I.e. is there something in the logs like:
Oct 13 2009 09:05:55: %ASA-6-737026: IPAA: Client assigned 192.168.0.1 from local pool
Oct 13 2009 09:05:55: %ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'
(note these are level 6 messages)
Similar Messages
-
AnyConnect Client v3.1 driver error on windows 7
Hello,
I used AnyConnect Client v3.0 on my Windows 7 machine and it worked well. But after an automatic upgrade to v3.1 by the VPN server (ASA), it does not work any more. It seems that VPN authentication is successful but activation of the VPN adapter fails.
I see two error messages below:
The VPN client driver has encountered an error. Please restart your computer or device, then try again.
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
Message History:
[30/08/2013 6:03:14 PM] Ready to connect.
[30/08/2013 6:04:20 PM] Contacting vpn.example.com.
[30/08/2013 6:04:25 PM] User credentials entered.
[30/08/2013 6:04:26 PM] Establishing VPN session...
[30/08/2013 6:04:26 PM] Checking for profile updates...
[30/08/2013 6:04:26 PM] Checking for product updates...
[30/08/2013 6:04:26 PM] Checking for customization updates...
[30/08/2013 6:04:26 PM] Performing any required updates...
[30/08/2013 6:04:32 PM] Establishing VPN session...
[30/08/2013 6:04:32 PM] Establishing VPN - Initiating connection...
[30/08/2013 6:04:33 PM] Establishing VPN - Examining system...
[30/08/2013 6:04:33 PM] Establishing VPN - Activating VPN adapter...
[30/08/2013 6:05:13 PM] Establishing VPN - Repairing VPN adapter...
[30/08/2013 6:06:00 PM] Disconnect in progress, please wait...
[30/08/2013 6:11:53 PM] Connection attempt has failed.
[30/08/2013 6:11:54 PM] Ready to connect.
I already tried most of the suggestions below from Google, but the issue still has not been resolved.
- Rebooted the laptop
- Confirm ICS disabled
- Remove Anyconnect client from the laptop and reinstall
- http://www.lehigh.edu/~inlts/comp/docs/vpn/cisco-drvr.html
Cheers
Jeong
I am also facing the exact same issue. I even tried with the newer version, but it does not work. During connection, it asks to accept the banner and then suddenly the Cisco adapter driver gets uninstalled from Device Manager and Cisco pops up the error screen.
" the VPN client driver encountered an error. Please restart your computer or device and try again"
Please help. -
AnyConnect client 3.1 installation error
Some of my VPN users are getting the following error on Windows 7 64 bit computer. I have uploaded the client to a website. The VPN users are supposed to download and install the client from the web-site. Then they enter the URL to connect to our VPN. This worked fine during the test and only some users are having issues. This seems like Windows issue. Any ideas? Did anyone experience this?
Error
“There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor”
Client- anyconnect-win-3.1.02026-web-deploy-k9.exe
I was able to resolve this issue.
This was the error in Windows events-
Event ID: 11722 Product:
Cisco AnyConnect Secure Mobility Client -- Error 1722.
There is a problem with this Windows Installer package.
A program run as part of the setup did not finish as expected.
Contact your support personnel or package vendor.
Action kdf_acsock64_Install, location:
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\VACon64.exe, command: kdf -install "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\\" acsock
ISSUE
Virus damaged the Windows Firewall and Firewall service wasn’t running. When AnyConnect tried to register itself with the Firewall, it failed as the Firewall was damaged.
RESOLUTION
We decided to reimage the computer rather than fixing the issue. Reason- the Virus might have caused other damages that we were not able to detect. -
Hi everyone,
it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
: Saved
ASA Version 9.1(1)
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ... encrypted
names
name 10.0.1.0 LAN-10-0-1-x
dns-guard
ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif Internal
security-level 100
ip address 10.0.1.254 255.255.255.0
interface Vlan2
nameif External
security-level 0
ip address dhcp setroute
regex BlockFacebook "facebook.com"
banner login This is a monitored system. Unauthorized access is prohibited.
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Internal
dns domain-lookup External
dns server-group DefaultDNS
name-server 10.0.1.11
name-server 75.153.176.1
name-server 75.153.176.9
domain-name ingo.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-10-0-1-x
subnet 10.0.1.0 255.255.255.0
object network Company-IP1
host xxx.xxx.xxx.xxx
object network Company-IP2
host xxx.xxx.xxx.xxx
object network HYPER-V-DUAL-IP
range 10.0.1.1 10.0.1.2
object network LAN-10-0-1-X
access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389
tcp-map Normalizer
check-retransmission
checksum-verification
no pager
logging enable
logging timestamp
logging list Threats message 106023
logging list Threats message 106100
logging list Threats message 106015
logging list Threats message 106021
logging list Threats message 401004
logging buffered errors
logging trap Threats
logging asdm debugging
logging device-id hostname
logging host Internal 10.0.1.11 format emblem
logging ftp-bufferwrap
logging ftp-server 10.0.1.11 / asa *****
logging permit-hostdown
mtu Internal 1500
mtu External 1500
ip verify reverse-path interface Internal
ip verify reverse-path interface External
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo External
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (Internal,External) dynamic interface
object network LAN-10-0-1-x
nat (Internal,External) dynamic interface
object network HYPER-V-DUAL-IP
nat (Internal,External) static interface service tcp 3389 3389
access-group 100 in interface External
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
aaa-server radius (Internal) host 10.0.1.11
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console radius LOCAL
http server enable
http LAN-10-0-1-x 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map interface External
crypto ca trustpoint srv01_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint asa_cert_trustpoint
keypair asa_cert_trustpoint
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpool policy
crypto ca server
cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
issuer-name CN=...
database path disk0:/LOCAL_CA_SERVER/
smtp from-address ...
publish-crl External 44436
crypto ca certificate chain srv01_trustpoint
certificate <output omitted>
quit
crypto ca certificate chain asa_cert_trustpoint
certificate <output omitted>
quit
crypto ca certificate chain LOCAL-CA-SERVER
certificate <output omitted>
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External client-services port 44455
crypto ikev2 remote-access trustpoint asa_cert_trustpoint
telnet timeout 5
ssh LAN-10-0-1-x 255.255.255.0 Internal
ssh xxx.xxx.xxx.xxx 255.255.255.255 External
ssh xxx.xxx.xxx.xxx 255.255.255.255 External
ssh timeout 5
ssh version 2
console timeout 0
no vpn-addr-assign aaa
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd dns 75.153.176.9 75.153.176.1
dhcpd domain ingo.local
dhcpd option 3 ip 10.0.1.254
dhcpd address 10.0.1.50-10.0.1.81 Internal
dhcpd enable Internal
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter use-database
dynamic-filter enable interface Internal
dynamic-filter enable interface External
dynamic-filter drop blacklist interface Internal
dynamic-filter drop blacklist interface External
ntp server 128.233.3.101 source External
ntp server 128.233.3.100 source External prefer
ntp server 204.152.184.72 source External
ntp server 192.6.38.127 source External
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point asa_cert_trustpoint External
webvpn
port 44433
enable External
dtls port 44433
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
anyconnect profiles profile1 disk0:/profile1.xml
anyconnect enable
smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect profiles value profile1 type user
username write.ingo password ... encrypted
username ingo password ... encrypted privilege 15
username tom.tucker password ... encrypted
class-map TCP
match port tcp range 1 65535
class-map type regex match-any BlockFacebook
match regex BlockFacebook
class-map type inspect http match-all BlockDomains
match request header host regex class BlockFacebook
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1500
id-randomization
policy-map TCP
class TCP
set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
set connection timeout dcd
set connection advanced-options Normalizer
set connection decrement-ttl
policy-map type inspect http HTTP
parameters
protocol-violation action drop-connection log
class BlockDomains
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map dynamic-filter-snoop
inspect http HTTP
service-policy global_policy global
service-policy TCP interface External
smtp-server 199.185.220.249
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
: end
Many thanks,
Ingo
Hi Jose,
here is what I got now:
ASA(config)# sh run | begin tunnel-group
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool
authorization-required
and DAP debugging still the same:
ASA(config)# DAP_TRACE: DAP_open: CDC45080
DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: tom.tucker, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.02026";
endpoint.anyconnect.platform="win";
DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
Thanks,
Ingo -
Assigning AnyConnect Client Profiles based on the machine?
I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both Radius and LDAP (AD) AAA available.
If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP cannot assign an AnyConnect client profile.
If at all possible, I do not want users to have to pick a connection profile or use different URLs.
Is there any way to accomplish this?
Hi
Did you ever resolve this issue? I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
Has anyone got any idea how I could do this?
thanks
Steve -
Hello, I am a software engineer and have been trying to connect to my client's VPN using the AnyConnect Secure Mobility Client (version 3.1.04066) and keep receiving the error "The VPN client driver encountered an error. Please try again or restart your system."
I am on a Windows 7 system with an intel i7-2670QM cpu. My computer model is an HP Pavilion dv7.
I have tried uninstalling the software, re-installing it. I've tried restarting my system multiple times through the process. I've checked the registry and made sure the name was setup correctly. I have checked and made sure that the correct services are not enabled. I have also tried what was suggested on the support page and checked the integrity of catroot2 as well as renaming it and regenerating the folder. None of these have been able to fix my problem.
For information, this is the message history when I try to connect:
[12/8/2014 8:55:49 AM] Ready to connect.
[12/8/2014 9:27:19 AM] Contacting vpn.[hostaddressremoved].com.
[12/8/2014 9:27:22 AM] Please enter your username and password.
[12/8/2014 9:27:29 AM] User credentials entered.
[12/8/2014 9:27:30 AM] Please respond to banner.
[12/8/2014 9:27:31 AM] User accepted banner.
[12/8/2014 9:27:31 AM] Establishing VPN session...
[12/8/2014 9:27:32 AM] Checking for profile updates...
[12/8/2014 9:27:32 AM] Checking for product updates...
[12/8/2014 9:27:32 AM] Checking for customization updates...
[12/8/2014 9:27:32 AM] Performing any required updates...
[12/8/2014 9:27:32 AM] Establishing VPN session...
[12/8/2014 9:27:32 AM] Establishing VPN - Initiating connection...
[12/8/2014 9:27:33 AM] Establishing VPN - Examining system...
[12/8/2014 9:27:33 AM] Establishing VPN - Activating VPN adapter...
[12/8/2014 9:27:33 AM] Establishing VPN - Attempting to repair VPN adapter...
[12/8/2014 9:27:33 AM] Disconnect in progress, please wait...
[12/8/2014 9:28:22 AM] Connection attempt has failed.
[12/8/2014 9:28:24 AM] Ready to connect.
I have tried every kind of search I can think of to find any other solutions to try, and I cannot find anything else. Does anyone have any other recommendations of what to try in order to be able to connect to my client?
-TheJayDude
Yes, I am sorry to say that several people have seen the same issue. It seems like the issue is specific to Yosemite and AnyConnect. My very technical staff and I have tried many things. The default route is missing and the file /var/run/resolv.conf is also missing, which means that both the route and DNS server are messed up. We re-added the default route manually, which allows us to ping the servers and even access them via the IP address.
Run the command below before starting the VPN to get the default route
netstat -nr | grep default
Then run the following to re-add the default route.
route add default xxx.xxx.xxx.xxx
BUT there is no way that I can find to fix the DNS entry.
We tried re-adding the DNS entries in the /var/run/resolv.conf and then restarting the DNS service
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
Password:
$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
BUT THIS DOES NOT WORK!
If anyone can help us solve the DNS issue, at least we have a work-around for our technical people until Cisco and/or Apple can resolve it.
Here is a link to the same issue at Cisco.
https://supportforums.cisco.com/discussion/12334071/cisco-anyconnect-secure-mobility-client-os-x-yosemite-vpn-not-working-if-mac -
Error 751011 - Mac OSX anyconnect client
Hi all,
I'm running into the following error when I use a Mac OSX anyconnect client when I try to connect. Our Windows 7 anyconnect clients login just fine.
3 Oct 25 2013 16:19:54 751011 Local:x.x.x.x:4500 Remote:y.y.y.y:34573 Username:Unknown Failed user authentication. Error: General Failure
%ASA-3-751011: Local: localIP:port Remote:remoteIP:port Username: username/group Failed user authentication. Error: error
A failure occurred during user authentication within EAP for an IKE version 2 remote access connection.
• localIP:port—The local IP address and port number
• remoteIP:port—The remote IP address and port number
• username/group—The username or group associated with this connection attempt
• error—The error string that indicates the specific error
Any ideas of what could be causing this? We are using certificate and LDAP for AAA.
Thanks in Advance.
Bill
Hi Harry,
I have resolved the issue. I didn't realize that I had to have the Mac Anyconnect pkg file copied to the flash of the ASA. Once I did that the authentication issue went away.
Bill -
Anyconnect clients with intermittent timeout/high MS
I'm having a problem where some clients are pinging servers on my lan just fine, but every so often it hangs with about 2500-3000ms then continues just fine for another 30-40 pings. If I connect with another machine running the same version of Anyconnect (the latest version) it pings consistently.
Noticing a lot of strange issues with Anyconnect recently - is there any server side logging that can be enabled to gain more insight on what's going on with specific clients? I had to reboot another ASA earlier today to remedy a problem where some new clients could connect but couldn't ping anything...while others would work like nothing was wrong...connecting/disconnecting like usual.
Thanks in advance
Hi,
It will be difficult to figure out exactly what is going on without a TAC case but here are a couple of pointers that might help you to see what is going on:
1.) Filtered buffered logs on the ASA itself.
To verify if the traffic is dropped on the ASA or not, you can setup buffered logging:
logging buffer-size
logging buffered debugging
logging on
Then, check the IP address which is assigned to your AnyConnect client which is unable to pass traffic and check the entries related to it in the logs:
show logging | i
2.) Check the statistics of the AnyConnect session on the ASA
This command will show you a couple of counters related to your session and might give you a hint of what is wrong:
show vpn-sessiondb detail svc filter a-ipaddress
You can replace a-ipaddress by p-ipaddress or name if you want to filter on public IP of the client or username.
3.) Logs generated by the AnyConnect client itself
If you launch the event viewer from a Windows host where AnyConnect is installed ("eventvwr" command), you'll see that there is a new log type named "Cisco AnyConnect VPN Client". The client will write in there all the logs related to your connection.
If you are using Linux, the logs will either be stored under /var/log/messages or /var/log/syslog.
For OSX, it would be /var/log/system.log.
If you still don't see where the issue is after those steps, my advice would be to open a TAC case to have the issue investigated.
Regards,
Nicolas -
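The log check described in the reply above, as an added example that is not part of the original posts: a small Python parser for ASA syslog lines in the formats quoted in the threads above (737026, 737006, 751011). It filters on a client address without the substring pitfall of a plain include filter, and shows which messages a given logging level would keep. The sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the message formats quoted in the
# threads above. Addresses are lab/documentation values, not real hosts.
SAMPLE = [
    "Oct 13 2009 09:05:55: %ASA-6-737026: IPAA: Client assigned 10.0.2.1 from local pool",
    "Oct 13 2009 09:05:55: %ASA-6-737006: IPAA: Local pool request succeeded "
    "for tunnel-group 'DefaultWEBVPNGroup'",
    "Oct 13 2009 09:07:10: %ASA-6-737026: IPAA: Client assigned 10.0.2.10 from local pool",
    "Oct 25 2013 16:19:54: %ASA-3-751011: Local:192.0.2.1:4500 Remote:198.51.100.7:34573 "
    "Username:Unknown Failed user authentication. Error: General Failure",
    "free text that is not an ASA syslog message",
]

# Line layout: "<timestamp>: %ASA-<severity>-<message id>: <text>"
ASA_RE = re.compile(
    r"^(?P<ts>.*?):\s*%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
ASSIGNED_RE = re.compile(r"IPAA: Client assigned (?P<ip>\S+) from local pool")
AUTH_FAIL_RE = re.compile(
    r"Local:\s*(?P<local>\S+)\s+Remote:\s*(?P<remote>\S+)\s+"
    r"Username:\s*(?P<user>.*?)\s+Failed user authentication\.\s+"
    r"Error:\s*(?P<error>.*)")


def parse_line(line):
    """Split one syslog line into timestamp, severity, message ID and text."""
    m = ASA_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "severity": int(m["sev"]),
            "msgid": m["msgid"], "text": m["text"]}


def mentions_ip(line, ip):
    """True only if `ip` appears as a whole address (an ip:port suffix is fine).

    A plain substring filter for 10.0.2.1 would also hit 10.0.2.10.
    """
    pattern = r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)"
    return re.search(pattern, line) is not None


def filter_by_ip(lines, ip):
    """Keep only the lines that mention exactly this address."""
    return [line for line in lines if mentions_ip(line, ip)]


def visible_at(records, level):
    """Records kept by a logging destination set to `level`.

    A destination keeps severities numerically <= its level (3 = errors,
    7 = debugging), so the level 6 IPAA messages are dropped at level 3.
    """
    return [r for r in records if r["severity"] <= level]


def summarize(lines):
    """Collect pool assignments and IKEv2 EAP authentication failures."""
    records = [r for r in map(parse_line, lines) if r is not None]
    report = {"by_id": Counter(r["msgid"] for r in records),
              "assigned": [], "auth_failures": [], "records": records}
    for r in records:
        if r["msgid"] == "737026":
            m = ASSIGNED_RE.search(r["text"])
            if m:
                report["assigned"].append(m["ip"])
        elif r["msgid"] == "751011":
            m = AUTH_FAIL_RE.search(r["text"])
            if m:
                report["auth_failures"].append({"ts": r["ts"], **m.groupdict()})
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE)
    print("assigned addresses:", rep["assigned"])
    print("auth failures:", rep["auth_failures"])
    print("lines for 10.0.2.1:", filter_by_ip(SAMPLE, "10.0.2.1"))
    print("kept at level 3:", [r["msgid"] for r in visible_at(rep["records"], 3)])
```
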
XE connection problem after using Cisco AnyConnect Client
Hello
I have a rather annoying problem connecting to an XE instance AFTER I have disconnected from a VPN via a Cisco AnyConnect VPN Agent.
Sequence of operations:
- start Oracle XE and work normally
- connect to client's vpn
- do other stuff
- DISCONNECT from Client's VPN
-> unable to connect to XE service any more, unless I reboot
The problem does not happen with other vpn clients like Cisco VPN Service, Juniper, Checkpoint.
Details:
- sqlplus connection WITH service name (eg sqlplus user/pwd@XE): FAILURE with ORA-12170
- but...sqlplus connection WITHOUT service name (eg sqlplus user/pwd): SUCCESS (weird !)
- tnsping XE: TNS-12535 error
- lsnrctl status output (sorry, italian localized)
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 22-GIU-2011 14:19:38
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connessione a (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))
STATO del LISTENER
Alias LISTENER
Versione TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
Data di inizio 22-GIU-2011 12:26:15
Tempo di attività 0 giorni 1 ore 53 min. 22 sec.
Livello trace off
Sicurezza ON: Local OS Authentication
SNMP OFF
Servizio predefinito XE
File di parametri listener C:\programs\oraclexe\app\oracle\product\10.2.0\server\network\admin\listener.ora
File di log listener C:\programs\oraclexe\app\oracle\product\10.2.0\server\network\log\listener.log
Summary table degli endpoint di ascolto...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC_FOR_XEipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=MyPCName)(PORT=8080))(Presentation=HTTP)(Session=RAW))
Summary table dei servizi...
Il servizio "CLRExtProc" ha 1 istanze.
L'istanza "CLRExtProc", stato UNKNOWN, ha 1 handler per questo servizio...
Il servizio "PLSExtProc" ha 1 istanze.
L'istanza "PLSExtProc", stato UNKNOWN, ha 1 handler per questo servizio...
Il servizio "XEXDB" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Il servizio "XE_XPT" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Il servizio "xe" ha 1 istanze.
L'istanza "xe", stato READY, ha 1 handler per questo servizio...
Environment:
Win7 Pro SP1
Oracle XE 10.2.0
I have stopped the Win firewall and the problem is still there, so it is not a firewall problem
listener.ora configuration
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\programs\oraclexe\app\oracle\product\10.2.0\server)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\programs\oraclexe\app\oracle\product\10.2.0\server)
      (PROGRAM = extproc)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = MyPCName)(PORT = 1521))
    )
  )
DEFAULT_SERVICE_LISTENER = (XE)
tnsnames.ora
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = MyPCName)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
Any help?
Hi;
Please close this thread as answered and keep updating the issue at:
Re: XE connection problem after using Cisco AnyConnect Client
Regard
Helios -
Windows 8.1 Preview not working with AnyConnect Client
I had Windows 8 and was running Cisco AnyConnect client 3.0.10055 perfectly.
I upgraded to the Windows 8.1 preview and it tries to download update and then it fails and disconnects with the following message:
An unknown termination error occurred in the client.
Tried uninstalling and reinstalling the client, no luck.
Any ideas?
Thanks,
Eric
I had the same issue with Windows 8.1 x64. I believe there is an issue with the Windows 8.1 update process where it fails to update some of the drivers properly. I have noticed this issue with other Windows drivers after the update. Follow the steps below and your VPN should work again.
1. Uninstall Cisco Anyconnect client.
2. Go to Device Manager and Disable Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
3. Go to C:\Windows\System32 and rename vpnva64.sys to vpnva64_Old.sys.
4. Reinstall Cisco Anyconnect client.
5. Go to Device Manager, you see duplicated Cisco AnyConnect VPN Virtual Adapters. Uninstall one of them but do not check the option to remove the driver.
6. Apply the registry fix in this blog: http://www.tomontech.com/2012/03/pro-tip-cisco-anyconnect-vpn-client-and-windows-8-consumer-preview/
7. Try to connect again and your Cisco VPN should work. -
SSL Certificate Mismatch with AnyConnect client
Hello,
We are having a problem with the AnyConnect client when connecting to our VPN. We are running the following:
AnyConnect v2.4.0202
(2 each) ASA v8.2(1) -- active/standby failover
AnyConnect Essentials Licensing
NOTE: We are not using certificates for authentication.
Primary clients: Windows XP and Windows 7
Problem
We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and it is attached to the outside interface on the ASA.
Steps to Reproduce
Install the AnyConnect (AC) client via https://vpn.company.com/. Connection occurs here without issue.
Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
The user must press Yes to bypass mismatch.
PROBLEM: On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establish VPN" (see attachment Unable.jpg).
The issue is we have a valid certificate that should be used for the connection. However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name. This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
I have not been able to find any documentation on Cisco.com relating to this issue. In short, how do I get the AC client to use "vpn.company.com" so there is no Cert mismatch?
Thanks,
-Matt
Tim,
I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again. I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the Fiddler dump. It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
The only other article/post I've come across on Cisco's site that comes close is here:
Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do. However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
I will let you know if I find any smoking guns in the doco link you sent. Any other thoughts appreciated. I can't believe Cisco made the setup of the AC client this convoluted.
Thanks!
-Matt -
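The mismatch described in this thread follows from how TLS name checking treats the dialled target: an IP literal is compared only against iPAddress entries in the certificate, never against its DNS names. The sketch below is an added example, not code from the posts or from Cisco; the matching is a simplified form of the usual rules, it also covers wildcard and IP SANs beyond the thread's case, and the address 192.0.2.10 and the certificate contents are constructed.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry; '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_target(cert: dict, target: str) -> tuple[bool, str]:
    """Return (ok, reason) for the name or address the client dialled.

    cert uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress SAN"
        return False, f"no iPAddress SAN for {target}; DNS names are not consulted"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"matched dNSName {value}"
    return False, f"no dNSName SAN matches {target}"

# Constructed certificate contents mirroring the thread's "vpn.company.com" cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.company.com"),),),
    "subjectAltName": (("DNS", "vpn.company.com"),),
}

if __name__ == "__main__":
    # 192.0.2.10 is a constructed stand-in for the ASA's outside address.
    for target in ("vpn.company.com", "192.0.2.10", "asa1.company.com"):
        print(target, check_target(SAMPLE_CERT, target))
```

Running it shows the name passing and the IP literal failing against the same certificate, which is the condition that raises the Security Alert dialog in stand-alone mode.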
Clients not receiving addresses from DHCP
I have a Cisco 2811 router and have configured it to be a DHCP server at a remote site. It seems like it should be pretty straight forward to configure DHCP. Apparently I'm missing something because I can't get clients to receive an address. Below are the applicable parts of the config. I also have tried associating the DHCP pool with the Claims vrf and that did not work either.
ip dhcp excluded-address 10.10.30.0 10.10.30.99
ip dhcp excluded-address 10.10.30.201 10.10.30.255
ip dhcp pool Claims_Office
 network 10.10.30.0 255.255.255.0
 domain-name fmi.com
 default-router 10.10.30.253
 dns-server 10.10.10.191
 lease 7
interface FastEthernet0/0
 description Claims Office
 vrf forwarding Claims
 ip address 10.10.30.253 255.255.255.0
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/0/0.1205
 description Claims Office
 vrf forwarding Claims
 encapsulation dot1Q 1205
 ip address 192.168.103.2 255.255.255.252
Unfortunately that didn't work. Here is the output before:
Pool Claims_Office :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.10.30.1 10.10.30.1 - 10.10.30.254 0
And after:
Pool Claims_Office :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.10.30.1 10.10.30.1 - 10.10.30.254 0
What I want is for it to assign addresses from 10.10.30.100-199 -
Anyconnect client problem, load balancing fqdn changes after update client?
Hi,
We use two asa's in loadbalancing. Users use the loadbalancing fqdn name to connect. This works fine until we push new client anyconnect software, that the connect to field changes from the fqdn to the appliance ip address where the client downloaded the software. So loadbalancing will not work anymore. Is there a solution for this?
Thx,
Marc
This sounds like CSCsz39019:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz39019
Symptom:
Anyconnect client preserves the FQDN name of the ASA its connecting to instead
of load-balancing cluster FQDN.
Workaround:
When the cluster member appears in the host list, user can select the correct
host by clicking the drop down. The next time user starts the client, the
cluster member will no longer be visible. It will have been replaced with the cluster name last selected.
This should be fixed in 2.3(2028), 2.4(192) and 2.5(53) or any higher release. Keep an eye out for the next release with this fix. -
802.1x and DHCP assigned addresses
I've done a lot of reading on this but I am still confused. I'm not a Microsoft guru so I don't really know what is going on with login scripts, or cached user/pass.
Scenario 1
==========
I have 802.1x implemented and Joe the contractor comes into the office and plugs in his laptop. He is a guest. I allow guests to have access to a guest VLAN. How can Joe automatically get an IP address, or does he have to do ipconfig /renew?
Scenario 2
==========
What is the behind the scenes process that takes place for my corporate users that login to a domain....how do they get DHCP assigned addresses?
Thanks
I assume from what you have written 'Joe' doesn't have an 802.1x supplicant on his PC? Therefore the switchport EAPOL frames are ignored by the PC and after a timeout the port is placed in the guest VLAN. You need to make sure DHCP is enabled for the guest VLAN - either add the appropriate entries to the protecting ACL or add a scope on the router? Depending on the timeouts you may have some delay issues here; I would test this before you roll it out.
For clients with 802.1x supplicants what happens is the PC effectively thinks it is disconnected from the network until the supplicant has authenticated. Once it has authenticated the PC thinks the network adapter is then connected and it will attempt to lease an IP address by broadcasting a DHCP request.
There are however a few 802.1x supplicants and I am not sure how they all integrate with the host O/S. I know the built-in Microsoft one operates as I have described.
HTH
Andy -
AnyConnect Client Profile in ASDM
I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu. Also check that your ASDM username have enough privelege."
My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this. Right now I have
anyconnect-win-3.0.10055-k9.pkg installed.
This is a lab setup using GNS3.
Any ideas?
Hi Marius,
I would assume you are running ASA 8.0x, right?
Please check this out:
"If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
Security Appliance Software Requirements
So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
Let me know.
Thanks.
Portu
Please rate any posts you find helpful.