Anyconnect trouble Windows7

Hi,
I'm having a lot of trouble getting Anyconnect to make a connection from a Win7 machine. Installation went ok, and after pushing the connect button the client tries to connect, but after a while I get the following messages:
- Establishing VPN - Activating VPN adapter
- The VPN client driver has encountered an error
- Unable to establish VPN
Checked the following things:
- is the user info correct? (ip address gateway, username and password)
- firewall settings (campus, local)
- virus scanners
- http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809b4754.shtml solution
- Routing and Remote Access Service is disabled
- used admin privs to install and run
- different versions 2.4 and 2.5
All to no avail.
Strangely, however, Windows XP is not a problem.
Any help much appreciated,
Erik

Thanks. Installed the 3.0 version but with the same result:
Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
[Fri Jun 29 12:32:09 2012] Ready to connect.
[Fri Jun 29 12:32:13 2012] Contacting aaa.bbb.xxx.yyy
[Fri Jun 29 12:32:16 2012] Please enter your username and password.
[Fri Jun 29 12:32:27 2012] Establishing VPN session...
[Fri Jun 29 12:32:29 2012] Checking for profile updates...
[Fri Jun 29 12:32:29 2012] Checking for product updates...
[Fri Jun 29 12:32:30 2012] Downloading  - 100%
[Fri Jun 29 12:32:30 2012] Checking for customization updates...
[Fri Jun 29 12:32:30 2012] Performing any required updates...
[Fri Jun 29 12:32:30 2012] Establishing VPN session...
[Fri Jun 29 12:32:30 2012] Establishing VPN - Initiating connection...
[Fri Jun 29 12:32:31 2012] Establishing VPN - Examining system...
[Fri Jun 29 12:32:31 2012] Establishing VPN - Activating VPN adapter...
[Fri Jun 29 12:32:31 2012] Disconnect in progress, please wait...
[Fri Jun 29 12:32:31 2012] Ready to connect.
[Fri Jun 29 12:34:10 2012] Connection attempt has failed.
[Fri Jun 29 12:34:17 2012] Ready to connect.

Similar Messages

  • ASA5510 + AnyConnect trouble

    Hi,
    Can't get it to work. The log says: Syslog ID: 716023 Group <DfltGrpPolicy> User <wmdata> IP <217.xx.xx.xx> Session could not be established: session limit of 2 reached.
    And license tab says "Clientless SSL VPN Peers: 2 "
    But active VPN Tunnels is 0 on all.
    So where has the license gone?
    Thanks

    Nordintom,
    This is a bug in 8.0(2) that is fixed in 8.0(3). It will also resolve itself if you reboot the firewall.
    I'll post the bugID when I find it.

  • Trouble with Windows7 and Gigabit link on Cisco 3560X switch

    Hello,
    In my company, we are using Cisco IP Phones 7945G (with 2 gigabit network ports) and Cisco 3560X-48P (1GB ports) switches for our users.
    Our client computers are running on Windows 7 SP1 (64bit - Enterprise edition) and are connected behind the IP Phone. We use a "Broadcom Xtreme Gigabit" onboard network card on the computers. All ports (on the switch side and IP Phone side) and on the network card of the computer are configured in "auto negotiation". Duplex and speed are set to "auto".
    We tried now to deploy a new engineering software and we are facing a very strange problem. This means that the engineer software fails to download some files from the server. We are using a flat network, all the servers and computers are on the same network segment with no firewall in between.
    The firewall and Anti-virus on the computers are configured to allow all incoming/outgoing connections.
    To troubleshoot, I tried to change all the network cables but I still get same result --> download fails.
    I connected the client computer directly to the Cisco 3560X switch, without the IP Phone and I get the same result.
    I installed a separate network card from INTEL (Intel PRO1000 PT) but I get the same result.
    As a last test, I have connected the same client computer directly to a Cisco 2960-8TC switch (100Mbit; auto negotiate) and here it is working fine. The software successfully downloads all the files from the server.
    If I connect the computer behind the Cisco 7945 IP Phone and set the speed and duplex of the PC-Port on the Cisco IP Phone 7945G to "100MBit/full duplex", it is also working fine.
    Is there any known issue with Windows7 and Gigabit network connections?
    Do I need to set any Registry key on my Windows 7?
    The firmware version of my Cisco 3560X-48P switch is 12.2(53)SE2; do I need to update it?
    The firmware version of the IP Phone 7945G is 9.2.1.
    Thanks in advance for your help.
    Marc Hoffmann

    Hello,
    Thanks for your answers.
    First of all, I have updated the firmware of my Cisco Catalyst 3560X-48P switch to the version 12.2(55)SE5. Unfortunately, this did not solve my problem.
    As a second step, I ran a TDR test on my 3560X switch but I do not get any result. The "Pair status" always says "not completed". Even if I wait for 5 minutes, the status remains at "Not completed". Am I doing something wrong? To do the TDR test, I use the command "test cable-diagnostics tdr interface gigabitEthernet 0/XY". For your information, the port gigabitEthernet 0/XY is in a "Connected" status when I run the "show int status" command.
    Jeff, I think there is no issue on the server side, because if I connect my workstation on a 100MB switch (example Cisco Catalyst 2960-8TC-L) the application works absolutely fine. Also, if I run the application locally on the server, it works fine.
    As a next step, I will connect the workstation directly on our backbone switch and try the same test. Is there perhaps any Registry key in our Windows7 which could cause this trouble?
    If you have any other ideas or options, please let me know.
    Thanks a lot,
    Marc Hoffmann

  • Trouble playing MOV file in Windows7

    Let me start off by saying that this does work in windowsXP
    I have a file that was created using Autodesk 3d max and saved in a .mov format. The file is a panoramic image where you can click and drag to change the view. When I try to open the file on a windows7 machine (have tried several, all with the same result) the quicktime window opens but no image is displayed. In the quicktime player window there is a black box at the top 1 inch of the player; however, the rest of the player window is transparent.
    I have tried updating video drivers, DirectX drivers, re-installing quicktime, adding codec packs, tried using quicktime-alternative, but nothing seems to work. I went as far as getting a .mov converter and trying to save the file in different formats, but the file loses its functionality (no longer a panoramic click and drag-view).
    I'm about ready to try anything here, so start throwing out ideas! Thanks.

    After jumping through several hoops, I was able to speak with the design team. Apparently there is an older version of the file that was working but required a revision. Since the revision it no longer worked in windows7. ahh the simple things...

  • Trouble with Cisco Anyconnect VPN Client

    Hello,
    Our Cisco AnyConnect VPN Client has stopped working. We are a medical office and we are attempting to connect to "clientvpn.e-mds.com"; however, it will not connect. The username and password we input are irrelevant: it doesn't come up with a "wrong credentials" window, it just erases the password and at the bottom of the window it says "Please enter your username and password". Our version is 2.5.0217. Does anyone know anything to try? Any help would be appreciated.

    you may want to try the OS X networking forums:
    http://discussions.apple.com/forum.jspa?forumID=733

  • Having trouble installing the new update for my itunes for windows7 64bit

    I keep getting the same error every time I do it, every time <Edited by Host>

    Errors 201 & 205 & 206 & 207 or several U43 errors
    -http://helpx.adobe.com/creative-cloud/kb/error-downloading-cc-apps.html
    or
    A chat session where an agent may remotely look inside your computer may help
    Creative Cloud chat support (all Creative Cloud customer service issues)
    http://helpx.adobe.com/x-productkb/global/service-ccm.html

  • Trouble installing CS5 on windows7

    I am trying to install CS5 on windows 7 and getting an error message
    - 1 fatal error(s), 4 error(s), 2 warning(s)
    WARNING: OS requirements not met for {694213D7-1E0E-4C8F-B822-E2E3680C0FCE}
    WARNING: OS requirements not met for {AE29D445-8164-4CD1-8824-FCE85C0BB179}
    what do I need to do?

    The errors seem to be indicating your operating system doesn't meet the tech specs for the software. Have you checked what you have against what is needed?

  • Trouble with Cisco AnyConnect VPN after getting new Airport Extreme

    So I had a previous version Time Capsule that I used for years, and it started having issues where it would start spontaneously rebooting. I decided to get a new Airport Extreme (the new taller one) and went in without a hitch. Problem is, though, I work from home sometimes with my company provided Windows 7 laptop and I'm experiencing issues around the VPN hanging for 15-20 seconds then coming back, maybe 1x or 2x per hour. Especially noticeable when I'm on higher bandwidth applications like Lync meetings or Remote Desktop sessions. Never had the issue on the old Time Capsule, it was always solid (until the device itself started dying), and I don't have the issue when I'm in my office using the same VPN software. Never an issue with any of the computers in the house on the regular internet, non-VPN connection. Is there a setting I missed somewhere in my setup of the new Airport that can help to stabilize that VPN connection? Seems in newer versions, some of the options have been taken away or harder to find.
    Running version 7.7.3 on the Airport Extreme.
    Andy Martin

    Hi Geo,
    fnfErr = -43,  /*File not found*/
    Bootup holding CMD+r, or the Option/alt key to boot from the Restore partition & use Disk Utility from there to Repair the Disk, then Repair Permissions.
    Any change on reboot?

  • How can I use my time capsule with windows7

    How can I use my time capsule with windows7?

    This is asked regularly.
    https://discussions.apple.com/message/10978060#10978060
    Look at the more like this. On the right column next to the post.
    Load airport utility for windows.. which will also load bonjour for windows.
    In windows explorer type \\TCname or \\TCipaddress (replacing with the actual values.. names with spaces will give you trouble so change all names in the TC to SMB compatible or actual ip address).

  • Setting up IPsec VPNs to use with Cisco Anyconnect

    So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS version 8.4 is limited so I've been using a combination of command line and ASDM.
    I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
    NOTE: We are still testing this ASA and it isn't in production.
    Any help you can give me is much appreciated.
    ASA Version 8.4(2)
    hostname ASA
    domain-name domain.com
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address 50.1.1.225 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    no nameif
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.0.224_27
    subnet 192.168.0.224 255.255.255.224
    object-group service VPN
    service-object esp
    service-object tcp destination eq ssh
    service-object tcp destination eq https
    service-object udp destination eq 443
    service-object udp destination eq isakmp
    access-list ips extended permit ip any any
    ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
    no failover
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
    object network LAN
    nat (inside,outside) dynamic interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
    sysopt noproxyarp inside
    sysopt noproxyarp outside
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ASA
    crl configure
    crypto ca server
    shutdown
    crypto ca certificate chain ASDM_TrustPoint0
    certificate d2c18c4e
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 10
    console timeout 0
    management-access inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
    anyconnect profiles VPN disk0:/devpn.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy VPN internal
    group-policy VPN attributes
    wins-server value 50.1.1.17 50.1.1.18
    dns-server value 50.1.1.17 50.1.1.18
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value digitalextremes.com
    webvpn
      anyconnect profiles value VPN type user
      always-on-vpn profile-setting
    username administrator password xxxxxxxxx encrypted privilege 15
    username VPN1 password xxxxxxxxx encrypted
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool (inside) VPNPool
    address-pool VPNPool
    authorization-server-group LOCAL
    default-group-policy VPN
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    class-map ips
    match access-list ips
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect http
    class ips
      ips inline fail-open
    class class-default
      user-statistics accounting

    Hi Marvin, thanks for the quick reply.
    It appears that we don't have Anyconnect Essentials.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

  • Trouble restoring and backing up

    Hi
    I have the iphone 4 running 5.0.1 and am having trouble backing it up and restoring from that backup. When I right click on the device the menu drops down fine and it will look as if it is backing up when I click on it. But when I try to restore it from that backup it fails.
    When i click restore from backup it get a pop up saying
    choose backup to restore from. this will only restore your contacts etc
    then i click the last backup from the drop down menu
    and click restore
    the next pop up says
    restoring ipone from backup
    est time remaining
    this stays on for anywhere from a few seconds to about a minute
    then i get final pop up that says
    itunes could not restore the ipone because backup session failed
    I have tried deleting the last backup and doing it again. I have deleted itunes and re-downloaded and installed again and still get the same problems.
    I am running Windows7 and the latest itunes 10.5.33 and firefox.
    Oh, I have tried backing up to icloud and to my pc and get the same errors on both.
    Any help would be great, thanks.

    anyone?  help please?

  • AnyConnect client reconnects after 1 minute

    AnyConnect client reconnects after 1 minute; WHY
    version 3.1.02026
    ASA:asa911-k8.bin
    [25-4-2013 8:16:11] Establishing VPN session...
    [25-4-2013 8:16:11] Checking for profile updates...
    [25-4-2013 8:16:11] Checking for product updates...
    [25-4-2013 8:16:11] Checking for customization updates...
    [25-4-2013 8:16:11] Performing any required updates...
    [25-4-2013 8:16:12] Establishing VPN session...
    [25-4-2013 8:16:12] Establishing VPN - Initiating connection...
    [25-4-2013 8:16:12] Establishing VPN - Examining system...
    [25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
    [25-4-2013 8:16:15] Establishing VPN - Configuring system...
    [25-4-2013 8:16:16] Establishing VPN...
    [25-4-2013 8:16:16] Connected to my.vpn.com.
    [25-4-2013 8:16:16] Connected to my.vpn.com.
    [25-4-2013 8:17:19] Reconnecting to my.vpn.com...
    [25-4-2013 8:17:19] Establishing VPN - Examining system...
    [25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
    [25-4-2013 8:17:25] Establishing VPN - Configuring system...
    [25-4-2013 8:17:25] Establishing VPN...
    [25-4-2013 8:17:25] Connected to my.vpn.com.
    [25-4-2013 8:17:25] Reconnecting to my.vpn.com...
    [25-4-2013 8:17:25] Establishing VPN - Examining system...
    [25-4-2013 8:17:25] Establishing VPN - Activating VPN adapter...
    [25-4-2013 8:17:25] Establishing VPN - Configuring system...
    [25-4-2013 8:17:25] Establishing VPN...
    [25-4-2013 8:17:25] Connected to my.vpn.com.

    Hello Michael,
    The problem here is because we cannot successfully establish a DTLS tunnel. This could happen because:
    - DTLS is blocked somewhere in the path
    - A non-default DTLS port is being used
    If DTLS is blocked in the middle the issue is because as of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transition Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.
    As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).
    In order to eliminate this visible transition of DTLS > TLS,  you can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).
    1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.
    group-policy ac_users_group attributes
    webvpn
      anyconnect mtu 1300
    This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.
    2. The second option is to allow fragmentation.
    group-policy ac_users_group attributes
    webvpn
      anyconnect ssl df-bit-ignore enable
    With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.
    3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:
    sysopt conn tcpmss 1460
    In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.
    If DTLS is not blocked in the middle, another potential cause for the DTLS failure is that DTLS is configured on a non-default port after the WebVPN is enabled (for example, when the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x where the ASA pushes the non-default port to the client, but continues to listen to the default port. Consequently, the DTLS is not built and AnyConnect reconnects.
    The workaround for this problem is:
    Disable the WebVPN.
    Enter the DTLS port.
    Enable the WebVPN.
    Regards,
    -Gustavo Medina
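
The reconnect shortly after "Connected" that this answer attributes to a failed DTLS tunnel can be picked out of the client's message history. The Python below is an added example, not part of the original answer or any Cisco tooling; going beyond the answer, it also names the last "Establishing VPN - ..." stage reached before a teardown, as in the first post's log. The function names and the 120-second window are assumptions, and the sample lines are abridged from the logs quoted on this page.

```python
import re
from datetime import datetime

# Timestamp layouts seen in the two client message histories quoted on this page.
TS_FORMATS = ("%d-%m-%Y %H:%M:%S", "%a %b %d %H:%M:%S %Y")
LINE_RE = re.compile(r"^\s*\[([^\]]+)\]\s*(.*\S)\s*$")
STAGE_RE = re.compile(r"^Establishing VPN - (.+?)\.*$")
TEARDOWN = ("Disconnect in progress", "Connection attempt has failed")

# Sample input, abridged from the logs quoted on this page.
RECONNECT_LOG = """
[25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:16:15] Establishing VPN - Configuring system...
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:17:19] Reconnecting to my.vpn.com...
[25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:17:25] Reconnecting to my.vpn.com...
[25-4-2013 8:17:25] Connected to my.vpn.com.
"""
ADAPTER_LOG = """
[Fri Jun 29 12:32:30 2012] Establishing VPN - Initiating connection...
[Fri Jun 29 12:32:31 2012] Establishing VPN - Activating VPN adapter...
[Fri Jun 29 12:32:31 2012] Disconnect in progress, please wait...
[Fri Jun 29 12:34:10 2012] Connection attempt has failed.
"""


def parse_history(text):
    """Return [(datetime, message)]; lines that do not parse are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for fmt in TS_FORMATS:
            try:
                events.append((datetime.strptime(m.group(1), fmt), m.group(2)))
                break
            except ValueError:
                continue
    return events


def reconnect_gaps(events, window_s=120):
    """Seconds between each 'Connected to' and the 'Reconnecting to' after it.

    window_s is an assumed cut-off for "shortly after", not a client timer.
    """
    gaps, connected_at = [], None
    for ts, msg in events:
        if msg.startswith("Connected to"):
            connected_at = ts
        elif msg.startswith("Reconnecting to") and connected_at is not None:
            gap = int((ts - connected_at).total_seconds())
            if 0 <= gap <= window_s:
                gaps.append(gap)
            connected_at = None
    return gaps


def failed_stage(events):
    """Last 'Establishing VPN - <stage>' seen before a teardown, else None."""
    stage = None
    for _, msg in events:
        m = STAGE_RE.match(msg)
        if m:
            stage = m.group(1)
        elif msg.startswith("Connected to"):
            stage = None  # the attempt succeeded, so forget its stages
        elif msg.startswith(TEARDOWN) and stage:
            return stage
    return None


def triage(text):
    """Summarise one pasted message history as a dict."""
    events = parse_history(text)
    gaps, stage = reconnect_gaps(events), failed_stage(events)
    if stage:
        verdict = "torn down during: " + stage
    elif gaps:
        verdict = "reconnect after connect: check DTLS path, DTLS port and MTU"
    else:
        verdict = "no pattern matched"
    return {"events": len(events), "reconnect_gaps_s": gaps,
            "failed_stage": stage, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("reconnect", RECONNECT_LOG), ("adapter", ADAPTER_LOG)):
        print(name, triage(log))
```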

  • Renewed Cert on ASA, Upgraded from AnyConnect 2.5 to 3.1

    We had been running AnyConnect 2.5 against our ASA and the Cert on our ASA Expired. The 2.5 Client (and all of the iPad Clients) had a way of saying, it's cool, connect anyway if the Cert is not valid.
    I finally got around to renewing the cert on the ASA. We have an Internal CA that I renewed it against. So if the CA's Cert was not installed in your trusted Cert Store you would get an error. Many Clients can Connect just fine with the new 3.1 client, Auto-upgrade, etc. (besides it lopping off the /vpn from the connection URL).
    We have a few of the clients that cannot connect. They get an error like:
    The certificate on the secured gateway is invalid. A VPN connection will not be established
    They have the CA's Root Cert installed in their trusted Cert Store. The Cert on the ASA has the proper CN, and Expiration date, so that should not be the issue.
    When I look in the Syslog I see:
    %ASA-7-725008: SSL client outside-interface:<Client Public IP>/50088 proposes the following 8 cipher(s).
    %ASA-6-725001: Starting SSL handshake with client outside-interface:<Client Public IP>/50088 for TLSv1 session.
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags FIN ACK on interface outside-interface
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags PSH ACK on interface outside-interface
    %ASA-6-725007: SSL session with client outside-interface:<Client Public IP>/50089 terminated.
    %ASA-4-113019: Group = SSL-VPN, Username = <userID>, IP = <Client Public IP>, Session disconnected. Session Type: SSL, Duration: 0h:00m:31s, Bytes xmt: 9787, Bytes rcv: 3991, Reason: User Requested
    %ASA-6-716002: Group <SSLVPNGrpPolicy> User <<UserID>> IP <<Client Public IP>> WebVPN session terminated: User Requested.
    %ASA-6-725002: Device completed SSL handshake with client outside-interface:<Client Public IP>/50089
    The other Interesting thing is in ASDM when I monitor the VPN Connections, All of the Trouble users show up in the "Clientless SSL VPN/Clientless" Section, whereas the users that work fine are all in the "SSL VPN Client/WithClient" section. Though all of the ones in the "SSL VPN Client/WithClient" section have 'Clientless SSL-Tunnel DTLS-Tunnel' as the Protocol.
    We have completely removed AnyConnect and Manually installed the Client.
    We have connected to the ASA's SSLVPN URL and had it install the Client.
    All the same result. It Connects, Asks for a Username/Password, Displays the Warning Banner to accept, checks for upgrades, then on the Establishing VPN comes up with the Server's Certificate is invalid.
    Is this a NAT/PAT issue on the remote end?
    Any Suggestions for these guys?
    Thank you,
       Scott<-

    AnyConnect 3.1 is a significant upgrade, even over 3.0.
    Over 3.0 it adds an enhanced GUI (common between Windows and Mac), NAM enhancement, crypto suite B enhancements, HostScan/Posture performance enhancements, IPv6 support, better untrusted certificate handling, plug-in component tiles, etc.
    3.0+ offers IPSec VPN client as opposed to SSL VPN.

  • AnyConnect 3.1 and Mac OS 10.8

    We are having trouble getting Mac OS 10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect, it just connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate". Then it states below that in the warning window the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, only when we start the connection with the AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect 2.5.6005 that connect without issue. We know the cert is valid, so I am asking for help identifying why AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.

    Hi there
    This is most likely due to:
    CSCty61472 Bug Details
    DOC: Anyconnect supports specific Extended Key Usage attributes in certs
    Symptom:
    When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it.
    Conditions:
    Use an id certificate on the ASA that has an EKU other than "server-authentication".
    Use an id certificate on the client that has an EKU other than "client-authentication".
    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
    CSCua89081 Bug Details
    DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.
    Symptom:
    When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.
    Conditions:
    Use an id certificate on the client that doesn't have an EKU
    Workaround:
    1. Generate a new ID certificate with the correct Extended Key Usage.
    or
    2. define an explicit cert matching policy in the client profile.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081
    Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).
    HTH.
    Portu.
    Please rate any helpful posts
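
    The EKU check that the two bug notes above call for, as an added example that is not part of the original reply and is not Cisco code: a standard-library DER walk that reports whether a certificate carries the Extended Key Usage its role needs. The function names, the role labels and the two sample byte strings are constructed for this illustration, and treating a missing EKU as a finding for both roles is an assumption.

```python
# Added example, not Cisco code; flagging a missing EKU for both roles is an assumption.
EKU_EXT = "2.5.29.37"  # id-ce-extKeyUsage
REQUIRED = {"gateway": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}  # serverAuth / clientAuth
# Constructed DER skeletons (extension nesting only), not real signed certificates.
SAMPLE_SERVER = bytes.fromhex("301b3019a317301530130603551d25040c300a06082b06010505070301")
SAMPLE_NO_EKU = bytes.fromhex("3011300fa30d300b30090603551d1304023000")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):                # split constructed content into (tag, value) pairs
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(val):
    arcs, acc = [], 0
    for b in val:                          # base-128 digits, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)          # first octet group packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def find_eku(der):  # list of EKU OIDs, or None when the extension is absent
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            kids = list(children(val)) if tag == 0x30 else []
            if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
                _, purposes, _ = read_tlv(kids[-1][1], 0)   # extnValue wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in children(purposes)]
            if tag & 0x20:                 # descend into constructed elements only
                stack.append(val)
    return None

def eku_status(der, role):
    eku = find_eku(der)
    if eku is None:
        return "missing-eku"
    return "ok" if REQUIRED[role] in eku else "wrong-eku"
```

    For a real certificate, `ssl.PEM_cert_to_DER_cert()` from the standard library converts a PEM export into the DER bytes `eku_status()` expects.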
          

  • Anyconnect Issue

    I tried setting up the SSL VPN using anyconnect. I can get to the webpage and authenticate, it downloads and installs the client. When the client tries to connect I run into trouble and receive the following error:
    an error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address
    Has anyone seen this or have any idea what would cause it?
    I am not sure what address it is referring to, if it is IP address there is a pool configured on the ASA and it is configured in the

    Are you getting the error on one user only or anyone connecting to webvpn?
    WebVPN is also treated as a different tunnel group and yes, it should have an IP local pool of its own just as the regular RA tunnel group does.
    Also, what version of ASA are you running, and what type of client OS is the user using, is it Vista?
    Rgds
    -Jorge
