Cisco anyconnect 3.1 - Certificate Validation Failure.
When i try to start a SSL VPN connection to the ASA(8.4) with anyconnect 3.1, Cisco anyconnect receives a message saying "No Valid Certificates Available for Authentication".
Prior to the test;
On the ASA, i have obtain CA certificate and its identity certificate. (Both certificates obtain from windows 2008 CA).
* ASA identity certificate's have EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
On the PC in which anyconnect installed, i have obtain User Certificate (this User certificate also obtain from the same windows 2008 CA)
* Prior to obtaining User certificate from the windows2008 CA, ASA acts as a SCEP proxy onbehalf of the client PC.
* User Certificate's has EKU attribute = Client Authentication.
As in the ASDM Logs, it almost work.
In days of troubleshooting, i still could not find the cause of this problem. Error message as appeared on anyconnect;
Is there anyone could help.???
Keshara from Sri Lanka.
Just run into this as well. We have CRL checking turned on. Turned out to be the CRL server was down. But that was the same message I got when the client wouldn't connect.
Similar Messages
-
ORA-29024: Certificate validation failure when trying to redirect to https
Hi, I was trying to redirect the page to another https website using utl_http.request,
I configured Oracle wallet and import the certificate, and successfully to get the webpage content in sqlplus by
select utl_http.request('https://<website>,null,<wallet>,<wallet password>) from dual,
but when I trying to use the same way in a button process of Apex, the error ORA-29024: Certificate validation failure prompt.
Anyone know what wrong with it?
Thanks
Vincent PekHi, Sorry, I found that after i reboot my laptop , it's working now.
-
Anyconnect web install getting certificate validation failure.
I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the anyconnect 3.1 on a win Xp system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download then says "Certificate Authentication Failure" If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC.
Any ideas why this is not working?
Sent from Cisco Technical Support iPad AppThe client PC has a machine certificate. The ASA has a copy of the certificate from the CA that signed the machine cert. I am logging in with a user account not an admin account. Note that if anyconnect is installed on the client PC, I can use it to connect just fine. It's only the web install that fails. Below is the output of the debug crypto ca 255:
asa-vpn-1/act# CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51 | ...` ...o.Igo.NQ
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x30c0bcbf asynchronously
CERT_API: Async unlocked for session 0x30c0bcbf
CERT_API: process msg cmd=1, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf
CERT_API: Async unlocked for session 0x30c0bcbf
CERT API thread sleeps!
CERT_API: Authenticate session 0x310022b5, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x310022b5
CERT_API: Async locked for session 0x310022b5
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51 | ...` ...o.Igo.NQ
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x310022b5 asynchronously
CERT_API: Async unlocked for session 0x310022b5
CERT_API: process msg cmd=1, session=0x310022b5
CERT_API: Async locked for session 0x310022b5
CERT_API: Async unlocked for session 0x310022b5
CERT API thread sleeps!
CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x314d3205
CERT_API: Async locked for session 0x314d3205
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x314d3205 asynchronously
CERT_API: Async unlocked for session 0x314d3205
CERT_API: process msg cmd=1, session=0x314d3205
CERT_API: Async locked for session 0x314d3205
CERT_API: Async unlocked for session 0x314d3205
CERT API thread sleeps!
CERT_API: Authenticate session 0x31ad6583, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31ad6583 asynchronously
CERT_API: Async unlocked for session 0x31ad6583
CERT_API: process msg cmd=1, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583
CERT_API: Async unlocked for session 0x31ad6583
CERT API thread sleeps!
CERT_API: Authenticate session 0x31c167bb, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31c167bb asynchronously
CERT_API: Async unlocked for session 0x31c167bb
CERT_API: process msg cmd=1, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb
CERT_API: Async unlocked for session 0x31c167bb
CERT API thread sleeps!
CERT_API: Authenticate session 0x3209b801, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3209b801
CERT_API: Async locked for session 0x3209b801
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3209b801 asynchronously
CERT_API: Async unlocked for session 0x3209b801
CERT_API: process msg cmd=1, session=0x3209b801
CERT_API: Async locked for session 0x3209b801
CERT_API: Async unlocked for session 0x3209b801
CERT API thread sleeps!
CERT_API: Authenticate session 0x3266eb61, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3266eb61 asynchronously
CERT_API: Async unlocked for session 0x3266eb61
CERT_API: process msg cmd=1, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61
CERT_API: Async unlocked for session 0x3266eb61
CERT API thread sleeps!
CERT_API: Authenticate session 0x328359af, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x328359af
CERT_API: Async locked for session 0x328359af
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x328359af asynchronously
CERT_API: Async unlocked for session 0x328359af
CERT_API: process msg cmd=1, session=0x328359af
CERT_API: Async locked for session 0x328359af
CERT_API: Async unlocked for session 0x328359af
CERT API thread sleeps!
CERT_API: Authenticate session 0x32c7c677, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x32c7c677 asynchronously
CERT_API: Async unlocked for session 0x32c7c677
CERT_API: process msg cmd=1, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677
CERT_API: Async unlocked for session 0x32c7c677
CERT API thread sleeps!
CERT_API: Authenticate session 0x3305560d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3305560d
CERT_API: Async locked for session 0x3305560d
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3305560d asynchronously
CERT_API: Async unlocked for session 0x3305560d
CERT_API: process msg cmd=1, session=0x3305560d
CERT_API: Async locked for session 0x3305560d
CERT_API: Async unlocked for session 0x3305560d
CERT API thread sleeps!
CERT_API: Authenticate session 0x3378de7d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3378de7d asynchronously
CERT_API: Async unlocked for session 0x3378de7d
CERT_API: process msg cmd=1, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d
CERT_API: Async unlocked for session 0x3378de7d
CERT API thread sleeps! -
How to hide password/pin reset screens-certificate validation failure
Hi forum folk,
I wonder if you can assist?
We run a vpn web VPN portal from our ASA 5540 - in order to access this web portal the users are required to install a valid certificate> This works perfectly. However, I have recently been informaed that users that do not possess a valid certificate can still access two screens on our portal. Namely the change password and the change pin screens - see images below:
As far as I can see these screens don't serve any function - if any information is entered in the password/pin boxes and continue is pressed then they just get presented with the following screen:
Is there a way to disable these screens from appearing to users if they dont have a certificate?
Any help would be much appreciated.
Best regards,
Thomas.Hi tstockma ,
In order to change your keystore password without entering the current password, you will need to backup your data and perform a security wipe. The following KB article provides the steps to perform the security wipe and also to create a new keystore password. "How to reset the keystore password on a BlackBerry smartphone" http://bbry.lv/Nr8fyB
Please make sure to backup your data before performing these steps. The following KB articles provide the steps to backup.
"How to back up BlackBerry smartphone data using BlackBerry Desktop Software for Windows" http://bbry.lv/IWfPl0
"Back up and restore BlackBerry smartphone data on a Mac computer using BlackBerry Desktop Software" http://bbry.lv/L9UqAk
Hope this helps.
-FS
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Kudos! for those who have helped you.
Click Solution? for posts that have solved your issue(s)! -
Re: utl_http connect https got ORA-29024: Certificate validation failure
Hi,
I think you can answer my question. I posted my question in the general discussion but no luck so far. I would appreciate if you can help.
1. I would like to use PL/SQL Server Pages (PSP). My understanding after reading the documentation from Oracle is that I need to install Oracle Web Toolkit that should enable be to use mod_PLSQL etc.
My question is if I download & install the Oracle 11g from the Oracle site, will it have the Webtool kit? Also, is it easy to configure mod_PLSQL?
Thanks,
AlThis has nothing to do with utl_http and not even with forms. Besides it is easy to verify if the objects for the web toolkit are installed: just check if the objects mentioned in the documentation are available in your database.
cheers -
AnyConnect machine certificate validation error
Hi,
I'm trying to get certificate authentication to work for AnyConnect (3.1.02040) using already existing certificates in the machine store (Windows 7 clients).
I get the choose certificate prompt, but when I choose the correct certificate I just get a "Certificate validation failure" error.
So I tried and install a certificate from my lab CA - also in the machine store. And that worked as a charm.
When comparing the logs from DART - I see the following error message from the non-working certificate:
Date : 07/25/2014
Time : 11:39:02
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1146
Invoked Function: HttpSendRequest
Return Code: 12186 (0x00002F9A)
Description: WINDOWS_ERROR_CODE
After googling I found someon explaining the error code as:
"This is a WinInet/WinHttp error 12xxx will always be one of these.
what it means is you don't have the rights to access the private key for this Client certificate."
Is this correct, and in that case how do I fix the access rights for the certificate?
Thanks,
CharlieI've started to look through the certificates again now and stumbled across the "Manage private keys.."-option.
The working certificate had a SID with read rights besides the system and administrator rights. So I tried just adding read rights for the domain users group to the old certificate, and it just started working!
Which is weird since it didn't work regardless of running AnyConnect as admin or not. Well well, at least it works. Thanks for taking the time Karthik! -
Problem witch Anyconnect - Reading computer certificate
Hi everyone.
We are having an issue with our Windows 8.1 domain computer and Anyconnect.
We have deployed computer certificates to all our domain computers, and use them for our wireless networks, which works great.
When Anyconnect is started as a domain user, it wont allow us to connect using the machine certificate. We get an error message saying: "Certificate validation failure" and the message history says: "No valid certificates available for authentication".
If we run anyconnect as an administrator, there are no problems, and the connection is established right away.
We have tried giving domain users read access to: HKLM\software\microsoft\systemcertificates, but it didn´t help.
We have tested the same setup on OSX Yosemite, and there it works fine.
We have had succes deploying a user certificate to the user(Windows 8.1), but we will prefer using the computer certificate.
Any ideas? If you need more information, please let me know.
Best RegardsFrom: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html
"In the Preferences (Part 1) pane of Profile Editor, use the Certificate Store list box to configure in which certificate store AnyConnect searches for certificates. Use the Certificate Store Override checkbox to allow AnyConnect to search the machine certificate store for users with non-administrative privileges."
Rob. -
Cisco AnyConnect 3.0.2 and Mac OS X 10.7
I'm having trouble getting this to work, after my upgrade to Mac OS X Lion the Anyconnect client can no longer login. Reinstalling didn't work for me. What are other experiencing?
Can you be more specific regarding the problem? And when the problem started?
I was having trouble with AnyConnect that began about a week before Lion was released. I was running with Snow Leopard and AnyConnect Mobile Security Client 3.0.2052. I started to get 'Certificate Validation Failure' messages. I ended up setting the ASA certificate to be ALWAYS TRUSTED, as it is a self-generated certificate from the ASA. The only 'problem/change' from previous operation is that every time I connect via VPN I need to enter my keychain credentials to allow the AnyConnect app to access the keychain. Even when I chose to ALWAYS TRUST the application, it continues to prompt for the keychain password.
The same ASA client (3.0.2052) is now working with Lion. I have the 3.0.3050 client downloaded but have not installed it yet.
By the way, there is an issue with 10.7 and Java, where 10.7 does not come with a Java runtime. See:
http://support.apple.com/kb/DL1421
-rb -
Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN
Dear All,
i have the folloing case :
i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
so what the setting of the mail and smtp server should be ,
was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
Best regards,Thanks Jennifer.
I did manage to configure LDAP attribute map to the specific group policy.
Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
Example: let say my username is LLH.
Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
Only me know the preshared key and only me can login with my Connection Profile.
Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
Example:
AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
I hope above description can paint the scenario clearer.
Thanks in advance for all the help and comment given. -
Cisco AP disable PEAP server certificate validation
Hi,
My question if it is possible on Cisco 1600 AP's to disable the server certificate validation on a dot1x peap authentication method (please provide if any the appropiate CLI)
I now the in PEAP for a PEAP user implementation you want to validate the the server as that this is PEAP phase 1.
But we want only user PEAP as machine authentication, which I don't care the validation of the server. hence like in Windows you have a check box, so you can disable the validation of it.
Thanks in advance,
Kind regards,
MichelNot really, let me explain the toplogy;
we want to enable 802.1x on the network switches and let the Cisco AP authenticate the AP (PEAP-MSCHAPv2) on the switch via 802.1x. Therefore we specify the following config on the AP:
eap profile PEAP
method peap
dot1x credentials test
username
password xxxxxx
interface GigabitEthernet0
dot1x pae supplicant
dot1x credentials test
dot1x supplicant eap profile PEAP
The question is the a possebility to disable the server certificate validation (as like in Windows) because we want to verify the AP, and yes I know for PEAP-user implementation it is a good practise to validate the server certificate.
Kind regards,
Michel -
Issue with Cisco AnyConnect Secure Mobility Client in Macbook Pro
Hi all,
I am getting "No valid certificates available for uthentication" message while trying to connect Cisco AnyConnect VPN. I am having a valid certificate in Keychain Access. I couldn't find an option to import the certificate to the VPN. Please help.There seem to be much more problems with 3.1.04049
Especially with certificate authentication.
I opened some TAC cases.
Try 3.1.04063 that came out at 07-24-13.
TAC said that there are some fixes in it... -
Problems with Cisco AnyConnect Secure Mobility Client 3.1
Since I upgraded to Cisco AnyConnect Secure Mobility Client 3.1, I am unable to start my VPN.
The service does not start correctly anymore. I tried reinstabut no help.
Could anyone help me please?
Here my logs.
Thank you very much.
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: FileMoveFiles
File: ..\Common\Utility\NativeSysFileCopy.cpp
Line: 388
Invoked Function: ::FindFirstFile
Return Code: 3 (0x00000003)
Description: The system cannot find the path specified.
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: wWinMain
File: .\InstallHelper.cpp
Line: 354
Invoked Function: FileMoveFiles
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: FileMoveFiles
File: ..\Common\Utility\NativeSysFileCopy.cpp
Line: 388
Invoked Function: ::FindFirstFile
Return Code: 3 (0x00000003)
Description: The system cannot find the path specified.
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: wWinMain
File: .\InstallHelper.cpp
Line: 354
Invoked Function: FileMoveFiles
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: FileMoveFiles
File: ..\Common\Utility\NativeSysFileCopy.cpp
Line: 388
Invoked Function: ::FindFirstFile
Return Code: 3 (0x00000003)
Description: The system cannot find the path specified.
Date : 07/23/2013
Time : 08:49:37
Type : Error
Source : acvpninstall
Description : Function: wWinMain
File: .\InstallHelper.cpp
Line: 354
Invoked Function: FileMoveFiles
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:40
Type : Information
Source : acvpnva
Description : Function: CInstaller::PerformAction
File: .\VACon.cpp
Line: 522
Successfully installed service acsock
Date : 07/23/2013
Time : 08:49:40
Type : Warning
Source : acvpninstall
Description : Function: XmlLocalACPolMgr::GenerateLocalPolicy
File: .\Xml\XmlLocalACPolMgr.cpp
Line: 415
Local Security Policy file already exists and therefore will not be generated
Date : 07/23/2013
Time : 08:49:40
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:49:40
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:49:40
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:49:40
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:49:40
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:40
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:40
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:49:41
Type : Error
Source : acvpnagent
Description : Function: CSocketSupport::ipv6EnabledOnVA
File: .\IPC\SocketSupport_win.cpp
Line: 284
Invoked Function: CSocketSupport::ipv6EnabledOnVA
Return Code: 2 (0x00000002)
Description: cannot open VPNVA Enum registry key (VA driver not installed?)
Date : 07/23/2013
Time : 08:49:41
Type : Error
Source : acvpnagent
Description : Function: CSocketSupport::ipv6EnabledOnVA
File: .\IPC\SocketSupport_win.cpp
Line: 284
Invoked Function: CSocketSupport::ipv6EnabledOnVA
Return Code: 2 (0x00000002)
Description: cannot open VPNVA Enum registry key (VA driver not installed?)
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Function: CCvcConfig::readConfigParamFromFile
File: .\vpnconfig.cpp
Line: 5824
The specified configuration file for MUS service does not exist
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Function: CThread::createThread
File: .\Utility\Thread.cpp
Line: 238
The thread (0x00001F84) has been successfully created.
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent started, version 3.1.04059
Date : 07/23/2013
Time : 08:49:41
Type : Information
Source : acvpnagent
Description : Function: CInterfaceRouteMonitorCommon::logInterfaces
File: .\Routing\InterfaceRouteMonitorCommon.cpp
Line: 477
IP Address Interface List:
FE80:0:0:0:DDA0:24CA:FE35:4D19
148.110.133.126
FE80:0:0:0:19A3:961F:C11C:3724
192.168.164.1
FE80:0:0:0:80B3:F3CD:CA44:952E
169.254.149.46
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:45
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:45
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CSocketSupport::ipv6EnabledOnVA
File: .\IPC\SocketSupport_win.cpp
Line: 284
Invoked Function: CSocketSupport::ipv6EnabledOnVA
Return Code: 2 (0x00000002)
Description: cannot open VPNVA Enum registry key (VA driver not installed?)
Date : 07/23/2013
Time : 08:49:45
Type : Error
Source : acvpnagent
Description : Function: CSocketSupport::ipv6EnabledOnVA
File: .\IPC\SocketSupport_win.cpp
Line: 284
Invoked Function: CSocketSupport::ipv6EnabledOnVA
Return Code: 2 (0x00000002)
Description: cannot open VPNVA Enum registry key (VA driver not installed?)
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Function: CCvcConfig::readConfigParamFromFile
File: .\vpnconfig.cpp
Line: 5824
The specified configuration file for MUS service does not exist
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Function: CThread::createThread
File: .\Utility\Thread.cpp
Line: 238
The thread (0x00001F20) has been successfully created.
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent started, version 3.1.04059
Date : 07/23/2013
Time : 08:49:45
Type : Information
Source : acvpnagent
Description : Function: CInterfaceRouteMonitorCommon::logInterfaces
File: .\Routing\InterfaceRouteMonitorCommon.cpp
Line: 477
IP Address Interface List:
FE80:0:0:0:DDA0:24CA:FE35:4D19
148.110.133.126
FE80:0:0:0:19A3:961F:C11C:3724
192.168.164.1
FE80:0:0:0:80B3:F3CD:CA44:952E
169.254.149.46
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback\
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Help are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Help\
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\l10n are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 31
Attributes for C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script are 0x2010
Date : 07/23/2013
Time : 08:49:48
Type : Information
Source : acvpninstall
Description : Function: SetInheritACLsFromParent
File: .\ACLManager.cpp
Line: 56
Obtaining ACLs for directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script\
Date : 07/23/2013
Time : 08:49:49
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:49:50
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:49:50
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:49:50
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:49:50
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:50
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:49:50
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Function: CCvcConfig::readConfigParamFromFile
File: .\vpnconfig.cpp
Line: 5824
The specified configuration file for MUS service does not exist
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Function: CThread::createThread
File: .\Utility\Thread.cpp
Line: 238
The thread (0x000016C0) has been successfully created.
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent started, version 3.1.04059
Date : 07/23/2013
Time : 08:49:50
Type : Information
Source : acvpnagent
Description : Function: CInterfaceRouteMonitorCommon::logInterfaces
File: .\Routing\InterfaceRouteMonitorCommon.cpp
Line: 477
IP Address Interface List:
FE80:0:0:0:DDA0:24CA:FE35:4D19
148.110.133.126
FE80:0:0:0:19A3:961F:C11C:3724
192.168.164.1
FE80:0:0:0:80B3:F3CD:CA44:952E
169.254.149.46
Date : 07/23/2013
Time : 08:50:10
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:50:11
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:50:11
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:50:11
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:50:11
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:50:11
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:50:11
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Function: CCvcConfig::readConfigParamFromFile
File: .\vpnconfig.cpp
Line: 5824
The specified configuration file for MUS service does not exist
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Function: CThread::createThread
File: .\Utility\Thread.cpp
Line: 238
The thread (0x00001F34) has been successfully created.
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent started, version 3.1.04059
Date : 07/23/2013
Time : 08:50:11
Type : Information
Source : acvpnagent
Description : Function: CInterfaceRouteMonitorCommon::logInterfaces
File: .\Routing\InterfaceRouteMonitorCommon.cpp
Line: 477
IP Address Interface List:
FE80:0:0:0:DDA0:24CA:FE35:4D19
148.110.133.126
FE80:0:0:0:19A3:961F:C11C:3724
192.168.164.1
FE80:0:0:0:80B3:F3CD:CA44:952E
169.254.149.46
Date : 07/23/2013
Time : 08:50:19
Type : Information
Source : acvpnui
Description : Cisco AnyConnect Secure Mobility Client GUI started, version 3.1.04059
Date : 07/23/2013
Time : 08:50:20
Type : Information
Source : acvpnui
Description : Initializing vpnapi version 3.1.04059 ().
Date : 07/23/2013
Time : 08:50:21
Type : Information
Source : acvpnui
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:50:21
Type : Information
Source : acvpnui
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:50:21
Type : Warning
Source : acvpnui
Description : Function: ClientIfcBase::getCurrentState
File: .\ClientIfcBase.cpp
Line: 2058
API service not ready
Date : 07/23/2013
Time : 08:50:21
Type : Information
Source : acvpnui
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:50:21
Type : Warning
Source : acvpnui
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.nam.api
Date : 07/23/2013
Time : 08:50:21
Type : Information
Source : acvpnui
Description : Function: L2Api::attach
File: .\L2Api.cpp
Line: 87
The NAM/L2 Api could not be found or failed to load, skipping.
Date : 07/23/2013
Time : 08:50:21
Type : Warning
Source : acvpnui
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.websecurity.api
Date : 07/23/2013
Time : 08:50:21
Type : Information
Source : acvpnui
Description : Function: SSApi::attach
File: ..\common\SSApi.cpp
Line: 51
The Web Security API could not be found or failed to load, skipping.
Date : 07/23/2013
Time : 08:50:21
Type : Error
Source : acvpnui
Description : Function: MFDartBox::getDARTInstallDir
File: .\MFDartBox.cpp
Line: 332
Invoked Function: MsiEnumProductsExW
Return Code: 259 (0x00000103)
Description: No more data is available.
Date : 07/23/2013
Time : 08:50:21
Type : Warning
Source : acvpnui
Description : Function: ClientIfcBase::getStats
File: .\ClientIfcBase.cpp
Line: 1723
Called when API service not ready.
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: CSocketTransport::connectTransport
File: .\IPC\SocketTransport.cpp
Line: 981
Invoked Function: ::WSAConnect
Return Code: 10061 (0x0000274D)
Description: No connection could be made because the target machine actively refused it.
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: CIpcTransport::connectIpc
File: .\IPC\IPCTransport.cpp
Line: 252
Invoked Function: CSocketTransport::connectTransport
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: CIpcTransport::terminateIpcConnection
File: .\IPC\IPCTransport.cpp
Line: 404
Invoked Function: CSocketTransport::writeSocketBlocking
Return Code: -31588319 (0xFE1E0021)
Description: SOCKETTRANSPORT_ERROR_NO_SOCKET_HANDLE:The socket transport does not possess a valid socket handle.
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: ApiIpc::initIpc
File: .\ApiIpc.cpp
Line: 423
Invoked Function: CIpcTransport::connectIpc
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: ApiIpc::initiateAgentConnection
File: .\ApiIpc.cpp
Line: 336
Invoked Function: ApiIpc::initIpc
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: ApiIpc::run
File: .\ApiIpc.cpp
Line: 570
Invoked Function: ApiIpc::initiateAgentConnection
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT
Date : 07/23/2013
Time : 08:50:22
Type : Error
Source : acvpnui
Description : Function: ClientIfcBase::attach
File: .\ClientIfcBase.cpp
Line: 606
Client failed to attach.
Date : 07/23/2013
Time : 08:50:25
Type : Error
Source : acvpnui
Description : Function: CMainFrame::OnCreate
File: .\mainfrm.cpp
Line: 342
Invoked Function: The VPN service is not responding or available.
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:50:25
Type : Information
Source : acvpnui
Description : Function: ClientIfcBase::detach
File: .\ClientIfcBase.cpp
Line: 438
Shutting down vpnapi
Date : 07/23/2013
Time : 08:50:25
Type : Error
Source : acvpnui
Description : Function: ConnectMgr::activateConnectEvent
File: .\ConnectMgr.cpp
Line: 1352
NULL object. Cannot establish a connection at this time.
Date : 07/23/2013
Time : 08:50:25
Type : Information
Source : acvpnui
Description : Cisco AnyConnect Secure Mobility Client GUI exiting, version 3.1.04059 , return code 0 [0x00000000]
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:51:12
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:51:12
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:51:12
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:51:12
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:51:12
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:51:12
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true
IPProtocolSupport: IPv4,IPv6
AllowManualHostInput: true
BlockUntrustedServers: true
PublicProxyServerAddress:
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Function: CCvcConfig::readConfigParamFromFile
File: .\vpnconfig.cpp
Line: 5824
The specified configuration file for MUS service does not exist
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Function: CThread::createThread
File: .\Utility\Thread.cpp
Line: 238
The thread (0x0000162C) has been successfully created.
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent started, version 3.1.04059
Date : 07/23/2013
Time : 08:51:12
Type : Information
Source : acvpnagent
Description : Function: CInterfaceRouteMonitorCommon::logInterfaces
File: .\Routing\InterfaceRouteMonitorCommon.cpp
Line: 477
IP Address Interface List:
FE80:0:0:0:DDA0:24CA:FE35:4D19
148.110.133.126
FE80:0:0:0:19A3:961F:C11C:3724
192.168.164.1
FE80:0:0:0:80B3:F3CD:CA44:952E
169.254.149.46
Date : 07/23/2013
Time : 08:52:13
Type : Information
Source : acvpnagent
Description : Cisco AnyConnect Secure Mobility Client Agent starting, version 3.1.04059
Date : 07/23/2013
Time : 08:52:13
Type : Error
Source : acvpnagent
Description : Function: CBencodeStream::LoadStream
File: ..\..\PhoneHome\Bencode.cpp
Line: 126
Unable to open file for reading
Date : 07/23/2013
Time : 08:52:13
Type : Error
Source : acvpnagent
Description : Function: CBencodeDictionary::CBencodeDictionary
File: ..\..\PhoneHome\Bencode.cpp
Line: 1422
Bencode dictionary internalize failed
Date : 07/23/2013
Time : 08:52:13
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CPhoneHomeVpn
File: .\PhoneHomeVpn.cpp
Line: 187
Failed to create Bencode dictionary
Date : 07/23/2013
Time : 08:52:13
Type : Error
Source : acvpnagent
Description : Function: CPhoneHomeVpn::CreateSingletonInstance
File: .\PhoneHomeVpn.cpp
Line: 82
Invoked Function: CPhoneHomeVpn
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:52:13
Type : Warning
Source : acvpnagent
Description : Function: CMainThread::CMainThread
File: .\MainThread.cpp
Line: 1017
Invoked Function: CPhoneHomeVpn::CreateSingletonInstance
Return Code: -23396343 (0xFE9B0009)
Description: PHONEHOMEVPN_ERROR_UNEXPECTED
Date : 07/23/2013
Time : 08:52:13
Type : Warning
Source : acvpnagent
Description : Function: PluginLoader::QuickCreatePlugin
File: c:\temp\build\thehoff\ElGreco_MR40.391570230547\ElGreco_MR4\vpn\Common\Utility/PluginLoader.h
Line: 195
Invoked Function: PluginLoader::CreateInstance
Return Code: -29360116 (0xFE40000C)
Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE
com.cisco.anyconnect.leaf
Date : 07/23/2013
Time : 08:52:13
Type : Information
Source : acvpnagent
Description : Function: MsgCatalog::initMsgCatalog
File: .\i18n\MsgCatalog.cpp
Line: 246
Current locale: fr-LU
Date : 07/23/2013
Time : 08:52:13
Type : Information
Source : acvpnagent
Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 100
No profile is available.
Date : 07/23/2013
Time : 08:52:13
Type : Information
Source : acvpnagent
Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: All
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPThere seem to be much more problems with 3.1.04049
Especially with certificate authentication.
I opened some TAC cases.
Try 3.1.04063 that came out at 07-24-13.
TAC said that there are some fixes in it... -
Setting up IPsec VPNs to use with Cisco Anyconnect
So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accountingHi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
Any way to bypass server certificate validation in AIR client?
Is there any way to bypass certificate validation and server identification for secure Channels or ChannelSets? I am aware of the existing workaround to import my own certificate into the user's CA chain, but I feel that having greater control on the client-side is preferred.
If there is not a way to bypass client-side certificate validation I will be filing this as a feature request at http://bugs.adobe.com
Thanks,
Karl
When producing a client-server solution it is occasionally useful to override the default behavior of HTTPS certificate validation and server identification. I would like to request the ability to override these systems in the AIR environment for applications installed with the "UNRESTRICTED" system access option.
Simply allowing the use of self-signed certificates without verification (perhaps signified by a secure protocol identifier other than "https") would provide adequate functionality, but some users may desire finer control.
This issue is partly addressed by bugs FP-711 and FP-214 but I feel it is important that any enhancement include the BlazeDS Channel in the case that the AIR application has unrestricted system access.
When deploying an AIR client application which is securely connected to a network appliance which is controlled by the same developer it is desirable to bypass the overhead of acquiring a PKI issued certificate for every customer. Independent, open-source, and not-for-profit developers could see increased ability to adopt the AIR platform with this improvement.
When deploying a network appliance to be used with an AIR application the requirement for a PKI issued certificate complicates the deployment of the network appliance by requiring DNS access, and thereby requiring Internet connectivity. Some customer sites require network isolation.
It is possible to generate a developer-specific certificate and import that certificate into the AIR client host's Trusted Root Certification Authorities list. This workaround deteriorates PKI best practices and complicates the installation of AIR software. It is not possible to depend solely on the ".air" packaging for installation with the added requirement to install a new CA on the user's host.
Java provides the requested functionality by allowing developers to provide their own implementations of javax.net.ssl.TrustManager for verification and javax.net.ssl.HostnameVerifier for identification. We have used this technique to communicate over the SDEE protocol with Cisco IDS devices which do not usually have PKI issued certificates.Hi Robert,
No specific option to controle TOP/First features use.
However other options exist to control IQ resources.
Eg. Query_temp_sopace_limit, Query_Time, Max_IQ_Threads_Per_Connection, Max_Cartesian_Result.
Regards,
Tayeb. -
CTRANSPORT_ERROR_TIMEOUT with Cisco AnyConnect Secure Mobility Client 3.1.05170
Hi,
I use Cisco AnyConnect Secure Mobility Client 3.1.05170 to connect to my company network and it has been working successfully for a while and until Sunday evening Feb 8.
Today, this solution is no longer working and I've reproduced the same issue on 3 different Mac's which have 10.10.2 (on 2 Mac's) and 10.9.5 (on 1 Mac).
I can navigate on internet without any problem but when I launch the connection in Cisco AnyConnect Secure Mobility Client, it time outs and I get the following errors:
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type information sent to the user: Contacting <company server name removed for security reasons>.
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnui[7926]: Initiating VPN connection to the secure gateway https://<company server name removed for security reasons>
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host <company server name removed for security reasons>, profile myaccess1.xml)
Feb 10 10:37:31 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 718 Invoked Function: CHostLocator::resolveHostNameAlt Return Code: -29294571 (0xFE410015) Description: DNSREQUEST_ERROR_EMPTY_RESPONSE
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 322 Invoked Function: ::getaddrinfo Return Code: 35 (0x00000023) Description: unknown
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport::getHostIPAddrByName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::resolveHostName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO failed to resolve host name <company server name removed for security reasons> to IPv6 address
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host <company server name removed for security reasons> has been resolved to IP address 144.24.19.20
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Writing to hosts file: 144.24.19.20 <company server name removed for security reasons> ###Cisco AnyConnect VPN client modified this file. Please do not modify contents until this comment is removed.
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnagent[2013]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4893 The requested VPN connection to <company server name removed for security reasons> will target the following IP protocols and addresses: primary - IPv4 (address 144.24.19.20), secondary - N/A.
Feb 10 10:37:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1939 PasswordEntry username is nwipfli
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 857 Return success from VerifyServerCertificate
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: SendRequest File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1422 Invoked Function: curl_easy_perform Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT 28 : Error
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: sendRequest File: ../../vpn/Api/ConnectIfc.cpp Line: 3191 Invoked Function: CTransport::SendRequest Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: connect File: ../../vpn/Api/ConnectIfc.cpp Line: 481 Invoked Function: ConnectIfc::sendRequest Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: TranslateStatusCode File: ../../vpn/Api/ConnectIfc.cpp Line: 3008 Invoked Function: TranslateStatusCode Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT Connection attempt has timed out. Please verify Internet connectivity.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: doConnectIfcConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1963 Invoked Function: ConnectIfc::connect Return Code: -30015442 (0xFE36002E) Description: CTRANSPORT_ERROR_TIMEOUT
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type warning sent to the user: Connection attempt has failed.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2614 Content type (unknown) received. Response type (host unreachable) from <company server name removed for security reasons>:
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type warning sent to the user: Unable to contact <company server name removed for security reasons>.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2724 Unable to contact <company server name removed for security reasons>
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Message type error sent to the user: Connection attempt has timed out. Please verify Internet connectivity.
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2050 ConnectMgr::processIfcData failed
Feb 10 10:38:32 nicolass-macbook-pro-2-2.home acvpnui[7926]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.
Any idea about a solution ?
Thanks in advance
NicolasThere seem to be much more problems with 3.1.04049
Especially with certificate authentication.
I opened some TAC cases.
Try 3.1.04063 that came out at 07-24-13.
TAC said that there are some fixes in it...
Maybe you are looking for
-
Non-english character display as square box
Hi all, I'm not very sure if this question should be asked here or in the JRE board, thus I'm trying here also I have been trying an opensourced application called Alliancep2p (could be obtained from www.alliancep2p.com) using JRE 1.6 on an English W
-
Changed Yahoo email password due to being hacked, I think. Tried changing of Ipad mini but reverts to old password when go to account settings again. Tried deleting and adding mail account anew, but same deal. How do I get password to permanently
-
What are the Exists are available after saving purchase order
Actually My requirement is, When I am clicking on Save button of purchase order, it should send a mail to some person. I know the procedure sending mail through ABAP. But, I don't know where exactly I have to incorporate that code. Please help findin
-
I Have added and deleted Facebook, I have changed my password. I even got a new phone. Nothing works. My ipad worked for most of Sunday but now it will not stay on.
-
Mgmt Via Dynamic Interface not working on 5505 version 7.2.111.3
Folks, I have posted this question a couple of times on the forum but did not get a solution. I am trying to manage my 5508 controller from a dynamic interface which is assigned to port 7 of the controller. I have a switch connected to that