OS X 10.8.3 AnyConnect 2.5.3054 Network Access Unavailable

Similar Messages

• Anyconnect Secure Mobility Client, Network Access Module, wired PEAP

  Hello there,
  I am testing AnyConnect Secure Mobility Client, Network Access Module as supplicant with PEAP authentication for wired network users. With default configuration it is working well.  With default configuration it is Trusting any Root CA certificates installed on the OS.  Do you know how to configure NAM that it will validate ACS certificate with specific Root CA Certificate ?
  In Network Access Module profile editor it has two options about Certificates:
  One is Certificate Trusted Authority which has two options by its self  first is too trust any Root CA certificate that is installed on OS, and second is to import Root CA certificate in Profile. Potentially Second option can help in my case, I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in future  in that way.
  Second is Certificate Trusted Server Rules,  this option have matching capability by certificate Common Name.  For what can be used this option ?

  Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certifcate for the AAA server (ie ACS, ISE, etc). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client systems local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.
  Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:
  I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.
  Hope this helps!

• Cisco's AnyConnect Network Access Manager (NAM)

  Hi dears,
  I configurate EAP_FAST in Cisco ISE and want wired users authenticate from ISE. I install Network Access Manager Profile Editor and Cisco Anyconnect Security Mobility Client on PC. I configure Network Access Manager  when i want to save as that I did not see the . \newConfigFiles folder. Then I did that: Organize’, ‘Folder and Search Options’, ‘Show hidden files, folders, and drives. but in this case i did see the network access manager folder.
  I need a to install Cisco’s AnyConnect Network Access Manager (NAM) on PC. HOW  I get this soft? I have a smartnet for ISE. 
  Which email address(to cisco) i must be write to get this soft?
  Thanks.

  You can download the Network Access Manager module from CCO.  This link should work if you have a CCO account.
  http://software.cisco.com/download/release.html?mdfid=283000185&softwareid=282364313&release=3.1.05160&relind=AVAILABLE&rellifecycle=&reltype=latest&i=rs
  The file name will be similar to anyconnect-win-3.1.05160-pre-deploy-k9.iso.  Just unzip the ISO with 7zip or Winrar and you will see the NAM msi file  anyconnect-nam-win-3.1.05149-k9.msi.

• AnyConnect + Network Access Manager (NAM) + Certificate

  Hello,
  I want to use Network Access Manager with Anyconnect.
  I configured a WiFi network with EAP-TLS authentication.
  The certificate used for EAP-TLS has the following EKU:
  - clientAuth (1.3.6.1.5.5.7.3.2)
  - emailProtection (1.3.6.1.5.5.7.3.4)
  - msSmartcardLogin (1.3.6.1.4.1.311.20.2.2)
  It works with Microsoft Wireless Zero Configuration.
  With NAM, I have this error "No valid certificates available. Please insert a smart card or install a valid certificate"
  If I remove msSmartcardLogin EKU, it works with NAM.
  I can't remove this EKU because Smart card logon is used.
  Why msSmartcardLogin EKU generates this error?
  How can I resolve it?
  Thanks a lot for your support.
  Patrick

  Hi,
  I am having the same issue, but have noticed that every now and then the NAM will fail to detect the certificate 3 times then suddently in the NAM event log there will be a message that saying "“Enumerating certificate store 'user personal'.” and it would  retrieve the local certificate for authentication.
  Has anyone else experienced this problem? and knows the fix?
  Regards,
  JZ
  anyconnect fails to detect the local certificate store about 3 time before “Enumerating certificate store 'user personal'.” And retrieves the local user certificate for authentication.

• AnyConnect VPN Clients IP Address access rules

  I setup ASA5540 for SSL-VPN (clientless) works fine.
  But I try to use Client (AnyConnect) to access internal resources, it is failed.  It is stiil initiate sessions from remote client IP.
  I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
  How I setup it?

  I use Cisco VPN client (remote access VPN)to connect ASA.
  There is a configuration setup for group authentication/w password on Cisco VPN client.I do not know to setup on ASA to match this?
  Second, remote client  connect ASA, I should get the client IP address which I setup on ASA.
  It should use this IP to connect ASA internal net,but I failed.( Both Cisco VPN and AnyConnect)
  How I setup this ( SSL VPN on this ASA works).

• Is Anyconnect Network Access Manager module supported on iOS ?

  Hi there,
  I can't seem to find any reference in regards to support for iOS / android . Can someone please confirm this is the case? much appreciated !!

  AnyConnect VPN is available for iOS, not Anyconnect NAM.

• AnyConnect Trusted Network Access Problem

  Hi,
  I am running a test deployment of AnyConnect with 100 users.  The target is to develop the solution to be 'always on' and to easily transition between trusted and non-trusted networks using NAM and VPN modules with certificate based authentication.
  I have the following network groups configured:
  TRUSTED-WIRED
  UNTRUSTED-WIRED
  TRUSTED-WIFI
  UNTRUSTED-WIFI
  The untrusted groups allowed users to add local networks.  The trusted groups are centrally controlled and secured.
  I had all this working well, but since I upgraded my ASA HA pair I have issues connecting to the internal trusted network.  The VPN and certificate based user authentication is working fine.  When I try and use the client on the trusted internal network with basic ICMP tests I get the following error message:
  C:\>arp -a
  Internet Address      Physical Address      Type
  10.192.196.1          00-24-97-48-dd-00     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
  C:\>ping 10.192.196.1
  Pinging 10.192.196.1 with 32 bytes of data:
  PING: transmit failed. General failure.
  PING: transmit failed. General failure.
  PING: transmit failed. General failure.
  PING: transmit failed. General failure.
  Ping statistics for 10.192.196.1:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
  I am actively researching this problem now.  I'm not sure if it is directly related to the upgrade or something I have inadvertently configured/selected during the upgrade.  It's a test lab/PoC environment but will be going live early in 2013, so I would obviously like to get passed this little issue.
  Any other ideas/thoughts would be most welcome in my hour of need!!
  Cheers
  Dave

  having a similar problem with windows 8, worked once, now it wont work again getting same symptoms as you, i see the arp for default gateway, routing table looks correct, but  traceroute to internal routes goes out local internet connection and i get general failure when pinging. Let me know if you find anything.

• AnyConnect Network Access Manager and Windows 10

  Hello,
  I'm currently testing Windows 10 for a client that use AnyConnect NAM (without VPN) to manage his wired and wireless corporate networks.
  After some tests with the latest 3.1 version, it seems that NAM is breaking something in Windows 10 Tech Preview.
  Immediately after the installation, trying to start an application as an Administrator doesn't allow me to enter user credentials anymore and at the logon screen, I can only use a Microsoft Account. I'm unable to enter my Domain credentials.
  Any idea on how to prevent this?
  Regards,
  Gerald

  For info, newest version 3.1.07021 fixed the problem.
  NAM is now working correctly on Windows 10 Tech Preview.

• ASA 5505 Anyconnect VPN Users can't access Internet

  Vpn user cannot access the internet but able to ping the lan network (192.168.1.0).. it seem like im missing a lan or nat rule.. Possibly allowing the vpn subnet 192.168.2.0 /24 to pass through to the internet.  Im looking to accomplish this without split tunneling.. Thanks

  on 8.2.5 version or lower:  Let say your inside hosts are accessing Internet by using dynamic nat index "1" and now you can use the same nat index "1" allow your vpn-pool range to be part of the same dynamic-nat index "1" to access the Internet.  Note I am natting source interface is be outside for vpn-client users because they (vpn-users) are physically coming off the outside interface.
  nat (outside) 1 192.168.2.0 255.255.255.0
  on 8.3 version or greater:  
  object network vpn-user-subnet
   subnet 192.168.2.0 255.255.255.0
   nat (outside,outside) dynamic interface
  Hope this helps.
  Thanks
  Rizwan Rafeek

• OS X 10.6.8 and AnyConnect 2.5.3051

  We recently upgraded the OS X AnyConnect image on our ASA to 2.5.3051. For most people, including many others using OS X 10.6.8, this is working fine.
  However, we have one OS X 10.6.8 client who consistantly sees this error:
       Network Access: Unavailable - No Networks Detected
  I've only seen that error when I truly did not have network connectivity;  but this individual does actually have Internet connectivity, can browse the web, get email etc. The only thing he cannot do is connect to our ASA using the AnyConnect client.
  I suspect downgrading the client image to the older version will fix his issue but we truly don't want to do that.
  Anybody else seen this?  Any suggestions?
  thanks,
  Lynne

  I ran into the same issue.  Disabling the "Back to my Mac" feature of MobileMe resolved the issue.
  See bug details below.
  Fabien
  CSCtr43275 Bug Details
  AnyConnect VPN fails on Mac with MobileMe Back to my Mac enabled
  Symptom:
  VPN connectivity failure on Mac when MobileMe "Back to my Mac" is enabled.
  Conditions:
  Problem  occurs for MobileMe users with "Back to my Mac" enabled. Both MobileMe  "Back to my Mac" and Cisco AnyConnect insist on using a virtual adapter  with the same name "utun0". Neither application is capable of creating a  secondary interface for example "utun1". Since MobileMe initiates when  the computer boots, it always grabs the utun0 interface first, causing  Cisco AnyConnect to fail.
  Workaround:
  In  order to use AnyConnect for the purposes of the pilot, you must turn  off Back to my Mac before you connect to the VPN. Once VPN is  disconnected, you may re-enable Back to my Mac.

• Anyconnect created profile not shown in connection list, especially the wireless profiles.

  Dears,
  Kindly advise as we encounter anyConnect issue, when creating profile for using with ISE, the new created profile is not shown in the connection list.
  I’m using profile editor to create profile for EAP-Fast, the issue is that the profile that was created not shown in the connection list.
  i put the xml file in the correct location
  C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles
  in windows 7.
  it is shown in saved networks but not shown in the connection list.
  we tried profile editor version 4 but the same issue still exist.

  Hi,
  Test the System Connector Type in the Portal.
  Connector should be any one of the Types :JDBC, ODBO, XMLA, OLAP then only the BI systems will be appear in the BI integartion wizard,
  Govindu

• Configuration File goes bad in Cisco AnyConnect Secure Mobility Client.

  Hi everyone
  We are running a Cisco ISE Version: 1.3.0.876 Patch 1 for 802.1X deployment (Wired + Wireless) with posture assessment where the supplicant for the endpoint is Cisco Anyconnect Secure Mobility Client v4.0.00061.
  Symptoms:
  The Configuration is working fine both Wired and Wireless, but the issue is that some user suddenly start to have issue connecting Wireless with the Cisco Anyconnect dislpaying System Scan: Bypassing Anconnect Scan
  (Some info are masked)
  and When I digged into this found that the configuration.xml files in the path: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles is renamed automatically into configuration_bad.xml.
  Workaround:
  Copy and paste a normal configuration.xml into the same path again.
  Restart the Cisco anyconnect services or restart the Endpoint.
  Question:
  So was wondering if anybody has a clue why this configutatyion.xml turned into bad??
  I'm goin to dig into the Event Viewer for logs about this before going to Cisco TAC

  first poster -
  "Downloads from random internet sites are 5-10 times faster than anything from a server on the VPN."
  Your corporate network may just have too little bandwidth, your taking a poor internet route between carriers (ISP's are often maxed out believe it or not), there is a speed an duplex problem or you have a bad MTU. test all of them. your pc's MTU should be 1300. MAX on all interfaces. use the setmtu.exe tool.
  Jcohen - if you disable the IPS on the ASA does the slow transfer problem go away?

• Connections drop when using Cisco Anyconnect Secure Mobility Client

  Folks I have a strange issues. I have a few laptops that I'm testing using the Cisco AnyConnect Secure Mobility Client Network Access Manager. We like the interface and overall are happy, but have one nagging issue. Periodically the connection drops when using the client, and the only way to reconnect is to choose the Network repair option on the client. That fixes it just fine, but we shouldn't have to do this. The same clients using the built in WIndows supplicant do not have this problem. We are on version 3.0.07059.

  Right now I'm testing on a single access point (autonomous) with WEP! The same laptop works fine without the Cisco client. Usually it is several hours, 12 or more when it happens, but I've seen it less than that. And I've seen it up for over a day and a half. At this point I just don't trust the client to roll out to a larger audience.

• AnyConnect customized NAM Profile Problem

  Hello,
  i have a problem with the deployment of customized NAM profiles for AnyConnect 3.0.1047 clients on a Windows XP machine. I successfully installed via msiexec the anyconnect-win-3.0.1047-pre-deploy-k9.msi /passive /log c:\temp\anyconnect-base.log PRE_DEPLOY_DISABLE_VPN=1 and then the
  anyconnect-nam-win-3.0.1047-k9.msi /passive /log c:\temp\anyconnect-nam.log.
  But the folders ...\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager and the subloder logs, newConfigFiles and setup where not created during setup prozedure.
  So i created a profile with the AnyConnect profile editor and saved it as userConfiguration.xml in the setup folder. After restarting the anyconnect just ignores the xml file and starts with some default. In the try icon i see a wired LAN called wired. I can create another wired LAN from the advanced configuration of the client but i rather would use a customized profile without accessing every client.
  Any Ideas?
  Thanks in advanced for your feedback
  Alex

  Hi Tarik,
  thanks for your answer. I'll uninstall anyconnect disable the antivirus software and try again. I got some logfiles from the DART tool, i think i have some other issues. Here is some output of the logfile. it is particular this line which worries me.
  9: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Invalid development version of configuration file.
  1: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: SSO Logon Module service entry does not exist
  2: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: Starting main service
  3: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: main service failed to start
  3: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: Starting oneTimeTimer with 24 seconds left
  4: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDA68, err=0(OS_OK), thread_id=2044
  5: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDBA0, err=0(OS_OK), thread_id=136
  7: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/configuration.xml ...
  8: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>   false   false                                                                                                                          
  9: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Invalid development version of configuration file.
  10: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/userConfiguration.xml ...
  11: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8"?> Local networks true true
  12: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file system/internalConfiguration.xml ...
  13: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8"?>
  6: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDD18, err=0(OS_OK), thread_id=152
  14: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812]: Successfully initialized SAE Ver: 3.0.1047.0 (Mar 23 2011 16:26:07)
  15: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812][comp=SAE]: API (0) AC NAM Auth Version: 3.0.1047.0
  16: BS3206: Aug 01 2011 01:19:48.453 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m0142EBF0, err=0(OS_OK), thread_id=264

• Anyconnect 4 as 802.1x supplicant replacement for Windows - where to put config xml file?

  I want to try out Anyconnect NAM as a 802.1x supplicant replacement in Windows 8.1
  And I have made myself a fine little config xml file that I want to test.
  But where do I put that config file?
  Should I rename it to something special, or should Anyconnect NAM have some extra startup parameters?
  Thank you.

  The file must be called "configuration.xml" and if you already installed NAM, then put the file in \Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigfiles\ and restart the anyconnect service
  If instead you are creating an install package for deploying, you can put the configuration in a directory named Profiles/NAM/  together with the msi package, the installation will import the config itself.when you run the msi file.