The Vpn Client Drive Encountered an Error Please Restart Your Computer Then Try Again
This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the issues:
- Installation and Virtual Adapter Issues
- Disconnection or Inability to Establish Initial Connection
- Problems with Passing Traffic
- AnyConnect Crash Issues
- Fragmentation / Passing Traffic Issues
Installation and Virtual Adapter Problems
Complete these steps:
- Obtain the device log file:
  - Windows XP / Windows 2000:
    \Windows\setupapi.log
  - Windows Vista:
    Note: Hidden folders must be made visible in order to see these files.
    \Windows\Inf\setupapi.app.log
    \Windows\Inf\setupapi.dev.log
  If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.
- Obtain the MSI installer log file:
  If this is an initial web deploy install, this log is located in the per-user temp directory.
  - Windows XP / Windows 2000:
    \Documents and Settings\<username>\Local Settings\Temp\
  - Windows Vista:
    \Users\<username>\AppData\Local\Temp\
  If this is an automatic upgrade, this log is in the temp directory of the system:
  \Windows\Temp
  The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.
- Obtain the PC system information file:
  - From a Command Prompt/DOS box, type this:
    - Windows XP / Windows 2000:
      winmsd /nfo c:\msinfo.nfo
    - Windows Vista:
      msinfo32 /nfo c:\msinfo.nfo
    Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.
- Obtain a systeminfo file dump from a Command Prompt:
  Windows XP and Windows Vista:
  systeminfo >> c:\sysinfo.txt
Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.
Disconnection or Inability to Establish Initial Connection
If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:
- The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:
  From the console of the ASA, type write net x.x.x.x:ASA-Config.txt, where x.x.x.x is the IP address of a TFTP server on the network.
  OR
  From the console of the ASA, type show running-config. Let the configuration complete on the screen, then cut-and-paste to a text editor and save.
- The ASA event logs:
  - In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:
    config terminal
    logging enable
    logging timestamp
    logging class auth console debugging
    logging class webvpn console debugging
    logging class ssl console debugging
    logging class svc console debugging
  - Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
  - In order to disable logging, issue no logging enable.
- The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
  - Choose Start > Run.
  - Enter:
    eventvwr.msc /s
  - Right-click the Cisco AnyConnect VPN Client log, and select Save Log File as AnyConnect.evt.
    Note: Always save it as the .evt file format.
If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the "AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established" error message on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.
Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.
When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: "The installer was not able to start the Cisco VPN client, clientless access is not available".
In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.
When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.
When you connect the AnyConnect VPN Client to the ASA, you might receive this error: "User not authorized for AnyConnect Client access, contact your administrator".
This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.
This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.
The dartbundle files show this error message when the user gets disconnected: "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets". This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:
webvpn
svc keepalive 30
svc dpd-interval client 80
svc dpd-interval gateway 80
The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:
webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5
Problems with Passing Traffic
When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:
- Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
- Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
- Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:
  access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
  ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
  nat (inside) 0 access-list in_nat0_out
- Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.
  Example:
  !--- Route outside 0 0 is an incorrect statement.
  route outside 0 0 10.145.50.1
  route inside 0 0 10.0.4.2 tunneled
  For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.
- Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by the AnyConnect client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.
  ASA(config)# policy-map global_policy
  ASA(config-pmap)# class inspection_default
  ASA(config-pmap-c)# no inspect skinny
AnyConnect Crash Problems
Complete these data-gathering steps:
- Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:
  Number of Instructions : 25
  Number of Errors To Save : 25
  Crash Dump Type : Mini
  Dump Symbol Table : Checked
  Dump All Thread Contexts : Checked
  Append To Existing Log File : Checked
  Visual Notification : Checked
  Create Crash Dump File : Checked
  When the crash occurs, gather the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, then use ntbackup.exe.
- Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
  - Choose Start > Run.
  - Enter:
    eventvwr.msc /s
  - Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.
    Note: Always save it as the .evt file format.
Fragmentation / Passing Traffic Issues
Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.
This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.
Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.
It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transmission Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.
Problem
TCP connections hang once connected with AnyConnect.
Solution
In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.
ASA(config)#group-policy <name> attributes
webvpn
svc mtu 1200
Uninstall Automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.
Solution
AnyConnect uninstalls itself even though the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.
Issue Populating the Cluster FQDN
Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).
When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.
Solution
This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.
Backup Server List Configuration
A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:
- Download the AnyConnect Profile Editor (registered customers only). The file name is AnyConnectProfileEditor2_4_1.jar.
- Create an XML file with the AnyConnect Profile Editor.
  - Go to the server list tab.
  - Click Add.
  - Type the main server on the Hostname field.
  - Add the backup server below the backup server list on the Host address field. Then, click Add.
- Once you have the XML file, you need to assign it to the connection you use on the ASA.
  - In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
  - Select your profile and click Edit.
  - Click Manage from the Default Group Policy section.
  - Select your group-policy and click Edit.
  - Select Advanced and then click SSL VPN Client.
  - Click New. Then, you need to type a name for the Profile and assign the XML file.
- Connect the client to the session in order to download the XML file.
This entry in the SetupAPI.log file suggests that the catalog system is corrupt:
W239 driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.
You can also receive this error message: "Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue".
You can receive this log on the client: "The VPN client driver has encountered an error".
Repair
This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Run:
  esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
- When prompted, choose OK in order to attempt the repair.
- Exit the command prompt.
- Reboot.
Failed Repair
If the repair fails, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Rename the %WINDIR%\system32\catroot2 to catroot2_old directory.
- Exit the command prompt.
- Reboot.
Analyze the Database
You can analyze the database at any time in order to determine if it is valid.
- Open a command prompt as an Administrator on the PC.
- Run:
  esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Refer to System Catalog Database Integrity for more information.
Error: Unable to Update the Session Direction Database
While the SSL VPN is connected through a web browser, the "Unable to Update the Session Management Database." error message appears, and the ASA logs show "%ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory".
Solution 1
This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.
Solution 2
This issue can also be resolved if you disable threat-detection on the ASA, if threat-detection is used.
Error: "Module c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed to register"
When you use the AnyConnect client on laptops or PCs, an error occurs during the install:
"Module C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed
to register..."
When this error is encountered, the installer cannot move forward and the client is removed.
Solution
These are the possible workarounds to resolve this error:
- The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.
- Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.
- Add the ASA to their trusted sites.
- Copy these files from the \ProgramFiles\Cisco\CiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command from a command prompt:
  - vpnapi.dll
  - vpncommon.dll
  - vpncommoncrypt.dll
- Reimage the operating system on the laptop/PC.
The log message related to this error on the AnyConnect client looks similar to this:
DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
Info 1721. There is a problem with this Windows Installer package. A program required for
this install to complete could not be run. Contact your support personnel or package
vendor. Action: InstallHelper.exe, location: C:\Program Files\Cisco\Cisco AnyConnect VPN
Client\InstallHelper.exe, command: -acl "C:\Documents and Settings\All Users\Application
Data\Cisco\Cisco AnyConnect VPN Client\\" -r
Error: "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator"
When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.
This message was received from the secure gateway:
"Illegal address class" or "Host or network is 0" or "Other error"
Solution
The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.
Cisco bug ID CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.
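The two conditions named above (an exhausted local pool and a 32-bit pool mask) can be checked offline against a saved configuration. This is an added example, not code from the original document or from Cisco; the pool LABPOOL, the session counts, and the warn_free margin are constructed assumptions, and the session counts are expected to be supplied by the operator.

```python
import ipaddress
import re

# Accepts both pool syntaxes that appear on this page:
#   ASA:    ip local pool NAME first-last [mask M]
#   router: ip local pool NAME first last
POOL_RE = re.compile(
    r"^\s*ip local pool (?P<name>\S+)\s+"
    r"(?P<first>\d+(?:\.\d+){3})(?:-|\s+)(?P<last>\d+(?:\.\d+){3})"
    r"(?:\s+mask\s+(?P<mask>\d+(?:\.\d+){3}))?\s*$"
)

# Constructed sample. The first two lines are quoted from this page;
# LABPOOL is invented here to show the 32-bit mask case.
SAMPLE_CONFIG = """\
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
ip local pool LABPOOL 10.0.0.10-10.0.0.12 mask 255.255.255.255
"""


def parse_pools(config_text):
    """Return one dict per 'ip local pool' line found in the configuration."""
    pools = []
    for line in config_text.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue
        first = ipaddress.IPv4Address(m["first"])
        last = ipaddress.IPv4Address(m["last"])
        if last < first:
            raise ValueError(f"pool {m['name']}: range end precedes start")
        prefixlen = None
        if m["mask"]:
            # IPv4Network validates the dotted mask and converts it to a length.
            prefixlen = ipaddress.IPv4Network("0.0.0.0/" + m["mask"]).prefixlen
        pools.append({
            "name": m["name"],
            "size": int(last) - int(first) + 1,  # range is inclusive
            "prefixlen": prefixlen,              # None when no mask is given
        })
    return pools


def check_pool(pool, active_sessions, warn_free=5):
    """Flag the conditions the page ties to this error.

    warn_free is an assumed early-warning margin, not a Cisco value.
    """
    findings = []
    if pool["prefixlen"] == 32:
        findings.append("mask-32")
    free = pool["size"] - active_sessions
    if free <= 0:
        findings.append("exhausted")
    elif free <= warn_free:
        findings.append("low")
    return findings


def audit(config_text, sessions_by_pool):
    """Map each pool name to its findings; pools without a count use 0."""
    return {
        p["name"]: check_pool(p, sessions_by_pool.get(p["name"], 0))
        for p in parse_pools(config_text)
    }


if __name__ == "__main__":
    # Constructed session counts, for illustration only.
    counts = {"IPPool1": 100, "SSLPOOL": 250, "LABPOOL": 3}
    for name, findings in audit(SAMPLE_CONFIG, counts).items():
        print(name, findings or "ok")
```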
Error: Session could not be established. Session limit of 2 reached.
When you try to connect more than two clients with the AnyConnect VPN Client, you receive the "Login Failed" error message on the Client and a warning message in the ASA logs that states "Session could not be established. Session limit of 2 reached". I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.
Solution 1
This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.
Note: Regardless of the license used, if the session limit is reached, the user will receive the "login failed" error message.
Solution 2
This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.
Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA
You receive the "Anyconnect not enabled on VPN server" error message when you try to connect AnyConnect to the ASA.
Solution
This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.
Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)
The "%ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206)" error message appears in the logs of the ASA. What does this log mean and how is this resolved?
Solution
This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.
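To see which sessions trigger this message and by how much each packet exceeds the threshold, the log can be summarized per group and user. This is an added example, not code from the original document or from Cisco; the log lines, user names, addresses, and the min_events cutoff are constructed assumptions, and the pattern follows the message layout quoted above.

```python
import re
from collections import defaultdict

# Pattern for the 722036 message as quoted on this page. The angle brackets
# (and spaces inside them) are optional, since both forms appear above.
MSG_RE = re.compile(
    r"%ASA-6-722036: Group\s+<?\s*(?P<group>[^<>\s]+)\s*>?\s+"
    r"User\s+<?\s*(?P<user>[^<>\s]+)\s*>?\s+"
    r"IP\s+<?\s*(?P<ip>[0-9a-fA-F.:]+)\s*>?\s+"
    r"Transmitting large packet (?P<size>\d+) \(threshold (?P<threshold>\d+)\)"
)

# Constructed sample log: timestamps, users and addresses are invented.
SAMPLE_LOG = """\
Jan 10 2011 09:15:02: %ASA-6-722036: Group <client-group> User <alice> IP <198.51.100.7> Transmitting large packet 1220 (threshold 1206)
Jan 10 2011 09:15:03: %ASA-6-722036: Group <client-group> User <alice> IP <198.51.100.7> Transmitting large packet 1300 (threshold 1206)
Jan 10 2011 09:16:40: %ASA-3-211001: Memory allocation Error
Jan 10 2011 09:17:11: %ASA-6-722036: Group < client-group > User < bob > IP < 203.0.113.20> Transmitting large packet 1210 (threshold 1206)
Jan 10 2011 09:18:00: %ASA-6-722036: Group <client-group> User <alice> IP <198.51.100.99> Transmitting large packet 1250 (threshold 1206)
"""


def summarize(log_text):
    """Aggregate 722036 events per (group, user); other lines are ignored."""
    acc = defaultdict(
        lambda: {"events": 0, "max_size": 0, "max_over": 0, "ips": set()}
    )
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        size = int(m["size"])
        threshold = int(m["threshold"])
        entry = acc[(m["group"], m["user"])]
        entry["events"] += 1
        entry["max_size"] = max(entry["max_size"], size)
        # Overshoot is computed per event because the threshold can differ
        # between sessions.
        entry["max_over"] = max(entry["max_over"], size - threshold)
        entry["ips"].add(m["ip"])
    # Convert the address sets to sorted lists for stable output.
    return {key: {**val, "ips": sorted(val["ips"])} for key, val in acc.items()}


def affected_users(summary, min_events=2):
    """List (group, user) pairs with repeated events.

    min_events is an assumed cutoff that separates a one-off oversized
    packet from a session that hits the threshold repeatedly.
    """
    return sorted(key for key, val in summary.items()
                  if val["events"] >= min_events)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (group, user), val in sorted(result.items()):
        print(group, user, val)
    print("repeat offenders:", affected_users(result))
```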
Error: The secure gateway has rejected the agent's vpn connect or reconnect request.
When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".
Solution
The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.
Router#show run | in pool
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
svc address-pool SSLPOO
The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.
Error: "Unable to update the session management database"
When you try to authenticate in WebPortal, this error message is received: "Unable to update the session management database".
Solution
This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.
As a permanent workaround, upgrade the memory to 512MB.
As a temporary workaround, try to free the memory with these steps:
- Disable the threat-detection.
- Disable SVC compression.
- Reload the ASA.
Error: "The VPN client driver has encountered an error"
This is an error message obtained on the client machine when you try to connect to AnyConnect.
Solution
In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:
- Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
- Right-click Properties, then log on, and select Allow service to interact with the desktop.
This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent.
Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.
When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the "The VPN client driver has encountered an error." error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.
Error: "Unable to process response from xxx.xxx.xxx.xxx"
AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.xxx.xxx".
Solution
In order to resolve this error, try these workarounds:
- Remove WebVPN from the ASA and reenable it.
- Change the port number to 444 from the existing 443 and reenable it on 443.
For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.
Error: "Login Denied , unauthorized connection mechanism , contact your administrator"
AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Login Denied , unauthorized connection mechanism , contact your administrator".
Solution
This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.
Error: "Anyconnect package unavailable or corrupted. Contact your system administrator"
This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.
Solution
In order to resolve this, complete these steps:
- Upload the Macintosh AnyConnect package to the flash of the ASA.
- Modify the WebVPN configuration in order to specify the AnyConnect package that is used.
  webvpn
  svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
  svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3
  The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:
  hostname(config)#webvpn
  hostname(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.0.0527-k9.pkg 1
  hostname(config-webvpn)#anyconnect image disk0:/anyconnect-macosx-i386-3.0.0414-k9.pkg 2
Error: "The AnyConnect package on the secure gateway could not be located"
This error is caused on the user's Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:
"The AnyConnect package on the secure gateway could not be located. You may
be experiencing network connectivity issues. Please try connecting again."
Solution
In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client.
If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.
Error: "Secure VPN via remote desktop is not supported"
Users are unable to perform a remote desktop access. The "Secure VPN via remote desktop is not supported" error message appears.
Solution
This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.
Error: "The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established"
When you try to VPN to the ASA 5505, the "The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established" error message appears.
Solution
In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\AnyConnectLocalPolicy.xml. If this file is not found in this path, then locate the file at a different directory with a path such as C:\Documents and Settings\All Users\Application Data\Cisco AnyConnectVPNClient\AnyConnectLocalPolicy.xml. Once you locate the xml file, make changes to this file as shown here:
Change the phrase:
<FipsMode>true</FipsMode>
To:
<FipsMode>false</FipsMode>
Then, restart the computer. Users must have administrative permissions in order to modify this file.
Error: "Certificate Validation Failure"
Users are unable to launch AnyConnect and receive the "Certificate Validation Failure" error.
Solution
Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:
ssl certificate-authentication interface outside port 443
Error: "VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience"
When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.
Solution
This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.
Error: "This installation package could not be opened. Verify that the package exists"
When AnyConnect is downloaded, this error message is received:
"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."
Solution
Complete these steps in order to fix this issue:
- Remove any anti-virus software.
- Disable the Windows firewall.
- If neither Step 1 nor 2 helps, then format the machine and then install.
- If the problem still persists, open a TAC Case.
Error: "Error applying transforms. Verify that the specified transform paths are valid."
This error message is received during the auto-download of AnyConnect from the ASA:
"Contact your system administrator. The installer failed with the following error:
Error applying transforms. Verify that the specified transform paths are valid."
This is the error message received when connecting with AnyConnect for MacOS:
"The AnyConnect package on the secure gateway could not be located. You may be
experiencing network connectivity issues. Please try connecting again."
Solution
Complete one of these workarounds in order to resolve this issue:
- The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:
  - Remove the MST translation table.
  - Configure the AnyConnect image for MacOS in the ASA.
- From the ASDM, follow the Network (Client) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Setting.
If neither of these workarounds resolves the issue, contact Cisco Technical Support.
Mistake: "The VPN client driver has encountered an mistake"
This error is received:
The VPN client driver has encountered an fault when connecting through Cisco
AnyConnect Client.
Solution
This issue can exist resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. Afterward this, reinstall the AnyConnect Client. If this resolution does not work, so reformat the PC in lodge to set up this issue.
Error: "A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may demand to be restored."
This error is received when you try to launch AnyConnect:
"A VPN reconnect resulted in different configuration setting. The VPN network
setting is being re-initialized. Applications utilizing the private network may
need to be restarted."
Solution
In order to resolve this error, use this:
group-policy <Name> attributes
webvpn
svc mtu 1200
The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:
hostname(config)#group-policy <Name> attributes
hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)#anyconnect mtu 500
AnyConnect Error While Logging In
Problem
The AnyConnect receives this error when it connects to the Client:
The VPN connection is not allowed via a local proxy. This can be changed
through AnyConnect profile settings.
Solution
The issue can be resolved if you make these changes to the AnyConnect profile:
Add these lines to the AnyConnect profile:
<ProxySettings>IgnoreProxy</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7
Problem
In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN problems for users who need their proxy setting configured for Automatically detect settings.
Solution
This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.
Error: AnyConnect Essentials can not be enabled until all these sessions are closed.
This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:
There are currently 2 clientless SSL VPN sessions in progress. AnyConnect
Essentials can not be enabled until all these sessions are closed.
Solution
This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:
- No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
- No clientless SSL VPN
- Optional Windows Mobile Support
This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.
Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.
The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.
Solution
This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.
Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN
A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.
Solution
This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.
Error: The certificate you are viewing does not match with the name of the site you are trying to view.
During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:
The certificate you are viewing does not match with the name of the site
you are trying to view.
Solution
This can be resolved if you change the server list of the AnyConnect profile in order to use the FQDN of the certificate.
This is a sample of the XML profile:
<ServerList>
<HostEntry>
<HostName>vpn1.ccsd.net</HostName>
</HostEntry>
</ServerList>
Note: If there is an existing entry for the Public IP address of the server such as <HostAddress>, then remove it and retain only the FQDN of the server (for example, <HostName> but not <HostAddress>).
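A way to check a profile's server list against the names on the headend certificate before you deploy it, as an added example that is not part of the original Cisco document. The profile fragment, hostnames, IP address and reason strings are constructed placeholders, and the rule that the client connects to HostAddress when it is present is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed profile fragment; hostnames and the documentation-range IP are placeholders.
PROFILE = """<ServerList>
  <HostEntry><HostName>vpn.example.com</HostName></HostEntry>
  <HostEntry><HostName>Backup</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
</ServerList>"""

def local(tag):
    """Element name without an XML namespace prefix, if the profile declares one."""
    return tag.rsplit("}", 1)[-1]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cert_covers(name, cert_names):
    """Exact match, or a wildcard that replaces only the left-most label."""
    name = name.lower().rstrip(".")
    for pattern in (p.lower() for p in cert_names):
        if pattern == name:
            return True
        if pattern.startswith("*.") and name.partition(".")[2] == pattern[2:]:
            return True
    return False

def audit_server_list(profile_xml, cert_names):
    """Return (target, reason) for every HostEntry likely to trigger the name-mismatch error."""
    findings = []
    for node in ET.fromstring(profile_xml).iter():
        if local(node.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        # Assumption: the client connects to HostAddress when present, else to HostName.
        target = fields.get("HostAddress") or fields.get("HostName", "")
        if is_ip(target):
            findings.append((target, "ip-literal"))
        elif not cert_covers(target, cert_names):
            findings.append((target, "name-not-in-cert"))
    return findings
```

Pass the subject and subject alternative names of the gateway certificate as `cert_names`; an empty result means every entry connects by a name the certificate covers.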
Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine
When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.
Solution
Currently, this is not possible considering it is not supported.
AnyConnect Profile Does Not Get Replicated to the Standby After Failover
The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.
Solution
This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.
AnyConnect Client Crashes if Internet Explorer Goes Offline
When this occurs, the AnyConnect event log contains entries similar to these:
Description : Function: CAdapterNetworkStateIfc::SetConnectedStateToConnected
File: .\AdapterNetworkStateIfc.cpp
Line: 147
Invoked Function: InternetSetOption
Return Code: 12010 (0x00002EEA)
Description: The length is incorrect for the option type
Description : Function: CTransportWinHttp::InitTransport
File: .\CTransportWinHttp.cpp
Line: 252
Invoked Function: CConnectedStateIfc::SetConnectedStateToConnected
Return Code: -25362420 (0xFE7D000C)
Description: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION
Solution
This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.
Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER
The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.
Solution
This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.
In order to resolve this issue, complete these steps:
- Reduce the number of entries in the split-tunnel list.
- Use this configuration in order to disable DTLS:
group-policy groupName attributes
webvpn
svc dtls none
For more information, refer to Cisco bug ID CSCtc41770.
Error Message: "Connection attempt has failed due to invalid host entry"
The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.
Solution
In order to resolve this issue, try either of these possible solutions:
- Upgrade the AnyConnect to Version 3.0.
- Disable Cisco Secure Desktop on your computer.
For more information, refer to Cisco bug ID CSCti73316.
Error: "Ensure your server certificates can pass strict mode if you configure always-on VPN"
When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.
Solution
This error message implies that if you want to use the Always-On feature, you need a valid server certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.
Error: "An internal error occurred in the Microsoft Windows HTTP Services"
This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1170
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft
Windows HTTP Services
*****************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::connect
File: .\ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
Date : 03/25/2014
Time : 09:52:21
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 2999
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
Connection attempt failed. Please try again.
******************************************
Also, refer to the event viewer logs on the Windows machine.
Solution
This could be caused due to a corrupted Winsock connection. Reset the connection from the command prompt with this command and restart your Windows machine:
netsh winsock reset
Refer to the How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista knowledge base article for more information.
Error: "The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway."
This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::handleRequestError
File: .\CTransportWinHttp.cpp
Line: 854
The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
Date : 10/27/2014
Time : 16:29:09
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .\ConnectIfc.cpp
Line: 3026
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
Connection attempt failed. Please try again.
******************************************
Solution
Windows 8.1 does not support RC4 according to the following KB update:
http://support2.microsoft.com/kb/2868725
Either configure DES/3DES ciphers for SSL VPN on the ASA using the command "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1" OR edit the Windows Registry file on the client machine as mentioned below:
https://technet.microsoft.com/en-us/library/dn303404.aspx
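A small triage script for the two DART excerpts above (the WinHTTP 12004 failure and the secure channel failure), as an added example that is not part of the original Cisco document. The sample is trimmed from the entries on this page, and the function names, dictionary keys and advice strings are assumptions made for the example.

```python
import re

# Fixes this page gives, keyed by return code or error symbol.
ADVICE = {
    "12004": "possible Winsock corruption: netsh winsock reset, then restart",
    "CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE":
        "no common cipher: review 'ssl encryption' on the ASA",
}
CODE = re.compile(r"(-?\d+) \(0x([0-9A-Fa-f]{8})\)")
KEEP = ("Date", "Time", "Invoked Function", "Description")
# Constructed sample, trimmed from the two DART excerpts on this page.
SAMPLE = r"""
******************************************
Date : 03/25/2014
Time : 09:52:21
Description : Function: CTransportWinHttp::SendRequest
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
******************************************
Date : 10/27/2014
Time : 16:29:09
Description : Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
"""

def parse_dart(text):
    """Split on the asterisk rules; return one dict per entry (free-text lines are skipped)."""
    entries = []
    for block in re.split(r"\*{10,}", text):
        entry = {}
        for line in filter(None, map(str.strip, block.splitlines())):
            key, sep, val = (p.strip() for p in line.partition(":"))
            if key == "Description" and val.startswith("Function:"):
                entry["Function"] = val[len("Function:"):].strip()
            elif key == "Return Code" and (m := CODE.fullmatch(val)):
                dec, raw = int(m[1]), int(m[2], 16)
                # The hex form is the signed decimal read as an unsigned 32-bit word.
                entry["Code"] = str(dec)
                entry["CodeOK"] = dec == (raw - (1 << 32) if raw >> 31 else raw)
            elif sep and key in KEEP:
                entry[key] = val
        if entry:
            entries.append(entry)
    return entries

def triage(entries):
    """Return (function, advice) for each entry whose code or symbol this page covers."""
    return [(e.get("Function"), ADVICE[k]) for e in entries
            for k in (e.get("Code"), e.get("Description")) if k in ADVICE]
```

`CodeOK` is false when the decimal and hexadecimal forms of a return code disagree, which usually means the log text was altered or mangled in transit.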
Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212972-anyconnect-vpn-client-troubleshooting-gu.html