Cisco AnyConnect error: no valid certificates available for authentication


This forum is closed. Thank you for participating!

Asker

Question

After upgrading from Windows 7 to Windows 8 I, like many other users, ran into a problem connecting to the office through the Cisco VPN Client. In my case Cisco AnyConnect 2.5.6005 was installed under Windows 7 and worked without complaint.

After the upgrade the system reported that AnyConnect had to be reinstalled, but reinstalling did not help me. The error "Failed to enable Virtual Adapter" appeared. The symptoms were similar to those described in the article

Still, I decided not to poke around in the system and simply downloaded the latest version of Cisco AnyConnect from cisco.com. At the moment the latest version is 3.1.01065.

But then other problems came up. Cisco AnyConnect does not see the SSL certificate of the VPN server configured on the Cisco ASA 5510. It shows the following message: "No valid certificates available for authentication".

The certificate for the Cisco ASA 5510 was issued by our corporate certification authority using the "WebServer" template. I imported this certificate, as well as the certificate of the certification authority itself, into Trusted Root Certification Authorities through the certmgr.msc console. I can see both of them in the certificate list, and both are valid.

My assumption is that Cisco AnyConnect looks up certificates through Internet Options and, not finding it there, reports "No valid certificates available for authentication". Although, I repeat, there were no certificate problems at all on Windows 7.

How can I make Cisco AnyConnect see the certificate after all?

The same question that I asked first there

Source

Cisco AnyConnect no valid certificates available for authentication on Windows 10

Cisco AnyConnect Certificate Validation Failure

If you are facing the “Cisco AnyConnect Certificate Validation Failure” problem while trying to connect with the AnyConnect client, then you are in the right place. Here we discuss “How to fix the AnyConnect Certificate error” in detail and provide some recommended methods to fix this error. Let's start the discussion.

What is Cisco AnyConnect?

“Cisco AnyConnect” is a proprietary application that lets users connect to a VPN service. Many universities use this application as part of a service they pay Cisco for, which is why public institutions unnecessarily rely on this closed-source software for their own students. This doesn't just amount to handing control to a private corporation, thereby privatizing public money. The software also provides an extra security layer to reduce potentially unwanted attacks and privacy vulnerabilities.

Cisco AnyConnect is a unified endpoint agent that delivers multiple security services to protect the enterprise. Its wide range of security services includes functions such as remote access, posture enforcement, web security features, and roaming protection. It gives the IT department all the security features needed to provide a robust, user-friendly, and highly secure mobile experience as well.

The Cisco AnyConnect Secure Mobility Client is a modular endpoint software product that not only provides VPN access via SSL (Secure Sockets Layer) and IPsec IKEv2 but also offers improved security via various built-in modules, including compliance through VPN and ASA or through wired/wireless access with the Cisco Identity Services Engine (ISE), and off-network roaming protection with Cisco Umbrella.

Cisco has been a long-term target of the NSA spying program. AnyConnect also doesn't work well on Linux. There is nothing wrong with supporting free and open-source solutions like OpenVPN, which are used by numerous users worldwide. Linux, iOS, Windows, macOS and Android are some of the popular platforms that integrate with Cisco AnyConnect.

Cisco AnyConnect Review: Features

What is “Cisco AnyConnect Certificate Validation Failure” Error on Windows?

“AnyConnect Certificate error” is a common error reported by numerous users on the official Cisco forum and other popular platforms, who asked for a solution. One user explained on the Cisco Community website that the error appears when they run their own CA, which issues the client certificates for their users as well as the identity certificate for the ASA; as soon as they click “Connect” in the AnyConnect client, the client shows the “No Valid Certificates available for authentication” message.

Furthermore, the user created a DART bundle, in which the certificate can be seen being selected from the “Microsoft Store”, but after that several errors regarding SCHANNEL appear. The user then tried another certificate authentication, found no certificates, and got the “Cisco AnyConnect Certificate Validation Failure” error.

Certificate Validation Failure Error States:

When we talk about the “AnyConnect Certificate Validation Failure” error, the explanation is that the client can't verify the VPN server, which is to be expected since it uses a self-signed certificate; but if users connect anyway, they receive the certificate selection prompt and the login works fine. This means the username and password for the login are taken from the certificate.

[Tips & Tricks] How to fix Cisco AnyConnect Certificate Validation Failure Problem?

Procedure 1: Repair the Installation


Step 1: Click on “Start” button and type “Control Panel” in Windows search and open “Control Panel”

Step 2: In the opened “Control Panel”, choose “Uninstall a program” and find “Cisco AnyConnect VPN” client and choose “Repair”

Step 3: Follow On-Screen instructions to finish the repairing process. Once done, restart your computer and please check if the problem is resolved.

Procedure 2: Allow VPN to freely communicate through Firewall


Step 1: Click on “Start” button and type “Allow an App” in Windows Search and open “Allow an App through Windows Firewall”

Step 2: Now, click on “Change Settings”

Step 3: Make sure that “Cisco VPN” is on the list and it’s allowed to communicate through Windows Firewall. If not, click “Allow another App” and add it

Step 4: Check both the “Private” and “Public” network boxes

Step 5: Confirm changes and open Cisco VPN

Procedure 3: Check the Virtual Adapter driver in Device Manager and update it


Step 1: Press “Windows + X” key from keyboard and select “Device Manager”

Step 2: In the opened “Device Manager” window, locate and expand “Network Adapters”

Step 3: Right-click on Virtual Adapter and select “Update driver software”

Step 4: Follow On-Screen instructions to finish the updating process.

Step 5: Once done, restart your computer and please check if the problem is resolved.

Procedure 4: Tweak Registry and Repair Cisco VPN


Step 1: Press “Windows + R” keys together from keyboard and type “regedit” in “Run Dialog Box” and then hit “Ok” button

Step 2: In the opened “Registry Editor” window, navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA”

Step 3: Right-click on the “DisplayName” registry entry and choose “Modify”

Step 4: Under the “Value data” field, make sure that the only text that remains is Cisco Systems VPN Adapter (remove anything that precedes it)

Step 5: Save the changes and try running Cisco AnyConnect VPN again.

Procedure 5: Update the AnyConnect


Step 1: Go to “ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software”

Step 2: You can either replace the existing image or add a new one.

Step 3: After that, connect to the ASA. The client will be updated automatically.

Procedure 6: Create Trustpoints for each certificate being installed

Step 1: Open the “Cisco ASDM”

Step 2: Under “Remote Access VPN” window pane, click on “Configuration” tab and expand “Certificate Management” and click on “CA Certificates”


Step 3: Click on “Add” button

Step 4: Assign a “TrustPoint Name” to the certificate like “DigiCertCA2” and select “Install from the file” Radio button and browse to “DigiCertCA2.crt”, then click on “Install Certificate”. Repeat this process of adding new trustpoint and installing certificate file for “DigiCertCA.crt”


Step 5: Under “Remote Access VPN”, expand “Certificate Management” to “Identity Certificates”. Select the identity you created for the CSR (the entry that now shows an “Expiry Date”) and click on “Install > Install Certificate”


Step 6: The Certificate now needs to be enabled. To do so, click on “Advanced > SSL Settings > Edit > Primary Enrolled Certificate” and select your certificate and then click on “Ok”

Step 7: ASDM will then show your Certificate details under trustpoint

Procedure 7: Perform Clean Reinstallation


Step 1: Navigate to “Control Panel” and choose “Uninstall a program”

Step 2: Uninstall “Cisco AnyConnect VPN Client”

Step 3: Navigate to System partition and delete everything Cisco-related from programs folder

Step 4: Once uninstalled completely, restart your computer

Step 5: After that, download latest version of “Cisco AnyConnect” from “Cisco official website”

Step 6: Double-click on installer file and follow on-screen instructions to finish the installation.

Step 7: Once installed, restart your computer again and please check if the AnyConnect Certificate error is resolved.

Conclusion

Cisco AnyConnect is a VPN service that offers standard VPN encryption and protection. The AnyConnect Secure Mobility Client is a modular endpoint software product. It not only provides Virtual Private Network (VPN) access through Secure Sockets Layer (SSL) and Internet Protocol Security (IPsec) Internet Key Exchange version 2 (IKEv2), but also offers enhanced security through various built-in modules.

I am sure this article helped you to “Fix Cisco AnyConnect Certificate Validation Failure on Windows 10” with several easy methods/procedures. You can follow either one or all of the procedures to fix this issue.

If you are unable to fix the Cisco AnyConnect Certificate Validation Failure problem with the solutions mentioned above, it is possible that your system has been infected with malware or viruses. According to security researchers, malware or viruses cause various kinds of damage to your computer.

In this case, you can scan your computer with antivirus software that is able to remove all types of malware or viruses from the system.

Source

ASA AnyConnect authentication configuration guide with certificate validation, mapping and pre-fill

About this translation

This document was translated by Cisco using machine translation with limited translator involvement, in order to make support materials and resources available to users in their native language. Please note that even the best machine translation cannot be as accurate and correct as a translation done by a professional translator. Cisco Systems, Inc. is not responsible for the accuracy of these translations and recommends referring to the English version of the document (link provided) for clarification.

Introduction

This document describes a configuration example for Cisco AnyConnect Secure Mobility Client access on the Adaptive Security Appliance platform that uses double authentication with certificate validation. As an AnyConnect user, you must present the correct certificate and enter credentials for primary and secondary authentication in order to get VPN access. This document also provides an example of certificate mapping with the pre-fill feature.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on these software versions:

It is assumed that you use an external Certificate Authority (CA) in order to generate:

Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Certificate for AnyConnect

In order to install the sample certificate, double-click the anyconnect.pfx file and install that certificate as a personal certificate.

Use Certificate Manager (certmgr.msc) in order to verify the installation:

By default, AnyConnect tries to find a certificate in the Microsoft user store; there is no need to modify the AnyConnect profile.
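To make that store lookup concrete, here is an added Python model (not AnyConnect's own code and not part of this document) of the checks a certificate must pass before the client can offer it: it must sit in a Personal store, be an end-entity certificate with its private key present, carry a Client Authentication EKU (or no EKU extension at all), be inside its validity period, and be issued by a trusted CA. The sample store entries, the issuer name and the reference date are constructed; the first two entries mirror the situation in the forum question at the top of this page, where the ASA's WebServer-template certificate and the CA certificate were imported into Trusted Root Certification Authorities.

```python
"""Model of the filtering AnyConnect applies when it looks for a client certificate
in the Windows certificate store (added teaching example, not AnyConnect's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


@dataclass(frozen=True)
class StoreCert:
    """The subset of certificate properties the selection rules look at."""
    label: str
    store: str            # e.g. "CurrentUser\\My" (Personal), "LocalMachine\\Root"
    issuer: str
    not_before: datetime
    not_after: datetime
    ekus: tuple = ()      # empty = no EKU extension, so any usage is allowed
    has_private_key: bool = False
    is_ca: bool = False


def eligibility_problems(cert, trusted_issuers, now):
    """Return the reasons a certificate cannot be used for client authentication
    (empty list = usable). Each rule mirrors one requirement: a personal-store
    end-entity certificate with its private key, a Client Authentication EKU
    (or none), within its validity period, issued by a CA the machine trusts."""
    problems = []
    if not cert.store.endswith("\\My"):
        problems.append("not in a Personal (My) store")
    if cert.is_ca:
        problems.append("is a CA certificate, not an end-entity certificate")
    if not cert.has_private_key:
        problems.append("private key not present")
    if cert.ekus and CLIENT_AUTH_EKU not in cert.ekus:
        problems.append("EKU does not include Client Authentication")
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if cert.issuer not in trusted_issuers:
        problems.append("issuer is not a trusted CA")
    return problems


def select_client_certificates(certs, trusted_issuers, now):
    """Certificates the client would offer; an empty result is the
    'No valid certificates available for authentication' situation."""
    return [c for c in certs if not eligibility_problems(c, trusted_issuers, now)]


# Constructed sample store (no real certificates). The first two entries reproduce
# what the forum poster imported: the ASA's WebServer-template certificate and the
# issuing CA, both placed in Trusted Root rather than in the user's Personal store.
NOW = datetime(2015, 4, 29, tzinfo=timezone.utc)           # constructed reference date
CORP_CA = "CN=Corp Issuing CA"                              # constructed issuer name
TRUSTED_ISSUERS = {CORP_CA}
_UTC = timezone.utc
SAMPLE_STORE = [
    StoreCert("ASA server cert (WebServer template)", "LocalMachine\\Root", CORP_CA,
              datetime(2014, 1, 1, tzinfo=_UTC), datetime(2016, 1, 1, tzinfo=_UTC),
              ekus=(SERVER_AUTH_EKU,)),
    StoreCert("Corp Issuing CA", "LocalMachine\\Root", CORP_CA,
              datetime(2010, 1, 1, tzinfo=_UTC), datetime(2030, 1, 1, tzinfo=_UTC),
              is_ca=True),
    StoreCert("user cert, expired", "CurrentUser\\My", CORP_CA,
              datetime(2013, 1, 1, tzinfo=_UTC), datetime(2014, 1, 1, tzinfo=_UTC),
              ekus=(CLIENT_AUTH_EKU,), has_private_key=True),
    StoreCert("user cert, usable", "CurrentUser\\My", CORP_CA,
              datetime(2015, 1, 1, tzinfo=_UTC), datetime(2016, 1, 1, tzinfo=_UTC),
              ekus=(CLIENT_AUTH_EKU,), has_private_key=True),
]


def explain_store(certs=SAMPLE_STORE, trusted=TRUSTED_ISSUERS, now=NOW):
    """Map each certificate label to its list of problems (empty = usable)."""
    return {c.label: eligibility_problems(c, trusted, now) for c in certs}


if __name__ == "__main__":
    for label, problems in explain_store().items():
        print(f"{label}: {'usable' if not problems else '; '.join(problems)}")
```

Running the block lists, per certificate, why it is or is not offered; only the last entry qualifies. The model is deliberately strict about the store: a server or CA certificate imported into Trusted Root satisfies none of the client-side requirements, which is why importing it does not make the client prompt disappear.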

Install Certificates on the ASA

This example shows how to import a base64-encoded PKCS#12 certificate on the ASA:

Enter the show crypto ca certificates command in order to verify the import:

Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

ASA Configuration for Single Authentication and Certificate Validation

The ASA uses both Authentication, Authorization and Accounting (AAA) authentication and certificate authentication. Certificate validation is mandatory. AAA authentication uses a local database.

This example shows single authentication with certificate validation.

In addition to this configuration, it is possible to perform LDAP authorization with the username taken from a specific certificate field, such as the certificate name (CN). Additional attributes can then be retrieved and applied to the VPN session. For more information about certificate authentication and authorization, refer to “ASA Anyconnect VPN and OpenLDAP Authorization with Custom Schema and Certificates Configuration Example.”

Verify

In order to test this configuration, provide local credentials (username cisco with password cisco). The certificate must be present:

Enter the show vpn-sessiondb detail anyconnect command on the ASA:

Debug

Note: Refer to Important Information on Debug Commands before you use debug commands.

In this example, the certificate was not cached in the database, a matching CA was found, the correct key usage was used (ClientAuthentication), and the certificate was successfully validated:

Verbose debug commands, such as debug webvpn 255, can generate many logs in a production environment and place a heavy load on the ASA. Some WebVPN debugs have been removed for clarity:

This is the attempt to find a matching tunnel group. There are no specific certificate mapping rules, so the tunnel group that was chosen is used:

Here are the SSL and general session debugs:

ASA Configuration for Double Authentication and Certificate Validation

Here is an example of double authentication, where the primary authentication server is LOCAL and the secondary authentication server is LDAP. Certificate validation is still enabled.

This example shows the LDAP configuration:

Here the secondary authentication server is added:

“authentication-server-group LOCAL” does not appear in the configuration because it is the default setting.

Any other AAA server can be used for “authentication-server-group”. For “secondary-authentication-server-group”, any AAA server can be used except a Security Dynamics International (SDI) server; in that case, the SDI can still act as the primary authentication server.

Verify

In order to test this configuration, provide local credentials (username cisco with password cisco) and LDAP credentials (username cisco with the password from LDAP). The certificate must be present:

Enter the show vpn-sessiondb detail anyconnect command on the ASA.

Debug

The WebVPN session and authentication debugs are largely the same. Refer to the section “ASA Configuration for Single Authentication, Certificate Validation, and Debug”. One additional authentication process appears:

The LDAP debugs show details that may differ depending on the LDAP configuration:

ASA Configuration for Double Authentication and Pre-Fill

It is possible to map specific certificate fields to the username that is used for primary and secondary authentication:

In this example, the client uses the certificate: cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL.

For primary authentication, the username is taken from the certificate name (CN), which is why the local user “test1” was created.

For secondary authentication, the username is taken from the organizational unit (OU), which is why the user “Security” was created on the LDAP server.

It is also possible to force AnyConnect to use the pre-fill commands in order to pre-fill the primary and secondary username.

In a real-world scenario, the primary authentication server is usually an AD or LDAP server, while the secondary authentication server is a Rivest, Shamir and Adelman (RSA) server that uses token passwords. In this scenario, the user must provide AD/LDAP credentials (which the user knows), an RSA token password (which the user has), and a certificate (on the machine that is used).

Verify

Notice that you cannot change the primary or secondary username, since it is pre-filled from the certificate CN and OU fields:

Debug

This example shows the pre-fill request that is sent to AnyConnect:

Here it is shown that the correct usernames are used for authentication:

ASA Configuration for Double Authentication and Certificate Mapping

It is also possible to map specific client certificates to specific tunnel groups, as shown in this example:

This way, all user certificates issued by the Cisco Technical Assistance Center (TAC) CA are mapped to the tunnel group named “RA”.

Note: Certificate mapping for SSL is configured differently than certificate mapping for IPsec. For IPsec, it is configured with “tunnel-group-map” rules in global configuration mode. For SSL, it is configured with the “certificate-group-map” rule in webvpn configuration mode.
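The two mechanisms described in the pre-fill section and in this mapping section, username pre-fill from the certificate's CN and OU and selection of tunnel group “RA” for certificates issued by the TAC CA, are modelled below in Python as an added example; this is not ASA code and the document's own configuration is not reproduced here. The client subject DN is the one given in the document; the issuer DNs, the map name in the comments and the fallback group are assumptions made for the example.

```python
"""Model of two ASA tunnel-group features from this document: pre-filling the primary
and secondary username from certificate fields, and certificate-group-map selection of
the tunnel group (added example, not ASA code)."""
import re


def parse_dn(dn):
    """Split an RFC 4514 style DN such as 'cn=test1,ou=Security,o=Cisco' into
    (ATTR, value) pairs. Commas escaped as '\\,' stay inside the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def username_from_certificate(subject_dn, attr):
    """What 'username-from-certificate <attr>' yields: the first matching RDN value."""
    for a, v in parse_dn(subject_dn):
        if a == attr.upper():
            return v
    return None


def prefill_usernames(subject_dn, primary_attr="CN", secondary_attr="OU"):
    """Usernames pre-filled into AnyConnect for primary and secondary authentication."""
    return (username_from_certificate(subject_dn, primary_attr),
            username_from_certificate(subject_dn, secondary_attr))


def rule_matches(rule, subject_dn, issuer_dn):
    """One criterion line of a certificate map entry, e.g.
    ('issuer-name', None, 'co', 'tac') or ('subject-name', 'OU', 'eq', 'Security').
    Comparison is case-insensitive in this model (an assumption of the example)."""
    field, attr, op, value = rule
    dn = subject_dn if field == "subject-name" else issuer_dn
    target = username_from_certificate(dn, attr) if attr else dn
    if target is None:
        return False
    t, v = target.lower(), value.lower()
    return {"eq": t == v, "ne": t != v, "co": v in t, "nc": v not in t}[op]


def map_tunnel_group(cert_group_map, subject_dn, issuer_dn, default_group):
    """Evaluate map entries in sequence order; every criterion of an entry must
    match, and the first matching entry selects the tunnel group."""
    for _seq, criteria, group in sorted(cert_group_map, key=lambda e: e[0]):
        if all(rule_matches(c, subject_dn, issuer_dn) for c in criteria):
            return group
    return default_group


# Subject DN taken from the document; issuer DNs are constructed for the example.
CLIENT_SUBJECT = "cn=test1,ou=Security,o=Cisco,l=Krakow,st=PL,c=PL"
TAC_ISSUER = "cn=TAC CA,ou=TAC,o=Cisco,c=PL"       # constructed
OTHER_ISSUER = "cn=Lab CA,ou=Lab,o=Cisco,c=PL"     # constructed
# Models a single map entry whose only criterion is that the issuer name
# contains "tac", bound to tunnel group RA (the group named in the document).
CERT_GROUP_MAP = [(10, [("issuer-name", None, "co", "tac")], "RA")]
DEFAULT_GROUP = "DefaultWEBVPNGroup"               # fallback assumed for the example


if __name__ == "__main__":
    print(prefill_usernames(CLIENT_SUBJECT))
    print(map_tunnel_group(CERT_GROUP_MAP, CLIENT_SUBJECT, TAC_ISSUER, DEFAULT_GROUP))
    print(map_tunnel_group(CERT_GROUP_MAP, CLIENT_SUBJECT, OTHER_ISSUER, DEFAULT_GROUP))
```

The pre-fill result for the document's certificate is the pair test1 / Security, matching the local and LDAP accounts the document says were created; a certificate from the constructed non-TAC issuer falls through to the default group, which is the behaviour the mapping section relies on.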

Verify

Notice that, once certificate mapping is enabled, you no longer need to choose the tunnel group:

Debug

In this example, the certificate mapping rule allows the tunnel group to be found:

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Valid Certificate Not Present

After a valid certificate is removed from Windows 7, AnyConnect cannot find any valid certificates:

On the ASA, it looks like the session is terminated by the client (Reset-I):

Source

AnyConnect Secure Mobility Certificate Error


[4/29/2015 3:10:51 PM] Connection attempt has failed.

[4/29/2015 3:10:54 PM] Connection attempt has failed.

[4/29/2015 3:10:54 PM] No valid certificates available for authentication.

[4/29/2015 3:10:57 PM] Connection attempt has failed.


Do you have a certificate installed that was issued by a Certificate Authority?


The only certificate I have installed on the my edge router is the SSH cert that was generated inside.


webvpn gateway webvpn_1
 ip address 73.52.xx.xx port 443
 http-redirect port 80
 ssl trustpoint pa-york-2851
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.06073-k9.pkg sequence 1
!
webvpn context Test
 ssl authenticate verify all
 policy group policy_1
  svc address-pool "SDM_POOL_1" netmask 255.255.255.255
  svc default-domain "york.local"
  svc dns-server primary 192.168.1.29
 aaa authentication list ciscocp_vpn_xauth_ml_2


Did you use your public facing address? I have a Cisco ASA firewall so the concepts are similar, but he implementation is fairly different. I wonder if this is because you’re using a self signed cert. I used a cert issued by a CA. You create a cert request on the unit, send it to the CA, then get your externally issued cert from that CA. I might be off track here though.


Can you please provide directions from some website or Cisco? I've not heard of using a CA to issue a cert.


Ideally you would want a CA issued cert that verifies that you’re connecting to what you think you are. We have a domain name that’s used for connections to our ASA. Basically my.domain.org. I have a GoDaddy cert that was issued by them and loaded onto my ASA. So when you try to connect with AnyConnect or via WebVPN/SSLVPN, your computer can see that you are actually connecting to my.domain.org. Just like your secure connection to your bank website. If you have an internally issued cert and are connecting internally then that’s probably why it works that way. You internally issued cert can’t be checked against anything if you’re connecting externally.


Well I talked to my provider Hostgator and they sent me to a form for a SSL Cert. It created a private and public key to send to a SSL 3rd party. I’m not really looking at spending money to get this to work being that this is inter company / private outside vpn.


While getting a CA certificate like everyone else is saying, I am not sure that is your issue. While yes, it will error, you should be able to get around it. So here are 2 suggestions: first, try running AnyConnect as Administrator (right-click on the file and select "Run as administrator"). If that does not work, I'd run AnyConnect, go to the settings and uncheck "Block connections to untrusted servers". I do advise, though, that if you decide to start using this you get yourself a CA certificate and install it on the ASA. At least this will help you out for testing, hopefully.


I ran Cisco AnyConnect as administrator. A "Security Warning: Untrusted VPN Server Certificate" popped up. I clicked Connect Anyway. It states connection failed. No valid certificates available for authentication. I have to uncheck "Block connections to untrusted servers" to receive any messages, as otherwise I get stopped by a big red box that disconnects me as it's unsafe.


I've found a website called startssl.com but I can't log into my account. I get a "can't establish connection" error. I don't know what's wrong with that, but they provide a level 1 SSL certificate for free each year; you just have to renew it.


So yeah. I got my anyconnect to work without prompting me for any licenses or anything. I still got all the untrusted server notifications but it connected inside my local intranet. So how do I go about putting it out on the public?


I wouldn't worry too much about connecting internally because that doesn't do you a lot of good. There are scenarios where your wireless might be segmented off and you force people to VPN in for security purposes, but that's a different subject.

I’m not really sure about the setup on those routers since they differ from my ASA firewall. In my case I had to generate a CSR, which makes a text file you upload to your CA. They then issue you your cert which you import into your device. I have no clue if these options exist on the 2851, but this is what it looks like generating a CSR on an ASA firewall using the GUI. https://www.digicert.com/csr-creation-cisco-asa-vpn.htm

On my ASA I had to explicitly tell it that I wanted to enable SSL access for AnyConnect on my external/outside interface.


Source

The following user messages appear on the AnyConnect client GUI. A description follows each message, along with recommended user and administrator responses if applicable. The recommended administrator responses apply to IT representatives with monitoring and configuration access to the secure gateway configured to provide VPN access.

A new PIN has been generated for you: PIN.

Description    The server generated a new personal identification number (PIN) for use with the SDI authentication token.

Recommended User Response    None.

A security threat has been detected in the received server certificate. A VPN connection will not be established.

Description    A security threat was detected in the received server certificate. The threat is likely the result of a null character prefix attack.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

A user other than the one who started the VPN connection has logged into the computer locally. The VPN connection has been disconnected. Close all sensitive networked applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to "Same user only." Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

Account expired.

Description    Message originated from the Cisco ASA. The ASA rejected the VPN access request because your account is locked or expired.

Recommended User Response    Report the issue to your organization’s technical support.

An internal error occurred while creating the DART bundle. Please try again later.

Description    Creation of the DART bundle failed due to an internal processing error.

Recommended User Response    Restart the computer. Install the latest release of DART and run it to attempt the collection of another DART bundle. (See Using DART to Gather Troubleshooting Information.) If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 An unknown error has occurred in the VPN client service while trying to reconnect.

Description    The VPN connection was terminated without a reconnect reason code because of a flaw in the client software.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 An unknown error occurred while creating the DART bundle, possibly due to 
restricted file permissions. Please try again later.

Description    Creation of the DART bundle failed. Common causes may include a failure to write to, read from, or move a file, possibly due to restricted user access to it.

Recommended User Response    Try recreating the DART bundle.

 An unknown reconnect error has occurred in the VPN client service.

Description    The client was attempting to establish a VPN connection, but the connection was terminated without a reason code because of a flaw in the client software. Typically, a reason code is generated, exposing a more detailed message.

Recommended User Response    Restart the computer and device, then try starting a new VPN connection. If the error reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle if you cannot resolve the issue.

 An unknown termination error has occurred in the client service.

Description    The VPN connection or AnyConnect client service was terminated without a termination reason code, due to a flaw in the client software. Typically, a reason code is generated, exposing a more detailed message.

Recommended User Response    Restart the computer and device, then try starting a new VPN connection. If the error reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle if you cannot resolve the issue.

 Another user has logged into your computer locally, and only one local user is 
allowed. The VPN connection has been disconnected. Close all sensitive networked 
applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to "Same user only." Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

 Another user has logged into your computer, and only one user is allowed. The VPN 
connection has been disconnected. Close all sensitive networked applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to "Same user only." Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

 AnyConnect cannot confirm it is connected to your secure gateway. The local network 
may not be trustworthy. Please try another network.

Description    AnyConnect cannot validate the secure gateway server certificate. The local network may not be trustworthy or the secure gateway certificate may not be trusted.

A device between the endpoint and the secure gateway is attempting to intercept the VPN connection data (man-in-the-middle attack).

The secure gateway was not properly provisioned with a valid server certificate. If strict mode is configured on the secure gateway, all remote access users experience the error.

Recommended User Response    Try moving to a different network, then try a new VPN connection. If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Ensure the secure gateway is provisioned with a valid server certificate from a proper certificate authority (CA).

 AnyConnect is not enabled on the VPN server.

Description    Message originated from the Cisco ASA. Access to the secure gateway through AnyConnect is not allowed.

Recommended User Response    Try connecting to another secure gateway.

Recommended Administrator Response    Make sure that AnyConnect is enabled on the secure gateway and the user is authorized to use AnyConnect.

 AnyConnect profile settings mandate a single local user, but multiple local users 
are currently logged into your computer. A VPN connection will not be established.

Description    AnyConnect is configured to permit access only to the local console user whom the secure gateway authenticated. AnyConnect disconnected from the VPN to protect it from unauthorized use by another user who logged into the local console.

Recommended User Response    Ask the remote users to log off, then retry the VPN connection.

 AnyConnect was not able to establish a connection to the specified secure gateway. 
Please try connecting again.

Description    A network connectivity problem caused a VPN connection attempt to fail after a successful authentication.

Recommended User Response    Retry the VPN connection.

 Authentication failed.

Description    Message originated from the Cisco ASA. The VPN connection could not be established, most likely because of invalid credentials.

Recommended User Response    Confirm your credentials and retry the VPN connection.

 Automatic profile updates are disabled and the local VPN profile does not match 
the secure gateway VPN profile.

Description    The secure gateway is configured to upload an AnyConnect XML profile. AnyConnect is configured to skip profile updates, but cannot update to this version of the profile. Because the profile can specify a security policy, AnyConnect cannot establish a connection. The most common cause of this condition is connecting to a secure gateway with a version of AnyConnect, such as the Palm Pre, that does not support profile updates, or connecting with the BypassDownloader setting configured in the local policy file.

Recommended Administrator Response    Configure a group policy that does not require an AnyConnect profile.

 Cannot verify required local security policy. This device is not supported. Please 
contact your network administrator.

Description    The AnyConnect profile requires the endpoint to be protected by a mobile device policy, but the endpoint OS could not be identified.

Recommended Administrator Response    To ensure maximum device compatibility, ensure that the endpoint is running the latest version of the AnyConnect client, and the ASA is running the latest software release.

 Certificate Enrollment - Certificate import has failed.

Description    AnyConnect failed to import the just-enrolled certificate. This failure can occur if the user declined a certificate store provider prompt, such as one for a password or a permission request.

 Certificate Validation Failure

Description    Message originated from the Cisco ASA. The ASA declined to accept the certificate provided by AnyConnect because it could not be validated. Please verify that the correct certificate is available in the certificate store.

Recommended User Response    Report the error to your organization’s technical support and ask for the proper certificate.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

 Certificate enrollment succeeded. Your session will be disconnected. Please login 
again.

Description    Certificate enrollment through SCEP succeeded.

Recommended User Response    To use the new certificate, start a new VPN connection.

 Clientless (browser) SSL VPN access is not allowed.

Description    Message originated from the Cisco ASA. The ASA requires the use of a full tunnel client such as AnyConnect for network access.

Recommended User Response    Report the problem to your organization’s technical support.

 Connect not available. Another AnyConnect application is running or the 
functionality was not requested by this application.

Description    AnyConnect is connected in a diminished mode. This can be the result of a specific request by a custom application or because of another AnyConnect client already running.

Recommended User Response    Try restarting the computer or device, then try a new VPN connection.

 Connecting via a proxy is not supported with Always On.

Description    AnyConnect is configured for Always-on VPN, which does not support connecting through a proxy.

Recommended User Response    Remove the local proxy and try a new VPN connection. To access the proxy settings on Windows, choose the Control Panel > Internet Options > Connections tab, and go to LAN Settings.

 Connection attempt failed. Please try again.

Description    An initialization error caused the VPN connection to fail.

Recommended User Response    Try establishing a new VPN connection.

 Connection attempt has failed (error in response data).

Description    Communication with the secure gateway failed because it detected an error in the HTTP response body it received.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Connection attempt has failed (error in response header).

Description    Communication with the secure gateway failed because it detected an error in the HTTP response header it received.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Connection attempt has failed due to invalid host entry.

Description    A profile URL or user-entered address does not resolve to a valid secure gateway.

Recommended User Response    Choose another gateway from the VPN list or request the URL from your organization’s technical support.

 Connection attempt has failed due to network or PC issue.

Description    An unexpected error in the HTTP protocol was detected. This error is unlikely and indicates an error state on the endpoint, such as loss of either connectivity to the secure gateway or network connectivity in general.

Recommended User Response    Ensure your computer or device has network access. Restart it if necessary. Then try a new VPN connection.

 Connection attempt has failed due to server communication errors. Please retry the 
connection.

Description    The connection attempt was terminated for one of a number of reasons. These can include too many redirects at the secure gateway, a host that changed from one connection to the next, and similar conditions.

Recommended Administrator Response    Look for additional errors in the log.

 Connection attempt has failed.

Description    The VPN connection could not be established.

Recommended User Response    Look for an additional error message that identifies the cause.

 Connection attempt has failed: Gateway/proxy received an invalid response from the 
host or was unable to contact the host. Verify the host is valid.

Description    The failed connection attempt was done through a proxy. Possible causes of this failure are that the proxy could not resolve the selected host, the selected host does not exist, or the host is unavailable and therefore the proxy did not get a response.

 Connection attempt has timed out. Please verify Internet connectivity.

Description    AnyConnect canceled the connection attempt because the wait for a response exceeded an internal time-out value.

Recommended User Response    Try a new VPN connection.

 Connections to this secure gateway are not permitted.

Description    The VPN connection to the selected secure gateway is not allowed because the Always On feature is enabled, which restricts VPN connections to only secure gateways found in the profiles.

Recommended User Response    Choose another gateway from the VPN list or request the URL from your organization’s technical support.

 Cookies must be enabled to log in.

Description    Message originated from the Cisco ASA. In order to log into the secure gateway, cookies must be enabled. The secure gateway detects that it is unable to correctly set a cookie.

Recommended User Response    Add the domain to the browser list of trusted sites.

 Could not connect to server. Please verify Internet connectivity and server 
address.

Description    AnyConnect could not contact the secure gateway. This error indicates a failure to establish a network connection. Possible causes of this failure include:

Lack of network connectivity to the secure gateway.

Connection to the wrong server host name or IP address.

Problems with the secure gateway.

Recommended User Response    Verify network connectivity. Check whether other applications, such as a web browser or a ping tool, can contact the secure gateway.

Recommended Administrator Response    Check whether other applications, such as a web browser or a ping tool, can contact the secure gateway.

 Error retrieving username from CSD data.

Description    The username from the certificate feature is configured to use the Cisco Secure Desktop Host Scan data when a certificate is unavailable. The secure gateway failed to get the username from the host scan data in the absence of a certificate.

Recommended User Response    Try starting a new VPN connection. Report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Error saving preferences. Please retry, or restart AnyConnect.

Description    An unexpected error occurred while saving the user or global preferences file.

Recommended User Response    Restart AnyConnect.

Recommended Administrator Response    Reattempting to store preferences might solve the issue.

 Exiting. Bypassing start before logon.

Description    The start before logon GUI is exiting because of one of the following reasons:

AnyConnect disconnected from the VPN because it detected a trusted network.

The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet.

Recommended User Response    None necessary if you are in the corporate network. Otherwise, start a web browser and satisfy the conditions of the local Internet service provider, then try to connect to the VPN.

 FIPS compliant algorithms for encryption, hashing, and signing have not been 
enabled on this system.

Description    As part of the AnyConnect FIPS verification process, the Windows operating system FIPS registry key is checked to ensure that the system is in a FIPS compliant mode. The registry key value is not set to enable FIPS.

 FIPS mode requires TLS to be enabled to establish a VPN connection

Description    FIPS mode requires that the TLS protocol be enabled. AnyConnect failed to enable the TLS protocol through the registry key setting.

Recommended User Response    Choose the Control Panel > Internet Options > Advanced tab, and check Use TLS 1.0 under "Security."

 Failed accessing AnyConnect package. This may be due to IE security settings that 
are set too high.

Description    An error occurred while trying to download contents from the AnyConnect package located on the secure gateway. An Internet Explorer security setting could be blocking HTTP file downloads.

Recommended User Response    Change the Internet Explorer security settings to permit downloads.

 Failed to load preferences.

Description    An unexpected error occurred while reading the profiles or preferences files. The files might be corrupt or an initialization failure may have occurred.

Recommended User Response    Restart AnyConnect and try a new VPN connection.

 Failed to verify FIPS mode.

Description    An unexpected error occurred during the AnyConnect FIPS verification process. The most likely cause is an AnyConnect flaw.

Recommended User Response    Try starting a new VPN connection. If the problem reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Failed to verify required local security policy. Please contact your network 
administrator.

Description    The following entries pair each possible explanation of this message with the recommended administrator response.

Explanation    A generic error occurred when attempting to verify the mobile device security policy specified by the AnyConnect profile. This error occurs when AnyConnect attempts to monitor the Windows Mobile device registry to ensure it conforms with settings in the AnyConnect profile.

Recommended Administrator Response    NA

Explanation    The AnyConnect profile requires the mobile device to be protected by a device lock such as a personal identification number (PIN), but the device does not conform to the specified policy.

Recommended Administrator Response    Make sure the value of the DeviceLockRequired element under MobilePolicy in the AnyConnect profile is correct.

Explanation    The AnyConnect profile requires the mobile device to be protected by a device lock with a minimum password length, but the device is either not configured with a password, or has a password that is too short.

Recommended Administrator Response    Make sure the value of the MinimumPasswordLength attribute of the DeviceLockRequired element under MobilePolicy in the AnyConnect profile is correct.

Explanation    The AnyConnect profile requires the mobile device to be protected by a device lock with a minimum device lock time-out, and the device is configured with a time-out that is too short.

Recommended Administrator Response    Make sure the value of the MaximumTimeoutMinutes attribute of the DeviceLockRequired element under MobilePolicy in the AnyConnect profile is correct.

Explanation    The policy for the device lock password is usually set only after the device synchronizes with an enterprise Exchange server. One of the following is true:

The AnyConnect profile fails to specify the complexity required of the device lock password.

The password does not meet the password strength required by the AnyConnect profile.

Recommended Administrator Response    Make sure the value of the PasswordComplexity attribute of the DeviceLockRequired element under MobilePolicy in the AnyConnect profile is correct.

Explanation    AnyConnect detected that the device is not synchronized with an Exchange server configured with a security policy. The AnyConnect profile requires the mobile device to be protected by a mobile device policy set when the device synchronizes with an enterprise Exchange server.

Recommended Administrator Response    Make sure the MobilePolicy settings in the AnyConnect profile are correct.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    See the explanations above.

 Firefox certificate libraries could not be loaded. VPN connection cannot be 
established.

Description    AnyConnect could not access the Firefox certificate store and there was no alternative store located. A failure to verify server certificates results in the inability to verify the identity of the secure gateway. Also, AnyConnect cannot respond to certificate requests.

 Hostscan Configuration error.

Description    The Host Scan module could not be configured properly. Possible causes include errors loading the DLL or errors setting up the command line parameters to launch the stub executable for Host Scan.

 Hostscan Initialize error.

Description    Host Scan could not launch. Possible causes include failures in the Host Scan executable stub as well as in the Host Scan initialization routines.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Hostscan Installation error.

Description    Host Scan could not be loaded to perform the system scan. Possible causes include errors loading the DLL and errors finding the stub executable for Host Scan.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Hostscan Prelogin error.

Description    During the pre-login check, Host Scan detected the local violation of a rule configured on the secure gateway. Examples of pre-login checks include:

Host Scan detected a keylogger.

A dynamic access policy matched an endpoint criterion that disqualifies AnyConnect for VPN access.

Recommended User Response    Restart the computer or device and try a new VPN connection.

 Hostscan Run error.

Description    Host Scan experienced an error while scanning the endpoint.

Recommended User Response    Try a new VPN connection.

 Invalid authentication handle.

Description    Message originated from the Cisco ASA. The authentication ticket was removed before the user responded.

Recommended User Response    Try logging on again.

 Invalid host entry. Please re-enter.

Description    The URL requested was not found.

Recommended User Response    Verify that the URL is correct and try again.

Recommended Administrator Response    Verify the URL in the secure gateway configuration.

 Invalid session/bad session parameters while processing Config Request

Description    Message originated from the Cisco ASA. The session cookie is invalid and cannot be used to request parameters needed to establish a VPN tunnel.

Recommended User Response    Try a new VPN connection.

 It may be necessary to connect via a proxy, which is not supported with Always On.

Description    AnyConnect is configured for Always-on VPN, which does not support connecting through a proxy.

Recommended User Response    Remove the local proxy and try a new VPN connection. To access the proxy settings on Windows, choose the Control Panel > Internet Options > Connections tab, and go to LAN Settings.

 Leave both boxes blank to continue using current password

Description    Message originated from the Cisco ASA. The user password will expire soon. The user has the opportunity to change the password immediately.

Recommended User Response    Enter a new password into the text boxes, or leave them blank if you want to defer the password change for later.

 Login denied, unauthorized connection mechanism, contact your administrator.

Description    The secure gateway is not permitting AnyConnect or clientless access by the user.

Recommended User Response    Report the issue to your organization’s technical support.

 Login denied. Message 

Description    Message originated from the Cisco ASA. The secure gateway enforced a dynamic access policy that rejects the login credentials.

Recommended User Response    Report the issue to your organization’s technical support.

 Login error.

Description    Message originated from the Cisco ASA. The secure gateway detected an error during login.

Recommended User Response    Try a new VPN connection.

 Login failed.

Description    Message originated from the Cisco ASA. The VPN connection could not be established. The most likely cause of this error is invalid credentials.

Recommended User Response    Verify your login credentials and try a new VPN connection.

 Login failed: Message 

Description    Message originated from the Cisco ASA. The VPN connection could not be established. The message following "Login failed:" indicates the reason.

Recommended User Response    Try using the reason in the message to resolve the issue and try a new VPN connection.

 Network access is restricted due to an administrator configured timer expiration. 
The connection must be retried manually.

Description    AnyConnect is configured with a connect failure policy of "closed" and a captive portal remediation time-out setting expired. You may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. AnyConnect grants full network access for a limited period specified by the remediation time-out so you can attempt to satisfy the Internet service provider requirements. To protect the endpoint, AnyConnect restricts access after the timer expires.

Recommended User Response    Start a web browser and satisfy the conditions of the service provider. The remediation timer restarts. Retry the connection.

 New PIN way too big.

Description    Message originated from the Cisco ASA. The length of the personal identification number (PIN) entered exceeds the maximum length allowed.

Recommended User Response    Consult your corporate guidelines to change your PIN or report the issue to your organization’s technical support.

 New Password Required but user not allowed to change

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is most likely the cause. The user does not have permission to change his/her own password.

Recommended User Response    Report the issue to your organization’s technical support.

 New password way too big.

Description    Message originated from the Cisco ASA. The length of the password entered exceeds the maximum length allowed.

Recommended User Response    Consult your corporate guidelines to change your password.

 No certificate store has been found. VPN connection cannot be established.

Description    AnyConnect could not access the certificate store, so it cannot verify server certificates and therefore cannot verify the identity of the secure gateway. Also, AnyConnect cannot respond to certificate requests.

Recommended User Response    Make sure Firefox is installed or the file store is provisioned with certificates.

Recommended Administrator Response    Make sure the Local Policy file does not exclude all potential certificate stores. Ensure the user has Firefox installed or the file store is provisioned with certificates.

 No valid certificates available for authentication.

Description    The secure gateway did not accept any of the certificates AnyConnect provided. No more certificates remain.
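When troubleshooting this message on Windows, the first question is whether the endpoint holds any certificate that could pass the usual client-authentication checks at all. The following PowerShell diagnostic is an added example, not part of the AnyConnect documentation and not AnyConnect's own certificate selection logic: it walks the user and machine personal stores and reports, per certificate, the common disqualifying conditions (no private key, outside the validity period, an EKU extension that lacks Client Authentication, or a chain that does not build to a trusted root). The store paths and the Client Authentication OID are standard Windows values; the acceptance criteria are an assumption that approximates what a gateway typically requires.

```powershell
# Added diagnostic (not from the AnyConnect documentation): list certificates in the
# Windows personal stores and flag why each one might be rejected for client
# authentication. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $problems = @()
    $now = Get-Date

    # A certificate without an accessible private key cannot answer the TLS
    # CertificateVerify challenge, so the gateway will never accept it.
    if (-not $Cert.HasPrivateKey) { $problems += "no private key" }
    if ($Cert.NotAfter -lt $now)  { $problems += "expired on $($Cert.NotAfter.ToString('yyyy-MM-dd'))" }
    if ($Cert.NotBefore -gt $now) { $problems += "not yet valid" }

    # EKU: if the extension is present it must include Client Authentication.
    # A certificate with no EKU extension is treated as unrestricted (assumption).
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $problems += "EKU lacks Client Authentication ($ClientAuthOid)"
    }

    # Chain: must build to a root the endpoint trusts. Revocation is checked
    # online with a short timeout so the script does not hang on an offline host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(10)
    if (-not $chain.Build($Cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $problems += "chain: $reasons"
    }

    [pscustomobject]@{
        Store      = $Cert.PSParentPath -replace '^.*::', ''
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join "; ")
    }
}

# AnyConnect can select from both the user and the machine personal store, so
# inspect both; the machine store needs an elevated session to read private-key
# presence reliably.
$results = foreach ($store in "Cert:\CurrentUser\My", "Cert:\LocalMachine\My") {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ClientAuthCertificate -Cert $_ }
}

$results |
    Sort-Object Usable -Descending |
    Format-Table Store, Subject, Usable, Problems, NotAfter -AutoSize
```

If the table shows no row with Usable set to True, the endpoint has nothing the gateway could accept and the fix is re-enrollment; if a row is usable but the message persists, the rejection is on the gateway side (certificate map, trustpoint, or issuer not trusted by the ASA), which the Recommended Administrator Response for Certificate Validation Failure above covers.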

 Password change required.

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is most likely the cause.

Recommended User Response    Report the issue to your organization’s technical support and request an account for VPN access.

 Please establish an Internet connection. If a browser or other application opened 
a connections dialog window, please respond so that AnyConnect can proceed.

Description    If Internet Explorer is configured to always dial, or dial if no other connection is present, when the browser is launched the user is prompted to select a connection. If the user does not connect, or cancels the dialog and opens AnyConnect, the connection becomes unresponsive while AnyConnect contacts the secure gateway.

Recommended User Response    Dismiss the connection dialog box. AnyConnect displays a new dialog box and proceeds with the connection.

 Posture Assessment: Failed

Description    A Host Scan error occurred. Common causes include failures to download or launch the Host Scan components, and a system scan that took more than 10 minutes to complete.

Recommended User Response    Try a new VPN connection.

 Posture assessment with authenticating proxy is not implemented.

Description    Host Scan could not perform posture assessment of the endpoint because AnyConnect is configured to use an authenticating proxy. Host Scan does not have access to the credentials for the authenticating proxy.

Recommended User Response    Try to bypass or disable the proxy, then try a new VPN connection.

Recommended Administrator Response    Disable proxy authentication completely, or selectively when accessing the ASA.

 Server reboot pending, new logins disabled. Try again later.

Description    The secure gateway is being restarted.

 Session terminated.

Description    Message originated from the Cisco ASA. The authentication ticket was removed before the user responded.

Recommended User Response    Try logging on again.

 System configuration settings could not be applied. A VPN connection will not be 
established.

Description    AnyConnect attempted to apply system configuration settings received from the secure gateway. The error occurred in the System Network Abstraction Kit (SNAK) layer, which could indicate an error with vendor-supplied plug-ins external to AnyConnect.

Recommended User Response    Restart the computer or device, then try starting a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The AnyConnect package on the secure gateway could not be located. You may be 
experiencing network connectivity issues. Please try connecting again.

Description    The AnyConnect package file could not be located on the secure gateway.

Recommended User Response    Make sure you have network connectivity, then try a new VPN connection.

Recommended Administrator Response    Make sure an AnyConnect package file for the user’s operating system is present on the ASA configuration.

 The AnyConnect protection settings must be lowered for you to log on with the 
service provider. Your current enterprise security policy does not allow this.

Description    You may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. Corporate policies do not permit VPN access in this setting.

Recommended User Response    Retry after relocating.

Recommended Administrator Response    Change the AnyConnect client profile Always-on VPN ConnectFailurePolicy setting if you want to permit captive portal access.

 The Connect Failure Policy will not be applied because the Secure Gateway could 
not be found in the profile.

Description    AnyConnect could not apply the Always-on VPN connect failure policy specified by the ConnectFailurePolicy profile setting, despite the connection failure. The target secure gateway is not present in the profile. AnyConnect permits connections only to the hosts specified in the profile because the Always-on VPN policy restricts traffic to other destinations.

 The FIPS verification of the OpenSSL libraries have failed. Reinstalling 
AnyConnect might fix this issue.

Description    AnyConnect failed to configure OpenSSL into FIPS mode. The OpenSSL shared libraries installed with AnyConnect could have been tampered with or might be corrupt.

Recommended User Response    Reinstall AnyConnect and try a new VPN connection.

 The MTU of the physical adapter is too small. An MTU of at least 1374 bytes is 
required for an IPv6 connection. Please contact your network administrator.

Description    The Maximum Transmission Unit (MTU) of the endpoint system physical network interface is too small to support IPv6 data through a VPN connection.

Recommended User Response    Use the SetMTU utility that comes with the legacy Cisco VPN Client to set the MTU to 1374, the minimum MTU for IPv6 on the physical adapter, or set it to a greater value. You will likely need to consult with your organization’s technical support to perform this task.
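Added example (not from the Cisco guide): a PowerShell equivalent of the SetMTU check above that lists the IPv6 MTU of every physical adapter against the 1374-byte minimum the guide names and raises it where needed. It assumes an elevated PowerShell on Windows 8/Server 2012 or later (NetTCPIP module); the adapter alias `Ethernet` is a placeholder.

```powershell
# Added example, not from the Cisco guide. Checks that every IPv6 interface on a
# physical adapter has an MTU of at least 1374 bytes (the IPv6 minimum the guide
# names) and offers a remediation. Requires an elevated PowerShell session.

$MinIPv6Mtu = 1374

function Get-AdapterMtuReport {
    # One row per IPv6 interface on a physical adapter, with a verdict column.
    Get-NetAdapter -Physical | ForEach-Object {
        $adapter = $_
        Get-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Adapter = $adapter.Name
                    Status  = $adapter.Status
                    Mtu     = $_.NlMtu
                    Verdict = if ($_.NlMtu -ge $MinIPv6Mtu) { 'OK' } else { 'TOO SMALL' }
                }
            }
    }
}

function Set-AdapterMtu {
    param(
        [Parameter(Mandatory)] [string] $Alias,   # placeholder alias supplied by the caller
        [int] $Mtu = $MinIPv6Mtu
    )
    # Apply to both address families so IPv4 and IPv6 on the adapter agree.
    foreach ($family in 'IPv4', 'IPv6') {
        Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily $family -NlMtuBytes $Mtu
    }
    Get-NetIPInterface -InterfaceAlias $Alias | Select-Object InterfaceAlias, AddressFamily, NlMtu
}

Get-AdapterMtuReport | Format-Table -AutoSize
# Remediation on a placeholder adapter alias (uncomment to apply):
# Set-AdapterMtu -Alias 'Ethernet' -Mtu 1400
```

Run the report first; only adapters marked `TOO SMALL` need the second step, and a value above 1374 (for example 1400 or the default 1500) is equally acceptable as long as the upstream path supports it.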

 The VPN GUI and Agent Process are not both in FIPS Mode.

Description    The VPN GUI and the VPN Agent are not both operating in FIPS mode, even though both are configured to do so; one of the two processes started without it.

Recommended User Response    Restart the computer or device and AnyConnect to synchronize the operating modes of both processes.

 The VPN client agent SSL engine encountered an error. Please retry, or restart 
AnyConnect.

Description    AnyConnect encountered an unexpected and unrecoverable error in the SSL protocol stack. One possible cause is an AnyConnect flaw.

Recommended User Response    Restart the computer or device, then try starting a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent attempt to signal readiness to the plugin thread failed.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing the main thread of the AnyConnect for Apple iOS VPN plug-in.

Recommended User Response    Try restarting the device and starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent decryption engine encountered an error.

Description    AnyConnect service encountered an unexpected and unrecoverable error in the protocol decryption engine.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent encountered a secure gateway protocol failure.

Description    The AnyConnect service encountered an unexpected and unrecoverable protocol error in an exchange with the secure gateway.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent encryption engine encountered an error.

Description    The AnyConnect service encountered an unexpected and unrecoverable error in the protocol encryption engine.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced a failure initializing a required timer.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing a required internal timer object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced a failure initializing trusted network detection.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing the trusted network detection subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced an internal failure with the interprocess 
communication depot.

Description    The AnyConnect service experienced an unexpected and unrecoverable error with its inter-process communication subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced an unexpected internal error. The VPN connection 
has been disconnected. Please restart your computer or device, then try again.

Description    The client has experienced an unexpected and unrecoverable error. The error is possibly due to one of the following:

Unable to access an internal data structure that is expected to always be available.

Unable to retrieve a profile setting for which a value, at the very least a default, should always be available.

A Windows Terminal Services operation failed.

Recommended User Response    Please restart your computer or device, then try a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed in receiving a message from an IPC peer requesting the 
creation of a VPN connection.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while processing a request from another client process to initiate a VPN connection.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed in receiving a message from an IPC peer requesting the 
launch of an application.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while processing a request from another client process to launch a client application.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create a necessary processing component and cannot 
continue.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its main execution thread.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for agent service 
notification processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event object for internal notification processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for agent termination 
processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event object for internal termination processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for network adapter change 
processing.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to create a required event object for local network adapter change notifications.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for system suspend 
processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event object for local suspend processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to launch the client user interface application.

Description    The VPN connection was started via a web browser, requiring the start of the AnyConnect UI, but it failed to start.

Recommended User Response    Restart the computer or device and try again. If the problem reoccurs, report the error to your organization’s technical support.

Recommended Administrator Response    Try using the same OS to initiate a WebLaunch of AnyConnect. If it fails, open a case with the Cisco Technical Assistance Center (TAC).

 The VPN client agent failed to load the SNAK system plugin required by this version 
of AnyConnect.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to initialize its System/Network Abstraction Kit (SNAK) subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable create the plugin loader.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its plug-in loader subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create a necessary timer.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal timer object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client VPN configuration manager.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its VPN connection configuration management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client host configuration manager.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to create its local configuration management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client preferences manager.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its preferences management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the interprocess communication depot.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal interprocess communication object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the network environment component.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its network environment monitoring subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the trusted network detection component.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its trusted network detection subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to enable FIPS Mode.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to initialize its Federal Information Processing Standards (FIPS) operation mode.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to initialize the system network socket support.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to initialize its local network socket subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a failure response to an IPC peer 
requesting the creation of a VPN connection.

Description    The AnyConnect service received a request from another client process to initiate a VPN connection. The service encountered an unexpected and unrecoverable failure while attempting to send an error notification back to the requesting client process.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a failure response to an IPC peer 
requesting the launch of an application.

Description    The AnyConnect service received a request from another client process to launch a client application. The service encountered an unexpected and unrecoverable failure while attempting to send an error notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a success response to an IPC peer 
requesting the creation of a VPN connection.

Description    The AnyConnect service received a request from another client process to initiate a VPN connection. The service encountered an unexpected and unrecoverable failure while attempting to send a success notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a success response to an IPC peer 
requesting the launch of an application.

Description    The AnyConnect service received a request from another client process to launch a client application. The service encountered an unexpected and unrecoverable failure while attempting to send a success notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client driver has encountered an error. Please restart your computer or 
device, then try again.

Description    The AnyConnect service could not configure or start the virtual adapter driver needed to perform a VPN connection. A likely cause is a problem with the virtual adapter installation or registry settings.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    See "Microsoft Windows Updates" in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5.

 The VPN client driver has encountered an error. Close all sensitive networked 
applications. Please restart your computer or device, then try again.

Description    AnyConnect received a notification from its virtual adapter indicating it is terminating communication. The likely cause of the error is a virtual adapter driver failure.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client failed to establish a connection.

Description    The AnyConnect service failed to establish a secured connection to the secure gateway. Possible causes include the following:

Proxy authentication failure

Protocol handshake failure

Bad client or server certificate

Layer 2 communication failures

Recommended User Response    Retry the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client service has been stopped. The VPN connection has been disconnected. 
Close all sensitive networked applications.

Description    AnyConnect disconnected from the VPN because it received a stop notification from the endpoint.

Recommended User Response    Restart AnyConnect and retry the VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to modify the IP forwarding table. A VPN connection will 
not be established. Please restart your computer or device, then try again.

Description    AnyConnect failed to apply all the VPN configuration settings to the endpoint IP forwarding table. A VPN connection is not permitted because this failure could compromise both its security and operation. This error is unrecoverable.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to setup IP filtering. A VPN connection will not be 
established.

Description    AnyConnect failed to apply the VPN configuration settings to its IP filtering subsystem. A VPN connection is not permitted because this failure could compromise both its security and data integrity. This error is unrecoverable.

Recommended User Response    Restart the computer or device. Restart the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to successfully verify the IP forwarding table 
modifications. A VPN connection will not be established.

Description    AnyConnect could not verify the successful application of all the VPN configuration settings to the local IP forwarding table. A VPN connection is not permitted because settings that are not applied could compromise both its security and operation. Other software running on the endpoint might also be actively altering the IP forwarding table, interfering with the AnyConnect configuration.

Recommended User Response    Restart the computer or device. Exit all applications. Restart the VPN connection. If necessary, report the error to your organization’s technical support.

 The VPN configuration received from the secure gateway has an invalid format. 
Please contact your network administrator.

Description    AnyConnect received a VPN connection configuration from the secure gateway containing an invalid format. The secure gateway could be malfunctioning.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Make sure the AnyConnect profile is an .xml file.

 The VPN configuration received from the secure gateway is invalid. Please contact 
your network administrator.

Description    AnyConnect received a VPN connection configuration from the secure gateway containing invalid or conflicting information.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Examine and correct the VPN configuration settings on the secure gateway. Try using the AnyConnect profile editor to open and validate the AnyConnect profile.

 The VPN connection could not be automatically re-established following a mobile 
device wakeup. A new connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed after a local OS sleep-and-wake-up cycle.

Recommended User Response    Verify the device network connectivity. Try a new VPN connection.

 The VPN connection could not be automatically re-established following a system 
resume from standby or hibernate. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed after a local OS suspend-and-resume cycle.

Recommended User Response    Verify the computer or device network connectivity. Then try a new VPN connection.

 The VPN connection could not be re-established when attempting to resume from the 
paused connection state.

Description    Automatic VPN reconnection attempts failed after a local pause-and-continue cycle.

Recommended User Response    Try a new VPN connection.

 The VPN connection has been disconnected due to the mobile device sleeping. The 
reconnect capability is disabled. A new connection is necessary, which requires 
re-authentication.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected because the endpoint went to sleep.

Recommended User Response    Try a new VPN connection.

Recommended Administrator Response    Because mobile devices sleep more frequently than portable computers, consider configuring a different profile and group for mobile devices with the DisconnectOnSuspend preference set to "Reconnect on resume" if mobile device end-users encounter this message frequently.

 The VPN connection has been disconnected due to the system suspending. The 
reconnect capability is disabled. A new connection is necessary, which requires 
re-authentication.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected because an endpoint system suspend occurred.

Recommended User Response    Try a new VPN connection.

Recommended Administrator Response    None. Change the AnyConnect client profile Auto Reconnect Behavior value to another value if you want to change the reconnect policy.

 The VPN connection is not allowed via a local proxy. This can be changed through 
AnyConnect profile settings.

Description    In accordance with the AnyConnect configuration, AnyConnect prevented the use of a local proxy to establish a VPN connection.

Recommended User Response    Remove the local proxy and try a new VPN connection.

Recommended Administrator Response    None. Check Allow Local Proxy Connections on the AnyConnect client profile if you want to permit the use of a local proxy.

 The VPN connection to the secure gateway was disrupted and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because of a connection failure or disruption. Possible causes include a local network failure, internet device failure, or secure gateway failure.

Recommended User Response    Verify network connectivity, then try a new VPN connection.

 The VPN connection was re-established but the secure gateway assigned a new 
configuration that could not be successfully applied. A new connection is 
necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed. A modified VPN connection configuration from the secure gateway requires another automatic reconnection.

Recommended User Response    Verify network connectivity, then try a new VPN connection.

 The VPN connection was started by a remote desktop user whose remote console has 
been disconnected. It is presumed the VPN routing configuration is responsible for 
the remote console disconnect. The VPN connection has been disconnected to allow 
the remote console to connect again. A remote desktop user must wait 90 seconds 
after VPN establishment before disconnecting the remote console to avoid this 
condition.

Description    AnyConnect detected a remote console disconnect within 90 seconds of the establishment of a VPN session. AnyConnect terminated the session because it detected an interruption of the remote console session, indicating the necessity of restoring the local IP forwarding table to permit the re-establishment of the remote console session.

Recommended User Response    Remote console users should wait more than 90 seconds following VPN connection establishment before disconnecting the remote console session to avoid this condition.

 The VPN connection was terminated by the secure gateway and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because the secure gateway closed the connection.

Recommended User Response    Remote console users should wait more than 90 seconds following VPN connection establishment before disconnecting the remote console session to avoid this condition.

 The VPN connection was terminated due to a Windows connection manager failure. A 
new connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed because of a Windows connection manager failure. The VPN connection requires an automatic reconnection.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The VPN connection was terminated due to a different client IP address assignment 
by the secure gateway and could not be automatically re-established. A new 
connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because the secure gateway returned a different private network IP address in response to an IP address renewal request.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to a rekey failure and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed because of a failure to rekey the encryption protocol.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to a system routing table modification and 
could not be automatically re-established. A new connection is necessary, which 
requires re-authentication.

Description    The local host configuration management subsystem could not correct a change in the local IP forwarding table. Automatic VPN reconnection attempts failed.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to an IP address renewal failure and could 
not be automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    A failure to perform a DHCP renewal of the private network IP address used by AnyConnect requires a new VPN connection. Automatic VPN reconnection attempts failed.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to incorrect tunnel MTU and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    AnyConnect detected that the tunnel MTU is incorrect. The VPN connection was torn down, but a new connection to enforce the correct tunnel MTU could not be established.

Recommended User Response    Try a new VPN connection. If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Change the secure gateway group-policy svc-mtu setting. To do so using ASDM, go to the MTU parameter on the Configuration > Group Policies > Add or Edit > Advanced > AnyConnect Client panel.

 The VPN connection was terminated due to the loss of the network interface used 
for the VPN connection.

Description    The endpoint network interface used for the VPN connection lost its network connectivity. The interface either disconnected or no longer has a usable IP address. As a result, the VPN connection attempt failed, or the VPN session or idle time-out expired, halting VPN reconnect attempts.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The VPN connection was terminated due to the loss of the network interface. A new 
connection is necessary, which requires re-authentication.

Description    The VPN connection lost its physical network interface, requiring a new VPN connection.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The Windows Routing and Remote Access service is not compatible with the VPN 
client. The VPN client cannot operate correctly when this service is running. You 
must disable this service in order to use the VPN client.

Description    The Windows Routing and Remote Access service lets Microsoft Windows Server 2000, 2003 and 2008 function as a router, and as such it actively monitors and modifies the system IP forwarding table. AnyConnect cannot coexist with a running Routing and Remote Access service because it interferes with the AnyConnect configuration of the endpoint IP forwarding table for VPN connections and, if configured, the security of Always-on VPN.

Recommended User Response    Disable Routing and Remote Access. To do so, choose Start > Administrative Tools > Routing and Remote Access, right-click the server icon, choose Disable Routing and Remote Access, and click Yes in the confirmation dialog box. Then establish a VPN connection.
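Added example (not from the Cisco guide): a PowerShell check for the conflict described above. It inspects the Routing and Remote Access service (Windows service name `RemoteAccess`) and, if it is running or set to start, stops and disables it. It assumes an elevated PowerShell session on the affected Windows Server.

```powershell
# Added example, not from the Cisco guide. Detects the Windows Routing and Remote
# Access service (service name RemoteAccess), which the guide says cannot run
# alongside AnyConnect, and disables it. Requires an elevated PowerShell session.

function Test-RrasActive {
    # True when RRAS is running now or would start on the next boot.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }   # role not installed: nothing to disable
    return ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
}

function Disable-Rras {
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output 'Routing and Remote Access is not installed.'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name RemoteAccess -Force }
    Set-Service -Name RemoteAccess -StartupType Disabled
    # Show the resulting state so the change can be recorded in the ticket.
    Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
}

if (Test-RrasActive) {
    Disable-Rras
} else {
    Write-Output 'RRAS is not active; it will not interfere with the AnyConnect forwarding table.'
}
```

Stopping the service removes the conflict with the endpoint IP forwarding table, but it only stops the service; the console action in the guide also clears the RRAS router configuration. Confirm first that the server does not depend on RRAS for routing or NAT, because disabling it there breaks that role.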

 The certificate on the secure gateway is invalid. A VPN connection will not be 
established.

Description    A rare problem was encountered with the server certificate.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Check the validity of the secure gateway server certificate.

 The client agent has encountered an error.

Description    AnyConnect encountered an unexpected and unrecoverable initialization failure.

Recommended User Response    Try restarting the computer or device, then start a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The client could not connect because of a secure gateway address resolution 
failure. Please verify Internet connectivity and server address.

Description    The client was unable to connect due to a DNS resolution error. Common causes can include a hostname that does not properly resolve to an IP address, incorrect DNS settings on the client, or unreachable or non-responsive DNS servers on the client.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Work with the user to verify local access to a DNS server.

 The client service has encountered an error and is stopping. Close all sensitive 
networked applications.

Description    AnyConnect encountered an unexpected and unrecoverable failure while interfacing with the local control subsystem.

Recommended User Response    Try restarting the computer or device, then start a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The configuration of the VPN Server has changed. Please try again.

Description    The secure gateway configuration changed after AnyConnect first contacted the secure gateway.

Recommended User Response    Start a new VPN connection.

Recommended Administrator Response    Try starting a new VPN connection from another location.

 The required license for this type of VPN client is not available on the secure 
gateway. Please contact your network administrator.

Description    AnyConnect attempted to establish a VPN session with a secure gateway that is not activated with an AnyConnect license.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Obtain an AnyConnect Essentials or Premium license from your Cisco Sales Engineer and activate it on the ASA.

 The secure gateway failed to reply to a connection initiation message and may be 
malfunctioning. Please try connecting again. If this problem persists, please 
contact your network administrator.

Description    An extended timer expired while AnyConnect was establishing a VPN connection with the secure gateway. The secure gateway probably failed to respond to a protocol handshake request. A flaw in the secure gateway software could be the cause.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The secure gateway has rejected the connection attempt. A new connection attempt 
to the same or another secure gateway is needed, which requires re-authentication.

Description    AnyConnect received an error response (that is, an HTTP error code) from the secure gateway during the negotiation for a VPN session. AnyConnect logged the error code and any error description text provided in the secure gateway error response.

Recommended User Response    Try starting a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 The secure gateway has terminated the VPN connection.

Description    The secure gateway terminated the VPN connection. In the case of SSL, the message displayed to the user from the secure gateway indicates the reason for the termination.

Recommended User Response    Try starting a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 The secure gateway is responding, but AnyConnect could not establish a VPN session. 
Please retry.

Description    The Always-on VPN connect failure policy specified via the ConnectFailurePolicy profile setting will not be applied, despite the connection failure. While the UI failed to connect, AnyConnect could not contact the target secure gateway. Thus, the connection failure could not be confirmed and any existing network restrictions are maintained.

Recommended User Response    Try starting a new VPN connection.

 The server certificate received or its chain does not comply with FIPS. A VPN 
connection will not be established.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected from the VPN because the server certificate received from the secure gateway or the certificate in the server certificate chain is not compliant with Federal Information Processing Standards (FIPS).

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify the secure gateway server certificate uses both the FIPS-required minimum RSA public key length and a FIPS compliant signature algorithm.

 The service provider in your current location is restricting access to the 
Internet.

Description    The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the situation. Open a web browser and satisfy the conditions of the service provider. Then retry the connection.

 The service provider in your current location is restricting access to the secure 
gateway. 

Description    The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the problem. Open a web browser and satisfy the conditions of the local Internet service provider. Then retry the connection.

 Unable to complete connection: Cisco Secure Desktop not installed on the client

Description    A login was attempted but no CSD data was sent for the connection. There may have been an error installing or running CSD.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Install CSD or verify that it is installed.

 Unable to contact SecureGateway.

Description    The secure gateway could not be contacted because of a DNS resolution error or an unreachable or non-responsive secure gateway.

Recommended User Response    Check for an additional error message for more detail about the cause.

 Unable to establish connection with newly imported Certificate.

Description    AnyConnect could not locate a certificate recently obtained via enrollment. Common causes include the following:

Misconfiguration of the secure gateway, such as missing trust points.

Invalid certificate date.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify the secure gateway configuration and certificate date.

 Unable to proceed.

Cannot contact the VPN service.

Description    A user attempted to perform an action such as connect and AnyConnect is not able to communicate with the AnyConnect agent. An alert message informing the user of this condition precedes this one.

Recommended User Response    Restart the computer or device, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 Unable to process remote proxy request. Please try again.

Description    An unexpected error occurred while processing the user response to proxy authentication.

Recommended User Response    Remove the local proxy and try a new VPN connection.

 Unable to re-register for IP forwarding table change notifications. The VPN 
connection has been disconnected.

Description    AnyConnect encountered an unrecoverable error when it attempted to re-register for local IP forwarding table change notifications. The VPN was disconnected because the error prevents AnyConnect from ensuring both its security and correct operation.

Recommended User Response    Restart the computer or device, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the error to Cisco TAC and include the DART bundle.

 Unable to retrieve logon information to verify compliance with AnyConnect logon 
enforcement and VPN establishment profile settings. A VPN connection will not be 
established.

Description    AnyConnect cannot enforce the user logon limit settings configured in the client profile because it cannot retrieve the local user login information. To ensure the protection of the private network, the VPN connection is not permitted.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to send authentication message.

Description    There was an error communicating with the authentication server.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to send authorization message.

Description    There was an error communicating with the authorization server.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to update the session management database

Description    The secure gateway encountered an error when attempting to add the VPN connection to the session database.

Recommended User Response    Try a new VPN connection. If the problem persists, report it to your organization’s technical support.

Recommended Administrator Response    Try a new VPN connection.

 Unable to verify the necessary registry keys for FIPS

Description    The AnyConnect client could not access the local registry keys needed to verify FIPS compliance.

Recommended User Response    Report the problem to your organization’s technical support.

Recommended Administrator Response    Try a new VPN connection.

 Unknown challenge.

Description    The authentication server returned an unrecognized challenge code.

Recommended User Response    Report the problem to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unknown error.

Description    The secure gateway experienced an unknown error.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Unknown login status.

Description    The secure gateway did not perform one of the expected actions (accept, reject, or challenge the login, or return an error).

Recommended User Response    Retry the VPN connection. Report the problem to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unwilling to perform password change.

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is the likely cause. The server cannot modify the password.

Recommended User Response    Report the problem to your organization’s technical support.

 VPN Server could not parse request.

Description    The secure gateway could not parse the request sent by the VPN client.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 VPN Server internal error.

Description    The secure gateway encountered an internal error such as low memory.

Recommended User Response    Try restarting the VPN connection. Report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) if you cannot resolve the memory issue.

 VPN Service not available.

Description    The AnyConnect agent is not communicating. Likely causes include one of the following:

The AnyConnect agent did not start.

AnyConnect is not installed.

Recommended User Response    Ask your organization’s technical support for instructions on how to reinstall AnyConnect, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 VPN Service not available. Exiting.

Description    The AnyConnect agent is not communicating. Likely causes include one of the following:

The AnyConnect agent did not start. Because AnyConnect is configured to run in Start Before Logon mode, it exited to keep from blocking the user.

AnyConnect is not installed.

Recommended User Response    Try a new VPN connection. If the problem persists, ask your organization’s technical support for instructions on how to reinstall AnyConnect, then start a new VPN connection. If the problem continues to persist, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 VPN connection terminated, Smartcard removed from reader.

Description    The smartcard used to authenticate the VPN connection was removed from the Smartcard reader. The VPN was disconnected to ensure the protection of the private network.

Recommended User Response    Re-insert the smartcard and try a new VPN connection.

 VPN established. Continuing with login.

Description    The start before logon components established a VPN connection. The GUI exits to let the user log in to the OS.

Recommended User Response    Log in.

 VPN establishment capability from a remote desktop is disabled. A VPN connection 
will not be established.

Description    AnyConnect is not configured to permit the establishment of a VPN connection from within a remote desktop session on the endpoint.

Recommended User Response    Log in directly, then connect to the VPN.

Recommended Administrator Response    Refer to «Allowing a Windows RDP Session to Launch a VPN Session» in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5 if you want to enable VPN access from an RDP session.

 Warning: The following Certificate received from the Server could not be verified:

Description    The certificate presented by the secure gateway could not be verified. Possible causes include:

Certificates could not be verified to a trusted Root Certificate.

Misconfigured certificate names.

Invalid host names entered by user causing name check failure.

Expired or revoked certificates.

Recommended User Response    Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Validate or replace the certificate.

 When in the Secure Vault, use the "Launch Login Page" button on the desktop to 
relaunch the client.

Description    Cisco Secure Desktop was detected as running on the endpoint.

Recommended User Response    Click Launch Login Page inside the Secure Desktop to launch the client inside the Secure Desktop to continue using the VPN connection.

 You have no dial-in permission.

Description    The user’s account does not have permission to access the network remotely.

Recommended User Response    Report the error to your organization’s technical support.

 You need to log on with the service provider before you can establish a VPN 
session. You can try this by visiting any website with your browser.

Description    The user may be located at a coffee shop, airport, or hotel, where an internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the situation. Open a web browser to see if you can satisfy the conditions for Internet access. Then retry the VPN connection.

 Your VPN connection has exceeded the session time limit. A new connection is 
necessary, which requires re-authentication.

Description    The VPN session was terminated because it exceeded the time permitted by the secure gateway for a VPN session. This feature helps protect the private network by requiring the user to re-authenticate with the secure gateway.

Recommended User Response    Start a new VPN session.

 Your account is disabled.

Description    The user’s account is disabled and cannot be used to access the VPN.

Recommended User Response    Report the error to your organization’s technical support.

 Your certificate is invalid for the selected group

Description    The secure gateway validated the certificate provided by AnyConnect, however, the applied connection policy (tunnel group) does not permit the certificate. The certificate might be valid for another connection policy configured on the secure gateway.

Recommended User Response    Report the error to your organization’s technical support and ask for the proper certificate.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

 Your client certificate will be used for authentication

Description    Certificate-only authentication is in use. Instead of providing a username and password as credentials, the user’s certificate will be used for authentication.

Recommended User Response    None.

 Your connection to the secure gateway has been suspended longer than the allotted 
time limit. A new connection is necessary, which requires re-authentication.

Description    The VPN session was terminated because it exceeded the VPN session idle timer limit configured on the secure gateway. This feature helps protect the private network by requiring the user to re-authenticate with the secure gateway.

Recommended User Response    Start a new VPN session.

Recommended Administrator Response    None.

Hello.

After upgrading from Windows 7 to Windows 8 I, like many other users, ran into a problem connecting to the office through the Cisco VPN client. In my case Cisco AnyConnect 2.5.6005 was installed under Windows 7 and worked without complaint.

After the upgrade the system reported that AnyConnect needed to be reinstalled, but reinstalling did not help me. The error "Failed to enable Virtual Adapter" appeared. The symptoms were similar to those described in

this article

I decided not to poke around in the system and simply downloaded the latest version of Cisco AnyConnect from

cisco.com. At the moment the latest version is 3.1.01065.

But then other problems appeared. Cisco AnyConnect does not see the SSL certificate of the VPN server configured on the Cisco ASA 5510. It shows the following message: "No valid certificates available for authentication".

The certificate for the Cisco ASA 5510 was issued by our corporate certification authority using the "WebServer" template. I imported this certificate, as well as the certificate of the CA itself, into Trusted Root Certification Authorities through the certmgr.msc console. I can see them in the certificate list and both are valid.

But there is one tricky BUT. If you look at the certificate list through Internet Explorer's Internet Options (on the "Content" tab, "Certificates"), for some reason the Cisco ASA certificate is not shown in the Trusted Root Certification Authorities list, as if it were not in the system at all, yet if you open certmgr.msc it is there! Miracles. The certificate of the CA itself is present in both places.

My guess is that Cisco AnyConnect looks up certificates through Internet Options and, not finding it there, reports the error "No valid certificates available for authentication". Although, I repeat, on Windows 7 there were no problems with certificates.

How do I make Cisco AnyConnect see the certificate after all?

The same question that I first asked
there

  • Edited 4 November 2012, 19:36: hyperlinks

Cisco AnyConnect v4.2 — No Valid Certificates Available for Authentication

Pulling my hair out on this one — user with Windows 10 v1607 (build 14393.693) and Cisco AnyConnect v4.2.04039. Originally, worked fine with two remote sites. Now, will not connect at all to either ASA.

  • Error message is consistent for both sites. (Different companies)

  • Both sites do NOT use Certificate Authentication.

  • Attempted to reinstall/update AnyConnect without success.

There seems to be a myriad of "root causes" for this error online. However, I’ve tried the reinstall, copying over files from a working instance, etc. etc.

The most likely scenario was that it was installed as Administrator and needed those privileges to access the certificate store. Launching as Administrator did not help, and, frankly, I’m not certain WHICH certificate is missing/broken. Also, since these are NOT using Certificate Authentication, I’m not sure where this is breaking down in the process. Why would the client cert failure stop connection, entirely?

Need an AnyConnect expert as this is beginning to drive me crazy. How do I fix this? Can I "reinstall" a certificate which seems to represent the client in the negotiation? And, since these are different sites entirely, it isn’t easy to get to the ASA logs themselves for troubleshooting.

Can anyone point me in the right direction?

Topic: VPN issue: No valid certificates available for authentication

Windows users are getting the following error when trying to connect to Remote Access VPN. 

No valid certificates available for authentication.

Troubleshooting the Windows side of the house, we found that increasing the timeout value in the registry entry resolves the issue.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\TransactionTimeoutDelay
changed from 5 to 60.

Problem is that Mac users are having the same/similar issue when connecting to RAVPN;
since Macs don’t have a Windows registry, modifying the registry will not work.

Has anyone seen this before and have a Mac solution?



:professorcat:

My Moral Fibers have been cut.


Get a PC. :problem?:

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the MAC box that has a timeout setting?



Take a baseball bat and trash all the routers, shout out «IT’S A NETWORK PROBLEM NOW, SUCKERS!» and then peel out of the parking lot in your Ferrari.
«The world could perish if people only worked on things that were easy to handle.» — Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | «Plan B is Plan A with an element of panic.» — John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.


Get a PC. :problem?:

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the MAC box that has a timeout setting?

I think it is the time from when AnyConnect starts the VPN connection process to the authentication itself; the default is 5 sec.
That’s what I’m asking: is there a timeout setting for the Mac?




I’d look in the config files for the AnyConnect client, see if there’s a setting there.




I had something like this almost 4 years ago. Trying to go back through my email to work it out.

It’s either that the SSL portal uses something like "domain.com/portal"; I have got that error when leaving off the /portal accidentally. The SSL server I have is an IOS router.
Or there’s a NAT rule also using the WAN IP that is used for SSL VPN.

What happens when you browse / possibly run wireshark at the same time as trying to connect with a browser?

Also note this: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

The AnyConnect client does some things in the background to detect if the user is on a public Wi-Fi hotspot behind a captive portal. For SSL VPN to work properly, AnyConnect needs to be able to reach the SSL VPN server on port 80 as well as 443, apparently.




For us updating with the latest ActivClient fixed the issue.




Registered: 02 Mar 2012, 14:08
Posts: 15

Post: Problem with anyconnect

Good afternoon!
I configured the mapping of groups to the OU of certificates. When I go to https://asa_outside_FQDN, a window pops up asking for certificate authorization (for testing I have 2 certificates for different OUs). I authorize with the certificate, then on RADIUS, and voilà, the anyconnect client launches and gets an IP from the right pool.
Here is a piece of the client log
[Mon May 14 11:34:56 2012] Ready to connect.
[Mon May 14 12:01:58 2012] Establishing VPN session…
[Mon May 14 12:02:09 2012] Establishing VPN — Initiating connection…
[Mon May 14 12:02:09 2012] Establishing VPN — Examining system…
[Mon May 14 12:02:09 2012] Establishing VPN — Activating VPN adapter…
[Mon May 14 12:02:10 2012] Establishing VPN — Configuring system…
[Mon May 14 12:02:10 2012] Establishing VPN…
[Mon May 14 12:02:10 2012] Establishing VPN session…
[Mon May 14 12:02:10 2012] Connected to asa.xxx.ru.
[Mon May 14 12:02:26 2012] Disconnect in progress, please wait…
[Mon May 14 12:02:26 2012] Disconnect in progress, please wait…

But if I launch the anyconnect client on its own and specify asa.xxx.ru as the server, I get the following
[Mon May 14 12:02:27 2012] Ready to connect.
[Mon May 14 12:02:27 2012] Ready to connect.
[Mon May 14 12:02:41 2012] Contacting asa.xxx.ru.
[Mon May 14 12:02:44 2012] No valid certificates available for authentication.
[Mon May 14 12:02:46 2012] Certificate Validation Failure
[Mon May 14 12:02:54 2012] Certificate Validation Failure
[Mon May 14 12:02:57 2012] Ready to connect.
The certificates are in the store; they were issued by the same CA that issued the ASA's certificate.
I suspect that the client tries to check the CRL of the ASA's certificate.
The first CRL distribution point points to LDAP://….
The second to http://…
Naturally, the first is not reachable from the client machine, but the second is reachable (I can download the CRL).

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 2
anyconnect profiles any_connect_client_profile disk0:/any_connect_client_profile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map VPN 10 admin
certificate-group-map VPN 20 ra

group-policy admin internal
group-policy admin attributes
dns-server value 10.121.0.1 10.121.0.2
vpn-simultaneous-logins 3
vpn-idle-timeout 120
vpn-session-timeout 750
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value admin_splitTunnelAcl
default-domain value gk.ru
address-pools value ra-admin
webvpn
url-list value ssl-admin
customization value SSL_Portal

group-policy ra internal
group-policy ra attributes
dns-server value 10.121.0.1 10.121.0.2
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ra_splitTunnelAcl
default-domain value gk.ru

tunnel-group admin type remote-access
tunnel-group admin general-attributes
authentication-server-group RADIUS LOCAL
default-group-policy admin
tunnel-group admin webvpn-attributes
customization SSL_Portal
authentication aaa certificate
group-alias admin enable
group-url https://asa.xxx.ru/admin enable
tunnel-group admin ipsec-attributes
ikev1 trust-point GK_Sub_CA

tunnel-group ra type remote-access
tunnel-group ra general-attributes
address-pool ra
authentication-server-group RADIUS
default-group-policy ra
tunnel-group ra webvpn-attributes
customization SSL_Portal
authentication aaa certificate
group-alias ra enable
tunnel-group ra ipsec-attributes
ikev1 trust-point GK_Sub_CA

My problem is described here:

https://supportforums.cisco.com/thread/2084512

I added the ASA's site to trusted sites, but the result is the same.
How do I fix the error?
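As an added example (not code from the forum post, from Cisco, or from the AnyConnect client), here is a small Python script that turns client log lines in the format quoted above into per-attempt results, so the failing standalone launch can be told apart from the working portal launch and the delay before the certificate error measured. The set of failure messages and the 5-second threshold are assumptions taken from the threads on this page, not documented AnyConnect behaviour.

```python
"""Group AnyConnect client log lines into connection attempts and classify them.

Added example, not Cisco's code. Handles the "[Mon May 14 12:02:44 2012] message"
line format shown in the thread above.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*?)\s*$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon May 14 12:02:44 2012"

# Client-log messages that indicate certificate trouble (assumption: taken from
# the messages quoted in the thread, not an exhaustive list).
CERT_FAILURE_MESSAGES = {
    "No valid certificates available for authentication.",
    "Certificate Validation Failure",
}

# Sample log constructed from the lines quoted in the post above: one portal-launched
# attempt that connects, one standalone attempt that fails on certificates.
SAMPLE_LOG = """\
[Mon May 14 11:34:56 2012] Ready to connect.
[Mon May 14 12:01:58 2012] Establishing VPN session…
[Mon May 14 12:02:10 2012] Establishing VPN session…
[Mon May 14 12:02:10 2012] Connected to asa.xxx.ru.
[Mon May 14 12:02:26 2012] Disconnect in progress, please wait…
[Mon May 14 12:02:27 2012] Ready to connect.
[Mon May 14 12:02:41 2012] Contacting asa.xxx.ru.
[Mon May 14 12:02:44 2012] No valid certificates available for authentication.
[Mon May 14 12:02:46 2012] Certificate Validation Failure
[Mon May 14 12:02:54 2012] Certificate Validation Failure
[Mon May 14 12:02:57 2012] Ready to connect.
"""


@dataclass
class Attempt:
    started: datetime                      # "Contacting ..." or "Establishing VPN session"
    host: Optional[str] = None             # filled from "Contacting"/"Connected to"
    connected: bool = False
    first_cert_failure: Optional[datetime] = None
    cert_messages: List[str] = field(default_factory=list)

    def seconds_to_cert_failure(self) -> Optional[float]:
        """Delay between starting the attempt and the first certificate message."""
        if self.first_cert_failure is None:
            return None
        return (self.first_cert_failure - self.started).total_seconds()


def parse_line(line: str):
    """Return (timestamp, message) for a client log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("msg")


def _host_from(msg: str, prefix: str) -> str:
    return msg[len(prefix):].rstrip(".")


def analyze(lines) -> List[Attempt]:
    """Split log lines into attempts; an attempt ends on "Ready to connect." or disconnect."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith("Contacting "):
            current = Attempt(started=ts, host=_host_from(msg, "Contacting "))
            attempts.append(current)
        elif msg.startswith("Establishing VPN session") and current is None:
            current = Attempt(started=ts)          # portal-launched attempt
            attempts.append(current)
        elif current is None:
            continue
        elif msg.startswith("Connected to "):
            current.connected = True
            current.host = _host_from(msg, "Connected to ")
        elif msg in CERT_FAILURE_MESSAGES:
            current.cert_messages.append(msg)
            if current.first_cert_failure is None:
                current.first_cert_failure = ts
        elif msg == "Ready to connect." or msg.startswith("Disconnect in progress"):
            current = None
    return attempts


def classify(attempt: Attempt) -> str:
    if attempt.connected:
        return "connected"
    if attempt.cert_messages:
        return "certificate-failure"
    return "incomplete"


def looks_like_lookup_timeout(attempt: Attempt, threshold_seconds: float = 5.0) -> bool:
    """Heuristic (assumption): a certificate failure that only appears after roughly the
    5 s figure quoted in the thread is worth checking against the lookup timeout."""
    delay = attempt.seconds_to_cert_failure()
    return delay is not None and delay >= threshold_seconds


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a.started.time(), a.host, classify(a), a.seconds_to_cert_failure())
```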

Fedia

Super moderator

Registered: 01 Oct 2008, 12:24
Posts: 4438

Post: Re: Problem with anyconnect

Well, first of all just disable the CRL check and test.

It looks like anyconnect does not see the certificates installed in the system. I know that the ASA can act as a certificate server, and then the client connects fine. Usually I did web-initiation of anyconnect for certificates from the system; why, I no longer remember. Needs testing.

Gagarin86

Registered: 02 Mar 2012, 14:08
Posts: 15

Post: Re: Problem with anyconnect

Fedia wrote:

Well, first of all just disable the CRL check and test.

It looks like anyconnect does not see the certificates installed in the system. I know that the ASA can act as a certificate server, and then the client connects fine. Usually I did web-initiation of anyconnect for certificates from the system; why, I no longer remember. Needs testing.

I disabled CRL; the situation is the same. Maybe I need to fiddle with the IE settings (disable CRL checking for trusted sites, etc.)? Or does the anyconnect client not use the IE settings?

andrew13


Registered: 16 Apr 2012, 08:21
Posts: 87

Post: Re: Problem with anyconnect

Gagarin86 писал(а):

Fedia писал(а):

ну первым делом просто отключитпе проверку crl и проверьте

похоже, что anyconnect не видит сертификатов, установленных в системе. знаю, что аса может быть сервером сертификатов и тогда клиент цепляется нормально. обычно я делал веб-инициацию anyconnect длясертификатов из системы. а вот почему — уже не помню. надо потестить.

Отключил CRL, ситуация та же. Может быть необходимо пошаманить с настройками IE (отключить проверку CRL c доверенных узлов и т.п.)? Или anyconnect клиент не использует настройки IE?

Anyconnect использует настройки прокси IE, и больше ничего. Поэтом там шаманить нечего. А сертификат корневого УЦ добавлен в список доверенных корневых УЦ на компе, с которого осуществляется подключение?

_________________
Everybody’s a jerk. You, Me, This jerk..

Gagarin86

Registered: 02 Mar 2012, 14:08
Posts: 15

Post Re: Problem with anyconnect

andrew13 wrote:

AnyConnect uses the IE proxy settings and nothing else, so there is nothing to fiddle with there. Has the root CA certificate been added to the Trusted Root Certification Authorities list on the computer you are connecting from?

I have 2 CAs, an offline root and a subordinate; their certificates are added to Trusted Root and Intermediate Certification Authorities respectively. By the way, before this I had certificates issued by another CA, and anyconnect saw them and tried to feed them to the ASA, naturally getting rejected.
I tested the Cisco VPN Client, and it connects without problems to the same ASA with the same certificates that anyconnect does not see.
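To see, on the Windows client itself, which personal certificates a client-authentication picker such as AnyConnect could use and why the others are skipped (no private key, wrong EKU, expired, or a chain/CRL failure of the kind discussed above), here is an added diagnostic, not code from this thread or from Cisco. It assumes a Windows host with PowerShell and reads the CurrentUser and LocalMachine personal stores.

```powershell
# Added example, not from the thread: enumerate personal certificates and report,
# per certificate, the reasons a client-auth picker (such as AnyConnect) would skip it.
# Assumes a Windows host; the chain is built the way Windows does it, with the
# revocation (CRL) check performed online.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuOid        = '2.5.29.37'           # extendedKeyUsage extension

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $reasons += 'outside validity period' }
    # An absent EKU extension allows any purpose; a present one must list clientAuth.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $ClientAuthOid)) {
        $reasons += 'EKU lacks Client Authentication'
    }
    # Chain build: requires a trusted root in the machine/user root store and a reachable CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $reasons += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    [pscustomobject]@{
        Subject = $Cert.Subject
        Issuer  = $Cert.Issuer
        Usable  = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | ForEach-Object {
        Test-ClientAuthCertificate -Cert $_ |
            Add-Member -NotePropertyName Store -NotePropertyValue $store -PassThru
    } | Format-Table -AutoSize
}
```

A chain status of RevocationStatusUnknown or OfflineRevocation points at the CRL fetch that Fedia suggests disabling as a test, while UntrustedRoot means the root of the chain is missing from Trusted Root Certification Authorities, the question andrew13 raises.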
