Cisco anyconnect secure gateway internal error

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

• Installation and Virtual Adapter Issues
• Disconnection or Inability to Establish Initial Connection
• Problems with Passing Traffic
• AnyConnect Crash Issues
• Fragmentation / Passing Traffic Issues

Installation and Virtual Adapter Issues

Complete these steps:

1. Obtain the device log file:
   • Windows XP / Windows 2000:

     Windowssetupapi.log

   • Windows Vista:

     Note: Hidden folders must be made visible in order to see these files.

     WindowsInfsetupapi.app.log
     
         WindowsInfsetupapi.dev.log
     

   If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

2. Obtain the MSI installer log file:

   If this is an initial web deploy install, this log is located in the per-user temp directory.

   • Windows XP / Windows 2000:

     Documents and Settings<username>Local SettingsTemp
     

   • Windows Vista:

     Users<username>AppDataLocalTemp
     

   If this is an automatic upgrade, this log is in the temp directory of the system:

   WindowsTemp
   

   The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

3. Obtain the PC system information file:
   1. From a Command Prompt/DOS box, type this:
      • Windows XP / Windows 2000:

        winmsd /nfo c:msinfo.nfo
        

      • Windows Vista:

        msinfo32 /nfo c:msinfo.nfo
        

      Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

   2. Obtain a systeminfo file dump from a Command Prompt:

      Windows XP and Windows Vista:

      systeminfo c:sysinfo.txt
      

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

• The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

  From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

  OR

  From the console of the ASA, type show running-config. Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

• The ASA event logs:
  1. In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

     config terminal
     logging enable
     logging timestamp
     logging class auth console debugging
     logging class webvpn console debugging
     logging class ssl console debugging
     logging class svc console debugging

  2. Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
  3. In order to disable logging, issue no logging enable.
• The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
  1. Choose Start > Run.
  2. Enter:

     eventvwr.msc /s

  3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File as AnyConnect.evt.

     Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available.

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator.

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

webvpn
   svc keepalive 30
   svc dpd-interval client 80
   svc dpd-interval gateway 80

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

1. Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
2. Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
3. Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:

   access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
   ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
   nat (inside) 0 access-list in_nat0_out

4. Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.

   Example:

   
   !--- Route outside 0 0 is an incorrect statement.
   
   route outside 0 0 10.145.50.1
   route inside 0 0 10.0.4.2 tunneled

   For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

5. Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by AnyConnct client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.

   ASA(config)# policy-map global_policy
   ASA(config-pmap)#  class inspection_default
   ASA(config-pmap-c)# no inspect skinny

AnyConnect Crash Issues

Complete these data-gathering steps:

1. Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

   Number of Instructions      : 25
   Number of Errors To Save    : 25
   Crash Dump Type             :  Mini
   Dump Symbol Table           : Checked
   Dump All Thread Contexts    : Checked
   Append To Existing Log File : Checked
   Visual Notification         : Checked
   Create Crash Dump File      : Checked

   When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

2. Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
   1. Choose Start > Run.
   2. Enter:

      eventvwr.msc /s

   3. Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.

      Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

 ASA(config)#group-policy <name> attributes
                          webvpn
                              svc mtu 1200

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

1. Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.
2. Create an XML file with the AnyConnect Profile Editor.
   1. Go to the server list tab.
   2. Click Add.
   3. Type the main server on the Hostname field.
   4. Add the backup server below the backup server list on the Host address field. Then, click Add.
3. Once you have the XML file, you need to assign it to the connection you use on the ASA.
   1. In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
   2. Select your profile and click Edit.
   3. Click Manage from the Default Group Policy section.
   4. Select your group-policy and click Edit.
   5. Select Advanced and then click SSL VPN Client.
   6. Click New. Then, you need to type a name for the Profile and assign the XML file.
4. Connect the client to the session in order to download the XML file.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list "C:WINDOWSINFcertclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue.

You can receive this log on the client: "The VPN client driver has encountered an error".

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Run:

   esentutl /p%systemroot%System32catroot2
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb

4. When prompted, choose OK in order to attempt the repair.
5. Exit the command prompt.
6. Reboot.

Failed Repair

If the repair fails, complete these steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Rename the %WINDIR%system32catroot2 to catroot2_old directory.
4. Exit the command prompt.
5. Reboot.

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

1. Open a command prompt as an Admimistrator on the PC.
2. Run:

   esentutl /g%systemroot%System32catroot2
   {F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb

   Refer to System Catalog Database Integrity for more information.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory.

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

"Module C:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed
to register..."

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

• The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer. 
• Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.
• Add the ASA to their trusted sites. 
• Copy these files from the ProgramFilesCiscoCiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command prompt:
  • vpnapi.dll
  • vpncommon.dll
  • vpncommoncrypt.dll
• Reimage the operating system on the laptop/PC.

The log message related to this error on the AnyConnect client looks similar to this:

DEBUG: Error 2911:  Could not remove the folderC:Program FilesCiscoCisco AnyConnect
VPN Client.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:Program FilesCiscoCisco AnyConnect VPN Client, ,
DEBUG: Error 2911:  Could not remove the folder C:Program FilesCiscoCisco AnyConnect
VPN Client.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:Program FilesCiscoCisco AnyConnect VPN Client, ,
Info 1721. There is a problem with this Windows Installer package. A program required for
this install to complete could not be run. Contact your support personnel or package
vendor. Action: InstallHelper.exe, location: C:Program FilesCiscoCisco AnyConnect VPN
ClientInstallHelper.exe, command: -acl "C:Documents and SettingsAll UsersApplication
DataCiscoCisco AnyConnect VPN Client\" -r

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached. I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".

This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0".

This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

Router#show run | in pool

ip local pool SSLPOOL 192.168.30.2 192.168.30.254
   svc address-pool SSLPOO

The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: "Unable to update the session management database".

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

1. Disable the threat-detection.
2. Disable SVC compression.
3. Reload the ASA.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

1. Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
2. Right-click Properties, then log on, and select Allow service to interact with the desktop.

   This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

   Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

   When Routing and Remote Access Service (RRAS) is enabled on the Windows PC, AnyConnect fails with the The VPN client driver has encountered an error. error message. In order to resolve this issue, make sure that Routing and RRAS is disabled before starting AnyConnect. Refer to Cisco bug ID CSCsm54689 for more information.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Unable to process response from xxx.xxx.xxx.xxx".

Solution

In order to resolve this error, try these workarounds:

• Remove WebVPN from the ASA and reenable it.<
• Change the port number to 444 from the existing 443 and reenable it on 443.

For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

Error: «Login Denied , unauthorized connection mechanism , contact your administrator»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is "Login Denied , unauthorized connection mechanism , contact your administrator".

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

<

Error: «Anyconnect package unavailable or corrupted. Contact your system administrator»

This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.

Solution

In order to resolve this, complete these steps:

1. Upload the Macintosh AnyConnect package to the flash of the ASA.
2. Modify the WebVPN configuration in order to specify the AnyConnect package that is used.

   webvpn
    svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
    svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3

   The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:

   hostname(config)#webvpn
   hostname(config-webvpn)#anyconnect image disk0:/
   anyconnect-win-3.0.0527-k9.pkg 1
   hostname(config-webvpn)#anyconnect image disk0:/
   anyconnect-macosx-i386-3.0.0414-k9.pkg 2
   
   
   
     
   
   
                          
     
   
   
   
   

Error: «The AnyConnect package on the secure gateway could not be located»

This error is caused on the user’s Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:

"The AnyConnect package on the secure gateway could not be located. You may
be experiencing network connectivity issues. Please try connecting again."

Solution

In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client. 

If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.

Error: «Secure VPN via remote desktop is not supported»

Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:ProgramDataCiscoCisco AnyConnect VPN ClientAnyConnectLocalPolicy.xml. If this file is not found in this path, then locate the file at a different directory with a path such as C:Documents and SettingsAll UsersApplication DataCisco AnyConnectVPNClientAnyConnectLocalPolicy.xml. Once you locate the xml file, make changes to this file as shown here:

Change the phrase:

<FipsMode>true</FipsMode>

To:

<FipsMode>false</FipsMode>

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."

Solution

Complete these steps in order to fix this issue:

1. Remove any anti-virus software.
2. Disable the Windows firewall.
3. If neither Step 1 or 2 helps, then format the machine and then install.
4. If the problem still persists, open a TAC Case.

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

"Contact your system administrator. The installer failed with the following error:
Error applying transforms. Verify that the specified transform paths are valid."

This is the error message received when connecting with AnyConnect for MacOS:

"The AnyConnect package on the secure gateway could not be located. You may be
experiencing network connectivity issues. Please try connecting again."

Solution

Complete one of these workarounds in order to resolve this issue:

1. The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:
   1. Remove the MST translation table.
   2. Configure the AnyConnect image for MacOS in the ASA.
2. From the ASDM, follow the Network (Client) Access > AnyConnect Custom > Installs path and delete the AnyConnect package file. Make sure the package remains in Network (Client) Access > Advanced > SSL VPN > Client Setting.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

The VPN client driver has encountered an error when connecting through Cisco
AnyConnect Client.

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

"A VPN reconnect resulted in different configuration setting. The VPN network
setting is being re-initialized. Applications utilizing the private network may
need to be restarted."

Solution

In order to resolve this error, use this:

group-policy <Name> attributes
			webvpn
				svc mtu 1200

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

hostname(config)#group-policy <Name> attributes

hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)#anyconnect mtu 500



  


                       
  

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

The VPN connection is not allowed via a local proxy. This can be changed
through AnyConnect profile settings.

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

<ProxySettings>IgnoreProxy</ProxySettings><
AllowLocalProxyConnections>
false</AllowLocalProxyConnections>

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

There are currently 2 clientless SSL VPN sessions in progress. AnyConnect
Essentials can not be enabled until all these sessions are closed.

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

• No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Windows Mobile Support

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

The certificate you are viewing does not match with the name of the site
you are trying to view.

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

<ServerList>
 <HostEntry>
    <HostName>vpn1.ccsd.net</HostName>
 </HostEntry>



  


                       
  



</ServerList>

Note: If there is an existing entry for the Public IP address of the server such as <HostAddress>, then remove it and retain only the FQDN of the server (for example, <HostName> but not <Host Address>).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Description : Function:
CAdapterNetworkStateIfc::SetConnectedStateToConnected
File: .AdapterNetworkStateIfc.cpp
Line: 147
Invoked Function: InternetSetOption
Return Code: 12010 (0x00002EEA)
Description: The length is incorrect for the option type
Description : Function: CTransportWinHttp::InitTransport
File: .CTransportWinHttp.cpp
Line: 252
Invoked Function: CConnectedStateIfc::SetConnectedStateToConnected
Return Code: -25362420 (0xFE7D000C)
Description: CADAPTERNETWORKSTATEIFC_ERROR_SET_OPTION

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

1. Reduce the number of entries in the split-tunnel list.
2. Use this configuration in order to disable DTLS:

   group-policy groupName attributes
     webvpn
       svc dtls none

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

******************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::SendRequest
File: .CTransportWinHttp.cpp
Line: 1170
Invoked Function: HttpSendRequest
Return Code: 12004 (0x00002EE4)
Description: An internal error occurred in the Microsoft 
Windows HTTP Services 
*****************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui



  


                       
  



Description : Function: ConnectIfc::connect
File: .ConnectIfc.cpp
Line: 472
Invoked Function: ConnectIfc::sendRequest
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
******************************************
Date        : 03/25/2014
Time        : 09:52:21
Type        : Error
Source      : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .ConnectIfc.cpp
Line: 2999
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015443 (0xFE36002D)
Description: CTRANSPORT_ERROR_CONN_UNKNOWN
Connection attempt failed.  Please try again.
******************************************

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Refer to the How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista knowledge base article for more information.

Error: «The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui
Description : Function: CTransportWinHttp::handleRequestError
File: .CTransportWinHttp.cpp
Line: 854
The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway.
******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui



  


                       
  



Description : Function: CTransportWinHttp::SendRequest
File: .CTransportWinHttp.cpp
Line: 1199
Invoked Function: CTransportWinHttp::handleRequestError
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
******************************************
Date        : 10/27/2014
Time        : 16:29:09
Type        : Error
Source      : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: .ConnectIfc.cpp
Line: 3026
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -30015418 (0xFE360046)
Description: CTRANSPORT_ERROR_SECURE_CHANNEL_FAILURE
Connection attempt failed.  Please try again.
******************************************

Solution

Windows 8.1 does not support RC4 according to the following KB update:

http://support2.microsoft.com/kb/2868725

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below:

https://technet.microsoft.com/en-us/library/dn303404.aspx

Related Information

• Cisco ASA 5500 Series Adaptive Security Appliances
• AnyConnect VPN Client FAQ
• Cisco Secure Desktop (CSD) FAQ
• Cisco AnyConnect VPN Client
• Technical Support & Documentation — Cisco Systems

Обновлено 2023 января: перестаньте получать сообщения об ошибках и замедлите работу вашей системы с помощью нашего инструмента оптимизации. Получить сейчас в эту ссылку

1. Скачайте и установите инструмент для ремонта здесь.
2. Пусть он просканирует ваш компьютер.
3. Затем инструмент почини свой компьютер.

Сообщение об ошибке «AnyConnect не смог установить соединение с указанным безопасным шлюзом» появляется, когда пользователи пытаются подключиться к VPN с помощью клиента AnyConnect. Эта проблема возникает из-за того, что клиент AnyConnect VPN CISCO не может подключиться к удаленному серверу и блокировки происходят. Сегодня мы обсудим приведенное выше сообщение об ошибке, в том числе причины появления сообщения об ошибке и различные решения, которые вы можете применить для его устранения.

Как исправить AnyConnect не смог подключиться к указанной ошибке Secure Gateway:

Проверьте, работает ли ICS (Internet Connection Sharing).

1. Нажмите кнопку Пуск, затем Панель управления.
2. В категории «Сеть и Интернет» выберите «Центр управления сетями и общим доступом».
3. На левой панели выберите «Изменить настройки адаптера».
4. Щелкните правой кнопкой мыши подключение к общей сети (сначала попробуйте использовать проводное подключение / адаптер Ethernet, затем проверьте другие адаптеры) и выберите «Свойства».
5. Выберите вкладку «Общий доступ».
6. Снимите флажок, чтобы разрешить другим пользователям сети подключаться через соединение на этом компьютере.
7. Нажмите кнопку ОК.

Также убедитесь, что служба ICS не работает.

1. Нажмите кнопку «Пуск» и выберите «Выполнить».
2. Введите: services.msc и нажмите клавишу ВВОД на клавиатуре.
3. Выполните поиск общего доступа к подключению к Интернету (ICS), затем остановите службу.
4. Измените тип загрузки на Отключено и перезагрузите компьютер.

Обновить настройки реестра

Другой, как вы говорите, меняет реестр, но это очень медленный процесс. Под Windows 8 Pro откройте regedit с командой execute и:

1) Перейдите в [HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services vpnva].
2) Измените значение в поле DisplayName на «Cisco AnyConnect VPN Virtual Miniport Adapter для Windows x64».
3) Попробуйте установить соединение.

Проверьте проблему в среде чистой загрузки.

Если ваша проблема не возникает, когда компьютер находится в чистой загрузочной среде, вы можете определить, какое загрузочное приложение или служба вызывает проблему, путем систематического включения или выключения и перезагрузки компьютера. Если вы активируете один сервис или загрузочный элемент и перезапускаетесь каждый раз, когда сервис или приложение проблематично, самый эффективный способ сделать это — протестировать половину из них за раз и устранить половину из них как возможную причину каждый раз при перезагрузке компьютера , Затем вы можете повторить этот процесс, пока не изолируете проблему.

https://community.cisco.com/t5/vpn-and-anyconnect/anyconnect-vpn-client-version-2-5-0217-not-able-to-establish/td-p/1529524

Совет экспертов: Этот инструмент восстановления сканирует репозитории и заменяет поврежденные или отсутствующие файлы, если ни один из этих методов не сработал. Это хорошо работает в большинстве случаев, когда проблема связана с повреждением системы. Этот инструмент также оптимизирует вашу систему, чтобы максимизировать производительность. Его можно скачать по Щелчок Здесь

Сообщение Просмотров: 303

Many people encounter the “AnyConnect was not able to establish a connection to the specified secure gateway” error on Windows 11/10/8/7. In this post, MiniTool will explore the possible causes and troubleshooting methods of this error.

AnyConnect is a VPN client launched by Cisco that allows you to use any device to access the corporate network anytime and anywhere. This client can be used for many platforms, including Windows, OS X, Ubuntu, iOS, and Android.

However, many users receive the “AnyConnect was not able to establish a connection to the specified secure gateway” error when trying to connect to a VPN via the software on Windows 10/8/7. Here we will discuss the possible causes and solutions to the error.

AnyConnect was not able to establish a connection to the specified secure gateway. we have upgraded all our Workstations to Windows 8, we used Windows 7 and we could use Cisco VPN without a problem, but now we are having problems with Cisco VPN and Cisco AnyConnect VPN both on Windows 8. Please share with us if you have any solution for this problem.

https://community.spiceworks.com/topic/418025-anyconnect-was-not-able-to-establish-a-connection-to-the-specified-secure-gatewa

Possible Reasons for AnyConnect Was Not Able to Establish a Connection to the Specified Secure

What causes the “Cisco AnyConnect was not able to establish a connection to the specified secure gateway” error? After analyzing extensive user reports from forums and communities, we found the error is often related to the following several factors:

• Outdated client: If the AnyConnect client gets outdated, you may experience some errors or bugs like “AnyConnect can’t connect to the specified secure gateway” when trying to connect to a newly released VPN.
• Firewall or antivirus interference. Sometimes your antivirus and even Windows Firewall can interfere with the connection between your VPN and Cisco AnyConnect.
• Improper client configurations. If the client and VPN connections are configured improperly, you may fail to connect the VPN and face the “AnyConnect was not able to establish a connection to the specified secure gateway Windows 10/8/7” issue.
• Regional restriction. Your ISP providers may block some IP addresses of certain countries and areas from connecting to the VPN.

How to Fix the “AnyConnect Was Not Able to Establish a Connection to the Specified Secure” Error

Here we summarize several proven ways to fix the “AnyConnect failed to connect to the specified secure gateway” error. Let’s start trying.

# 1. Update Cisco AnyConnect to the Latest Version

Lots of users reported that the “AnyConnect can’t connect to the specified secure gateway” issue can be solved by updating the client to the latest version. By doing so, the stability and performance of the client should be improved and patches will be provided for known errors. If the latest version of AnyConnect has been released, make sure you install it.

# 2. Allow the Client Through Your Firewall or Antivirus Software

Sometimes your antivirus software and Firewall can block AnyConnect from connecting to your VPN. To rule out this situation, you can try allowing the client through the firewall or antivirus software or disabling it temporarily.

Step 1. Type firewall in the search box and then select the Windows Defender Firewall from the context menu.

Step 2. Click on Allow an app or feature through Windows Defender Firewall from the left pane.

Step 3. Click on Change Settings, and then tick the checkbox next to Cisco AnyConnect from the list of installed programs, tick the checkbox for both Private and Public networks, and click OK to save the change.

Step 4. Reconnect to the VPN using the software and check if the “Cisco AnyConnect was not able to establish a connection to the specified secure gateway” error disappears. If the error persists, you can try disabling the Firewall or antivirus software temporarily and see if it works.

# 3. Disable Internet Connection Sharing

Internet Connection Sharing (ICS) is a Windows service that can enable the internet-connected computer to share its internet connection with other computers on a local area network. Sometimes this option can conflict with AnyConnect and trigger the error. So, you can try disabling this service.

Step 1. Open your Control Panel and select Network and Sharing Center > Change adapter settings.

Step 2. Right-click on the Shared network connection and select Properties.

Step 3. In the Properties window, navigate to the Sharing tab and untick the checkbox next to Allow other network users to connect through this computer’s Internet connection and click on OK to save the change.

Now, you can restart the program and check if the “AnyConnect failed to connect to the specified secure gateway” error disappears.

# 4. Disable Internet Connection Service

In addition, you can try disabling the Internet Connection Sharing service in Service Manager and check if it works. For that:

Step 1. Press the Win + R key to open the Run dialog box, and then type services.msc in it and hit Enter.

Step 2. In the pop-up window, right-click the Internet Connection Sharing service and select Stop.

Once done, exit the service window and see if the “AnyConnect failed to connect to the specified secure gateway” error gets fixed.

# 5. Connect Only to Current Network in AnyConnect

Some users find that the AnyConnect-connected VPN becomes unstable between different networks. In this case, you can select the “Connect Only to current network” option to fix the AnyConnect error. To do so, launch the AnyConnect client, right-click the connected Network and select Connect only to current Network.

—image from the cisco community

# 6.  Perform a Complete Reinstall of AnyConnect

If none of the above methods work, you may consider performing a complete uninstallation and reinstall of AnyConnect. This solution has been proven by some people to be useful. It’s worth trying.

Step 1. Open Control Panel, change the View by type to Category, and then click on Uninstall a program under the Programs section.

Step 2. Navigate to Cisco AnyConnect from the list of install programs, and then right-click it and select Uninstall. Click on Yes to confirm this uninstallation and follow the on-screen prompts to complete this operation.

Step 4. Press the Win + E keys to open the File Explorer, and then navigate to C: Programs Files (x86) and delete all folders related to AnyConnect. In addition, you can open Registry Editor and clean all leftover folders related to the client.

Step 5. Once you completely clean uninstall the software, visit the official website and download the latest version of AnyConnect and install it on your PC. At this time, the “Cisco AnyConnect was not able to establish a connection to the specified secure gateway” error should be fixed.

Further reading: If you enter some issues like file system corruption and low disk space when installing the software, don’t worry. MiniTool Partition Wizard can help you fix them easily by checking file system errors, extending/resizing partitions, analyzing disk space, upgrading to a larger hard disk, etc.

The error message ‘AnyConnect was not able to establish a connection to the specified secure gateway’ appears when users try to connect to a VPN using the AnyConnect Client. This issue arises because the AnyConnect Client VPN is not able to perform the connection process successfully with the remote server and there are some blockades in its way. Today, we will be covering the said error message including the causes of the error message and various solutions that you can implement to get rid of the error.

It can be due to many reasons. Sometimes, it’s a blockage from antivirus or firewall or sometimes, it can be caused by having a bad internet connection. The following would be the primary causes; to mention in brief —

• Antivirus or firewall issue: Antivirus software can at times interfere with the connection process of the AnyConnect Client VPN and not allow it to connect to external networks or servers because of security reasons. Many times, it will block many incoming and outgoing connections. So, you won’t be able to connect to your favorite VPN using Anyconnect.
• Client configuration is wrong: If you have configured your Anyconnect client wrongly and the VPN configurations that are stored in it are not correct, then you will face issues in establishing successful connections.
• Internet restrictions: At times, IP addresses of some countries might be blocked by your ISP provider and you might not knowingly try to connect to the VPN of the same country that has been blocked by your ISP. Then you will face issues.

To circumvent the error message, you can follow the solutions given down below but make sure to give your computer and the application a restart before moving to the other fixes.

Solution 1: Disabling Antivirus

First things first. Since most of the times, the issue is being caused by antivirus blockage which is a common scenario. Therefore, in such a case, you should try to disable any third-party antivirus that you have installed on your system and then try to connect to the VPN using AnyConnect. Hopefully, it will isolate the issue.

Solution 2: Stop Internet Connection Service

At times the ICS service is running which causes problems for the AnyConnect Client to connect to a VPN. You will have to disable it in order to fix the problem. Here’s how to disable the service:

1. Press Windows + R and type services.msc
2. When the window opens showing the services, search for Internet Connection Sharing service. Right click on it and click on Stop.
3. Then exit the Services windows by closing it.

Solution 3: Disable Internet Connection Sharing (ICS)

There were several cases where if ICS was enabled in Windows, then users faced this issue. In order to disable ICS, follow the instructions down below:

1. Open up the Control Panel
2. Go to Network and Internet Sharing and then click Change adapter settings.
3. Afterward, you will have to right click on the shared network connection, and then click on Properties.
4. In the properties window, click on the Sharing
5. Once there, you need to uncheck the checkbox that says “Allow other network users to connect through this computer’s Internet connection”.
6. After doing that, click OK.

If your issue was being caused by ICS being enabled, then this must have fixed it.

Solution 4: Select the option Connect to current Network in AnyConnect VPN

Sometimes, the Any Connect client VPN fluctuates between different networks, so you have to select the option of connecting to the current network only. This might fix the issue for you. Here’s how to do that:

1. Open the AnyConnect Client, and where you see the Network written, right click on it.
2. Click on “Connect only to current Network”.

Solution 5: Try an Alternate Connection

At times, the internet connection that you are using might have some restrictions or might not be working properly which is causing the issue. In such a scenario, you will have to use an alternate connection such as WiFi or mobile hotspot to see if you are able to connect to the VPN.

The following user messages appear on the AnyConnect client GUI. A description follows each message, along with recommended user and administrator responses if applicable. The recommended administrator responses apply to IT representatives with monitoring and configuration access to the secure gateway configured to provide VPN access.

A new PIN has been generated for you: PIN.

Description    The server generated a new personal identification number (PIN) for use with the SDI authentication token.

Recommended User Response    None.

 A security threat has been detected in the received server certificate. A VPN 
connection will not be established.

Description    A security threat was detected in the received server certificate. The threat is likely the result of a null character prefix attack.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

 A user other than the one who started the VPN connection has logged into the 
computer locally. The VPN connection has been disconnected. Close all sensitive 
networked applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to «Same user only.» Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

 Account expired.

Description    Message originated from the Cisco ASA. The ASA rejected the VPN access request because your account is locked or expired.

Recommended User Response    Report the issue to your organization’s technical support.

 An internal error occurred while creating the DART bundle. Please try again later.

Description    Creation of the DART bundle failed due to an internal processing error.

Recommended User Response    Restart the computer. Install the latest release of DART and run it to attempt the collection of another DART bundle. (See Using DART to Gather Troubleshooting Information.) If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 An unknown error has occurred in the VPN client service while trying to reconnect.

Description    The VPN connection was terminated without a reconnect reason code because of a flaw in the client software.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 An unknown error occurred while creating the DART bundle, possibly due to 
restricted file permissions. Please try again later.

Description    Creation of the DART bundle failed. Common causes may include a failure to write to, read from, or move a file, possibly due to restricted user access to it.

Recommended User Response    Try recreating the DART bundle.

 An unknown reconnect error has occurred in the VPN client service.

Description    The client was attempting to establish a VPN connection, but the connection was terminated without a reason code because of a flaw in the client software. Typically, a reason code is generated, exposing a more detailed message.

Recommended User Response    Restart the computer and device, then try starting a new VPN connection. If the error reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle if you cannot resolve the issue.

 An unknown termination error has occurred in the client service.

Description    The VPN connection or AnyConnect client service was terminated without a termination reason code, due to a flaw in the client software. Typically, a reason code is generated, exposing a more detailed message.

Recommended User Response    Restart the computer and device, then try starting a new VPN connection. If the error reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle if you cannot resolve the issue.

 Another user has logged into your computer locally, and only one local user is 
allowed. The VPN connection has been disconnected. Close all sensitive networked 
applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to «Same user only.» Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

 Another user has logged into your computer, and only one user is allowed. The VPN 
connection has been disconnected. Close all sensitive networked applications.

Description    AnyConnect disconnected from the VPN because another user logged into the local console, the AnyConnect client profile Retain VPN on Logoff parameter is enabled, and the associated User Enforcement parameter is set to «Same user only.» Thus, the client is configured to retain the VPN connection following the logoff of the local console user, and to disconnect from the VPN if a different user logs into the local console. The different user was not authenticated by the secure gateway for access to the private network, so the VPN connection has been disconnected to ensure the protection of the private network.

Recommended User Response    Ask the unauthenticated user to log off, then try a new VPN connection.

 AnyConnect cannot confirm it is connected to your secure gateway. The local network 
may not be trustworthy. Please try another network.

Description    AnyConnect cannot validate the secure gateway server certificate. The local network may not be trustworthy or the secure gateway certificate may not be trusted.

–A device between the endpoint and the secure gateway is attempting to intercept the VPN connection data (man-in-the-middle attack).

–The secure gateway was not properly provisioned with a valid server certificate. If strict mode is configured on the secure gateway, all remote access users experience the error.

Recommended User Response    Try moving to a different network, then try a new VPN connection. If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Ensure the secure gateway is provisioned with a valid server certificate from a proper certificate authority (CA).

 AnyConnect is not enabled on the VPN server.

Description    Message originated from the Cisco ASA. Access to the secure gateway through AnyConnect is not allowed.

Recommended User Response    Try connecting to another secure gateway.

Recommended Administrator Response    Make sure that AnyConnect is enabled on the secure gateway and the user is authorized to use AnyConnect.

 AnyConnect profile settings mandate a single local user, but multiple local users 
are currently logged into your computer. A VPN connection will not be established.

Description    AnyConnect is configured to permit access only to the local console user whom the secure gateway authenticated. AnyConnect disconnected from the VPN to protect it from unauthorized use by another user who logged into the local console.

Recommended User Response    Ask the remote users to log off, then retry the VPN connection.

 AnyConnect was not able to establish a connection to the specified secure gateway. 
Please try connecting again.

Description    A network connectivity problem caused a VPN connection attempt to fail after a successful authentication.

Recommended User Response    Retry the VPN connection.

 Authentication failed.

Description    Message originated from the Cisco ASA. The VPN connection could not be established, most likely because of invalid credentials.

Recommended User Response    Confirm your credentials and retry the VPN connection.

 Automatic profile updates are disabled and the local VPN profile does not match 
the secure gateway VPN profile.

Description    The secure gateway is configured to upload an AnyConnect XML profile. AnyConnect is configured to skip profile updates, but cannot update to this version of the profile. Because the profile can specify a security policy, AnyConnect cannot establish a connection. The most common cause of this condition is connecting to a secure gateway with a version of AnyConnect, such as the Palm Pre, that does not support profile updates, or connecting with the BypassDownloader setting configured in the local policy file.

Recommended Administrator Response    Configure a group policy that does not require an AnyConnect profile.

 Cannot verify required local security policy. This device is not supported. Please 
contact your network administrator.

Description    The AnyConnect profile requires the endpoint to be protected by a mobile device policy, but the endpoint OS could not be identified.

Recommended Administrator Response    To ensure maximum device compatibility, ensure that the endpoint is running the latest version of the AnyConnect client, and the ASA is running the latest software release.

 Certificate Enrollment - Certificate import has failed.

Description    AnyConnect failed to import the just-enrolled certificate. This failure can occur if the user declined a certificate store provider prompt, such as one for a password or a permission request.

 Certificate Validation Failure

Description    Message originated from the Cisco ASA. The ASA declined to accept the certificate provided by AnyConnect because it could not be validated. Please verify that the correct certificate is available in the certificate store.

Recommended User Response    Report the error to your organization’s technical support and ask for the proper certificate.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

 Certificate enrollment succeeded. Your session will be disconnected. Please login 
again.

Description    Certificate enrollment through SCEP succeeded.

Recommended User Response    To use the new certificate, start a new VPN connection.

 Clientless (browser) SSL VPN access is not allowed.

Description    Message originated from the Cisco ASA. The ASA requires the user of a full tunnel client such as AnyConnect for network access.

Recommended User Response    Report the problem to your organization’s technical support.

 Connect not available. Another AnyConnect application is running or the 
functionality was not requested by this application.

Description    AnyConnect is connected in a diminished mode. This can be the result of a specific request by a custom application or because of another AnyConnect client already running.

Recommended User Response    Try restarting the computer or device, then try a new VPN connection.

 Connecting via a proxy is not supported with Always On.

Description    AnyConnect is configured for Always-on VPN, which does not support connecting through a proxy.

Recommended User Response    Remove the local proxy and try a new VPN connection. To access the proxy settings on Windows, choose the Control Panel > Internet Options > Connections tab, and go to LAN Settings.

 Connection attempt failed. Please try again.

Description    An initialization error caused the VPN connection to fail.

Recommended User Response    Try establishing a new VPN connection.

 Connection attempt has failed (error in response data).

Description    Communication with the secure gateway failed because it detected an error in the HTTP response body it received.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Connection attempt has failed (error in response header).

Description    Communication with the secure gateway failed because it detected an error in the HTTP response header it received.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Connection attempt has failed due to invalid host entry.

Description    A profile URL or user-entered address does not resolve to a valid secure gateway.

Recommended User Response    Choose another gateway from the VPN list or request the URL from your organization’s technical support.

 Connection attempt has failed due to network or PC issue.

Description    An unexpected error in the HTTP protocol was detected. This error is unlikely and indicates an error state on the endpoint, such as loss of either connectivity to the secure gateway or network connectivity in general.

Recommended User Response    Ensure your computer or device has network access. Restart it if necessary. Then try a new VPN connection.

 Connection attempt has failed due to server communication errors. Please retry the 
connection.

Description    Thee connection attempt was terminated for one of a number of reasons. These can include too many redirects at the secure gateway, a host changed from one connection to the next, etc.

Recommended Administrator Response    Look for additional errors in the log.

 Connection attempt has failed.

Description    The VPN connection could not be established.

Recommended User Response    Look for additional error message that identifies the cause.

 Connection attempt has failed: Gateway/proxy received an invalid response from the 
host or was unable to contact the host. Verify the host is valid.

Description    The failed connection attempt was done through a proxy. Possible causes of this failure are that the proxy could not resolve the selected host, the selected host does not exist, or the host is unavailable and therefore the proxy did not get a response.

 Connection attempt has timed out. Please verify Internet connectivity.

Description    AnyConnect canceled the connection attempt because the wait for a response exceeded an internal time-out value.

Recommended User Response    Try a new VPN connection.

 Connections to this secure gateway are not permitted.

Description    The VPN connection to the selected secure gateway is not allowed because the Always On feature is enabled, which restricts VPN connections to only secure gateways found in the profiles.

Recommended User Response    Choose another gateway from the VPN list or request the URL from your organization’s technical support.

 Cookies must be enabled to log in.

Description    Message originated from the Cisco ASA. In order to log into the secure gateway, cookies must be enabled. The secure gateway detects that it is unable to correctly set a cookie.

Recommended User Response    Add the domain to the browser list of trusted sites.

 Could not connect to server. Please verify Internet connectivity and server 
address.

Description    AnyConnect could not contact the secure gateway. This error indicates a failure to establish a network connection. Possible causes of this failure include:

–Lack of network connectivity to the secure gateway.

–Connection to the wrong server host name or IP address

–Problems with the secure gateway.

Recommended User Response    Verify network connectivity. Check whether other applications, such as a web browser or a ping tool, can contact the secure gateway.

Recommended Administrator Response    Check whether other applications, such as a web browser or a ping tool, can contact the secure gateway.

 Error retrieving username from CSD data.

Description    The username from the certificate feature is configured to use the Cisco Secure Desktop Host Scan data when a certificate is unavailable. The secure gateway failed to get the username from the host scan data in the absence of a certificate.

Recommended User Response    Try starting a new VPN connection. Report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Error saving preferences. Please retry, or restart AnyConnect.

Description    An unexpected error occurred while saving the user or global preferences file.

Recommended User Response    Restart AnyConnect.

Recommended Administrator Response    Reattempting to store preferences might solve the issue.

 Exiting. Bypassing start before logon.

Description    The start before logon GUI is exiting because of one of the following reasons:

–AnyConnect disconnected from the VPN because it detected a trusted network.

–The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet.

Recommended User Response    None necessary if you are in the corporate network. Otherwise, start a web browser and satisfy the conditions of the local Internet service provider, then try to connect to the VPN.

 FIPS compliant algorithms for encryption, hashing, and signing have not been 
enabled on this system.

Description    As part of the AnyConnect FIPS verification process, the Windows operating system FIPS registry key is checked to ensure that the system is in a FIPS compliant mode. The registry key value is not set to enable FIPS.

 FIPS mode requires TLS to be enabled to establish a VPN connection

Description    FIPS mode requires that the TLS protocol be enabled. AnyConnect failed to enable the TLS protocol through the registry key setting.

Recommended User Response    Choose the Control Panel > Internet Options > Advanced tab, and check Use TLS 1.0 under «Security.»

 Failed accessing AnyConnect package. This may be due to IE security settings that 
are set too high.

Description    An error occurred while trying to download contents from the AnyConnect package located on the secure gateway. An Internet Explorer security setting could be blocking HTTP file downloads.

Recommended User Response    Change the Internet Explorer security settings to permit downloads.

 Failed to load preferences.

Description    An unexpected error occurred while reading the profiles or preferences files. The files might be corrupt or an initialization failure may have occurred.

Recommended User Response    Restart AnyConnect and try a new VPN connection.

 Failed to verify FIPS mode.

Description    An unexpected error occurred during the AnyConnect FIPS verification process. The most likely cause is an AnyConnect flaw.

Recommended User Response    Try starting a new VPN connection. If the problem reoccurs, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Failed to verify required local security policy. Please contact your network 
administrator.

Description    The following table shows the explanations of this message and the recommended actions.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    See the previous table.

 Firefox certificate libraries could not be loaded. VPN connection cannot be 
established.

Description    AnyConnect could not access the Firefox certificate store and there was no alternative store located. A failure to verify server certificates results in the inability to verify the identity of the secure gateway. Also, AnyConnect cannot respond to certificate requests.

 Hostscan Configuration error.

Description    The Host Scan module could not be configured properly. Possible causes include errors loading the DLL or errors setting up the command line parameters to launch the stub executable for Host Scan.

 Hostscan Initialize error.

Description    Host Scan could not launch. Possible causes include the Host Scan executable stub as well as the Host Scan initialization routines.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Hostscan Installation error.

Description    Host Scan could not be loaded to perform the system scan. Possible errors occurred when loading the DLL and errors finding the stub executable for Host Scan.

Recommended User Response    Report the issue to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC).

 Hostscan Prelogin error.

Description    During the pre-login check, Host Scan detected the local violation of a rule configured on the secure gateway. Examples of pre-login checks include:

–Host Scan detected a keylogger.

–A dynamic access policy matched an endpoint criterion disqualifies AnyConnect for VPN access.

Recommended User Response    Restart the computer or device and try a new VPN connection.

 Hostscan Run error.

Description    Host Scan experienced an error while scanning the endpoint.

Recommended User Response    Try a new VPN connection.

 Invalid authentication handle.

Description    Message originated from the Cisco ASA. The authentication ticket was removed before the user responded.

Recommended User Action    Try logging on again.

 Invalid host entry. Please re-enter.

Description    The URL requested was not found.

Recommended User Action    Verify that the URL is correct and try again.

Recommended User Action    Verify the URL in the secure gateway configuration.

 Invalid session/bad session parameters while processing Config Request

Description    Message originated from the Cisco ASA. The session cookie is invalid and cannot be used to request parameters needed to establish a VPN tunnel.

Recommended User Action    Try a new VPN connection.

 It may be necessary to connect via a proxy, which is not supported with Always On.

Description    AnyConnect is configured for Always-on VPN, which does not support connecting through a proxy.

Recommended User Response    Remove the local proxy and try a new VPN connection. To access the proxy settings on Windows, choose the Control Panel > Internet Options > Connections tab, and go to LAN Settings.

 Leave both boxes blank to continue using current password

Description    Message originated from the Cisco ASA. The user password will expire soon. The user has the opportunity to change the password immediately.

Recommended User Action    Enter a new password into the text boxes or leave them blank if you want to defer the password change for later.

 Login denied, unauthorized connection mechanism, contact your administrator.

Description    The secure gateway is not permitting AnyConnect or clientless access by the user.

Recommended User Response    Report the issue to your organization’s technical support.

 Login denied. Message 

Description    Message originated from the Cisco ASA. The secure gateway enforced a dynamic access policy that rejects the login credentials.

Recommended User Response    Report the issue to your organization’s technical support.

 Login error.

Description    Message originated from the Cisco ASA. The secure gateway detected an error during login.

Recommended User Response    Try a new VPN connection.

 Login failed.

Description    Message originated from the Cisco ASA. The VPN connection could not be established. The most likely cause of this error is invalid credentials.

Recommended User Response    Verify your login credentials and try a new VPN connection.

 Login failed: Message 

Description    Message originated from the Cisco ASA. The VPN connection could not be established. The message following «Login failed:» indicates the reason.

Recommended User Response    Try using the reason in the message to resolve the issue and try a new VPN connection.

 Network access is restricted due to an administrator configured timer expiration. 
The connection must be retried manually.

Description    AnyConnect is configured with a connect failure policy of «closed» and a captive portal remediation time-out setting expired. You may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. AnyConnect grants full network access for a limited period specified by the remediation time-out so you can attempt to satisfy the Internet service provider requirements. To protect the endpoint, AnyConnect restricts access after the timer expires.

Recommended User Response    Start a web browser and satisfy the conditions of the service provider. The remediation timer restarts. Retry the connection.

 New PIN way too big.

Description    Message originated from the Cisco ASA. The length of the personal identification number (PIN) entered exceeds the maximum length allowed.

Recommended User Response    Consult your corporate guidelines to change your PIN or report the issue to your organization’s technical support.

 New Password Required but user not allowed to change

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is most likely the cause. The user does not have permission to change his/her own password.

Recommended User Response    Report the issue to your organization’s technical support.

 New password way too big.

Description    Message originated from the Cisco ASA. The length of the password entered exceeds the maximum length allowed.

Recommended User Response    Consult your corporate guidelines to change your password.

 No certificate store has been found. VPN connection cannot be established.

Description    AnyConnect could not access the certificate store, resulting in the inability to verify the identity of the secure gateway by performing verification of server certificates. Also, AnyConnect cannot respond to certificate requests.

Recommended User Response    Make sure Firefox is installed or the file store is provisioned with certificates.

Recommended Administrator Response    Make sure the Local Policy file does not exclude all potential certificate stores. Ensure the user has Firefox installed or the file store is provisioned with certificates.

 No valid certificates available for authentication.

Description    The secure gateway did not accept any of the certificates AnyConnect provided. No more certificates remain.

 Password change required.

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is most likely the cause.

Recommended User Response    Report the issue to your organization’s technical support and request an account for VPN access.

 Please establish an Internet connection. If a browser or other application opened 
a connections dialog window, please respond so that AnyConnect can proceed.

Description    If Internet Explorer is configured to always dial, or dial if no other connection is present, when the browser is launched the user is prompted to select a connection. If the user does not connect, or cancels the dialog and opens AnyConnect, the connection becomes unresponsive while AnyConnect contacts the secure gateway.

Recommended User Response    Dismiss the connection dialog box. AnyConnect displays a new dialog box and proceeds with the connection.

 Posture Assessment: Failed

Description    A Host Scan error occurred. Common causes include failures to download or launch the Host Scan components, and the system scan exceeded 10 minutes to complete.

Recommended User Response    Try a new VPN connection.

 Posture assessment with authenticating proxy is not implemented.

Description    Host Scan could not perform posture assessment of the endpoint because AnyConnect is configured to use an authenticating proxy. Host Scan does not have access to the credentials for the authenticating proxy.

Recommended User Response    Try to bypass or disable the proxy, then try a new VPN connection.

Recommended User Response    Disable authentication completely, or selectively when accessing the ASA.

 Server reboot pending, new logins disabled. Try again later.

Description    The secure gateway is being restarted.

 Session terminated.

Description    Message originated from the Cisco ASA. The authentication ticket was removed before the user responded.

Recommended User Response    Try logging on again.

 System configuration settings could not be applied. A VPN connection will not be 
established.

Description    AnyConnect attempted to apply system configuration settings received from the secure gateway. The error occurred in the System Network Abstraction Kit (SNAK) layer, which could indicate an error with vendor-supplied plug-ins external to AnyConnect.

Recommended User Response    Restart the computer or device, then try starting a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The AnyConnect package on the secure gateway could not be located. You may be 
experiencing network connectivity issues. Please try connecting again.

Description    The AnyConnect package file could not be located on the secure gateway.

Recommended User Response    Make sure you have network connectivity, then try a new VPN connection.

Recommended Administrator Response    Make sure an AnyConnect package file for the user’s operating system is present on the ASA configuration.

 The AnyConnect protection settings must be lowered for you to log on with the 
service provider. Your current enterprise security policy does not allow this.

Description    You may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. Corporate policies do not permit VPN access in this setting.

Recommended User Response    Retry after relocating.

Recommended Administrator Action    Change the AnyConnect client profile Always-on VPN ConnectFailurePolicy setting if you want to permit captive portal access.

 The Connect Failure Policy will not be applied because the Secure Gateway could 
not be found in the profile.

Description    AnyConnect could not apply the Always-on VPN connect failure policy specified by the ConnectFailurePolicy profile setting, despite the connection failure. The target secure gateway is not present in the profile. AnyConnect permits connections only to the hosts specified in the profile because the Always-on VPN policy restricts traffic to other destinations.

 The FIPS verification of the OpenSSL libraries have failed. Reinstalling 
AnyConnect might fix this issue.

Description    AnyConnect failed to configure OpenSSL into FIPS mode. The OpenSSL shared libraries installed with AnyConnect could have been tampered with or might be corrupt.

Recommended User Response    Reinstall AnyConnect and try a new VPN connection.

 The MTU of the physical adapter is too small. An MTU of at least 1374 bytes is 
required for an IPv6 connection. Please contact your network administrator.

Description    The Maximum Transmission Unit (MTU) of the endpoint system physical network interface is too small to support IPv6 data through a VPN connection.

Recommended User Response    Use the SetMTU utility that comes with the legacy Cisco VPN Client to set the MTU to 1374, the minimum MTU for IPv6 on the physical adapter, or set it to a greater value. You will likely need to consult with your organization’s technical support to perform this task.

 The VPN GUI and Agent Process are not both in FIPS Mode.

Description    Both the VPN GUI and VPN Agent are not operating in FIPS mode when configured to do so.

Recommended User Response    Restart the computer or device and AnyConnect to synchronize the operating modes of both processes.

 The VPN client agent SSL engine encountered an error. Please retry, or restart 
AnyConnect.

Description    AnyConnect encountered an unexpected and unrecoverable error in the SSL protocol stack. One possible cause is an AnyConnect flaw.

Recommended User Response    Restart the computer or device, then try starting a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent attempt to signal readiness to the plugin thread failed.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing the main thread of the AnyConnect for Apple iOS VPN plug-in.

Recommended User Response    Try restarting the device and starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent decryption engine encountered an error.

Description    AnyConnect service encountered an unexpected and unrecoverable error in the protocol decryption engine.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent encountered a secure gateway protocol failure.

Description    The AnyConnect service encountered an unexpected and unrecoverable protocol error in an exchange with the secure gateway.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent encryption engine encountered an error.

Description    The AnyConnect service encountered an unexpected and unrecoverable error in the protocol encryption engine.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced a failure initializing a required timer.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing a required internal timer object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced a failure initializing trusted network detection.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while initializing the trusted network detection subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced an internal failure with the interprocess 
communication depot.

Description    The AnyConnect service experienced an unexpected and unrecoverable error with its inter-process communication subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent experienced an unexpected internal error. The VPN connection 
has been disconnected. Please restart your computer or device, then try again.

Description    The client has experienced an unexpected and unrecoverable error. The error is possibly due to one of the following:

•Unable to access an internal data structure that is expected to always be available.

•Unable to retrieve a profile setting for which a value, at the very least a default, should always be available.

•A Windows Terminal Services operation failed.

Recommended User Response    Please restart your computer or device, then try a new VPN connection. If the problem persists, run DART (See Using DART to Gather Troubleshooting Information) and report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed in receiving a message from an IPC peer requesting the 
creation of a VPN connection.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while processing a request from another client process to initiate a VPN connection.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed in receiving a message from an IPC peer requesting the 
launch of an application.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while processing a request from another client process to launch a client application.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create a necessary processing component and cannot 
continue.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its main execution thread.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for agent service 
notification processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event object for internal notification processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for agent termination 
processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event object for internal termination processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for network adapter change 
processing.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to create a required event object for local network adapter change notifications.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to create an event necessary for system suspend 
processing.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal event objects for local suspend processing.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent failed to launch the client user interface application.

Description    The VPN connection was started via a web browser, requiring the start of the AnyConnect UI, but it failed to start.

Recommended User Response    Restart the computer or device and try again. If the problem reoccurs, report the error to your organization’s technical support.

Recommended Administrator Response    Try using the same OS to initiate a WebLaunch of AnyConnect. If it fails, open a case with the Cisco Technical Assistance Center (TAC).

 The VPN client agent failed to load the SNAK system plugin required by this version 
of AnyConnect.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to initialize its System/Network Abstraction Kit (SNAK) subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable create the plugin loader.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its plug-in loader subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create a necessary timer.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal timer object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client VPN configuration manager.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its VPN connection configuration management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client host configuration manager.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to create its local configuration management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the client preferences manager.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its preferences management subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the interprocess communication depot.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create a required internal interprocess communication object.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the network environment component.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its network environment monitoring subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to create the trusted network detection component.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to create its trusted network detection subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to enable FIPS Mode.

Description    The AnyConnect service experienced an unexpected and unrecoverable error while attempting to initialize its Federal Information Processing Standards (FIPS) operation mode.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to initialize the system network socket support.

Description    AnyConnect experienced an unexpected and unrecoverable error while attempting to initialize its local network socket subsystem.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a failure response to an IPC peer 
requesting the creation of a VPN connection.

Description    The AnyConnect service received a request from another client process to initiate a VPN connection. The service encountered an unexpected and unrecoverable failure while attempting to send an error notification back to the requesting client process.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a failure response to an IPC peer 
requesting the launch of an application.

Description    The AnyConnect service received a request from another client process to launch a client application. The service encountered an unexpected and unrecoverable failure while attempting to send an error notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a success response to an IPC peer 
requesting the creation of a VPN connection.

Description    The AnyConnect service received a request from another client process to initiate a VPN connection. The service encountered an unexpected and unrecoverable failure while attempting to send a success notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client agent was unable to send a success response to an IPC peer 
requesting the launch of an application.

Description    The AnyConnect service received a request from another client process to launch a client application. The service encountered an unexpected and unrecoverable failure while attempting to send a success notification back to the requesting client process.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client driver has encountered an error. Please restart your computer or 
device, then try again.

Description    The AnyConnect service could not configure or start the virtual adapter driver needed to perform a VPN connection. A likely cause is a problem with the virtual adapter installation or registry settings.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    See «Microsoft Windows Updates» in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5.

 The VPN client driver has encountered an error. Close all sensitive networked 
applications. Please restart your computer or device, then try again.

Description    AnyConnect received a notification from its virtual adapter indicating it is terminating communication. The likely cause of the error is a virtual adapter driver failure.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client failed to establish a connection.

Description    The AnyConnect service failed to establish a secured connection to the secure gateway. Possible causes include the following:

–Proxy authentication failure

–Protocol handshake failure

–Bad client or server certificate

–Layer 2 communication failures

Recommended User Response    Retry the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client service has been stopped. The VPN connection has been disconnected. 
Close all sensitive networked applications.

Description    AnyConnect disconnected from the VPN because it received a stop notification from the endpoint.

Recommended User Response    Restart AnyConnect and retry the VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    If the problem persists, open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to modify the IP forwarding table. A VPN connection will 
not be established. Please restart your computer or device, then try again.

Description    AnyConnect failed to apply all the VPN configuration settings to the endpoint IP forwarding table. A VPN connection is not permitted because this failure could compromise both its security and operation. This error is unrecoverable.

Recommended User Response    Restart your computer or device, then try a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to setup IP filtering. A VPN connection will not be 
established.

Description    AnyConnect failed to apply the VPN configuration settings to its IP filtering subsystem. A VPN connection is not permitted because this failure could compromise both its security and data integrity. This error is unrecoverable.

Recommended User Response    Restart the computer or device. Restart the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 The VPN client was unable to successfully verify the IP forwarding table 
modifications. A VPN connection will not be established.

Description    AnyConnect could not verify the successful application of all the VPN configuration settings to the local IP forwarding table. A VPN connection is not permitted because settings that are not applied could compromise both its security and operation. Other software running on the endpoint might also be actively altering the IP forwarding table, interfering with the AnyConnect configuration.

Recommended User Response    Restart the computer or device. Exit all applications. Restart the VPN connection. If necessary, report the error to your organization’s technical support.

 The VPN configuration received from the secure gateway has an invalid format. 
Please contact your network administrator.

Description    AnyConnect received a VPN connection configuration from the secure gateway containing an invalid format. The secure gateway could be malfunctioning.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Make sure the AnyConnect profile is an .xml file.

 The VPN configuration received from the secure gateway is invalid. Please contact 
your network administrator.

Description    AnyConnect received a VPN connection configuration from the secure gateway containing invalid or conflicting information.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Examine and correct the VPN configuration settings on the secure gateway. Try using the AnyConnect profile editor to open and validate the AnyConnect profile.

 The VPN connection could not be automatically re-established following a mobile 
device wakeup. A new connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed after a local OS sleep-and-wake-up cycle.

Recommended User Response    Verify the device network connectivity. Try a new VPN connection.

 The VPN connection could not be automatically re-established following a system 
resume from standby or hibernate. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed after a local OS suspend-and-resume cycle.

Recommended User Response    Verify the computer or device network connectivity. Then try a new VPN connection.

 The VPN connection could not be re-established when attempting to resume from the 
paused connection state.

Description    Automatic VPN reconnection attempts failed after a local pause-and-continue cycle.

Recommended User Response    Try a new VPN connection.

 The VPN connection has been disconnected due to the mobile device sleeping. The 
reconnect capability is disabled. A new connection is necessary, which requires 
re-authentication.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected because the endpoint went to sleep.

Recommended User Response    Try a new VPN connection.

Recommended Administrator Response    Because mobile devices sleep more frequently than portable computers, consider configuring a different profile and group for mobile devices with the DisconnectOnSuspend preference set to «Reconnect on resume» if mobile device end-users encounter this message frequently.

 The VPN connection has been disconnected due to the system suspending. The 
reconnect capability is disabled. A new connection is necessary, which requires 
re-authentication.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected because an endpoint system suspend occurred.

Recommended User Response    Try a new VPN connection.

Recommended Administrator Response    None. Change the AnyConnect client profile Auto Reconnect Behavior value to another value if you want to change the reconnect policy.

 The VPN connection is not allowed via a local proxy. This can be changed through 
AnyConnect profile settings.

Description    In accordance with the AnyConnect configuration, AnyConnect prevented the use of a local proxy to establish a VPN connection.

Recommended User Response    Remove the local proxy and try a new VPN connection.

Recommended Administrator Response    None. Check Allow Local Proxy Connections on the AnyConnect client profile if you want to permit the use of a local proxy.

 The VPN connection to the secure gateway was disrupted and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because of a connection failure or disruption. Possible causes include a local network failure, internet device failure, or secure gateway failure.

Recommended User Response    Verify network connectivity, then try a new VPN connection.

 The VPN connection was re-established but the secure gateway assigned a new 
configuration that could not be successfully applied. A new connection is 
necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed. A modified VPN connection configuration from the secure gateway requires another automatic reconnection.

Recommended User Response    Verify network connectivity, then try a new VPN connection.

 The VPN connection was started by a remote desktop user whose remote console has 
been disconnected. It is presumed the VPN routing configuration is responsible for 
the remote console disconnect. The VPN connection has been disconnected to allow 
the remote console to connect again. A remote desktop user must wait 90 seconds 
after VPN establishment before disconnecting the remote console to avoid this 
condition.

Description    AnyConnect detected a remote console disconnect within 90 seconds of the establishment of a VPN session. AnyConnect terminated the session because it detected an interruption of the remote console session, indicating the necessity of restoring the local IP forwarding table to permit the re-establishment of the remote console session.

Recommended User Response    Remote console users should wait more than 90 seconds following VPN connection establishment before disconnecting the remote console session to avoid this condition.

 The VPN connection was terminated by the secure gateway and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because the secure gateway closed the connection.

Recommended User Response    Remote console users should wait more than 90 seconds following VPN connection establishment before disconnecting the remote console session to avoid this condition.

 The VPN connection was terminated due to a Windows connection manager failure. A 
new connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed because of a Windows connection manager failure. The VPN connection requires an automatic reconnection.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The VPN connection was terminated due to a different client IP address assignment 
by the secure gateway and could not be automatically re-established. A new 
connection is necessary, which requires re-authentication.

Description    Automatic VPN reconnection attempts failed. The VPN connection required an automatic reconnection because the secure gateway returned a different private network IP address in response to an IP address renewal request.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to a rekey failure and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    Automatic VPN reconnection attempts failed because of a failure to rekey the encryption protocol.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to a system routing table modification and 
could not be automatically re-established. A new connection is necessary, which 
requires re-authentication.

Description    The local host configuration management subsystem could not correct a change in the local IP forwarding table. Automatic VPN reconnection attempts failed.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to an IP address renewal failure and could 
not be automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    A failure to perform a DHCP renewal of the private network IP address used by AnyConnect requires a new VPN connection. Automatic VPN reconnection attempts failed.

Recommended User Response    Try to start a new VPN connection.

 The VPN connection was terminated due to incorrect tunnel MTU and could not be 
automatically re-established. A new connection is necessary, which requires 
re-authentication.

Description    AnyConnect detected that the tunnel MTU is incorrect. The VPN connection was torn down, but a new connection to enforce the correct tunnel MTU could not be established.

Recommended User Response    Try a new VPN connection. If the problem persists, report the error to your organization’s technical support.

Recommended Administrator Response    Change the secure gateway group-policy svc-mtu setting. To do so using ASDM, go to the MTU parameter on the Configuration > Group Policies > Add or Edit > Advanced > AnyConnect Client panel.

 The VPN connection was terminated due to the loss of the network interface used 
for the VPN connection.

Description    The endpoint network interface used for the VPN connection lost its network connectivity. The interface either disconnected or no longer has a usable IP address. As a result, the VPN connection attempt failed, or the VPN session or idle time-out expired, halting VPN reconnect attempts.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The VPN connection was terminated due to the loss of the network interface. A new 
connection is necessary, which requires re-authentication.

Description    The VPN connection lost its physical network interface, requiring a new VPN connection.

Recommended User Response    Repair the network connection or restart the device. Verify network connectivity, then establish a new VPN connection.

 The Windows Routing and Remote Access service is not compatible with the VPN 
client. The VPN client cannot operate correctly when this service is running. You 
must disable this service in order to use the VPN client.

Description    The Windows Routing and Remote Access service lets Microsoft Windows Server 2000, 2003 and 2008 function as a router, and as such it actively monitors and modifies the system IP forwarding table. AnyConnect cannot coexist with a running Routing and Remote Access service because it interferes with the AnyConnect configuration of the endpoint IP forwarding table for VPN connections and, if configured, the security of Always-on VPN.

Recommended User Response    Disable Routing and Remote Access. To do so, choose Start > Administrative Tools >Routing and Remote Access, right-click the server icon, choose Disable Routing and Remote Access, and click Yes in the confirmation dialog box. Then establish a VPN connection.

 The certificate on the secure gateway is invalid. A VPN connection will not be 
established.

Description    A rare problem was encountered with the server certificate.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Check the validity of the secure gateway server certificate.

 The client agent has encountered an error.

Description    AnyConnect encountered an unexpected and unrecoverable initialization failure.

Recommended User Response    Try restarting the computer or device, then start a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The client could not connect because of a secure gateway address resolution 
failure. Please verify Internet connectivity and server address.

Description    The client was unable to connect due to a DNS resolution error. Common causes can include a hostname that does not properly resolve to an IP address, incorrect DNS settings on the client, or unreachable or non-responsive DNS servers on the client.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Work with the user to verify local access to a DNS server.

 The client service has encountered an error and is stopping. Close all sensitive 
networked applications.

Description    AnyConnect encountered an unexpected and unrecoverable failure while interfacing with the local control subsystem.

Recommended User Response    Try restarting the computer or device, then start a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The configuration of the VPN Server has changed. Please try again.

Description    The secure gateway configuration changed after AnyConnect first contacted the secure gateway.

Recommended User Response    Start a new VPN connection.

Recommended Administrator Response    Try starting a new VPN connection from another location.

 The required license for this type of VPN client is not available on the secure 
gateway. Please contact your network administrator.

Description    AnyConnect attempted to establish a VPN session with a secure gateway that is not activated with an AnyConnect license.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Obtain an AnyConnect Essentials or Premium license from your Cisco Sales Engineer and activate it on the ASA.

 The secure gateway failed to reply to a connection initiation message and may be 
malfunctioning. Please try connecting again. If this problem persists, please 
contact your network administrator.

Description    An extended timer expired while AnyConnect was establishing a VPN connection with the secure gateway. The secure gateway probably failed to respond to a protocol handshake request. A flaw in the secure gateway software could be the cause.

Recommended User Response    Try starting a new VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 The secure gateway has rejected the connection attempt. A new connection attempt 
to the same or another secure gateway is needed, which requires re-authentication.

Description    AnyConnect received an error response (that is, an HTTP error code) from the secure gateway during the negotiation for a VPN session. AnyConnect logged the error code and any error description text provided in the secure gateway error response.

Recommended User Response    Try starting a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 The secure gateway has terminated the VPN connection.

Description    The secure gateway terminated the VPN connection. In the case of SSL, the message displayed to the user from the secure gateway indicates the reason for the termination.

Recommended User Response    Try starting a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 The secure gateway is responding, but AnyConnect could not establish a VPN session. 
Please retry.

Description    The Always-on VPN connect failure policy specified via the ConnectFailurePolicy profile setting will not be applied, despite the connection failure. While the UI failed to connect, AnyConnect could not contact the target secure gateway. Thus, the connection failure could not be confirmed and any existing network restrictions are maintained.

Recommended User Response    Try starting a new VPN connection.

 The server certificate received or its chain does not comply with FIPS. A VPN 
connection will not be established.

Description    In accordance with the AnyConnect configuration, AnyConnect disconnected from the VPN because the server certificate received from the secure gateway or the certificate in the server certificate chain is not compliant with Federal Information Processing Standards (FIPS).

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify the secure gateway server certificate uses both the FIPS-required minimum RSA public key length and a FIPS compliant signature algorithm.

 The service provider in your current location is restricting access to the 
Internet.

Description    The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the situation. Open a web browser and satisfy the conditions of the service provider. Then retry the connection.

 The service provider in your current location is restricting access to the secure 
gateway. 

Description    The user may be located at a coffee shop, airport or hotel, where an Internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the problem. Open a web browser and satisfy the conditions of the local Internet service provider. Then retry the connection.

 Unable to complete connection: Cisco Secure Desktop not installed on the client

Description    A login was attempted but no CSD data was sent for the connection. There may have been an error installing or running CSD.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Install CSD or verify that it is installed.

 Unable to contact SecureGateway.

Description    The secure gateway could not be contacted because of a DNS resolution error or an unreachable or non-responsive secure gateway.

Recommended User Response    Check for an additional error message for more detail about the cause.

 Unable to establish connection with newly imported Certificate.

Description    AnyConnect could not locate a certificate recently obtained via enrollment. Common causes include the following:

–Misconfiguration of the secure gateway, such as missing trust points.

–Invalid certificate date.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify the secure gateway configuration and certificate date.

 Unable to proceed.

Cannot contact the VPN service.

Description    A user attempted to perform an action such as connect and AnyConnect is not able to communicate with the AnyConnect agent. An alert message informing the user of this condition precedes this one.

Recommended User Response    Restart the computer or device, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Examine the log. If you cannot resolve the problem, report it to Cisco TAC and include the DART bundle.

 Unable to process remote proxy request. Please try again.

Description    An unexpected error occurred while processing the user response to proxy authentication.

Recommended User Response    Remove the local proxy and try a new VPN connection.

 Unable to re-register for IP forwarding table change notifications. The VPN 
connection has been disconnected.

Description    AnyConnect encountered an unrecoverable error when it attempted to re-register for local IP forwarding table change notifications. The VPN was disconnected because the error prevents AnyConnect from ensuring both its security and correct operation.

Recommended User Response    Restart the computer or device, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the error to Cisco TAC and include the DART bundle.

 Unable to retrieve logon information to verify compliance with AnyConnect logon 
enforcement and VPN establishment profile settings. A VPN connection will not be 
established.

Description    AnyConnect cannot enforce the user logon limit settings configured in the client profile because it cannot retrieve the local user login information. To ensure the protection of the private network, the VPN connection is not permitted.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to send authentication message.

Description    There was an error communicating with the authentication server.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to send authorization message.

Description    There was an error communicating with the authorization server.

Recommended User Response    Report the error to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unable to update the session management database

Description    The secure gateway encountered an error when attempting to add the VPN connection to the session database.

Recommended User Response    Try a new VPN connection. If the problem persists, report it to your organization’s technical support.

Recommended Administrator Response    Try a new VPN connection.

 Unable to verify the necessary registry keys for FIPS

Description    The AnyConnect client could not access the local registry keys needed to verify FIPS compliance.

Recommended User Response    Report the problem to your organization’s technical support.

Recommended Administrator Response    Try a new VPN connection.

 Unknown challenge.

Description    The authentication server returned an unrecognized challenge code.

Recommended User Response    Report the problem to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unknown error.

Description    The secure gateway experienced an unknown error.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 Unknown login status.

Description    The secure gateway did not perform one of the expected actions (accept, reject, or challenge the login, or return an error).

Recommended User Response    Retry the VPN connection. Report the problem to your organization’s technical support.

Recommended Administrator Response    Verify secure gateway access to the AAA server.

 Unwilling to perform password change.

Description    Message originated from the Cisco ASA. A password change is required to log in. An expired password is the likely cause. The server cannot modify the password.

Recommended User Response    Report the problem to your organization’s technical support.

 VPN Server could not parse request.

Description    The secure gateway could not parse the request sent by the VPN client.

Recommended User Response    Try restarting the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) and include the DART bundle.

 VPN Server internal error.

Description    The secure gateway encountered an internal error such as low memory.

Recommended User Response    Try restarting the VPN connection. Report the error to your organization’s technical support.

Recommended Administrator Response    Open a case with the Cisco Technical Assistance Center (TAC) if you cannot resolve the memory issue.

 VPN Service not available.

Description    The AnyConnect agent is not communicating. Likely causes include one of the following:

–The AnyConnect agent did not start.

–AnyConnect is not installed.

Recommended User Response    Ask your organization’s technical support for instructions on how to reinstall AnyConnect, then start a new VPN connection. If the problem persists, run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 VPN Service not available. Exiting.

Description    The AnyConnect agent is not communicating. Likely causes include one of the following:

–The AnyConnect agent did not start. Because AnyConnect is configured to run in Start Before Logon mode, it exited to keep from blocking the user.

–AnyConnect is not installed.

Recommended User Response    Try a new VPN connection. If the problem persists, ask your organization’s technical support for instructions on how to reinstall AnyConnect, then start a new VPN connection. If the problem continues to persist, run DART. (SeeUsing DART to Gather Troubleshooting Information.) Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Report the problem to Cisco TAC and include the DART bundle.

 VPN connection terminated, Smartcard removed from reader.

Description    The smartcard used to authenticate the VPN connection was removed from the Smartcard reader. The VPN was disconnected to ensure the protection of the private network.

Recommended User Response    Re-insert the smartcard and try a new VPN connection.

 VPN established. Continuing with login.

Description    The start before logon components established a VPN connection. The GUI exits to let the user log in to the OS.

Recommended User Response    Log in.

 VPN establishment capability from a remote desktop is disabled. A VPN connection 
will not be established.

Description    AnyConnect is not configured to permit the establishment of a VPN connection from within a remote desktop session on the endpoint.

Recommended User Response    Log in directly, then connect to the VPN.

Recommended Administrator Response    Refer to «Allowing a Windows RDP Session to Launch a VPN Session» in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5 if you want to enable VPN access from an RDP session.

 Warning: The following Certificate received from the Server could not be verified:

Description    The certificate presented by the secure gateway could not be verified. Possible causes include:

–Certificates could not be verified to a trusted Root Certificate.

–Misconfigured certificate names.

–Invalid host names entered by user causing name check failure.

–Expired or revoked certificates.

Recommended User Response    Report the error to your organization’s technical support and include the DART bundle.

Recommended Administrator Response    Validate or replace the certificate.

 When in the Secure Vault, use the "Launch Login Page" button on the desktop to 
relaunch the client.

Description    Cisco Secure Desktop was detected as running on the endpoint.

Recommended User Response    Click Launch Login Page inside the Secure Desktop to launch the client inside the Secure Desktop to continue using the VPN connection.

 You have no dial-in permission.

Description    The user’s account does not have permission to access the network remotely.

Recommended User Response    Report the error to your organization’s technical support.

 You need to log on with the service provider before you can establish a VPN 
session. You can try this by visiting any website with your browser.

Description    The user may be located at a coffee shop, airport, or hotel, where an internet service provider is restricting access to the Internet. A VPN connection cannot be established.

Recommended User Response    Look for a second message for actions to correct the situation. Open a web browser to see if you can satisfy the conditions for Internet access. Then retry the VPN connection.

 Your VPN connection has exceeded the session time limit. A new connection is 
necessary, which requires re-authentication.

Description    The VPN session was terminated because it exceeded the time permitted by the secure gateway for a VPN session. This feature helps protect the private network by requiring the user to re-authenticate with the secure gateway.

Recommended User Response    Start a new VPN session.

 Your account is disabled.

Description    The user’s account is disabled and cannot be used to access the VPN.

Recommended User Response    Report the error to your organization’s technical support.

 Your certificate is invalid for the selected group

Description    The secure gateway validated the certificate provided by AnyConnect, however, the applied connection policy (tunnel group) does not permit the certificate. The certificate might be valid for another connection policy configured on the secure gateway.

Recommended User Response    Report the error to your organization’s technical support and ask for the proper certificate.

Recommended Administrator Response    Provide instructions to obtain the certificate required for VPN access.

 Your client certificate will be used for authentication

Description    Certificate-only authentication is in use. Instead of providing a username and password as credentials, the user’s certificate will be used for authentication.

Recommended User Response    None.

 Your connection to the secure gateway has been suspended longer than the allotted 
time limit. A new connection is necessary, which requires re-authentication.

Description    The VPN session was terminated because it exceeded the VPN session idle timer limit configured on the secure gateway. This feature helps protect the private network by requiring the user to re-authenticate with the secure gateway.

Recommended User Response    Start a new VPN session.

Recommended Administrator Response    None.

Anytime the Anyconnect client can’t successfully perform a connection process between your computer and the VPN server,  you will receive the message ”Anyconnect was not able to establish a connection to the specified secure gateway.” 

Suppose you know a thing or two about networks, security, and protocols. In that case, you’ll be able to get more pieces of helpful information from observing at what stage during the initialization and connection process, Anyconnect ran into problems resulting in the error message above.

Some users periodically start running into this problem without any apparent reason or commonality between their settings, ISP’s or operating systems, often leaving even Cisco’s support without a quick solution.

In essence, most causes for this issue fall into one of three categories:

1. Antivirus or firewall on the computer are not allowing Anyconnect to establish a connection

2. Anyconnect  client is not set up correctly

3. Network or ISP enforced some restrictions to what can go through

Consequently, you can solve the problem by crossing out those categories, one at a time. Let’s start from the top.

Disable Antivirus or/and Firewall

A third-party antivirus program can often block some features and limit connectivity for different programs and clients. Especially after updates, when the program is still learning which activities your programs are performing can be potentially harmful to your system.

Temporarily disable antivirus if you’re using one and try to connect. If you don’t use third-party antivirus software, a windows firewall could cause the problem, but it is less common. To disable Windows firewall go to:

Disable Conflicting Internet Connection Sharing Service

Some users managed to pinpoint the cause of the problem with connectivity to the conflict between the Windows built-in service and Anyconnect’s client. They were able to solve the problem by disabling the service temporarily, then establishing a connection with Anyconnect, and turning the service back on with no further issues.

You can do this by pressing the Win + R keys and typing “services.msc” into the bar. Press Enter. Now scroll down alphabetically until you find the above service. Right-click on it and then choose “Stop.” Close the window and try to connect to see if it worked. 

Change Local Policy

More than a few users reported changing the local policy fixed their problem. They changed the file temporarily, connected to the server, then changed it back without having any issues with Anyconnect not connecting to the server from that point on.

Go to:

C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientAnyConnectLocalPolicy.xml and and change the value to <BypassDownloader>true</BypassDownloader>. After connecting to the server, open the same xml file and change back the value to false. 

Disable ->Connect -> Enable Internet Connection Sharing (ICS)

To disable this sharing, open the Control Panel by typing “cpl” into the search bar on the bottom of the desktop and left-clicking on the app.

Now open Network and Internet Sharing and then select Change adapter settings.

Right-click on the shared network connection, then left-click on Properties.

In the properties window, click on the Sharing.

Uncheck the checkbox next to “Allow other network users to connect through this computer’s Internet connection.”

Click OK.

Stick to the One Network in AnyConnect VPN

One of the known causes of the connectivity issue happens when your computer receives signals from multiple AP’s, switching between them to get the strongest one. To prevent this, you’ll need to tell the Anyconnect client to stick to the one current network.

Open the AnyConnect Client, right-click on Network, then click on.“Connect only to current Network.”

Update Anyconnect Client

If nothing above worked, contact your network administrator and see if your client is up to date or not. Cisco is fixing many known issues in each new version of the software, and it is vital to keep the client version updated. 

Try Using Different Connection

To eliminate the possibility that your network or ISP placed some restrictions on what kind of connections and protocols they will allow through, try switching between different wireless networks or between wireless and mobile data. 

Summary

If your Anyconnect is not able to establish a connection to a specified secure gateway, you can feel cornered and in trouble, especially if you’re using it to work remotely. Luckily, there are a few things you can do to overcome this problem. Start by temporarily disabling a third-party antivirus software that might be blocking your connection.

Recommended reading:

• WAN Connection Down: Why And How to Fix It?
• Gateway Authentication Failure Please Contact Your Service Provider
• Could Not Connect To Steam Network: Try These Fixes

If you’re not using third-party antivirus software, temporarily disable Microsoft defender. In case that doesn’t help, try disabling the internet connection service in charge of providing NAT, DHCP, and other stuff you need to go online.

Since Anyconnect will need to take over those tasks, it would be good to disable this service until you establish a connection, then enable it once again.

Other known fixes include Disabling the internet connection sharing, changing the local policy, fixing the link to a specific wireless network, using a different network or ISP, and updating the Anyconnect client.

We hope one of them will solve your problem as well.

My company recently took over IT operations for another company. We have next to no documentation to go off of.

Users use CiscoAnyconnect for VPN and we need to be able to manage this system for them.

One user is getting «Login Failed» when trying to connect and I cannot find a way to get their password reset. I can confirm that their AD environment is not integrated with Cisco VPN.

Any guidance will be appreciated. where to start especially. We have access to their servers and domain controllers.

Исправление: AnyConnect не смог установить соединение с указанным безопасным шлюзом.

Сообщение об ошибке « AnyConnect не смог установить соединение с указанным безопасным шлюзом » появляется, когда пользователи пытаются подключиться к VPN с помощью клиента AnyConnect. Эта проблема возникает из-за того, что VPN-клиент AnyConnect не может успешно выполнить процесс соединения с удаленным сервером, и на его пути есть некоторые блокировки. Сегодня мы рассмотрим указанное сообщение об ошибке, включая причины появления сообщения об ошибке и различные решения, которые вы можете реализовать, чтобы избавиться от ошибки.

Что вызывает сообщение об ошибке «AnyConnect не смог установить соединение с указанным безопасным шлюзом»?

Это может быть связано с множеством причин. Иногда это блокировка антивируса или брандмауэра, а иногда это может быть вызвано плохим подключением к Интернету. Следующие будут основными причинами; упомянуть вкратце —

• Проблема с антивирусом или брандмауэром: антивирусное программное обеспечение может время от времени мешать процессу подключения AnyConnect Client VPN и не позволять ему подключаться к внешним сетям или серверам из соображений безопасности. Часто он блокирует множество входящих и исходящих соединений. Таким образом, вы не сможете подключиться к своей любимой VPN с помощью Anyconnect.
• Неправильная конфигурация клиента: если вы неправильно настроили свой клиент Anyconnect и хранящиеся в нем конфигурации VPN неверны, то вы столкнетесь с проблемами при установлении успешных соединений.
• Интернет-ограничения: иногда IP-адреса некоторых стран могут быть заблокированы вашим интернет-провайдером, и вы можете сознательно не пытаться подключиться к VPN той же страны, которая была заблокирована вашим интернет-провайдером. Тогда вы столкнетесь с проблемами.

Чтобы обойти сообщение об ошибке, вы можете следовать приведенным ниже решениям, но обязательно перезагрузите компьютер и приложение, прежде чем переходить к другим исправлениям.

Решение 1. Отключение антивируса

Перво-наперво. В большинстве случаев проблема возникает из-за блокировки антивируса, что является распространенным сценарием. Следовательно, в таком случае вы должны попытаться отключить любой сторонний антивирус, который вы установили в своей системе, а затем попытаться подключиться к VPN с помощью AnyConnect. Надеюсь, это решит проблему.

Решение 2. Остановите службу подключения к Интернету

Время от времени служба ICS работает, что вызывает проблемы для клиента AnyConnect при подключении к VPN. Вам нужно будет отключить его, чтобы решить проблему. Вот как отключить службу:

1. Нажмите Windows + R и введите services.msc.
2. Когда откроется окно со службами, найдите службу общего доступа к подключению Интернета . Щелкните его правой кнопкой мыши и выберите « Остановить» .
3. Затем выйдите из окна служб , закрыв его.

Решение 3. Отключите общий доступ к подключению к Интернету (ICS)

Было несколько случаев, когда, если в Windows был включен ICS, пользователи сталкивались с этой проблемой. Чтобы отключить ICS, следуйте приведенным ниже инструкциям:

1. Откройте панель управления
2. Перейдите в раздел «Сеть и общий доступ к Интернету» и нажмите « Изменить настройки адаптера» .
3. После этого вам нужно будет щелкнуть правой кнопкой мыши по общему сетевому подключению , а затем выбрать « Свойства» .
4. В окне свойств нажмите на Совместное использование
5. Оказавшись там, вам нужно снять флажок с надписью « Разрешить другим пользователям сети подключаться через подключение к Интернету этого компьютера ».
6. После этого нажмите ОК.

Если ваша проблема была вызвана включением ICS, это должно было исправить ее.

Решение 4. Выберите параметр Подключиться к текущей сети в AnyConnect VPN.

Иногда клиентский VPN Any Connect колеблется между разными сетями, поэтому вам нужно выбрать вариант подключения только к текущей сети. Это может решить проблему для вас. Вот как это сделать:

1. Откройте клиент AnyConnect и там, где вы видите написанную сеть , щелкните ее правой кнопкой мыши.
2. Щелкните « Подключиться только к текущей сети ».

Решение 5. Попробуйте другое подключение

Иногда используемое вами интернет-соединение может иметь некоторые ограничения или может работать неправильно, что является причиной проблемы. В таком сценарии вам придется использовать альтернативное соединение, такое как Wi-Fi или мобильная точка доступа, чтобы узнать, можете ли вы подключиться к VPN.

AnyConnect VPN Client Troubleshooting Guide — Common Problems

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes a troubleshooting scenario which applies to applications that do not work through the Cisco AnyConnect VPN Client.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Adaptive Security Appliance (ASA) that runs Version 8.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshooting Process

This typical troubleshooting scenario applies to applications that do not work through the Cisco AnyConnect VPN Client for end-users with Microsoft Windows-based computers. These sections address and provide solutions to the problems:

Installation and Virtual Adapter Issues

Complete these steps:

Obtain the device log file:

Windows XP / Windows 2000:

Note: Hidden folders must be made visible in order to see these files.

If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.

If this is an initial web deploy install, this log is located in the per-user temp directory.

Windows XP / Windows 2000:

If this is an automatic upgrade, this log is in the temp directory of the system:

The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.

From a Command Prompt/DOS box, type this:

Windows XP / Windows 2000:

Note: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.

Windows XP and Windows Vista:

Refer to AnyConnect: Corrupt Driver Database Issue in order to debug the driver issue.

Disconnection or Inability to Establish Initial Connection

If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:

The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:

From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.

From the console of the ASA, type show running-config . Let the configuration complete on the screen, then cut-and-paste to a text editor and save.

In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:

Choose Start > Run.

Note: Always save it as the .evt file format.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, however currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.

When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available .

In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.

When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.

When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator .

This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.

This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.

The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets . This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:

Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX , then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.

For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

AnyConnect Crash Issues

Complete these data-gathering steps:

Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:

When the crash occurs, gather the .log and .dmp files from C:Documents and SettingsAll UsersApplication DataMicrosoftDr Watson. If these files appear to be in use, then use ntbackup.exe.

Choose Start > Run.

Note: Always save it as the .evt file format.

Fragmentation / Passing Traffic Issues

Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.

This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.

Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.

It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.

Problem

TCP connections hang once connected with AnyConnect.

Solution

In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.

Uninstall Automatically

Problem

The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.

Solution

AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Issue Populating the Cluster FQDN

Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).

When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.

Solution

This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.

Backup Server List Configuration

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.

Go to the server list tab.

In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

AnyConnect: Corrupt Driver Database Issue

This entry in the SetupAPI.log file suggests that the catalog system is corrupt:

W239 driver signing class list «C:WINDOWSINFcertclas.inf» was missing or invalid. Error 0xfffffde5: Unknown Error. , assuming all device classes are subject to driver signing policy.

You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue .

You can receive this log on the client: «The VPN client driver has encountered an error» .

Repair

This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Failed Repair

If the repair fails, complete these steps:

Open a command prompt as an Administrator on the PC (elevated prompt on Vista).

Analyze the Database

You can analyze the database at any time in order to determine if it is valid.

Open a command prompt as an Admimistrator on the PC.

Error Messages

Error: Unable to Update the Session Management Database

While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory .

Solution 1

This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.

Solution 2

This issue can also be resolved if you disable threat-detection on ASA if threat-detection is used.

Error: «Module c:Program FilesCiscoCisco AnyConnect VPN Clientvpnapi.dll failed to register»

When you use the AnyConnect client on laptops or PCs, an error occurs during the install:

When this error is encountered, the installer cannot move forward and the client is removed.

Solution

These are the possible workarounds to resolve this error:

The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.

• vpnapi.dll
• vpncommon.dll
• vpncommoncrypt.dll

The log message related to this error on the AnyConnect client looks similar to this:

Error: «An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator»

When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.

This message was received from the secure gateway:

«Illegal address class» or «Host or network is 0» or «Other error»

Solution

The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.

Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.

Error: Session could not be established. Session limit of 2 reached.

When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached . I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.

Solution 1

This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.

Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.

Solution 2

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA

You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.

Solution

This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.

Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)

The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?

Solution

This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression none command. This resolves the issue.

Error: The secure gateway has rejected the agent’s vpn connect or reconnect request.

When you connect to the AnyConnect Client, this error is received: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0» .

This error is also received when you connect to the AnyConnect Client: «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» .

Solution

The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.

The «The secure gateway has rejected the agent’s vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License» error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.

Error: «Unable to update the session management database»

When you try to authenticate in WebPortal, this error message is received: «Unable to update the session management database» .

Solution

This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.

As a permanent workaround, upgrade the memory to 512MB.

As a temporary workaround, try to free the memory with these steps:

Disable the threat-detection.

Error: «The VPN client driver has encountered an error»

This is an error message obtained on the client machine when you try to connect to AnyConnect.

Solution

In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:

Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.

This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesvpnagent.

Note: If this is to be used, then the preference would be to use the .MST transform in this instance. This is because if you set this manually with these methods, it requires that this be set after every install/upgrade process. This is why there is a need to identify the application that causes this problem.

Error: «Unable to process response from xxx.xxx.xxx.xxx»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Unable to process response from xxx.xxx.xxx.xxx» .

Solution

In order to resolve this error, try these workarounds:

Remove WebVPN from the ASA and reenable it.<

For more information on how to enable WebVPN and change the port for WebVPN, refer to this Solution.

Error: «Login Denied , unauthorized connection mechanism , contact your administrator»

AnyConnect clients fail to connect to a Cisco ASA. The error in the AnyConnect window is «Login Denied , unauthorized connection mechanism , contact your administrator» .

Solution

This error message occurs mostly because of configuration issues that are improper or an incomplete configuration. Check the configuration and make sure it is as required to resolve the issue.

Error: «Anyconnect package unavailable or corrupted. Contact your system administrator»

This error occurs when you try to launch the AnyConnect software from a Macintosh client in order to connect to an ASA.

Solution

In order to resolve this, complete these steps:

Upload the Macintosh AnyConnect package to the flash of the ASA.

The svc image command is replaced by the anyconnect image command in ASA Version 8.4(1) and later as shown here:

Error: «The AnyConnect package on the secure gateway could not be located»

This error is caused on the user’s Linux machine when it tries to connect to the ASA by launching AnyConnect. Here is the complete error:

Solution

In order to resolve this error message, verify whether the Operating System (OS) that is used on the client machine is supported by the AnyConnect client.

If the OS is supported, then verify if the AnyConnect package is specified in the WebVPN configuration or not. See the Anyconnect package unavailable or corrupted section of this document for more information.

Error: «Secure VPN via remote desktop is not supported»

Users are unable to perform a remote desktop access. The Secure VPN via remote desktop is not supported error message appears.

Solution

This issue is due to these Cisco bug IDs: CSCsu22088 and CSCso42825. If you upgrade the AnyConnect VPN Client, it can resolve the issue. Refer to these bugs for more information.

Error: «The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established»

When you attempt to VPN to the ASA 5505, the The server certificate received or its chain does not comply with FIPS. A VPN connection will not be established error message appears.

Solution

In order to resolve this error, you must disable the Federal Information Processing Standards (FIPS) in the AnyConnect Local Policy file. This file can usually be found at C:ProgramDataCiscoCisco AnyConnect VPN ClientAnyConnectLocalPolicy.xml . If this file is not found in this path, then locate the file at a different directory with a path such as C:Documents and SettingsAll UsersApplication DataCisco AnyConnectVPNClientAnyConnectLocalPolicy.xml . Once you locate the xml file, make changes to this file as shown here:

Change the phrase:

<FipsMode>true</FipsMode>

<FipsMode>false</FipsMode>

Then, restart the computer. Users must have administrative permissions in order to modify this file.

Error: «Certificate Validation Failure»

Users are unable to launch AnyConnect and receive the Certificate Validation Failure error.

Solution

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

ssl certificate-authentication interface outside port 443

Error: «VPN Agent Service has encountered a problem and needs to close. We are sorry for the inconvenience»

When AnyConnect Version 2.4.0202 is installed on a Windows XP PC, it stops at updating localization files and an error message shows that the vpnagent.exe fails.

Solution

This behavior is logged in Cisco bug ID CSCsq49102. The suggested workaround is to disable the Citrix client.

Error: «This installation package could not be opened. Verify that the package exists»

When AnyConnect is downloaded, this error message is received:

«Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.»

Solution

Complete these steps in order to fix this issue:

Remove any anti-virus software.

Error: «Error applying transforms. Verify that the specified transform paths are valid.»

This error message is recieved during the auto-download of AnyConnect from the ASA:

This is the error message received when connecting with AnyConnect for MacOS:

Solution

Complete one of these workarounds in order to resolve this issue:

The root cause of this error might be due to a corrupted MST translation file (for example, imported). Perform these steps to fix this:

Remove the MST translation table.

If neither of these workarounds resolve the issue, contact Cisco Technical Support.

Error: «The VPN client driver has encountered an error»

This error is received:

Solution

This issue can be resolved when you uninstall the AnyConnect Client, and then remove the anti-virus software. After this, reinstall the AnyConnect Client. If this resolution does not work, then reformat the PC in order to fix this issue.

Error: «A VPN reconnect resulted in different configuration setting. The VPN network setting is being re-initialized. Applications utilizing the private network may need to be restored.»

This error is received when you try to launch AnyConnect:

Solution

In order to resolve this error, use this:

The svc mtu command is replaced by the anyconnect mtu command in ASA Version 8.4(1) and later as shown here:

AnyConnect Error While Logging In

Problem

The AnyConnect receives this error when it connects to the Client:

Solution

The issue can be resolved if you make these changes to the AnyConnect profile:

Add this line to the AnyConnect profile:

IE Proxy Setting is Not Restored after AnyConnect Disconnect on Windows 7

Problem

In Windows 7, if the IE proxy setting is configured for Automatically detect settings and AnyConnect pushes down a new proxy setting, the IE proxy setting is not restored back to Automatically detect settings after the user ends the AnyConnect session. This causes LAN issues for users who need their proxy setting configured for Automatically detect settings.

Solution

This behavior is logged in Cisco bug ID CSCtj51376. The suggested workaround is to upgrade to AnyConnect 3.0.

Error: AnyConnect Essentials can not be enabled until all these sessions are closed.

This error message is received on Cisco ASDM when you attempt to enable the AnyConnect Essentials license:

Solution

This is the normal behavior of the ASA. AnyConnect Essentials is a separately licensed SSL VPN client. It is entirely configured on the ASA and provides the full AnyConnect capability, with these exceptions:

No Cisco Secure Desktop (CSD) (including HostScan/Vault/Cache Cleaner)

This license cannot be used at the same time as the shared SSL VPN premium license. When you need to use one license, you need to disable the other.

Error: Connection tab on Internet option of Internet Explorer hides after getting connected to the AnyConnect client.

The connection tab on the Internet option of Internet Explorer hides after you are connected to the AnyConnect client.

Solution

This is due to the msie-proxy lockdown feature. If you enable this feature, it hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. If you disable the feature, it leaves the display of the Connections tab unchanged.

Error: Few users getting Login Failed Error message when others are able to connect successfully through AnyConnect VPN

A few users receive the Login Failed Error message when others can connect successfully through the AnyConnect VPN.

Solution

This issue can be resolved if you make sure the do not require pre-authentication checkbox is checked for the users.

Error: The certificate you are viewing does not match with the name of the site you are trying to view.

During the AnyConnect profile update, an error is shown that says the certificate is invalid. This occurs with Windows only and at the profile update phase. The error message is shown here:

Solution

This can be resolved if you modify the server list of the AnyConnect profile in order to use the FQDN of the certificate.

This is a sample of the XML profile:

Note: If there is an existing entry for the Public IP address of the server such as <HostAddress> , then remove it and retain only the FQDN of the server (for example, <HostName> but not <Host Address> ).

Cannot Launch AnyConnect From the CSD Vault From a Windows 7 Machine

When the AnyConnect is launched from the CSD vault, it does not work. This is attempted on Windows 7 machines.

Solution

Currently, this is not possible because it is not supported.

AnyConnect Profile Does Not Get Replicated to the Standby After Failover

The AnyConnect 3.0 VPN client with ASA Version 8.4.1 software works fine. However, after failover, there is no replication for the AnyConnect profile related configuration.

Solution

This problem has been observed and logged under Cisco bug ID CSCtn71662. The temporary workaround is to manually copy the files to the standby unit.

AnyConnect Client Crashes if Internet Explorer Goes Offline

When this occurs, the AnyConnect event log contains entries similar to these:

Solution

This behavior is observed and logged under Cisco bug ID CSCtx28970. In order to resolve this, quit the AnyConnect application and relaunch. The connection entries reappear after relaunch.

Error Message: TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER

The AnyConnect client fails to connect and the Unable to establish a connection error message is received. In the AnyConnect event log, the TLSPROTOCOL_ERROR_INSUFFICIENT_BUFFER error is found.

Solution

This occurs when the headend is configured for split-tunneling with a very large split-tunnel list (approximately 180-200 entries) and one or more other client attributes are configured in the group-policy, such as dns-server.

In order to resolve this issue, complete these steps:

Reduce the number of entries in the split-tunnel list.

For more information, refer to Cisco bug ID CSCtc41770.

Error Message: «Connection attempt has failed due to invalid host entry»

The Connection attempt has failed due to invalid host entry error message is received while AnyConnect is authenticated with the use of a certificate.

Solution

In order to resolve this issue, try either of these possible solutions:

• Upgrade the AnyConnect to Version 3.0.
• Disable Cisco Secure Desktop on your computer.

For more information, refer to Cisco bug ID CSCti73316.

Error: «Ensure your server certificates can pass strict mode if you configure always-on VPN»

When you enable the Always-On feature on AnyConnect, the Ensure your server certificates can pass strict mode if you configure always-on VPN error message is received.

Solution

This error message implies that if you want to use the Always-On feature, you need a valid sever certificate configured on the headend. Without a valid server certificate, this feature does not work. Strict Cert Mode is an option that you set in the AnyConnect local policy file in order to ensure the connections use a valid certificate. If you enable this option in the policy file and connect with a bogus certificate, the connection fails.

Error: «An internal error occurred in the Microsoft Windows HTTP Services»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Also, refer to the event viewer logs on the Windows machine.

Solution

This could be caused due to a corrupted Winsock connection. Reset the connection from the command promt with this command and restart your windows machine:

netsh winsock reset

Error: «The SSL transport received a Secure Channel Failure. May be a result of a unsupported crypto configuration on the Secure Gateway.»

This Diagnostic AnyConnect Reporting Tool (DART) shows one failed attempt:

Solution

Windows 8.1 does not support RC4 according to the following KB update:

Either configure DES/3DES ciphers for SSL VPN on the ASA using the command «ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1» OR edit the Windows Registry file on the client machine as mentioned below: