Installation and Virtual Adapter Issues
Complete these steps:
- Obtain the device log file:
If you see errors in the setupapi log file, you can turn up verbosity to 0x2000FFFF.
2. Obtain the MSI installer log file:
If this is an initial web deploy install, this log is located in the per-user temp directory.
- Windows XP / Windows 2000:
\Documents and Settings\<username>\Local Settings\Temp\
- Windows Vista:
\Users\<username>\AppData\Local\Temp\
If this is an automatic upgrade, this log is in the temp directory of the system:
\Windows\Temp
The filename is in this format: anyconnect-win-x.x.xxxx-k9-install-yyyyyyyyyyyyyy.log. Obtain the most recent file for the version of the client you want to install. The x.xxxx changes based on the version, such as 2.0.0343, and yyyyyyyyyyyyyy is the date and time of the install.
3. Obtain the PC system information file:
1. From a Command Prompt/DOS box, type this:
- Windows XP / Windows 2000:
winmsd /nfo c:\msinfo.nfo
- Windows Vista:
msinfo32 /nfo c:\msinfo.nfo
**Note**: After you type into this prompt, wait. It can take between two to five minutes for the file to complete.
2. Obtain a systeminfo file dump from a Command Prompt:
Windows XP and Windows Vista:
systeminfo c:\sysinfo.txt
Refer to AnyConnect: Driver Issue in order to debug the driver issue.
Disconnection or Inability to Establish Initial Connection
If you experience connection problems with the AnyConnect client, such as disconnections or the inability to establish an initial connection, obtain these files:
- The configuration file from the ASA in order to determine if anything in the configuration causes the connection failure:
From the console of the ASA, type write net x.x.x.x:ASA-Config.txt where x.x.x.x is the IP address of a TFTP server on the network.
OR
From the console of the ASA, type show running-config. Let the configuration be complete on the screen, then cut-and-paste to a text editor and save.
- The ASA event logs:
- In order to enable logging on the ASA for auth, WebVPN, Secure Sockets Layer (SSL), and SSL VPN Client (SVC) events, issue these CLI commands:
config terminal
logging enable
logging timestamp
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging
- Originate an AnyConnect session and ensure that the failure can be reproduced. Capture the logging output from the console to a text editor and save.
- In order to disable logging, issue
no logging enable.
- The Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
- Choose Start > Run.
- Enter:
eventvwr.msc /s
- Right-click the Cisco AnyConnect VPN Client log, and select Save Log File as AnyConnect.evt. Note: Always save it as the .evt file format.
If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established error message error on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon attribute in the client profile, however, currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSC1051X was filed to address this feature.
Note: Make sure that port 443 is not blocked so the AnyConnect client can connect to the ASA.
When a user cannot connect the AnyConnect VPN Client to the ASA, the issue might be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN client, clientless access is not available.
In order to resolve this issue, upgrade the AnyConnect client version to be compatible with the ASA software image.
When you log in the first time to the AnyConnect, the login script does not run. If you disconnect and log in again, then the login script runs fine. This is the expected behavior.
When you connect the AnyConnect VPN Client to the ASA, you might receive this error: User not authorized for AnyConnect Client access, contact your administrator.
This error is seen when the AnyConnect image is missing from the ASA. Once the image is loaded to the ASA, AnyConnect can connect without any issues to the ASA.
This error can be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.
The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE:The secure gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:
webvpn
svc keepalive 30
svc dpd-interval client 80
svc dpd-interval gateway 80
The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:
webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5
Problems with Passing Traffic
When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data-gathering steps:
- Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows
Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
- Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
- Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
- Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.
Example:
!--- Route outside 0 0 is an incorrect statement.
route outside 0 0 10.145.50.1
route inside 0 0 10.0.4.2 tunneled
For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.
5. Verify if the AnyConnect traffic is dropped by the inspection policy of the ASA. You could exempt the specific application that is used by AnyConnct client if you implement the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol with these commands.
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect skinny
AnyConnect Crash Issues
Complete these data-gathering steps:
- Ensure that the Microsoft Utility Dr Watson is enabled. In order to do this, choose Start > Run, and run Drwtsn32.exe. Configure this and click OK:
Number of Instructions : 25
Number of Errors To Save : 25
Crash Dump Type : Mini
Dump Symbol Table : Checked
Dump All Thread Contexts : Checked
Append To Existing Log File : Checked
Visual Notification : Checked
Create Crash Dump File : Checked
When the crash occurs, gather the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, then use ntbackup.exe.
2. Obtain the Cisco AnyConnect VPN Client log from the Windows Event Viewer of the client PC:
1. Choose **Start > Run**.
2. Enter:
eventvwr.msc /s
3. Right-click the **Cisco AnyConnect VPN Client** log, and select Save Log File As **AnyConnect.evt**.
**Note**: Always save it as the **.evt file** format.
Fragmentation / Passing Traffic Issues
Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.
This can provide clues as to a fragmentation issue in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.
Try a scaling set of pings in order to determine if it fails at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.
It is recommended that you configure a special group for users that experience fragmentation, and set the SVC Maximum Transition Unit (MTU) for this group to 1200. This allows you to remediate users who experience this issue, but not impact the broader user base.
Problem
TCP connections hang once connected with AnyConnect.
Solution
In order to verify if your user has a fragmentation issue, adjust the MTU for AnyConnect clients on the ASA.
ASA(config)#group-policy <name> attributes
webvpn
svc mtu 1200
Uninstall Automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.
Solution
AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.
Issue Populating the Cluster FQDN
Problem: AnyConnect client is pre-populated with the hostname instead of the cluster Fully Qualified Domain Name (FQDN).
When you have a load-balancing cluster set up for SSL VPN and the client attempts to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the node ASA entry to which the client has been redirected is seen.
Solution
This occurs because the AnyConnect client retains the host name to which it last connected. This behavior is observed and a bug has been filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade the Cisco AnyConnect to Version 2.5.
Backup Server List Configuration
A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:
- Download the AnyConnect Profile Editor (registered customers only) . The file name is AnyConnectProfileEditor2_4_1.jar.
- Create an XML file with the AnyConnect Profile Editor.
- Go to the server list tab.
- Click Add.
- Type the main server on the Hostname field.
- Add the backup server below the backup server list on the Host address field. Then, click Add.
- Once you have the XML file, you need to assign it to the connection you use on the ASA.
- In ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
- Select your profile and click Edit.
- Click Manage from the Default Group Policy section.
- Select your group-policy and click Edit.
- Select Advanced and then click SSL VPN Client.
- Click New. Then, you need to type a name for the Profile and assign the XML file.
- Connect the client to the session in order to download the XML file.
AnyConnect: Corrupt Driver Database Issue
This entry in the SetupAPI.log file suggests that the catalog system is corrupt:
W239 driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 0xfffffde5: Unknown Error., assuming all device classes are subject to driver signing policy.
You can also receive this error message: Error(3/17): Unable to start VA, setup shared queue, or VA gave up shared queue.
You can receive this log on the client: "The VPN client driver has encountered an error".
Repair
This issue is due to Cisco bug ID CSCsm54689. In order to resolve this issue, make sure that Routing and Remote Access Service is disabled before you start AnyConnect. If this does not resolve the issue, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run
net stop CryptSvc.
- Run:
esentutl /p%systemroot%\System32\catroot2\
{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
- When prompted, choose OK in order to attempt the repair.
- Exit the command prompt.
- Reboot.
Failed Repair
If the repair fails, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run
net stop CryptSvc.
- Rename the %WINDIR%\system32\catroot2 to catroot2_old directory.
- Exit the command prompt.
- Reboot.
Analyze the Database
You can analyze the database at any time in order to determine if it is valid.
- Open a command prompt as an Admimistrator on the PC.
- Run:
esentutl /g%systemroot%\System32\catroot2\
{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Refer to System Catalog Database Integrity for more information.
Error MessagesError: Unable to Update the Session Management Database
While the SSL VPN is connected through a web browser, the Unable to Update the Session Management Database. error message appears, and the ASA logs show %ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory.
Solution 1
This issue is due to Cisco bug ID CSCsm51093. In order to resolve this issue, reload the ASA or upgrade the ASA software to the interim release mentioned in the bug. Refer to Cisco bug ID CSCsm51093 for more information.
Solution 2
This issue can also be resolved if you disable threat detection on ASA if threat detection is used.
Error: "Module c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed to register"
When you use the AnyConnect client on laptops or PCs, an error occurs during the install:
"Module C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnapi.dll failed
to register..."
When this error is encountered, the installer cannot move forward and the client is removed.
Solution
These are the possible workarounds to resolve this error:
- The latest AnyConnect client is no longer officially supported with Microsoft Windows 2000. It is a registry problem with the 2000 computer.
- Remove the VMware applications. Once AnyConnect is installed, VMware applications can be added back to the PC.
- Add the ASA to their trusted sites.
- Copy these files from the \ProgramFiles\Cisco\CiscoAnyconnect folder to a new folder and run the regsvr32 vpnapi.dll command prompt:
- vpnapi.dll
- vpncommon.dll
- vpncommoncrypt.dll
- Reimage the operating system on the laptop/PC.
The log message related to this error on the AnyConnect client looks similar to this:
DEBUG: Error 2911: Could not remove the folderC:\Program Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
DEBUG: Error 2911: Could not remove the folder C:\Program Files\Cisco\Cisco AnyConnect
VPN Client\.
The installer has encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 2911. The arguments are:
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\, ,
Info 1721. There is a problem with this Windows Installer package. A program required for
this install to complete could not be run. Contact your support personnel or package
vendor. Action: InstallHelper.exe, location: C:\Program Files\Cisco\Cisco AnyConnect VPN
Client\InstallHelper.exe, command: -acl "C:\Documents and Settings\All Users\Application
Data\Cisco\Cisco AnyConnect VPN Client\\" -r
Error: "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator"
When clients try to connect to the VPN with the Cisco AnyConnect VPN Client, this error is received.
This message was received from the secure gateway:
"Illegal address class" or "Host or network is 0" or "Other error"
Solution
The issue occurs because of the ASA local IP pool depletion. As the VPN pool resource is exhausted, the IP pool range must be enlarged.
Cisco bug ID is CSCsl82188 is filed for this issue. This error usually occurs when the local pool for address assignment is exhausted, or if a 32-bit subnet mask is used for the address pool. Basically, I am facing this error on developing the best payroll software Kolkata. But it basically operates on 24-bit. The workaround is to expand the address pool and use a 24-bit subnet mask for the pool.
Error: Session could not be established. Session limit of 2 reached.
When you try to connect more than two clients with the AnyConnect VPN Client, you receive the Login Failed error message on the Client and a warning message in the ASA logs that states Session could not be established. Session limit of 2 reached. I have the AnyConnect essential license on the ASA, which runs Version 8.0.4.
Solution 1
This error occurs because the AnyConnect essential license is not supported by ASA version 8.0.4. You need to upgrade the ASA to version 8.2.2. This resolves the error.
Note: Regardless of the license used, if the session limit is reached, the user will receive the login failed error message.
Solution 2
This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.
Error: Anyconnect not enabled on VPN server while trying to connect anyconnect to ASA
You receive the Anyconnect not enabled on VPN server error message when you try to connect AnyConnect to the ASA.
Solution
This error is resolved if you enable AnyConnect on the outside interface of the ASA with ASDM. For more information on how to enable AnyConnect on the outside interface, refer to Configure Clientless SSL VPN (WebVPN) on the ASA.
Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)
The %ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206) error message appears in the logs of the ASA. What does this log mean and how is this resolved?
Solution
This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the svc compression nonecommand. This resolves the issue.
Error: The secure gateway has rejected the agent's vpn connect or reconnect request.
When you connect to the AnyConnect Client, this error is received: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists. The following message was received from the secure gateway: no assigned address".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway:Host or network is 0".
This error is also received when you connect to the AnyConnect Client: "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License".
Solution
The router was missing pool configuration after reload. You need to add the concerned configuration back to the router.
Router#show run | in pool
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
svc address-pool SSLPOO
The "The secure gateway has rejected the agent's vpn connect or reconnect request. A new connection requires a re-authentication and must be started manually. Please contact the network administrator if the problem persists. The following message was received from the secure gateway: No License" error occurs when the AnyConnect mobility license is missing. Once the license is installed, the issue is resolved.
Error: "Unable to update the session management database"
When you try to authenticate in WebPortal, this error message is received: "Unable to update the session management database".
Solution
This problem is related to memory allocation on the ASA. This issue is mostly encountered when the ASA Version is 8.2.1. Originally, this requires a 512MB RAM for its complete functionality.
As a permanent workaround, upgrade the memory to 512MB.
As a temporary workaround, try to free the memory with these steps:
Disable the threat-detection.
- Disable SVC compression.
- Reload the ASA.
Error: "The VPN client driver has encountered an error"
This is an error message obtained on the client machine when you try to connect to AnyConnect.
Solution
In order to resolve this error, complete this procedure in order to manually set the AnyConnect VPN agent to Interactive:
- Right-click My Computer > Manage > Services and Applications > Services > and select the Cisco AnyConnect VPN Agent.
- Right-click Properties, then log on, and select Allow service to interact with the desktop.
This sets the registry Type value DWORD to 110 (default is 010) for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent.
Hope this thing will help you properly.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
