Re: Cannot establish VPN to DevNet Environment

tall27 · ‎06-11-2024

Hi,

I've successfully set up the Identity Services Engine sandbox and attempted to connect to the VPN.

Once I've downloaded Cisco AnyConnect and tried to establish a connection, it fails with the following error: "VPN establishment capability for a remote user is disabled. A VPN connection will not be established."

URL: devnetsandbox-usw1-reservation.cisco.com:20285
user: tall27

Should should I check,
Thank you!

bigevilbeard · ‎06-12-2024

You can test this by getting another sandbox and seeing if this a sandbox issue or your network. The error "VPN establishment capability for a remote user is disabled. A VPN connection will not be established" can also be caused by blocked ports on your network. Cisco AnyConnect uses specific ports to establish a VPN connection. If these ports are blocked by your network firewall or router, the connection will fail.

Here are the default ports used by Cisco AnyConnect:

TCP port 443 (HTTPS)
UDP port 443 (DTLS)
TCP port 1194 (SSL)

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

tall27 · ‎06-12-2024

I thought "...VPN establishment capability for a remote user is disabled..." describe the problem (isn't it?)
Is there anyone on Cisco Labs who can check it ?

thanks,
Tal

P.S. I already established a new sandbox environment, and have tried from different windows boxes.

bigevilbeard · ‎06-12-2024

By chance are you trying this from a VM within your machine?

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

tall27 · ‎06-12-2024

One time it was win 2022 running in AWS, the other environment runs Win 10 in my VMWare workstation on Windows 11.
for the second option I use:

vpn_address: devnetsandbox-usw1-reservation.cisco.com:20283

vpn_username: gluliche

vpn_password: 86gw_Hlqu-q4DY

I do not care for the password as it ill go away in 1 day
thank you,
Tal

bigevilbeard · ‎06-12-2024

Got it. I’ve seen this a few times from folks, but never seen a real fix. Some people have said to adjust the xml on the WindowsVPNEstablishment setting but I've never got this to work. Check this page as it says you can modify the on the client side. https://www.petenetlive.com/KB/Article/0000546 - but I’ve not seen this work so far with the sandbox.

Otherwise this is not supported on the sandbox environment.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

tall27 · ‎06-12-2024

Ha Ha,
you show how to update a connection profile on Cisco termination device I have no access to.... it is Cisco devnetsandbox environment.

Is there a way to get attention anyone from Cisco DevNetSandbox team to see if the script that adds user to the correct group still runs as expected ?

Tal

jokearns1 · ‎06-12-2024

Hi,

I have just tested your VPN and it works fine from my MAC. I am not in an office. Just tested it from my home connection.

Do you know of any restrictions on your network?

Joe

bigevilbeard · ‎06-13-2024

Correct you need to either try and modify your local xml file for your anyconect client, as the only way to allow this is to change/update the firewall side, which is own by Cisco.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io