cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1570
Views
0
Helpful
7
Replies

Duo Desktop not recognized

Sh2024
Level 1
Level 1

Hello, 

I am using Cisco Anyconnect to connect to VPN. 

The system is using Duo Desktop for device health. It is already installed, running and all the checks are ok. 

However, I am getting this error message and not able to proceed:

 

Install Duo Desktop
Your organization requires you to install Duo Desktop before logging in.

If I quit the Duo Desktop and start the VPN client, I am asked to download the app or start it. 

If I click Open the app, it starts Duo Desktop, which in turn performs the device health checks and in the end still the same error message. 

I am attaching the error and the Duo Desktop checks.

I doubt there might be something with browsers which it is using in the background but I am not sure. 

 

Environment:

OS: Windows 10 PRO

AnyConnect VPN: 5.0.00556

Duo Desktop: 6.6.0

 

 

 

Any idea how to troubleshoot or solve?

 

Thanks 

 

 

 

7 Replies 7

DuoKristina
Cisco Employee
Cisco Employee

Have you enabled the option to use the system browser on your ASA 9.17+ or FTD 7.1.0+ device? https://help.duo.com/s/article/7471 

Duo, not DUO.

Hello @DuoKristina ,

Thank you for your suggestion. 

Unfortunately that is not the case. 

- This is working on other Clients. (It even worked on this one before).

- The Client is recent and not old one. 

Looking at the info in the link and also what I read around I thought there might be any issue with Internet Explorer (although the default browser is Edge). I even removed Internet Explorer from the PC and the situation is the same. 

I do not know what else to check. 

DuoKristina
Cisco Employee
Cisco Employee

I suggest you collect Duo Desktop debug information from the client with the issue and contact Duo Support.

https://help.duo.com/s/article/5343?language=en_US

Duo, not DUO.

Hello @DuoKristina ,

Thanks a lot for the support. After getting detailed debug info, I see that there are some network (port) issues. 

I am attaching the logs. In the end it is not able to find an unused port (although the ports are not used). 

2024-04-25 12:23:04.3248|ERROR|DuoDeviceHealth.App|Error starting HttpsServer|System.Exception Cannot find an unused port in the specified range

 

I guess there is an issue with this PC network or some service but still not able to find any solution...

 

 

 

 

Sh2024
Level 1
Level 1

Hello @DuoKristina ,

I was looking into this forum post for similar issue. 

https://community.cisco.com/t5/policy-access-control/duo-device-health-port-allocation-fails-silently/m-p/4877344#M49

The issue is that I do not have any issue with the port when I try to bind another service in the port. (Independent of Windows NAT driver).

C:\WINDOWS\system32>netsh int ip show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     50000       50059     *

* - Administered port exclusions.


C:\WINDOWS\system32>python -m http.server 53101
Serving HTTP on :: port 53101 (http://[::]:53101/) ...

Keyboard interrupt received, exiting.

C:\WINDOWS\system32>

As you can see, I can create a service using http.server from python, but Duo is not able to do so. 

Quite puzzled...

 

 

 

 

DuoKristina
Cisco Employee
Cisco Employee

As you observed, Duo Desktop tries to start a local web listener on ports 53100 to 53111 or 63100-63101. On your PC the ports in those ranges appear to be in use. Does that PC have Docker or some other virtualization service that might have reserved those ports? Might the Windows firewall or some other firewall or security software you have running be blocking use of those ports?

A command you can use to see if the ports in those ranges have been reserved by another service is:

netsh int ipv4 show excludedportrange protocol=tcp

A command that will shows you Windows firewall rules is

netsh advfirewall firewall show rule all

If this doesn't help you figure it out please contact Duo Support. https://duo.com/support (I'm not in Support).

Duo, not DUO.

Hello @DuoKristina ,

 

Thank you for your answer.

As I said before, I do not have any service on that port. 

Moreover, I can use the port if I try to (the python command). 

Regaridng the firewall, Duo is allowed in the firewall. That's anything related. 

Yes, I have virtualization and I tried uninsatalling it (Docker, WSL) it still does not work. 

Please find below the command regaridng the reserved port ranges:

C:\Users\user>netsh int ip show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     50000       50059     *

* - Administered port exclusions.

If I try to start something in port 53100, I am able to without any problem. 

C:\Users\user>python -m http.server 53100
Serving HTTP on :: port 53100 (http://[::]:53100/) ...
::1 - - [25/Apr/2024 15:13:48] "GET / HTTP/1.1" 200 -

 

Quick Links