Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About ccubeman
08-15-2019
Stats
Member since
11-04-2014
23
Posts
15
Helpful
2
Solutions
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
05-06-2019
05:03 AM
05-06-2019
05:03 AM
If possible, I would try lowering the MTU on your wireless interface. It is likely the default of 1500. Trying lowering (requires admin access) to 1460.
... View more
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
04-23-2019
05:44 AM
04-23-2019
05:44 AM
Try the 4.7 clients. See if those show the same error. If so, then a DART log is necessary. If you dont have DART, as root you can run: log show --predicate 'subsystem contains "com.cisco.anyconnect.vpn"' --debug --info --last 2d > log.txt The resulting log.txt will have data on the error.
... View more
04-17-2019
09:30 AM
With the DAP you can place an ACL on their traffic, which would get you the restrictions you're after -- If I'm fully understanding your requirements. The problem is, it requires an on-demand request from the user for access. Something like: "This is Joe, please place me in the 'restrictedaccess_disablealwayson' AD group". Then: "This is Joe, please remove me from the 'restrictedaccess_disablealwayson' AD group". I'd be interested to hear any other ideas. I'm open to alternatives myself.
... View more
04-17-2019
07:48 AM
Ahh... I see. Always-on is simplistic, it's either enabled or disabled. There's no white-listing of networks (I wish there were). The solution we use involves adding the user to an AD group so that the DAP turns off always-on for that user. You would need to add the user when access should be restricted and always-on disabled. And remove them when their work is complete. No extra licensing is required to use DAP. I do believe you need the posture module, but the module can be pushed to the machine when the user logs in. No admin access is required. It may work without the posture module, but you would need to test. In any case, there is no extra cost or license for this solution.
... View more
04-17-2019
06:22 AM
We do this very thing by using DAP. You need a DAP that will look at AD groups (or ldap). The DAP will be selected based on AD group, and within the DAP policy, always-on can be disabled. Then create an ACL for the DAP to restrict access. See screenshots.
... View more
02-23-2019
06:12 PM
Can confirm. No mtu value will resolve the ‘large packet’ message with 9.10.1.7 and client 4.7.00136.
... View more
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
01-08-2019
09:39 AM
01-08-2019
09:39 AM
Alrighty, thanks for the quick reply.
... View more
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
01-08-2019
09:37 AM
01-08-2019
09:37 AM
Is there a TAC case for this. If so, has TAC filed a defect?
... View more
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
12-11-2018
05:48 AM
12-11-2018
05:48 AM
Configuration details start on page 125 at: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7.pdf
Works pretty well. It only uses machine certificates, so no LDAP/radius/local/client cert auth.
... View more
11-05-2018
07:14 AM
A general question for this community as I troubleshoot connection behavior...
I'm observing it takes 15-20 seconds for AnyConnect to resume an IKEv2 connection when there is an interface change. This interval occurs regardless of whether AnyConnect is actively using the interface.
This interval seems unusually long. I see competitor VPN clients reconnecting nearly instantly (measured in ms) despite interface changes.
Has anyone in this community seen this long interval for IKEv2 (no TLS or DTLS in use) connections. And is there a way to speed up the reconnection interval? We are using running a mix of 21XX devices with 9.9.2.25 and client 4.6.02074.
... View more
Labels:
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
07-24-2018
05:39 AM
07-24-2018
05:39 AM
This problem was a direct result of CSCvi49604. Fixed by reverting to hostscan 4.6.00362.
... View more
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
07-06-2018
04:36 AM
07-06-2018
04:36 AM
I'm having a perplexing problem with certificate/AAA authentication on High Sierra. AnyConnect chooses the correct certificate, but appears to have problem accessing the private key. Sometimes. If I delete the ~/.anyconnect file and force quit AnyConnect, I am able to connect with certificate. If I then connect to a non-certificate connection, then reconnect to a certificate connection, I get certificate validation failures. If I debug the connection on the head-end, when the failures occur, I never see the user certificate come into the ASA. The device certificate is presented as normal. When it works, i see the user certificate presented to the ASA. This tells me the AnyConnect/High Sierra combo is not getting past validating the key. I will note, this is not a certificate selection issue. I do have <CertificateMatch> configured in the relevant profile. Dart logs show the correct certificate is chosen, then it all goes downhill. I have a case with Tac, and we'll see how that goes. Here is the relevent snippet from the dart log showing the failure progression: 2018-07-05 08:43:07.371657-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com , OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User (this is the correct certificate) 2018-07-05 08:43:07.374003-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300) 2018-07-05 08:43:07.381280-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: GetCertThumbprintFailureResponse File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 1333 Invoked Function: UserAuthenticationTlv::getStatusCode Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE 2018-07-05 08:43:07.381473-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE 2018-07-05 08:43:07.382383-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn’t be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED) 2018-07-05 08:43:07.382387-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED 2018-07-05 08:43:07.382390-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED 2018-07-05 08:43:07.382392-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED 2018-07-05 08:43:07.382564-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED 2018-07-05 08:43:07.394964-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth) 2018-07-05 08:43:07.395350-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE 2018-07-05 08:43:07.395356-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getAggAuthCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE 2018-07-05 08:43:07.404455-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
... View more
Labels:
Created by
ccubeman
in VPN and AnyConnect
in VPN and AnyConnect
06-14-2018
07:52 AM
06-14-2018
07:52 AM
Yes it is. ASA runs as a logical device on top of FXOS. It can only be installed or updated within the FXOS layer and not as a standalone application, unlike the 55XX devices. We run ASA on 2140's and 2110's in production, and it runs very well.
... View more
05-06-2019
If possible, I would try lowering the MTU on your wireless interface. It
is likely the default of 15...
04-23-2019
Try the 4.7 clients. See if those show the same error. If so, then a
DART log is necessary.If you do...
04-17-2019
With the DAP you can place an ACL on their traffic, which would get you
the restrictions you're afte...
04-17-2019
Ahh... I see.Always-on is simplistic, it's either enabled or disabled.
There's no white-listing of n...
04-17-2019
We do this very thing by using DAP. You need a DAP that will look at AD
groups (or ldap). The DAP wi...
02-23-2019
Can confirm. No mtu value will resolve the ‘large packet’ message with
9.10.1.7 and client 4.7.00136...
12-11-2018
Configuration details start on page 125 at:
https://www.cisco.com/c/en/us/td/docs/security/vpn_clien...
11-05-2018
A general question for this community as I troubleshoot connection
behavior... I'm observing it take...
Created by
ccubeman
in Collaboration Applications
08-21-2018
08-21-2018
The Cisco Directory Connector (DC) only manages Webex Teams. However, if
your Webex conferencing pie...
08-21-2018
Has anyone here successfully enabled Cisco Directory Connector (DC)
avatar syncing where the avatar ...
07-24-2018
This problem was a direct result of CSCvi49604. Fixed by reverting to
hostscan 4.6.00362.
07-06-2018
I'm having a perplexing problem with certificate/AAA authentication on
High Sierra. AnyConnect choos...
Created by
ccubeman
in VPN and AnyConnect
06-14-2018
06-14-2018
Yes it is. ASA runs as a logical device on top of FXOS. It can only be
installed or updated within t...
Public Statistics
| Date Registered | 11-04-2014 03:43 AM |
| Date Last Visited | 08-15-2019 11:36 PM |
| Total Messages Posted | 23 |
| Total Helpful Votes Received | 15 |
