
anyconnect and CSD issue: Posture Assessment Failed

hi guys,

I've got a problem with anyconnect when CSD is on.

I've got a customized web portal and CSD does posture assessment. The portal is then loaded and everything works fine. I can access AnyConnect from it with no problems.

The problem occurs when I want to connect with AnyConnect but not through the portal. Of course, after the first connection AnyConnect installs itself and I should be able to connect, but when I try to do this I get "Posture Assessment Failed: missing needed arguments for prelogin".

When I turn CSD off, I can connect through AnyConnect without the portal, as suspected.

The prelogin policy is as below (I tested it in various configurations, when the computer is assigned to Company policy either as trusted and when checks fail, when it's assigned to PartiallyTrusted, etc.)

ScreenShot033.jpg

I've tested it with

1) winXP

2) win7

and there is the same result

Only turning CSD off allows me to use AnyConnect independently otherwise I need to do it through the portal.

Information about software:

csd_3.5.2008-k9.pkg

anyconnect-win-2.5.2014-k9.pkg

ASA - 8.2(3)

Before that I've encountered a problem with vault and cache cleaner on win7 (on XP it works) but it was referenced in release notes.

This time I couldn't find any bugs or other notes.

debug webvpn 200

debug webvpn svc 100 isn't helpful at all.

Is it a problem with CSD or rather a missing configuration?

any suggestions?

regards

Przemek


rahgovin
Level 4

Hi,

Could you close down the AnyConnect client after the first failure and try connecting again with CSD enabled? Does it keep failing or random failures only?

Also, collecting AnyConnect DART logs should show the failure messages when it occurs. It would be best to collect them for a failure and a successful connection and compare where it goes wrong.


Hi,

thx for reply.

Could you close down the AnyConnect client after the first failure and try connecting again with CSD enabled? Does it keep failing or random failures only?

It does not work. I turned CSD on and then ran AnyConnect from the normal desktop but the same message is displayed; from the Vault desktop I get a message similar to this:

" When in the Secure Vault, use "the launch login page button on the desktop to relaunch the client"

It does not work randomly. AnyConnect can be run only when I log in to the portal and click "Start Anyconnect" from it OR when I disable CSD in Secure Desktop Manager, then I can run AnyConnect as suspected from Program Files.

DART seems to give a lot of information, but there is a lot of it and I'm not sure what's relevant.

I've found there the same message

Date        : 01/04/2011
Time        : 15:12:32
Type        : Information
Source      : vpnui

Description : Function: ConnectIfc::getCSDStub
File: .\ConnectIfc.cpp
Line: 1336
Invoked Function: ConnectIfc::getCSDStub
Return Code: 0 (0x00000000)
Description: CSD Stub located

******************************************

Date        : 01/04/2011
Time        : 15:12:32
Type        : Warning
Source      : vpnui

Description : HostScan Error: headend did not provide a token.


******************************************

Date        : 01/04/2011
Time        : 15:12:32
Type        : Warning
Source      : vpnui

Description : HostScan Error: error getting token from peer: (https://81.yy.xx.zz)

******************************************

Date        : 01/04/2011
Time        : 15:12:32
Type        : Warning
Source      : vpnui

Description : HostScan Error: missing needed arguments for prelogin.

******************************************

Date        : 01/04/2011
Time        : 15:12:32
Type        : Error
Source      : vpnui

Description : Function: ConnectMgr::doCsdApiLaunch
File: .\ConnectMgr.cpp
Line: 5741
Invoked Function: csd_prelogin
Return Code: -1 (0xFFFFFFFF)
Description: unknown


******************************************

Date        : 01/04/2011
Time        : 15:12:32
Type        : Warning
Source      : vpnui

Description : Function: ConnectMgr::processCSDData
File: .\ConnectMgr.cpp
Line: 2276
Invoked Function: launchCSDStub
Return Code: 0 (0x00000000)
Description: returned 0 and response 9

******************************************


Date        : 01/04/2011
Time        : 15:12:32
Type        : Error
Source      : vpnui

Description : Posture assessment failed: missing needed arguments for prelogin..

Any other suggestions?

Shouldn't AnyConnect avoid this step? Or is prelogin always done?

regards

Przemek

Do you have load balancing installed for the ASAs in this scenario?


You're probably going to have to open a TAC case to get Cisco to look more into this.

Basically you're not getting a token from the headend which is used to generate a ticket that is attached to the hostscan data sent to the ASA. If the hostscan process doesn't have a token/ticket, it can't even send the data to the ASA for prelogin assessment.

--Jason
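
Added example (not posted by anyone in this thread, and not Cisco tooling): a small Python parser for the DART text layout quoted earlier in the thread. It returns the first warning or error in the sequence, any invoked function with a non-zero return code, and the messages that appear only in a failing run, which is the failure-versus-success comparison suggested in the first reply. The sample is constructed and abridged from the entries quoted above; all function names are hypothetical.

```python
import re

SEP = re.compile(r"^\*{10,}\s*$", re.M)  # row of asterisks between entries
FIELD = re.compile(r"^(Date|Time|Type|Source|Description)\s+: ?(.*)$")
RC = re.compile(r"Invoked Function: (\S+)\s+Return Code: (-?\d+)")

def parse_dart(text):
    """Split the log into dicts; unlabelled lines are folded into Description."""
    entries = []
    for block in SEP.split(text):
        entry, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                entry[last] = m.group(2).strip()
            elif line.strip() and last == "Description":
                entry[last] += "\n" + line.strip()
        if "Type" in entry and entry.get("Description"):
            entries.append(entry)
    return entries

def triage(entries):
    """Return (first Warning/Error message, [(function, code)] with non-zero codes)."""
    bad = [e for e in entries if e["Type"] in ("Warning", "Error")]
    first = bad[0]["Description"].splitlines()[0] if bad else None
    failed = [(m.group(1), int(m.group(2))) for e in entries
              for m in RC.finditer(e["Description"]) if int(m.group(2)) != 0]
    return first, failed

def only_in_failure(failed_run, good_run):
    """Messages (first Description line) present in the failing log but not the good one."""
    seen = {e["Description"].splitlines()[0] for e in good_run}
    heads = (e["Description"].splitlines()[0] for e in failed_run)
    return [h for h in heads if h not in seen]

def _entry(kind, desc):  # builds one constructed sample entry in the thread's layout
    return ("Date        : 01/04/2011\nTime        : 15:12:32\n"
            f"Type        : {kind}\nSource      : vpnui\n\nDescription : {desc}\n")

# Constructed sample, abridged from the entries quoted in the thread.
SAMPLE = ("\n" + "*" * 42 + "\n\n").join([
    _entry("Information", "Function: ConnectIfc::getCSDStub\nInvoked Function: "
           "ConnectIfc::getCSDStub\nReturn Code: 0 (0x00000000)\nDescription: CSD Stub located"),
    _entry("Warning", "HostScan Error: headend did not provide a token."),
    _entry("Error", "Function: ConnectMgr::doCsdApiLaunch\nInvoked Function: "
           "csd_prelogin\nReturn Code: -1 (0xFFFFFFFF)\nDescription: unknown"),
])

if __name__ == "__main__":
    print(triage(parse_dart(SAMPLE)))
```

On the sample, the first failing step is the missing token warning and the only non-zero return code is from `csd_prelogin`, matching the order of events in the quoted log.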

No, there is no load balancing.

I'm just wondering why AnyConnect can connect from the portal.

Nevertheless, thx for the advice about TAC.

regards

Did you get an answer to this issue? I just ran across a user who was getting the error "Posture Assessment Failed: missing needed arguments for prelogin"

hi,

It was a long time ago, but actually, no. I didn't have time for further testing, but I think I must try again, especially when a new version of AnyConnect is available.

regards

Przemek