07-28-2012 01:26 PM - edited 02-21-2020 06:13 PM
Hi
No doubt a well discussed topic but I have tried all sorts to try to get Anyconnect SBL working with no success.
I am running XP Pro SP3.
I can connect to my Anyconnect VPN with no problems via the FQDN once XP is up and running. However, when prompted to connect to the VPN prior to logging in I get the pretty non-descript error below.
Connection attempt failed. Please try again.
I tried removing the Anyconnect client and SBL application. I re-installed Anyconnect then re-connected and it automatically downloaded the SBL part. I then restarted my laptop.
I can see there is an attempt to connect to the ASA because I set up a capture but the attempt fails almost immediately with the error above.
I am using Anyconnect 3.0.08057 and a certificate on the ASA that is issued by a CA in my domain. I have that root certificate installed on my laptop in the Trusted Certificates Authorities store. I don't get any certificate issues during a manual VPN connection so I assume this isn't a certificate issue.
I'd appreciate any assistance anyone may have.
Thanks,
St.
07-28-2012 02:37 PM
Are you authenticating against a radius server? If so, does the request make it to the radius server and is it rejecting the authentication?
thanks,
Tarik Admani
*Please rate helpful posts*
07-28-2012 05:02 PM
Hi,
Where is the certificate installed? On the machine store?
Thanks.
Portu.
07-28-2012 06:28 PM
I am having the same issue. I am using windows 7. I can connect once logged into windows, but I can not connect using SBL.
Sent from Cisco Technical Support iPhone App
07-29-2012 07:34 AM
I am using local authentication as an initial test.
I have an Identity certificate issued by my CA installed on the ASA and the laptop has the root of that CA installed in its trusted certificates store.
The failure seems to happen after the initial SSL handshake but I've not found a log or debug yet that supplies more information as to what's happening.
St.
07-29-2012 08:10 AM
I fixed the issue with SBL by doing the following:
Try installing the certificate into the machine certificate store, not the user store.
Run mmc, add the certificate snap-in.
Choose "Computer" when prompted.
Next, Next, Finish
Trusted Root > Install
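The same thing from a command prompt, as an added example that is not part of Yosef's post: certutil writes to the machine store unless -user is given, and the PowerShell Cert: drive can then confirm which store the root CA actually ended up in. The .cer path is a placeholder; run it from an elevated prompt.

```powershell
# Added example (not from the thread): put the internal root CA into the machine
# Trusted Root store and confirm it, since SBL runs before any user profile is loaded.
# $cerPath is a placeholder for the exported root CA certificate.
$cerPath = 'C:\Temp\internal-root-ca.cer'

# certutil -addstore targets the LocalMachine store unless -user is specified.
# "Root" is the Trusted Root Certification Authorities store; -f overwrites an existing copy.
certutil -f -addstore Root $cerPath | Out-Null

# Read the thumbprint from the file so the same certificate can be looked up in each store
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$thumb = $ca.Thumbprint

$inMachine = Test-Path "Cert:\LocalMachine\Root\$thumb"
$inUser    = Test-Path "Cert:\CurrentUser\Root\$thumb"

"Root CA '$($ca.Subject)'"
"  LocalMachine\Root : $inMachine   <- the store available before logon, i.e. to SBL"
"  CurrentUser\Root  : $inUser      <- only loaded once that user has logged on"

if (-not $inMachine) {
    Write-Warning 'Root CA is not in the machine store; the pre-logon connection cannot validate the ASA certificate.'
}
```

The Test-Path lines are the useful part: a root that was imported through the certificate import wizard with the default choice lands in CurrentUser\Root, which looks fine in a logged-on session (as the first post describes) but is invisible to the pre-logon SBL connection.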
07-30-2012 02:07 PM
Many thanks Yosef. That fixed it.
Not sure the Cisco docs explain this clearly or at all.
St.
08-01-2012 01:01 PM
Yosef
I have got the SBL feature to work with Win XP but I am now trying Win 7 and at windows logon I never get offered the option to connect to the VPN.
I just log straight into Win 7 as if SBL is not enabled and then have to manually start Anyconnect which connects successfully.
Is there anything different to deploying Win 7 Anyconnect SBL? Is there any significance to the account you initially install Anyconnect and SBL under?
Thanks again, St.
Update
I have managed to get SBL working in what seems a round about way. When I start up the laptop and am presented with my username and asked for the password I click Switch User.
At that point at the bottom right corner I get the SBL icon which I click and can complete the SBL process. Is this how it should work?
Thanks, St.
08-01-2012 02:43 PM
Very good news! Glad to know Yosef helped you out (5 stars).
I actually asked for that in my previous post as well, for SBL all you need is:
1- The Gina module on the ASA (so your clients will be able to download the module and install it).
2- The SBL option enabled on the XML profile (so your clients will be able to download the profile and use it).
3- Move the certificates to the machine store.
Thanks much
Please rate any post you found useful during this discussion.
08-02-2012 12:26 AM
Thanks Javier.
To be honest it wasn't immediately obvious from your post that the machine store was a specific location in the PC and not the default location when I import a certificate. I assumed I was putting the cert in the machine store until Yosef detailed the mmc snap in process. That was my misunderstanding in what is done by default with certificates.
Regarding the Win 7 login I described above I've had a re-read of the Anyconnect Administrator guide at
It shows the same process I described above, click switch user then get the SBL button. So I should have read the notes more clearly as this does seem to be the login process for Win 7.
Thanks again, St.
08-02-2012 01:15 AM
Nothing is ever easy with this.
I seem to have anyconnect working as described above with the Switch user option displaying the SBL button.
However, I decided to reboot the test PC and see what happened on a fresh boot. When the laptop boots to the login screen I click Switch user as before. This time I get an error saying
Anyconnect cannot establish a VPN session because a device in the network, such as a proxy server or captive portal, is blocking internet access.
I've seen this type of thing before when in an internet cafe requiring a portal login before connecting but this is my home network. There are no login requirements prior to internet access and there is no proxy configured on the laptop.
Strangely if I log in without doing SBL then log out and go through the Switch user process again this time the SBL connects immediately. I can't really ask users to log in, log out then do the SBL process to get on the network.
Has anyone seen this particular problem?
Thanks, St.
08-02-2012 02:27 AM
Just out of curiosity, are you using the fqdn of the vpn headend or are you using the ip address to connect. At times the captive portal can occur if dns resolution fails and most service providers these days will redirect you to their webpage with a google search engine and message that says website unavailable. See if you can reproduce it by going to a webpage that doesn't exist and see if your service provider page pops up.
Steps to overcome this, see if you can change the preferred dns server address to google's 8.8.8.8 and 8.8.8.4 on your home dhcp scope or add a host entry on your workstation to see if you can move past this step.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-02-2012 03:18 AM
Thanks Tarik
I am using my SP DNS which does resolve the FQDN when I log in. I am using the FQDN to get to the ASA rather than IP address. The certificate on the ASA has cn= the FQDN so that's the only way I can get through without a certificate issue.
I'll try a host entry but DNS does not seem to be the issue.
Looking in the event logs one thing that stands out is an error saying HTTP_PROBE_ASYNC_ERROR_BAD_STATUS HTTPS (Host x.x.x.x; status code 403)
It's as if the client is sending a request to the head end to see if it responds on the address. I am not using the standard port 443 for Anyconnect. I am using 442. 443 forwards to an internal webmail server.
In the client profile the hostname and the FQDN look to be defined properly with :442 after the FQDN
Another peculiar thing is I changed the hostname from ABCD to the actual FQDN then defined the Address as the FQDN:442. There is no reference to ABCD in the client profile. I have also deleted the client profile and downloaded a new one. I have checked this and there is no reference to ABCD but when I initially try the SBL connection it shows ABCD as the host. It's as if it is retaining a history of this somewhere outwith the profile and I can't get rid of it.
I think a TAC case beckons.
St.
08-02-2012 07:52 AM
I have removed this manually on my anyconnect client before. If you go into the xml file settings here:
You can search through for the ABCD and manually change it using the find and replace. See if that works!
Thanks,
Tarik Admani
*Please rate helpful posts*
08-04-2012 01:14 PM
Getting very strange results in testing now.
I completely de-install Anyconnect client and SBL. I then delete all the C:\Program Data\Cisco folder and all its sub folders which is where my profile gets stored.
I then browse to the live ASA and re-install the client and SBL from there and during that process Anyconnect establishes with no problems. So then I disconnect, log out and log back in again initiating SBL this time and that works. Looks good
Finally I reboot the laptop and get what I described before. The error as if there is something blocking internet access. If I immediately log in without doing SBL and then connect all works fine.
I've set up a lab ASA to test this and prior to connecting to the lab ASA I de-install the client, SBL and the directories I mentioned above so that there is no profile data or any other related files.
When I browse to the lab ASA and re-install then try to do the SBL process again the live ASA URL appears in the connect box. Where is this info coming from if I have deleted the Cisco folder and all the sub folders?
I'm going to get my laptop onto a switch and span the switchport to see what the laptop is sending out when it tries to do SBL.
I see the following error in the logs too
Function: CNetEnvironment::logProbeFailure File: .\NetEnvironment.cpp Line: 1129 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27000820 (0xFE64000C) Description: HTTP_PROBE_ASYNC_ERROR_BAD_STATUS HTTPS (host: A.B.C.D; status code: 403)
I am using port 442 for Anyconnect. Shouldn't I see an attempt to A.B.C.D:442 above rather than just A.B.C.D?
Thanks, St.
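To see what a probe like the one in that log line actually gets back, here is an added PowerShell check that is not part of the thread: it sends a plain HTTPS GET to the headend on 443 and on 442 and reports the status code each port answers with, and it pulls the host, port (if one is logged) and status out of a NetEnvironment log line in the format quoted above. The hostname is a placeholder; the log line is a constructed copy of the one in the post.

```powershell
# Added example (not from the thread): reproduce the client's HTTPS reachability probe
# by hand and read the result out of a NetEnvironment log line. $headend is a placeholder.
$headend = 'vpn.example.com'

function Test-HeadendProbe {
    param([string]$HostName, [int]$Port)
    $uri = "https://${HostName}:${Port}/"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Uri = $uri; Status = [int]$resp.StatusCode; Note = 'answered 2xx' }
    } catch {
        # Windows PowerShell throws WebException, PowerShell 7 HttpResponseException;
        # both expose .Response when the server actually replied with an HTTP status.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $note = switch ($code) {
            403     { 'HTTP 403: some other web service answers on this port, which a reachability probe reads as a captive portal' }
            0       { "no HTTP reply: $($_.Exception.Message)" }   # DNS failure, timeout or certificate trust failure
            default { "HTTP $code" }
        }
        [pscustomobject]@{ Uri = $uri; Status = $code; Note = $note }
    }
}

function Read-ProbeFailure {
    param([string]$LogLine)
    # Matches the "HTTPS (host: A.B.C.D; status code: 403)" tail of the log message
    if ($LogLine -match 'HTTPS \(host: (?<host>[^;:\s]+)(?::(?<port>\d+))?; status code: (?<code>\d+)\)') {
        [pscustomobject]@{
            ProbeHost  = $Matches.host
            # Assumption: when the line shows no port, treat it as the HTTPS default, 443
            ProbePort  = if ($Matches.port) { [int]$Matches.port } else { 443 }
            StatusCode = [int]$Matches.code
        }
    }
}

# Constructed copy of the log line quoted in the post above
$logLine = 'Description: HTTP_PROBE_ASYNC_ERROR_BAD_STATUS HTTPS (host: A.B.C.D; status code: 403)'
Read-ProbeFailure $logLine | Format-List

# 443 is what a request to the bare hostname reaches; 442 is the AnyConnect port in this thread
443, 442 | ForEach-Object { Test-HeadendProbe -HostName $headend -Port $_ } | Format-Table -AutoSize
```

Run it from the laptop on the home network. If 443 comes back 403 (the forwarded webmail server refusing the request) while 442 answers, the two results side by side show exactly what the client saw; a "no HTTP reply" with a trust-failure message on 442 instead points back at the certificate store rather than the network.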