07-18-2019 04:31 AM - edited 02-21-2020 09:42 PM
I am using the Cisco AnyConnect client on my Windows 10 PC "anyconnect-win-4.7.03052-predeploy-k9" and it works great connecting to my newly deployed ISR4331. When I install the same software and the same XML profile on my other Windows 10 PC I get the error "The VPN client failed to establish a connection". I'm not sure why it isn't working. I thought I could just install the AnyConnect software and XML profile and run it on any PC using the same username and pw. I installed it on my Chromebook and it works fine. I really need to resolve this. We are cutting over from old Cisco EOL/EOS hardware to new Cisco ISR4431/ISR4321 devices and if I can't get the Cisco AnyConnect working on each user's Windows PC then we can cut over to the new Cisco gear.
I ran a debug on the ISR4331 and this is what I'm seeing right when I get the message "The VPN client failed to establish a connection" on the Windows PC. What else can I do to debug this problem? I opened up a Cisco support ticket but still waiting for an engineer to help out.
Initiator SPI : 7A37218C3D321F83 - Responder SPI : DA77FA3C78414594 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
*Jul 16 15:47:04.666 EDT: IKEv2-PAK:(SESSION ID = 153,SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 6, length: 96
Payload contents:
DELETE Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, num of spi: 0
NOTIFY(DELETE_REASON) Next payload: NONE, reserved: 0x0, length: 16
Security protocol id: IKE, spi size: 0, type: DELETE_REASON
*Jul 16 15:47:04.667 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Building packet for encryption.
*Jul 16 15:47:04.668 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Sending Packet [To x.x.x.x:61679/From x.x.x.x:4500/VRF i0:f0]
Initiator SPI : 7A37218C3D321F83 - Responder SPI : DA77FA3C78414594 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
*Jul 16 15:47:04.669 EDT: IKEv2-PAK:(SESSION ID = 153,SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 6, length: 80
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 52
*Jul 16 15:47:04.669 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Process delete request from peer
*Jul 16 15:47:04.669 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x7A37218C3D321F83 RSPI: 0xDA77FA3C78414594]
*Jul 16 15:47:04.670 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Check for existing active SA
*Jul 16 15:47:04.670 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Delete all IKE SAs
*Jul 16 15:47:04.670 EDT: IKEv2:(SESSION ID = 153,SA ID = 2):Deleting SA
*Jul 16 15:47:04.670 EDT: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007F6BD7F731F8
*Jul 16 15:47:04.671 EDT: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer x.x.x.x Id: ConnectMe
*Jul 16 15:47:04.677 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
corebv#
*Jul 16 15:47:04.678 EDT: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
corebv#
07-18-2019 04:44 AM
07-18-2019 05:05 AM
How do I determine if it trusts the identity certificate in use by the router? Yes. The XML is set for
<BypassDownloader>true</BypassDownloader>
07-18-2019 05:21 AM
07-18-2019 05:33 AM
Yes, it is fine. This works on my Windows PC and my Chromebook just fine. I'm thinking it's something on the other Windows PCs that is stopping it from working.
GW
07-18-2019 06:07 AM
Solved. I reinstalled and it's working now. Why? No clue.