09-15-2022 02:03 AM
Hi All,
I am having issues connecting to Cisco AnyConnect in a lab environment, getting TLS failures. My config, license and error logs are given below. I have configured one of the interfaces as outside and enabled webvpn there. Tried using both a web browser as well as the AnyConnect client, getting the same error message. Hardware used is FPR2110 with ASA image 9.16.
webvpn
anyconnect image flash:/anyconnect-win-4.10.05095-webdeploy-k9.pkg
enable outside
anyconnect enable
sysopt connection permit-vpn
http redirect OUTSIDE 80
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 8.8.8.8
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
anyconnect dpd-interval client 30
exit
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit
tunnel-group MY_TUNNEL webvpn-attributes
group-alias SSL_USERS enable
webvpn
tunnel-group-list enable
==================================================================
Error logs are given below
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3: Received Handshake record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending SSL/TLS Header record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending Alert record to remote client
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3: Received SSL/TLS Header record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3: Received Handshake record from remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2: Sending SSL/TLS Header record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2: Sending Alert record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2 State:error
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.2 State:error
===========================================================================
License details are given below
FPR-ASA-1(config)# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 1500 : 1500 : NONE
Other VPN (Available by Default) : ENABLED : 1500 : 1500 : NONE
AnyConnect for Mobile : ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : ENABLED
VPN-3DES-AES : DISABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
All : Peak : Eff. :
In Use : In Use : Limit : Usage
---------------------------------
AnyConnect Premium : : 0 : 0 : 1500 : 0%
Other VPN : : 0 : 0 : 1500 : 0%
---------------------------------------------------------------------------
09-15-2022 02:11 AM
@abideen.shaikh it looks like you do not have the 3DES/AES license, you will need this to connect using SSL/TLS.
VPN-3DES-AES : DISABLED
You can go to the smart licensing portal and download this 3DES/AES license for free and install on the firewall.
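Added example, not part of any post in this thread: a short Python check that ties the two pieces of evidence above together, finding client connections where the ASA answered the client's Handshake record with an Alert and ended in `State:error`, then checking whether the license summary shows `VPN-3DES-AES : DISABLED`. The function names are hypothetical and the sample input is constructed in the format of the posted output.

```python
import re
from collections import defaultdict

# Constructed sample input, in the format of the output posted in this thread.
DEBUG_LOG = """\
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3 State:before SSL initialization
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.3: Received Handshake record from remote client
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2: Sending Alert record to remote client
SSL STATE - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51236 TLSv1.2 State:error
SSL PKT - Srvr:192.168.71.10/443 Clnt:192.168.71.11/51237 TLSv1.3: Received Handshake record from remote client
"""
LICENSE_SUMMARY = "VPN-3DES-AES : DISABLED\nVPN-DES : ENABLED\n"

# Both STATE and PKT lines carry the client endpoint, a TLS version, then a message.
LINE = re.compile(r"SSL (?:STATE|PKT) - Srvr:\S+ Clnt:(?P<client>\S+) "
                  r"TLSv[\d.]+:? (?P<msg>.+)")

def failed_handshakes(log):
    """Return client endpoints whose Handshake record was answered with an
    Alert and whose connection reached State:error."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            events[m["client"]].append(m["msg"])
    failed = []
    for client, msgs in events.items():
        hello = any(x.startswith("Received Handshake") for x in msgs)
        alert = any(x.startswith("Sending Alert") for x in msgs)
        if hello and alert and "State:error" in msgs:
            failed.append(client)
    return failed

def strong_crypto_disabled(summary):
    """True when the license summary lists VPN-3DES-AES as DISABLED."""
    m = re.search(r"^\s*VPN-3DES-AES\s*:\s*(\w+)", summary, re.M)
    return bool(m) and m.group(1).upper() == "DISABLED"

def diagnose(log, summary):
    """Correlate failed handshakes with the strong-encryption license state."""
    failed = failed_handshakes(log)
    if failed and strong_crypto_disabled(summary):
        return "handshake alerts with VPN-3DES-AES disabled", failed
    if failed:
        return "handshake alerts, VPN-3DES-AES not shown as disabled", failed
    return "no failed handshakes", failed

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, LICENSE_SUMMARY))
```
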
09-15-2022 02:29 AM
Thanks Rob, I'll give it a try and update.
09-25-2022 10:37 PM
1. Repair the installation
In the Windows Search bar, type Control and open Control Panel.
Click Uninstall a program in the bottom left corner.
Click on the Cisco System VPN client and choose Repair.
Follow the instructions until the installation is repaired.
Let’s start by repairing the installation. Lots of third-party applications tend to break after a major update is administered. That’s why it is always recommended to reinstall them after the update is installed.
Even better, if you want to avoid one of the numerous update/upgrade errors, uninstalling is a viable choice.
However, if you’ve not uninstalled Cisco VPN prior to an update, instead of reinstallation, you should try out repairing the present installation first.
If you’re not sure how to repair the Cisco VPN, follow the steps we provided above.
2. Allow VPN to freely communicate through Firewall
In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall.
Click Change settings.
Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall.
If that’s not the case, click Allow another app and add it.
Check both Private and Public network boxes.
Confirm changes and open the Cisco VPN.
System updates can, quite frequently, change the system settings and preferences to default values. This misdeed, of course, can affect Windows Defender settings as well.
If that’s the case, chances are that lots of third-party apps that require free traffic through the Firewall won’t work. Including the Cisco VPN client.
That’s why we encourage you to check the settings and confirm that the app is indeed allowed in Windows Firewall settings.
3. Tweak the Registry
Right-click on the Start button and open Device Manager.
Expand Network adapters.
Right-click on Virtual Adapter and update it.
Restart your PC.
Like many other integrating VPN solutions, Cisco VPN comes with the specific associated Virtual Network Adapter. The failure of this device is another common occurrence, and it’s accompanied by the error code 442.
The first thing you can do if this error occurs is checking the Virtual Adapter driver in the Device Manager.
Now, if that fails to resolve the issue, you can try a Registry tweak which seems to address it fully. This requires administrative permission, in order to make changes to Registry.
Furthermore, we strongly suggest treading carefully since untaught meddling with Registry can result in a system failure.
Follow these steps to tweak Registry and repair Cisco VPN:
Type Regedit in the Windows Search bar and open Registry Editor.
Copy-paste the following path in the address bar:
HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtA
Right-click on the DisplayName registry entry and choose Modify.
Under the Value Data section, make sure that the only body of text which stands is the Cisco Systems VPN Adapter.
For the 64bit version, the text is the Cisco Systems VPN Adapter for 64-bit Windows.
Save changes and try running Cisco VPN again.
Regards,
Rachel Gomez