
Cisco AnyConnect Error

I am receiving the following error from Cisco AnyConnect:

"The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."

This is normally indicative of a captive portal being present, but there isn't one. In fact, it doesn't matter if I am connected to my work, home or mobile hotspot network. 

I can successfully establish a VPN session if I uninstall AnyConnect, browse back to the public IP of my router and download directly from the router again. But after one use I get the error again until I uninstall and install from the router again. So, it works the first time, but never again until I uninstall and re-install. 

The router is an 891.

Config below:

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login webssl local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1047369388
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1047369388
 revocation-check none
 rsakeypair TP-self-signed-1047369388
!
!
crypto pki certificate chain TP-self-signed-1047369388
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303437 33363933 3838301E 170D3134 30393233 32303438
  31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30343733
  36393338 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B9E8 BCA093B2 A132B09A 8895FA51 D0D4A692 1B622038 4A3AB1A3 900C3D7A
  114B4501 CAD8213D 8178FDC5 4B85F876 615F2D2B 78AEAADF 4B4FC547 996A13E5
  6377E555 05F86123 D434CD61 4E65160F CD9AF502 3034D2A7 75404C77 A8BE1E9E
  076CA632 06BCBA01 015678BF 5BAFC2AD 6720B42D 7CEA38CE 2AC113D1 E3070875
  B16B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14A264D4 22D8A247 53874606 96BD897A CD9528F2 58301D06
  03551D0E 04160414 A264D422 D8A24753 87460696 BD897ACD 9528F258 300D0609
  2A864886 F70D0101 05050003 818100A0 FE5563F7 29BE8A88 56B98172 CCC375D2
  87E2F7B4 7FC0726B 4981E841 4532AC03 43150456 3D184AAB 4484E8E3 E5AF3540
  BEB3C56F 36ABA026 F9CD15A2 DCFA577F 3270E0E3 9AFCAAA4 89515C0A 0970D6A2
  F2AB0D96 013C19F8 D16A5A5A BC9069A0 6A51BA76 9F1447CA 6D7CD1B8 EF552515
  47CF46C9 CE35B0F8 588B2058 1CF474
        quit
ip cef
!
!
!
!


!
!
!
!
no ip domain lookup
ip domain name xxxxx
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ183991ZQ
!
!
username xxxxx privilege 15 password 7 xxxxxx
username vpnuser secret 5 xxxxxxx
!
redundancy
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-3.1.06079-k9.pkg sequence 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 137
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 switchport access vlan 137
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address xxxxxx
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan137
 ip address xxxxxx
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool SSLPool xxxxxxxx
ip default-gateway xxxxxx
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 57 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 xxxxxx
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner exec ^C
*************************************************************
WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED
THIS DEVICE IS A PRIVATE NETWORK DEVICE. ACCESS TO THIS
DEVICE IS NOT AUTHORIZED. ANY ATTEMPT FOR UNAUTHORIZED
ACCESS WILL BE LOGGED AND APPROPRIATE LEGAL ACTION WILL
BE TAKEN.
*************************************************************
^C
banner login ^C
*************************************************************
WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED
THIS DEVICE IS A PRIVATE NETWORK DEVICE. ACCESS TO THIS
DEVICE IS NOT AUTHORIZED. ANY ATTEMPT FOR UNAUTHORIZED
ACCESS WILL BE LOGGED AND APPROPRIATE LEGAL ACTION WILL
BE TAKEN.
*************************************************************
^C
!
line con 0
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
!
!
webvpn gateway xxxxx
 ip address xxxxxx port 443
 ssl encryption rc4-md5
 ssl trustpoint TP-self-signed-1047369388
 inservice
 !
webvpn context xxxxx
 title "xxxxxx"
 !
 acl "webvpn-acl"
   permit ip xxxxx
 login-message "WebVPN Login"
 aaa authentication list webssl
 gateway xxxxxx
 max-users 10
 !
 ssl authenticate verify all
 !
 url-list "MyPages"
   url-text "xxx" url-value "xxxxx"
 inservice
 !
 policy group sslpolicy
   functions svc-enabled
   filter tunnel webvpn-acl
   svc address-pool "SSLPool" netmask 255.255.255.0
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include xxxx
   url-list "MyPages"
 default-group-policy sslpolicy
!
end

2 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

AnyConnect can falsely assume it is in a captive portal in these situations.

  • If AnyConnect attempts to contact an ASA with a certificate that contains an incorrect server name (CN), then the AnyConnect client will think it is in a captive portal environment.

    In order to prevent this issue, make sure that the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
     
  • If there is another device on the network before the ASA that responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a captive portal environment. This situation can occur when a user is on an internal network and connects through a firewall in order to connect to the ASA.

    If you must restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely blocked (also known as black-holed) in order to ensure that HTTP/HTTPS requests sent to the ASA will not return an unexpected response.
  1. AnyConnect tries an HTTPS probe to the Fully Qualified Domain Name (FQDN) defined in the XML profile.
     
  2. If there is a certificate error (not trusted/wrong FQDN), then AnyConnect tries an HTTP probe to the FQDN defined in the XML profile. If there is any other response than an HTTP 302, then it considers itself to be behind a captive portal.

Have a look at this:

CSCud17825    Captive portal incorrectly detected on anyconnect 3.1 IKEV2

Workarounds:

1) Remove http commands on that interface so that ASA will not listen to HTTP connections on the interface.
or
2) Remove SSL trustpoint on the interface
or 
3) Enable IKEV2 client-services
Eg
crypto ikev2 enable <interface> client-services
or
4) Enable webvpn on the interface.

If none of the above works, please collect support DART bundle and open a TAC for further troubleshooting.

For details:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

Regards,

Kanwal

Note: Please mark answers if they are helpful.
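The two-probe heuristic in the reply above (HTTPS with certificate validation first, then a plain-HTTP fallback where anything but a 302 is read as a captive portal) can be reproduced as a diagnostic, and the posted router config can be scanned for the two inputs that feed it: the self-signed trustpoint CN (`IOS-Self-Signed-Certificate-1047369388`, which cannot match a profile FQDN) and `ip http server`, which makes the router answer the HTTP probe. The code below is an added example, not from the thread or from Cisco; the `SAMPLE_CONFIG` is a constructed trimmed copy of the posted config, `profile_fqdn` is a hypothetical value standing in for the host name in the AnyConnect XML profile, and `probe_headend` is a live check you would run from a client toward your own headend.

```python
"""Reproduce AnyConnect's captive-portal heuristic (as described in the reply)
and scan an IOS config for the settings that trigger it. Added example."""
import re
import ssl
import http.client
from typing import Optional

# Constructed sample: the relevant lines of the posted config, placeholders kept.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-1047369388
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1047369388
ip http server
ip http secure-server
webvpn gateway xxxxx
 ip address xxxxxx port 443
 ssl trustpoint TP-self-signed-1047369388
"""


def captive_portal_assumed(https_cert_ok: bool, http_status: Optional[int]) -> bool:
    """Decision rule from the reply: a trusted HTTPS answer means no portal.
    Otherwise the client falls back to HTTP; no answer at all (black-holed,
    modelled here as None) gives it nothing to misread, while any status
    other than 302 is taken as a captive portal."""
    if https_cert_ok:
        return False
    if http_status is None:
        return False
    return http_status != 302


def scan_ios_config(config: str) -> dict:
    """Pull the settings relevant to the heuristic out of an IOS running-config."""
    cn = re.search(r"^\s*subject-name\s+cn=(\S+)", config, re.M | re.I)
    gw = re.search(r"^webvpn gateway (\S+)", config, re.M)
    tp = re.search(r"^\s*ssl trustpoint (\S+)", config, re.M)
    return {
        "cert_cn": cn.group(1) if cn else None,
        "gateway": gw.group(1) if gw else None,
        "gateway_trustpoint": tp.group(1) if tp else None,
        # 'ip http server' is the IOS counterpart of the ASA http commands in workaround 1
        "http_server": bool(re.search(r"^ip http server\s*$", config, re.M)),
        "https_server": bool(re.search(r"^ip http secure-server\s*$", config, re.M)),
    }


def findings(config: str, profile_fqdn: str) -> list:
    """Explain, per the reply, why a client pointed at profile_fqdn would fall
    into the HTTP probe and then misdetect a portal."""
    s = scan_ios_config(config)
    out = []
    if s["cert_cn"] is None or s["cert_cn"].lower() != profile_fqdn.lower():
        out.append(f"certificate CN {s['cert_cn']!r} does not match profile host "
                   f"{profile_fqdn!r}: the HTTPS probe fails and the client falls back to HTTP")
    if s["http_server"]:
        out.append("'ip http server' is enabled: the router answers the HTTP probe "
                   "with a status the client does not expect (not 302)")
    return out


def probe_headend(fqdn: str, timeout: float = 5.0):
    """Live version of the two probes against your own headend.
    Returns (https_cert_ok, http_status) for captive_portal_assumed()."""
    https_ok = False
    try:
        ctx = ssl.create_default_context()  # verifies chain and host name like the client
        conn = http.client.HTTPSConnection(fqdn, 443, timeout=timeout, context=ctx)
        try:
            conn.request("GET", "/")
            conn.getresponse()
            https_ok = True
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        pass  # includes ssl.SSLCertVerificationError
    http_status = None
    if not https_ok:
        try:
            conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
            try:
                conn.request("GET", "/")
                http_status = conn.getresponse().status
            finally:
                conn.close()
        except (OSError, http.client.HTTPException):
            http_status = None
    return https_ok, http_status


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG, "vpn.example.invalid"):  # hypothetical profile host
        print("-", line)
```

Run `captive_portal_assumed(*probe_headend("your.headend.fqdn"))` from a client that shows the error; if the HTTPS leg fails and the HTTP leg returns something other than 302, the router is behaving exactly as the reply describes, and the config scan tells you which of its settings to change (a certificate whose CN matches the profile host, and no plain `ip http server` on the outside address).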


If it's incorrectly detecting a captive portal, wouldn't it do it every time? Why would uninstalling and downloading it again make it work just once?

I also am doing this on a router and not an ASA. Could you point me to the spots in my config that would be equivalent to:

1) Remove http commands on that interface so that ASA will not listen to HTTP connections on the interface.
or
2) Remove SSL trustpoint on the interface
or 
3) Enable IKEV2 client-services
Eg
crypto ikev2 enable <interface> client-services
or
4) Enable webvpn on the interface.