Cisco AnyConnect keeps getting a “Login denied. Your environment does not meet the access criteria defined by your administrator” on Windows 7 32 or 64 bit
I will appreciate your assistance on this. Any info found on google.com doesn't help me. Please assist.
That message is usually caused by a Dynamic Access Policy (DAP) check being configured on the ASA that terminates the VPN having a policy whose criteria your client does not meet. Have you checked the ASA configuration (or asked the admin to do so) to see what policies it is enforcing?
It can also in some cases be caused by a bug in DAP, depending on the version of ASA software. In that case it would affect all AnyConnect users.
I had a similar kind of issue reported. I do not have DAP with a Network ACL being blocked for the reported users; however, I still have a few users reporting this kind of issue, while the others are working fine. Do you still see this as a DAP issue?
Thanks, I couldn't reply in time. My issue has been resolved. The problem was the HostScan image: the user was not using the desired version. However, I did not find that in that log.
I'm currently having a similar problem:
1) Using AnyConnect I connect to my office network from home (ISP=Bell, WIFI router).
2) Using my office laptop (Win 7, McAfee A.V. corporate) all works well.
3) Using my home laptop (Win 10 home, McAfee A.V. from Bell) all worked well until 2 weeks ago.
4) Using my home laptop (no visible changes) no longer working with the message:
Cisco AnyConnect. Login denied. Your VPN is terminated because either your PC does not meet the security requirements, or your AnyConnect profile is not set up correctly.
I understand that something must have changed somewhere. The problem is: how do I find what changed, and then how do I fix it?
It's not always practical/possible to carry the office laptop and I often need to be able to work from home.
Any help would be greatly appreciated.
Can you check with the admin of your office ASA and see if they have a DAP setup? That's the most likely cause of what you're seeing.
Hi, Marvin. Thanks for looking into it.
The problem is that it's impossible to find out in the office - who actually is the admin - you know with all the outsourcing.
So I was hoping that I can diagnose it from my end and find some log - so I can fix my settings by myself.
Unfortunately if it is DAP that's causing the problem, the client cannot see why on their own.
That's by design - if we exposed exactly what the ASA policy wanted to the end user then they could do an end run around the security policy by spoofing the desired result.
Even with a DART diagnostics log, you only see things like the following:
Performing CSD prelogin verification.
CSD prelogin verification finished with return code 0
This is happening because, as Marvin says, you have a DAP policy applied. If you don't have any DAP configured, go ahead and check whether the "DfltAccessPolicy" is terminating the connections.
Go ahead and attach the following:
- sh run dynamic-access-policy-record
- debug menu dap 2
- debug dap trace
- debug dap error
- show version
We ran into the same issue. We tried all that is mentioned in the thread, but no luck.
Below are the logs from the ASDM:
Oct 31 2018
Tunnel group search using certificate maps failed for peer certificate: serial number: 1500000DE24156085FB83864F8000000000DE2, subject name: firstname.lastname@example.org,cn=xxxx\, xxxx,ou=Users,ou=Accounts,ou=yyyy,dc=yyy,dc=int, issuer_name: cn=yyy-SSCA01A-CA,dc=yyy,dc=int.
%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: certificate_identifier.
The peer certificate identified by the certificate identifier was processed through the configured certificate maps to attempt a possible tunnel group match, but no match can be found.
Make sure that the warning is expected based on the received peer certificate and the configured crypto CA certificate map rules.
The Kaspersky antivirus was blocking the certificate. Antivirus team did some changes and issue is fixed.
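The %ASA-4-717037 message quoted above already carries the peer certificate's serial, subject DN and issuer DN, which is exactly what you need to check against the ASA's crypto CA certificate map rules. The following script is an added example, not code from the thread or from Cisco: it parses that syslog line (handling the backslash-escaped comma inside the cn), then replays the certificate against a small set of map rules written as tuples so you can see which rule prevents a tunnel-group match. The sample log lines are constructed from the one posted here (the `e=` attribute is a placeholder), and the rule semantics are a simplified, assumed model of ASA behaviour: every rule in a map must hold, comparisons are case-insensitive, and a multi-valued attribute such as `ou` satisfies a rule if any of its values does.

```python
"""Parse %ASA-4-717037 syslog lines and replay the peer certificate against
crypto ca certificate-map rules.  Added example; not the thread's or Cisco's code.
Rule semantics (all rules in a map must hold; eq/ne/co/nc are case-insensitive;
multi-valued attributes match if any value satisfies the rule) are an assumed,
simplified model of the ASA.
"""
import re

# Constructed sample log lines modelled on the message quoted in the thread.
SAMPLE_LOGS = [
    "%ASA-4-717037: Tunnel group search using certificate maps failed for peer "
    "certificate: serial number: 1500000DE24156085FB83864F8000000000DE2, "
    "subject name: e=firstname.lastname@example.org,cn=xxxx\\, xxxx,ou=Users,"
    "ou=Accounts,ou=yyyy,dc=yyy,dc=int, issuer_name: cn=yyy-SSCA01A-CA,dc=yyy,dc=int.",
    "%ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.7/52110",
]

MSG_717037 = re.compile(
    r"%ASA-4-717037: Tunnel group search using certificate maps failed for peer "
    r"certificate: serial number: (?P<serial>[0-9A-Fa-f]+), "
    r"subject name: (?P<subject>.*?), issuer_name: (?P<issuer>.*?)\.?$"
)

# Hypothetical certificate map, written as (field, attribute, operator, value)
# tuples in the spirit of "subject-name attr ou eq Employees".
CERT_MAPS = {
    "CORP-USERS": [("subject-name", "ou", "eq", "Employees"),
                   ("issuer-name", "cn", "co", "SSCA01A")],
}


def split_dn(dn):
    """Split a DN string into (attr, value) pairs.  A backslash escapes the next
    character, so 'cn=xxxx\\, xxxx' stays a single RDN instead of two."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if attr:
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_717037(line):
    """Return {'serial', 'subject', 'issuer'} for a 717037 line, else None."""
    m = MSG_717037.search(line)
    if not m:
        return None
    return {"serial": m["serial"].upper(),
            "subject": split_dn(m["subject"]),
            "issuer": split_dn(m["issuer"])}


def rule_holds(cert, rule):
    """Evaluate one (field, attr, op, value) rule against the parsed certificate."""
    field, attr, op, want = rule
    dn = cert[field.split("-")[0]]          # 'subject-name' -> cert['subject']
    values = [v.lower() for a, v in dn if a == attr.lower()]
    want = want.lower()
    if op == "eq":
        return want in values
    if op == "ne":
        return want not in values
    if op == "co":
        return any(want in v for v in values)
    if op == "nc":
        return not any(want in v for v in values)
    raise ValueError("unknown operator %r" % op)


def diagnose(line, cert_maps):
    """For a 717037 line, report the first map that matches (or None) and the
    rules that failed in every map that did not.  Other lines return None."""
    cert = parse_717037(line)
    if cert is None:
        return None
    failed = {}
    for name, rules in cert_maps.items():
        misses = [r for r in rules if not rule_holds(cert, r)]
        if not misses:
            return {"serial": cert["serial"], "matched": name, "failed": {}}
        failed[name] = misses
    return {"serial": cert["serial"], "matched": None, "failed": failed}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(diagnose(log, CERT_MAPS))
```

Run it against a pasted syslog export and the output tells you which map rule the client certificate misses; in the thread's case the fix was on the client side, but the same replay would show a map that never matches any issued certificate, which is the "warning is expected" check the message text asks for.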