cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
149163
Views
10
Helpful
13
Replies

Cisco AnyConnect kept getting a “ log in denied. Your environment does not meet the access criteria defined by your administrator”

JoseEnriquez
Level 1
Level 1

Cisco AnyConnect kept getting a “ log in denied. Your environment does not meet the access criteria defined by your administrator” Windows 7 32 or 64 bit

I will appreciate your assistance on this. Any info found on google.com doesn't help me. Please assist.

13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

That message is usually caused by a Dynamic Access Policy (DAP) check being configured on the ASA that terminates the VPN having a policy whose criteria your client does not meet. Have you checked the ASA configuration (or asked the admin to do so) to see what policies it is enforcing?

It can also in some cases be caused by a bug in DAP, depending on the version of ASA software. In that case it would affect all AnyConnect users.

Hello Marvin,

 

I had similar kind of issue reported. I do not have DAP with Network ACL being blocked for the reported Users, however i still have few users reporting this kind of issue. While the others are working good. Do you still see this as DAP issue ??

 

 

Rajtilak,

We'd have to take a look at your configuration to say for sure. Can you share a sanitized version?

Marvin

Thanks i couldnt reply in time. My issue has been resolved. The problem was host scan image. User was not using the desired version. However i did not find that in that log.

 

Hi, All

I'm currently having a similar problem:

1) Using AnyConnect I connect to my office network from home (ISP=Bell, WIFI router).

2) Using my office laptop (Win 7, McAfee A.V. corporate) all works well.

3) Using my home laptop (Win 10 home, McAfee A.V. from Bell) all worked well until 2 weeks ago.

4) Using my home laptop (no visible changes) no longer working with the message:

Cisco AnyConnect. Login denied. Your VPN is terminated because either your PC does not meet the security requirements, or your Anyconnect profile is not setup correctly.

I understand that something must have changed somewhere - problem is: how do find what changed and then how to fix it?

It's not always practical/possible to carry the office laptop and I often need to be able to work from home.

Any help would be greatly appreciated.

Gene Kouras

Can you check with the admin of your office ASA and see if they have a DAP setup? That's the most likely cause of what you're seeing.

Hi, Marvin. Thanks for looking into it.

The problem is that it's impossible to find out in the office - who actually is the admin - you know with all the outsourcing.

So I was hoping that I can diagnose it from my end and find some log - so I can fix my settings by myself.

Unfortunately if it is DAP that's causing the problem, the client cannot see why on their own.

That's by design - if we exposed exactly what the ASA policy wanted to the end user then they could do an end run around the security policy by spoofing the desired result.

Even with a DART diagnostics log, you only see things like the following:

Line: 7921
Performing CSD prelogin verification.
Line: 7925
CSD prelogin verification finished with return code 0

OK, understood. I'll try to reach out to whoever administers this functionality.

Thanks for you quick response.

Gene

Kudos to Martin ^^ Stung me this week

Pete

Thanks. you nailed the problem i encountered today. the problem was with DAP and was able to fix it little time.

Hello Josue,

 

This is happening because as Marvin says you have a DAP policy applied, and if you don,t any DAP configured, go ahead and check if you have the "DfltAccessPolicy" terminating the connections.

 

Go ahead and attach the following:

-  sh run dynamic-access-policy-record

- debug menu dap 2

- debug dap trace

- debug dap error

- Show version

 

Regards,

 

David Castro,

 

We ran into the same issue. we tried all that is mentioned in the thread but no luck.

 

Below is the logs from the ASDM:

 

4

Oct 31 2018

22:13:15

717037

       

Tunnel group search using certificate maps failed for peer certificate: serial number: 1500000DE24156085FB83864F8000000000DE2, subject name: e=xxxx@yyy.com,cn=xxxx\, xxxx,ou=Users,ou=Accounts,ou=yyyy,dc=yyy,dc=int, issuer_name: cn=yyy-SSCA01A-CA,dc=yyy,dc=int.

 

 

Explanation:

 

%ASA-4-717037: Tunnel group search using certificate maps failed for

peer certificate: certificate_identifier.

The peer certificate identified by the certificate identifier was processed through the configured certificate maps to attempt a possible tunnel group match, but no match can be found.

  • certificate_identifier—Information that identifies the certificate being processed by the certificate map rules

Recommended action:

Make sure that the warning is expected based on the received peer certificate and the configured crypto CA certificate map rules.

 

Solution:

 

The Kaspersky antivirus was blocking the certificate. Antivirus team did some changes and issue is fixed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: