Cisco AnyConnect on Windows Server 2016

AOertel · ‎05-04-2023

Hello Community,

we are forced by a supplier to start using Cisco AnyConnect for VPN connections.

From our workstations running Windows 10 / 11 it is working fine.

But for specific applications we want to use our terminalserver, since it requires an extra security dongle to log in.
After downloading the provided (by the supplier) Cisco AnyConnect Client and installing it (without error messages) I have tried to get the VPN starting in the same way I did on the workstations.

On the server i however got stuck with this problem:

This is the software version provided:

That is the preferences for this connection:

It would be great someone could tell me what this error message could mean.
After hours of crawling the internet, calling the supplier for technical help and even trying Cisco technical support directly (no service contract, therefore no help by them) this is my last chance on finding some solution for this problem.

If I have missed out some needed informations for troubleshooting please be patient with me and ask me, so i can deliver the needed information as quickly as possible!

Thanks in advance

Kasun Bandara · ‎05-04-2023

@AOertel hi, i did not seen any official document about anyconnect compatibility with windows server OS versions. i guess this can because compatibility issues. can you share the log in anyconnect?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

AOertel · ‎05-04-2023

Hi Kasun,

sadly i have encountered the compatibility list as well, but hoped i still could it get running.
The log is attached.
I have taken it from: C:\Users\<myname>\.cisco\vpn\log

If that is not the correct one or if there is another place where to look, please give me a hint

Kasun Bandara · ‎05-04-2023

@AOertel log is in anyconnect it self. you can see 'message history' tab in any connect.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

AOertel · ‎05-04-2023

Hello Kasun,
here is the requested log:

Salman Mahajan · ‎05-05-2023

@AOertel
As per the error , disconnection is triggered from the Headend Side . We would also need to check from Firewall side .
Can you provide DART Log from client Side and " show log " output from FW .

Marvin Rhoads · ‎05-05-2023

AnyConnect 4.9/4.10 and Secure Client 5.0 work OK on Windows Server 2016, 2019 and 2022. They are not listed in the compatibility guide because Cisco does not test them. I've used them personally though and can confirm based on that.

As noted, the error seen is resulting from something on the headend side. It could be any of several things. For example, a Posture Check to validate your OS version. Only the firewall administrator would be able to find the root cause as it would be indicated in their logs.

MHM Cisco World · ‎05-05-2023

Are you config certificate auth in asa?

AOertel · ‎05-24-2023

Hi all,

sorry for the late reply.

Since I am the Administrator of our IT-Systems i could do a check on my firewall but i would need some assistance from you (if possible)

A quick information on the topology:
I am running Cisco AnyConnect on a TerminalServer (WindowsServer 2016 Datacenter) which is hosted in an Azure-Environment.
The outgoing connections are routed through a virtualized Fortigate Firewall (hosted in Azure as well).

I would like to provide any logs from the firewall if this could help. But I have not heard of "DART Logs" yet.
Maybe someone can enlighten me, so I can provide those asap.

Thanks in advance.

AOertel · ‎06-26-2023

./push

maybe someone who can assist me on this?

Aref Alsouqi · ‎06-26-2023

It seems that your session doesn't get authorized. If you have DART module installed then you can open up AnyConnect main window, click on the cog icon bottom left, you should see a "Diagnostics" botton in AnyConnect VPN tab in the bottom left area. When you click on that "Diagnostics" botton it should start generating the DART bundle compressed file. Once the file is generated you can decompress it and look for the AnyConnect logs.

Another way to troubleshoot this issue would be to enable some debugs on the remote firewall, some useful debugs would be:

debug webvpn 127
debug webvpn anyconnect 127

If those don't return enough output to find out the issue, you can higher the level from 127 to 255 which is the maximum.

AOertel · ‎06-26-2023

Hi Aref,

thanks for your quick answer.

On clicking the small cog I can only see this:

None of the tabs show a "Diagnostics" button, so i assume the Client which was provided (by an external party, which we are working together with) does not have DART?!

I am trying to get a version provided which has DART included.

Sadly we do not have access to the remote firewall.

I will update this as soon as we have some news.