Solved: Cisco AnyConnect Secure Mobility Client

a.alekseev · ‎04-28-2017

Hello,

I have Cisco AnyConnect Secure Mobility Client v.4.4.02034 on my notebook and

Cisco AnyConnect Secure Mobility Client v4.0.05066 on my iphone.

I'm trying to do remote access flexvpn with local authentication (anyconnect-eap) on CSR1000v in my lab.

I used the following doc:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html#anc6

It works only for Cisco AnyConnect on my IPhone

If I use Cisco AnyConnect 4.4 on my notebook I'm getting "The VPN client failed to establish a connection". I tried older versions without success.

According this doc
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/user/messages/ac31-vpn-user-msgs.html

here are the possible causes

"The VPN client failed to establish a connection."
Description The AnyConnect service failed to establish a secured connection to the secure gateway. Possible causes include the following:
–Proxy authentication failure
–Protocol handshake failure
–Bad client or server certificate
–Layer 2 communication failures
Recommended User Response Remove the local proxy if one is configured. Retry the VPN connection. Run DART. (See Using DART to Gather Troubleshooting Information.) Report the error to your organization's technical support and include the DART bundle.

I attached Cisco AnyConnect enentlog and config, CSR100v config and "debug crypto ikev2"

Could somebody help me to get it working?

Thanks,

Alexey

Marvin Rhoads · ‎04-28-2017

Ah - sorry I missed that at first.

I'm not sure how relevant they are, but I see a couple of discrepancies between your profile and what's recommended in the guide.

One other thing is that they recommend a local policy in addition to the VPN profile that contains:

   <BypassDownloader>true</BypassDownloader>

Do you have that?

I've highlighted in BOLD to reference document fields that may also be issues:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 <ClientInitialization>
 <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
 <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
 <ShowPreConnectMessage>false</ShowPreConnectMessage>
 <CertificateStore>All</CertificateStore>
 <CertificateStoreOverride>false</CertificateStoreOverride>
 <ProxySettings>Native</ProxySettings>
 <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
 <AuthenticationTimeout>12</AuthenticationTimeout>
 <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
 <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
 <LocalLanAccess UserControllable="true">false</LocalLanAccess>
 <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
 <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
 <AutoReconnect UserControllable="false">true
 <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
 </AutoReconnect>
 <AutoUpdate UserControllable="false">false</AutoUpdate>
 <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
 <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
 <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
 <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
 <PPPExclusion UserControllable="false">Automatic
 <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
 </PPPExclusion>
 <EnableScripting UserControllable="false">false</EnableScripting>
 <EnableAutomaticServerSelection UserControllable="true">false
 <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
 <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
 </EnableAutomaticServerSelection>
 <RetainVpnOnLogoff>false
 </RetainVpnOnLogoff>
 <AllowManualHostInput>true</AllowManualHostInput>
 </ClientInitialization>
 <ServerList>
 <HostEntry>
 <HostName>vpn.example.com</HostName>
 <HostAddress>vpn.example.com</HostAddress>
 <PrimaryProtocol>IPsec</PrimaryProtocol>
 </HostEntry>
 </ServerList>
</AnyConnectProfile>

View solution in original post

Marvin Rhoads · ‎04-28-2017

Can you share your AnyConnect client profile?

a.alekseev · ‎04-28-2017

the client profile in the archive csr1000v.zip

Marvin Rhoads · ‎04-28-2017

Ah - sorry I missed that at first.

I'm not sure how relevant they are, but I see a couple of discrepancies between your profile and what's recommended in the guide.

One other thing is that they recommend a local policy in addition to the VPN profile that contains:

   <BypassDownloader>true</BypassDownloader>

Do you have that?

I've highlighted in BOLD to reference document fields that may also be issues:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 <ClientInitialization>
 <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
 <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
 <ShowPreConnectMessage>false</ShowPreConnectMessage>
 <CertificateStore>All</CertificateStore>
 <CertificateStoreOverride>false</CertificateStoreOverride>
 <ProxySettings>Native</ProxySettings>
 <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
 <AuthenticationTimeout>12</AuthenticationTimeout>
 <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
 <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
 <LocalLanAccess UserControllable="true">false</LocalLanAccess>
 <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
 <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
 <AutoReconnect UserControllable="false">true
 <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
 </AutoReconnect>
 <AutoUpdate UserControllable="false">false</AutoUpdate>
 <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
 <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
 <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
 <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
 <PPPExclusion UserControllable="false">Automatic
 <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
 </PPPExclusion>
 <EnableScripting UserControllable="false">false</EnableScripting>
 <EnableAutomaticServerSelection UserControllable="true">false
 <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
 <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
 </EnableAutomaticServerSelection>
 <RetainVpnOnLogoff>false
 </RetainVpnOnLogoff>
 <AllowManualHostInput>true</AllowManualHostInput>
 </ClientInitialization>
 <ServerList>
 <HostEntry>
 <HostName>vpn.example.com</HostName>
 <HostAddress>vpn.example.com</HostAddress>
 <PrimaryProtocol>IPsec</PrimaryProtocol>
 </HostEntry>
 </ServerList>
</AnyConnectProfile>

a.alekseev · ‎05-02-2017

I tried the suggested profile but got the same error.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 <ClientInitialization>
 <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
 <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
 <ShowPreConnectMessage>false</ShowPreConnectMessage>
 <CertificateStore>All</CertificateStore>
 <CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
 <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
 <AuthenticationTimeout>12</AuthenticationTimeout>
 <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
 <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
 <LocalLanAccess UserControllable="true">false</LocalLanAccess>
 <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
 <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
 <AutoReconnect UserControllable="false">true
 <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
 </AutoReconnect>
 <AutoUpdate UserControllable="false">false</AutoUpdate>
 <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
 <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
 <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
 <PPPExclusion UserControllable="false">Automatic
 <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
 </PPPExclusion>
 <EnableScripting UserControllable="false">false</EnableScripting>
 <EnableAutomaticServerSelection UserControllable="true">false
 <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
 <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
 </EnableAutomaticServerSelection>
 <RetainVpnOnLogoff>false
 </RetainVpnOnLogoff>
 <AllowManualHostInput>true</AllowManualHostInput>
 </ClientInitialization>
 <ServerList>
 <HostEntry>
 <HostName>CSR1000v-new</HostName>
 <HostAddress>10.0.49.165</HostAddress>
 <UserGroup>qwerty</UserGroup>
 <PrimaryProtocol>IPsec
 <StandardAuthenticationOnly>true
 <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
 </StandardAuthenticationOnly>
 </PrimaryProtocol>
 </HostEntry>
 </ServerList>
</AnyConnectProfile>

a.alekseev · ‎05-08-2017

Up

I'm still interested in resolving the issue.

a.alekseev · ‎06-30-2017

Up

a.alekseev · ‎07-12-2017

You must enable BypassDownloader

set it in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

Marvin Rhoads · ‎07-12-2017

Correct - that's what I suggest 3 months ago.