Beginner

Cisco AnyConnect unable to access the inside network

Cisco AnyConnect Secure Mobility Client

Version 4.9.01095

We are able to successfully establish a connection and, as far as we can see, there are no issues on the client side.
We are unable to access hosts on the internal network (ping, RDP, ...). We are able to access the gateway and the DNS server.
There is a 0.0.0.0 route in the routing table on the client.
We have checked the Cisco AnyConnect event log and resolved a couple of issues, including certificate access, but that had no effect. The only remaining issue is the lack of a proxy, but we only need internal IP access.

We do not have access to the Cisco ASA.

Support is limited to password and account resets, so we have to tell them exactly what to do.

This would be straightforward if not for the fact that the VPN works on the user's laptop, but we seem to be unable to establish a working connection anywhere else (i.e. on another computer).
We are not trying to establish connections in parallel (i.e. on multiple computers).
We have tried disabling Windows Defender and the firewall (it does not have outbound rules by default).

We are aware that access can be locked to a specific machine, but there is usually a notification if that is the case...

Long story short, we are stumped. Can anybody help?

Accepted Solution

Zoran, you need to get in touch with your network team (firewall team) and work with them. As you are using the AnyConnect client and it is all connecting to your firewall, the best person to look at this is your firewall administrator, who can advise you, as you have no access to your firewall configuration.

Please do not forget to rate.

11 Replies
Highlighted
VIP Advocate

Is this a new deployment? The reason I ask is: was this working before, with AnyConnect giving you access to your internal resources? More likely the issue seems to be that you need to implement NAT rules on your ASA to let your AnyConnect IP pool connect to your internal network.

Please do not forget to rate.
Highlighted

We do not have access to the ASA. They did change their config recently, and the issue appeared.
The confusing part is that everything works on the user's laptop right now.
We are unable to get it to work anywhere else (moving the user's VPN connection to a new machine).

Highlighted

Just to be clear, what I understand is: everything was working until recently, then the ASA (network team) made some change, and since then you have no access to your internal network? Right?

If this is the case, then they must have changed something.

Confusing part is that everything works on user laptop right now.

 - What do you mean by this?

Please do not forget to rate.
Highlighted

Confusing part is that everything works on user laptop right now.

 - What do you mean by this?
I mean that we can access internal IPs from the user's laptop.
If we install AnyConnect and set up the VPN on a different computer (tried on multiple computers), the internal IP is no longer accessible.

Highlighted

I see. It could be that the network team (firewall team) is only allowing corporate laptops to connect to the firewall. As you are trying to connect from non-corporate laptops and this is not working, this is something you need to escalate to the network (firewall) team.

In order to get this fixed we need to look at the firewall side of the configuration.

Please do not forget to rate.
Highlighted

The user's laptop is also non-corporate (non-domain, Windows 10 Home).

I do not see what could possibly cause this on the client side, so I will accept your answer as the solution if nothing else comes up.

Highlighted

1. You mentioned you see a 0.0.0.0 route in the routing table on the client.

 -- You mean on the AnyConnect tab, in the left corner, there is still a gear icon, and under Route Details you see 0.0.0.0/0? If you see this, it means you (the firewall) are set up as a full tunnel.

2. We have checked the Cisco AnyConnect event log and resolved a couple of issues including certificate access, but that had no effect. The only remaining issue is lack of a proxy, but we only need internal IP access.

 -- Am I right that your work laptops are issued a certificate from your corporate CA? It could be that once the certificate, either the machine or the user certificate, is authenticated, the firewall allows access to the user. However, you also mentioned that on the non-corporate laptop AnyConnect does work, but you do not have access to internal resources.

3. We do not have access to the Cisco ASA.

 -- Can you not escalate this to your network team and explain the issue? Maybe they could advise you.

4. Support is limited to password and account resets, so we have to tell them exactly what to do.

 -- Is this first-line support? Maybe you need to escalate this to the third-line support team.

5. This would be straightforward if not for the fact that the VPN works on the user's laptop, but we seem to be unable to establish a working connection anywhere else (i.e. on another computer). We are not trying to establish connections in parallel (i.e. on multiple computers).
We have tried disabling Windows Defender and the firewall (it does not have outbound rules by default).

 -- Of course you can connect AnyConnect from the other laptops with limited access to the internet only, whereas you get full connectivity including internal resources if using the corporate laptops.

6. We are aware that access can be locked to a specific machine, but there is usually a notification if that is the case.

 -- This is an interesting one.

7. We do not have access to the ASA. They did change their config recently and the issue appeared. The confusing part is that everything works on the user's laptop right now. We are unable to get it to work anywhere else (moving the user's VPN connection to a new machine).

 -- When you say user laptop and testing on a different laptop, am I right to understand that the user laptop is a corporate-issued laptop and the different laptop is a non-corporate laptop?

Please do not forget to rate.
Highlighted

1. You mentioned you see a 0.0.0.0 route in the routing table on the client.

 -- You mean on the AnyConnect tab, in the left corner, there is still a gear icon, and under Route Details you see 0.0.0.0/0? If you see this, it means you (the firewall) are set up as a full tunnel.

I meant in the actual Windows routing table, but yes, there is also 0.0.0.0/0 in the AnyConnect route details.

2. We have checked the Cisco AnyConnect event log and resolved a couple of issues including certificate access, but that had no effect. The only remaining issue is lack of a proxy, but we only need internal IP access.

 -- Am I right that your work laptops are issued a certificate from your corporate CA? It could be that once the certificate, either the machine or the user certificate, is authenticated, the firewall allows access to the user. However, you also mentioned that on the non-corporate laptop AnyConnect does work, but you do not have access to internal resources.

There is no significant difference between the laptop that works and the one that does not...
You might be right about the certificate; I have checked, and the errors are again in the event log:
Function: CCertificateInfoTlv::Assign
File: c:\temp\build\thehoff\orion_mr10.989354729559\orion_mr1\vpn\common\tlv\certificateinfotlv.cpp
Line: 87
Invoked Function: CCertificateInfoTlv::Serialize
Return Code: -21889013 (0xFEB2000B)
Description: CERTIFICATEINFO_ERROR_NO_DATA:No certificate data was found

3. We do not have access to the Cisco ASA.

 -- Can you not escalate this to your network team and explain the issue? Maybe they could advise you.

Basically we have to prove it is not on our end for them to escalate to a higher level of support.

4. Support is limited to password and account resets, so we have to tell them exactly what to do.

 -- Is this first-line support? Maybe you need to escalate this to the third-line support team.

5. This would be straightforward if not for the fact that the VPN works on the user's laptop, but we seem to be unable to establish a working connection anywhere else (i.e. on another computer). We are not trying to establish connections in parallel (i.e. on multiple computers).
We have tried disabling Windows Defender and the firewall (it does not have outbound rules by default).

 -- Of course you can connect AnyConnect from the other laptops with limited access to the internet only, whereas you get full connectivity including internal resources if using the corporate laptops.

There is no significant difference between the laptop that works and the one that does not...
Neither is corporate-issued.
We do not need access to the internet, just access to the internal IP address.
The laptop that works has access to the internal IP only.
The laptop that does not work does not have access to the internal IP.

6. We are aware that access can be locked to a specific machine, but there is usually a notification if that is the case.

 -- This is an interesting one.

7. We do not have access to the ASA. They did change their config recently and the issue appeared. The confusing part is that everything works on the user's laptop right now. We are unable to get it to work anywhere else (moving the user's VPN connection to a new machine).

 -- When you say user laptop and testing on a different laptop, am I right to understand that the user laptop is a corporate-issued laptop and the different laptop is a non-corporate laptop?

No. The only difference is a Home versus Pro Windows 10 license.
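
The client-side checks discussed in this thread (full-tunnel 0.0.0.0/0 route, gateway/DNS reachable but an internal host not, and the CERTIFICATEINFO_ERROR_NO_DATA entry pointing at a missing client certificate) can be gathered in one pass so the working and failing laptops can be compared side by side. This is an added PowerShell example, not from the thread or from Cisco; the three addresses are constructed placeholders, and the AnyConnect adapter is assumed to carry "AnyConnect" or "Cisco" in its interface description.

```powershell
# Added diagnostic script (not Cisco's). Run as the VPN user with the tunnel up.
param(
    [string]$Gateway      = '192.0.2.1',    # placeholder: the VPN headend / default gateway
    [string]$DnsServer    = '192.0.2.53',   # placeholder: internal DNS server that is reachable
    [string]$InternalHost = '192.0.2.100'   # placeholder: internal host that fails (ping/RDP)
)

# 1. Locate the AnyConnect virtual adapter and the routes Windows installed over it.
$vpn = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like '*AnyConnect*' -or $_.InterfaceDescription -like '*Cisco*'
} | Select-Object -First 1
if (-not $vpn) { Write-Warning 'No AnyConnect adapter found; is the tunnel up?'; return }
"VPN adapter: $($vpn.Name) [$($vpn.Status)] ifIndex=$($vpn.ifIndex)"
Get-NetRoute -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4 |
    Sort-Object RouteMetric | Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize

# A 0.0.0.0/0 entry whose best metric is on the VPN adapter confirms a full tunnel;
# if the winning default route is on another adapter, internal traffic never enters the tunnel.
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
"Best default route leaves via ifIndex $($default.InterfaceIndex); VPN adapter is $($vpn.ifIndex)"

# 2. Layered reachability: gateway and DNS are expected to answer, the internal host is the failing case.
foreach ($target in @($Gateway, $DnsServer, $InternalHost)) {
    $r = Test-NetConnection -ComputerName $target -InformationLevel Detailed -WarningAction SilentlyContinue
    "{0,-16} ping={1,-5} via={2}" -f $target, $r.PingSucceeded, $r.InterfaceAlias
}
# Which route Windows would actually pick for the internal host (second object is the route).
(Find-NetRoute -RemoteIPAddress $InternalHost)[1] | Select-Object DestinationPrefix, InterfaceAlias, NextHop

# 3. Client certificates: "No certificate data was found" means nothing usable was offered.
# List valid, private-key-backed certificates with the Client Authentication EKU in both stores.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = Get-ChildItem $store | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
    "{0}: {1} valid client-auth certificate(s) with a private key" -f $store, @($certs).Count
    $certs | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
}
```

Run it on both laptops and diff the output: a certificate count of 0 on the failing machine, or a default route that wins on the physical adapter, is the kind of concrete evidence the firewall team would need before changing anything on the ASA.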

Highlighted

This is an interesting one you posted earlier.

Invoked Function: CCertificateInfoTlv::Serialize
Return Code: -21889013 (0xFEB2000B)
Description: CERTIFICATEINFO_ERROR_NO_DATA:No certificate data was found

This seems to be an issue with the certificate.

Please do not forget to rate.
Highlighted

Any pointers on how to solve/troubleshoot this error?
We are going through Google search results, but no luck so far...
