Is it possible to run AnyConnect VPN from an XP Virtual Machine

fsebera
Level 4

I am trying to setup my ASA firewall to accept AnyConnect VPN connections from an XP client running in VMware ESXi 5.1.

Does anyone know if this is even possible?

 

If this helps any - from an internal XP Virtual Machine, I can run ASDM to manage the firewall.

ASA IOS 9.2(2)

ASDM 7.2(2)

 

In my physical environment:

I have proven my VPN setup is functional between the ASA and physical XP laptop.

The physical laptop running XP can make a successful AnyConnect VPN connection to the ASA. This VPN session works as expected as I can access the LAN and all servers on the inside LAN of the ASA once the VPN session is established.

 

Thank you

Frank

15 Replies

ghostinthenet
Level 7

There's no reason I can think of offhand. I run AnyConnect clients from XP VMs on ESXi frequently with no trouble. Is there anything special about the vSwitch configuration on the ESXi host or the network configuration of the VM? At what point does the AnyConnect login fail? Are you getting past the AnyConnect login in the web browser?

Hi,

Thanks, here is the sequence of events:

 

I open the Cisco AnyConnect Secure Mobility Client (anyconnect-win-3.1.05170)

I click on the "Connect" button

I am prompted for a username and password, I enter both

 

In the AnyConnect Secure Mobility Client VPN Message History dialog window

  • Contacting VPNVL2.ddt.org
  • Please enter your username and password
  • User credentials entered
  • Establishing VPN session . . .
  • Checking for profile updates . . .
  • Downloading AnyConnect VPN Profile - 100%
  • Connection attempt has failed

I am then presented with:

AnyConnect Secure Mobility Client Downloader error message:

Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.

 

Thanks again for any help

Frank

This sounds more like a permissions problem with the profile folder than a problem with the VM itself. Try renaming the following folder and creating a new one in its place to see if that clears things up.

%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Hi Jody,

I de-installed and reinstalled, no change.

I noticed the client profile (CP112414_client_profile.xml) was not being copied to the Cisco PROFILES folder on my VM XP client PC so I manually copied it there.

Now when I try to connect, I get this error message that I think might be a VMware error message but wanted your take before moving there.

"The VPN connection was started by a remote desktop user whose remote console has been disconnected.  It is presumed the VPN routing configuration is responsible for the remote console disconnect.  The VPN connection has been disconnected to allow the remote console to connect again.  A remote desktop user must wait 90 seconds after VPN establishment before disconnecting the remote console to avoid this condition"

 

Thanks once again!

Frank

Sounds like you still have a problem with the profiles folder. Uninstalling and reinstalling doesn't touch the profiles folder, so that wouldn't have done anything.

The profile is copied when AnyConnect establishes a successful connection, so if you manually copied the profile, it's going to assume it's working with an old copy and you're likely to get errors like this one.

Have you compared the permissions between this VM's profiles folder and the one on your working machine? 

Both XP clients (logical and physical) use the same profile. The ASA AnyConnect setup only has a single profile.

 

Topology:

XP(vm)-----vlan2(10.0.0.0)----ASA----vlan6(192.168.1.0)----vmware_ESXi

 

As far as permissions, the Cisco folder is read-only on both and cannot be changed; next is the Profile folder, which is clear of attributes, as is the actual profile file.

 

I think there is a communication problem between the VPN tunnel establishment and the VMware communications: when AnyConnect tries to establish a VPN tunnel, communications between the VM XP host are cut, which produces the previous error. I just don't know how to go about fixing it. I guess more research.

Thanks again for your help

Frank

 

So if you check the permissions as follows on the working one and the non-working one, they're identical?

C:\>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"

C:\ProgramData\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
      NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
      BUILTIN\Administrators:(OI)(CI)(ID)F
      CREATOR OWNER:(OI)(CI)(IO)(ID)F
      BUILTIN\Users:(OI)(CI)(ID)R
      BUILTIN\Users:(CI)(ID)(special access:)
                            FILE_WRITE_DATA
                            FILE_APPEND_DATA
                            FILE_WRITE_EA
                            FILE_WRITE_ATTRIBUTES

 

Hi Jody,

My vm XP and physical XP attributes are identical BUT do not match yours.

Not sure what this means? :-|

Any ideas?

BTW, my XP clients are operating as standalone; I.E. no Windows domain.

 

! VM XP

C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
     FILE_WRITE_DATA
     FILE_APPEND_DATA
     FILE_WRITE_EA
     FILE_WRITE_ATTRIBUTES

C:\Documents and Settings\me>


! Physical PC

C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
     FILE_WRITE_DATA
     FILE_APPEND_DATA
     FILE_WRITE_EA
     FILE_WRITE_ATTRIBUTES

C:\Documents and Settings\me>

 

The important thing was that they matched each other rather than mine, so I wouldn't worry about that. Do you get the same behaviour with 3.1.05187?

Also, just to be sure, your XP VMs are using bridged connections to the LAN, correct?

Yes, bridged.

The internal and external vm hosts are using the same physical VMware ESXi host interface. This interface is trunked to a Cisco switch (SW1). The Internal hosts use 192.168.1.0/24 vlan 2 while the external hosts use 10.0.0.0/24 vlan 6. The ASA inside interface plugs into this same switch (SW1).

 

Internal vm hosts (192.168.1.0/24):

  • DNS on Win 2003 Enterprise
  • Root CA on Win 2003 Enterprise
  • Win XP

 

External vm hosts (10.0.0.0/24):

  • DNS on Win 2003 Enterprise
  • Win XP

 

I have not upgraded yet but I guess since nothing else is working, I could try.

:)

Thanks again for your help. Despite the learning curve, I am learning!!! And hopefully I (we) will get this thing going!

Thanks

Frank

GOOD NEWS!!!!!!!!!!!!! IT WORKS!!!!!!!! :)

 

Using the ESXi vSphere 5.1 Hypervisor client, via a console login, my XP vm can establish an AnyConnect VPN session. I can access the internal LAN and internal servers! All are HAPPY!

I am still using Cisco AnyConnect Secure Mobility Client (anyconnect-win-3.1.05170).

 

THANKS

Frank

 

 

Good to hear! What changed?

Hey Jody,

Nothing changed except the access method.

In all previous attempts I RDPed into the XP VM and then attempted to establish an AnyConnect VPN, which failed.

In this attempt I connected to the physical VM box via the VMware vSphere Hypervisor client and then opened a console window to the XP VM.

 

I just noticed if the ASA user Connection Profile date is out of sync with the XP vm profile, you receive the:

AnyConnect Secure Mobility Client Downloader error message:

Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.

And of course a manual copy of the Connection Profile from the ASA to XP vm fixes this issue. Not optimal but it does resolve most of my issues.

 

Would be nice to know how to run AnyConnect VPN on XP vm via RDP.

 

Thanks again for your assistance

Frank

Ah... this was the first I heard about using RDP. Are you RDPing to the machine that was working or using it directly?

Normally, to establish an AnyConnect session from an RDP session, you need to relax the security policy in the profile. Has this been done?
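The "security policy in the profile" referred to above is the `WindowsVPNEstablishment` element in the AnyConnect client profile XML, whose default `LocalUsersOnly` refuses to bring up the tunnel from an RDP session; `AllowRemoteUsers` relaxes it. The following is an added example, not code from the thread or from Cisco: it reads that element (and its sibling `WindowsLogonEnforcement`) from a profile, says whether an RDP user may connect, and writes out a relaxed copy. The embedded profile is a constructed, trimmed-down one using the hostname from the thread; the namespace is the one AnyConnect profiles carry, and the documented defaults are assumed when an element is absent. Where the element has to be created, it is appended to `ClientInitialization`, which the profile editor on the ASA would place in schema order for you.

```python
import xml.etree.ElementTree as ET

# Default namespace used by AnyConnect client profile XML.
NS = "http://schemas.xmlsoap.org/encoding/"
NSMAP = {"ac": NS}

# Constructed, trimmed profile for illustration. A profile exported from the
# ASA carries many more ClientInitialization elements; only the two that
# matter for RDP-originated sessions are kept here.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPNVL2.ddt.org</HostName>
      <HostAddress>VPNVL2.ddt.org</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _parse(profile_xml: str) -> ET.Element:
    # Encode first so an XML declaration with encoding="UTF-8" is accepted.
    return ET.fromstring(profile_xml.encode("utf-8"))


def _init_value(profile_xml: str, name: str, default: str) -> str:
    """Text of ClientInitialization/<name>, or the documented default if absent."""
    el = _parse(profile_xml).find(f"ac:ClientInitialization/ac:{name}", NSMAP)
    return (el.text or "").strip() if el is not None else default


def vpn_establishment(profile_xml: str) -> str:
    # Documented default: LocalUsersOnly (RDP users may not start the VPN).
    return _init_value(profile_xml, "WindowsVPNEstablishment", "LocalUsersOnly")


def logon_enforcement(profile_xml: str) -> str:
    # Documented default: SingleLocalLogon.
    return _init_value(profile_xml, "WindowsLogonEnforcement", "SingleLocalLogon")


def rdp_user_may_connect(profile_xml: str) -> bool:
    """True if a user logged on over RDP is allowed to establish the VPN."""
    return vpn_establishment(profile_xml) == "AllowRemoteUsers"


def allow_remote_users(profile_xml: str) -> str:
    """Return a copy of the profile with WindowsVPNEstablishment set to AllowRemoteUsers."""
    ET.register_namespace("", NS)  # keep the default namespace on output
    root = _parse(profile_xml)
    init = root.find("ac:ClientInitialization", NSMAP)
    if init is None:
        init = ET.SubElement(root, f"{{{NS}}}ClientInitialization")
    el = init.find("ac:WindowsVPNEstablishment", NSMAP)
    if el is None:
        # Assumption: appended at the end; the ASA profile editor keeps schema order.
        el = ET.SubElement(init, f"{{{NS}}}WindowsVPNEstablishment")
    el.text = "AllowRemoteUsers"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as pushed:", vpn_establishment(SAMPLE_PROFILE),
          "-> RDP user may connect:", rdp_user_may_connect(SAMPLE_PROFILE))
    relaxed = allow_remote_users(SAMPLE_PROFILE)
    print("relaxed:  ", vpn_establishment(relaxed),
          "-> RDP user may connect:", rdp_user_may_connect(relaxed))
```

Two caveats for anyone applying this. The ASA pushes the profile on every successful connection and overwrites the copy in the `Profile` folder discussed earlier, so the relaxed value has to be set in the profile stored on the ASA (the profile editor in ASDM), not in the local file. And `AllowRemoteUsers` widens who can bring up a tunnel into the inside network to anyone with an RDP session on that host, so it belongs only on machines where that is acceptable; the 90-second message quoted earlier attributes the drop to VPN routing, so a tunnel-all policy on the same connection profile may still need split tunneling or a split-exclude for the RDP client's address before an RDP-originated session survives.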