Unable to connect w AnyConnect after upgrading from 4.7 to 4.9

bvj197222
Level 1

We are running Cisco ASA ver 9.10(1) with AnyConnect 4.7.00136. I wanted to upgrade the AnyConnect-client from 4.7 to 9.1. I changed the disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg with 4.9.01095.pkg using the ASDM. After replacing the .pkg-files I am unable to connect to VPN with the 4.7.x-client. I expected that the client would upgrade automatically using the 4.9-pkg-file from the ASA. I get the Anyconnect login box, enter my username/password and receive the OTP. After typing the OTP the client says "Anyconnect was not able to establish connection to the specified secure gateway".

 

I tried switching networks, making sure ICS was turned off. Still no luck. No error-messages in the debugger on ASDM. I did a roll-back to 4.7 and it worked immediately.

 

1 Accepted Solution


I tried to connect, and used the DART (debugger) to collect logs after a failed connection attempt to find out exactly what's going on. According to the Cisco doc (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/deploy-anyconnect.html) there's no need for administrator privileges to install the upgrade;

 

To upgrade AnyConnect or install additional modules using web deploy (from ASA/ISE/Umbrella cloud with Downloader), you do not need administrative privileges.

 

The problem turned out to be a group policy on our side;

 

Time : 11:02:29
Type : Error
Source : acvpnui

Description : Function: CProcessApi::Launch
File: IPC\ProcessAPI.cpp
Line: 489
Invoked Function: CreateProcess
Return Code: 1260 (0x000004EC)
Description: This program is blocked by a group policy. Contact administrator for details.

Unable to spawn Application: "C:\Users\xxx~1\AppData\Local\Temp\385.tmp\vpndownloader.exe" "-ipc gc". 

 

Further investigation pointed us to AppLocker, which blocked a .bat file that's being run during the upgrade of the client;

 

%OSDRIVE%\USERS\***\APPDATA\LOCAL\TEMP\{70DE1FAF-6E38-48D7-844C-7638807A6DDC}.BAT was prevented from running.

 

I am enclosing the relevant part of the debug log for those interested, plus the config I had to use on the ASA to make it work. By having two images in the ASA the client won't upgrade as long as the client is using one of the available images. I'll talk to the Windows admin to fix the group policy.
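
As an added example (not part of the original post, and not Cisco's code): a small Python triage script that scans message records laid out like the DART excerpt above and reports the CreateProcess launches that failed with return code 1260. The function names and the second sample record are assumptions made for this illustration.

```python
import re

# Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY), the code in the log above.
POLICY_BLOCK = 1260

# Constructed sample in the layout of the excerpt above; the second record
# (a non-policy failure, code 5) is invented for contrast.
SAMPLE_LOG = r'''Time : 11:02:29
Type : Error
Source : acvpnui
Description : Function: CProcessApi::Launch
File: IPC\ProcessAPI.cpp
Line: 489
Invoked Function: CreateProcess
Return Code: 1260 (0x000004EC)
Description: This program is blocked by a group policy. Contact administrator for details.
Unable to spawn Application: "C:\Users\xxx~1\AppData\Local\Temp\385.tmp\vpndownloader.exe" "-ipc gc".

Time : 11:05:10
Type : Error
Source : acvpnui
Invoked Function: CreateProcess
Return Code: 5 (0x00000005)
'''

def split_records(text):
    """Split the log into records; each record starts at a 'Time :' line."""
    return [r for r in re.split(r"(?m)^(?=Time\s*:)", text) if r.strip()]

def parse_record(record):
    """Pull the fields needed for triage out of one record."""
    def field(pattern):
        m = re.search(pattern, record, re.M)
        return m.group(1).strip() if m else None
    code = field(r"^Return Code:\s*(\d+)")
    return {
        "time": field(r"^Time\s*:\s*(.+)$"),
        "source": field(r"^Source\s*:\s*(.+)$"),
        "invoked": field(r"^Invoked Function:\s*(.+)$"),
        "return_code": int(code) if code else None,
        "target": field(r'^Unable to spawn Application:\s*"([^"]+)"'),
    }

def policy_blocked_launches(text):
    """Return records where CreateProcess failed with the policy-block code."""
    recs = (parse_record(r) for r in split_records(text))
    return [r for r in recs
            if r["invoked"] == "CreateProcess" and r["return_code"] == POLICY_BLOCK]
```

The `target` field of each hit is the executable path to hand to whoever maintains the application-control policy.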


3 Replies

balaji.bandi
Hall of Fame

I know you tried some options; check some other information that may help you (also check the debug logs on the client side).

 

https://appuals.com/fix-anyconnect-was-not-able-to-establish-a-connection-to-the-specified-secure-gateway/

BB


It should auto-upgrade. Can you confirm that you see the 4.9 file in disk0?
Also, confirm that the ASA config under webvpn changed the image to make
4.9 the top of the list.

If you have access to the ASA, try the command debug webvpn anyconnect 127 to
see why it's failing.
