08-13-2020 02:12 AM
We are running Cisco ASA ver 9.10(1) with AnyConnect 4.7.00136. I wanted to upgrade the AnyConnect-client from 4.7 to 9.1. I changed the disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg with 4.9.01095.pkg using the ASDM. After replacing the .pkg-files I am unable to connect to VPN with the 4.7.x-client. I expected that the client would upgrade automatically using the 4.9-pkg-file from the ASA. I get the Anyconnect login box, enter my username/password and receive the OTP. After typing the OTP the client says "Anyconnect was not able to establish connection to the specified secure gateway".
I tried switching networks, making sure ICS was turned off. Still no luck. No error-messages in the debugger on ASDM. I did a roll-back to 4.7 and it worked immediately.
08-17-2020 02:55 AM - edited 08-17-2020 05:14 AM
I tried to connect, and used the DART (debugger) to collect logs after the failed connection attempt to find out exactly what's going on. According to the Cisco doc (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/deploy-anyconnect.html) there's no need for administrator privileges to install the upgrade:
To upgrade AnyConnect or install additional modules using web deploy (from ASA/ISE/Umbrella cloud with Downloader), you do not need administrative privileges.
The problem turned out to be a group policy on our side;
Time : 11:02:29
Type : Error
Source : acvpnui
Description : Function: CProcessApi::Launch
File: IPC\ProcessAPI.cpp
Line: 489
Invoked Function: CreateProcess
Return Code: 1260 (0x000004EC)
Description: This program is blocked by a group policy. Contact administrator for details.
Unable to spawn Application: "C:\Users\xxx~1\AppData\Local\Temp\385.tmp\vpndownloader.exe" "-ipc gc".
Further investigation pointed us to AppLocker, which blocked a .bat file that's being run during the upgrade of the client:
%OSDRIVE%\USERS\***\APPDATA\LOCAL\TEMP\{70DE1FAF-6E38-48D7-844C-7638807A6DDC}.BAT was prevented from running.
I am enclosing the relevant part of the debug log for those interested, plus the config I had to use on the ASA to make it work. By having two images in the ASA, the client won't upgrade as long as the client is using one of the available images. I'll talk to the Windows admin to fix the group policy.
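An added example, not part of the original post and not Cisco tooling: a Python script that scans DART-style log text for the failure shown above (a record whose return code is 1260) and reports which executable was blocked. The record layout is assumed from the excerpt in the post; the first sample record is constructed, and the function names are hypothetical.

```python
import re

ERROR_ACCESS_DISABLED_BY_POLICY = 1260  # Win32 code from the post (0x000004EC)

# Sample input: one constructed filler record, then the record quoted in the post.
SAMPLE_LOG = r'''Time : 11:02:28
Type : Information
Source : acvpnui
Description : constructed filler record
Return Code: 0 (0x00000000)
Time : 11:02:29
Type : Error
Source : acvpnui
Description : Function: CProcessApi::Launch
File: IPC\ProcessAPI.cpp
Line: 489
Invoked Function: CreateProcess
Return Code: 1260 (0x000004EC)
Description: This program is blocked by a group policy. Contact administrator for details.
Unable to spawn Application: "C:\Users\xxx~1\AppData\Local\Temp\385.tmp\vpndownloader.exe" "-ipc gc".
'''

RECORD_START = re.compile(r'^Time\s*:', re.M)
TIME = re.compile(r'^Time\s*:\s*(\S+)', re.M)
RETURN_CODE = re.compile(r'Return Code:\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)')
INVOKED = re.compile(r'Invoked Function:\s*(\S+)')
SPAWN = re.compile(r'Unable to spawn Application:\s*"([^"]+)"')
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)

def first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def split_records(text):
    # Assumption: every record begins with a "Time :" line, as in the excerpt.
    starts = [m.start() for m in RECORD_START.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def policy_blocks(text):
    findings = []
    for rec in split_records(text):
        code = first(RETURN_CODE, rec)
        if code is None or int(code) != ERROR_ACCESS_DISABLED_BY_POLICY:
            continue
        path = first(SPAWN, rec)
        findings.append({"time": first(TIME, rec), "invoked": first(INVOKED, rec),
                         "path": path,
                         # Per-user Temp is outside AppLocker's default allow rules
                         "user_temp": bool(path and USER_TEMP.search(path))})
    return findings

if __name__ == "__main__":
    for finding in policy_blocks(SAMPLE_LOG):
        print(finding)
```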
08-13-2020 02:22 AM
I know you tried some options; check some other information that may help you (also check the debug logs on the client side).
08-13-2020 02:26 AM