Unable to Connect with AnyConnect Secure Mobility Client

ashokr001
Level 1

When trying to connect with Cisco AnyConnect Secure Mobility Client on Windows XP SP3, I am getting the following error:

Function: CTransportWinHttp::SendRequest

File: .\CTransportWinHttp.cpp

Line: 1170

Invoked Function: HttpSendRequest

Return Code: 806 (0x00000326)

Description: WINDOWS_ERROR_CODE

Function: CTransportWinHttp::SendRequest

File: .\CTransportWinHttp.cpp

Line: 1178

Invoked Function: CTransportWinHttp::handleRequestError

Return Code: -30015479 (0xFE360009)

Description: CTRANSPORT_ERROR_UNEXPECTED

and finally I get the following message:

Function: ConnectMgr::processIfcData

File: .\ConnectMgr.cpp

Line: 2763

Invoked Function: ConnectMgr::processIfcData

Return Code: -30015443 (0xFE36002D)

Description: CTRANSPORT_ERROR_CONN_UNKNOWN

Connection attempt failed.  Please try again.

Any ideas, thanks,

Ashok.

7 Replies

Jeet Kumar
Cisco Employee

Is it happening only with the Windows XP machine or with everyone?

If possible, please share the full DART logs.

What is the version of the ASA and of AnyConnect?

Thanks

Jeet Kumar

Jeet Kumar
Cisco Employee

Please send me the output of the following command: "sh run all ssl"

Jeet Kumar
Cisco Employee

OK,

Just issue the following command "sh run all ssl" and if you see something like this:

"ssl encryption rc4-sha1" change it to "ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1 rc4-md5 des-sha1"

Check the AnyConnect local policy on your machine and make sure FIPS is disabled. It will be a file named "AnyConnectLocalPolicy.xml" and when you open it you should have FIPS as false. Something like this:

<FipsMode>false</FipsMode>

Please try it and let me know if it helps. I would still request the complete DART files in case the above doesn't help.

Thanks

Jeet

Thanks Jeet, since this is a Windows machine, the command

"sh run all ssl"

Is there any equivalent command in Windows? We are being told the issue may be because Windows-XP supports AES-128 and the site is set for AES-256. Please advise.

Hi Ashok,

You need to run "sh run all ssl" on the ASA. If you see output of this command something like this:

"ssl encryption rc4-sha1", then run this command:

"ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1"

To check whether FIPS mode is enabled, go to the following location on your client machine:

c:/ProgramData/Cisco/Cisco Anyconnect Secure Mobility Client. You can open a file named "AnyConnectLocalPolicy.xml".

When you open it you should have FIPS as false. Something like this:

<FipsMode>false</FipsMode>

Please make these changes and then check the connection.

Regards,

Naresh
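
The two checks suggested in the replies above (the ASA's "ssl encryption" list and the client's FipsMode setting) can be combined into one overlap check. This is an added example, not code from the thread or from Cisco; the policy sample, the client cipher list used with it, and the set of algorithms a FIPS-mode client refuses are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of AnyConnectLocalPolicy.xml, reduced to the element
# the thread discusses.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <FipsMode>false</FipsMode>
</AnyConnectLocalPolicy>"""

# Assumption: algorithm names a FIPS-mode client will not negotiate.
NON_FIPS = {"rc4", "des", "md5"}


def fips_mode(policy_xml):
    """Return True if <FipsMode> is 'true'; the tag is matched with or without a namespace."""
    for el in ET.fromstring(policy_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "FipsMode":
            return (el.text or "").strip().lower() == "true"
    return False  # element absent: treated as disabled


def asa_ciphers(line):
    """Parse an ASA 'ssl encryption ...' line into its ordered cipher list."""
    words = line.split()
    if words[:2] != ["ssl", "encryption"]:
        raise ValueError("not an 'ssl encryption' line: %r" % line)
    return words[2:]


def usable(asa_line, policy_xml, client_ciphers):
    """Ciphers both sides accept, in the order the ASA line lists them.

    An empty result means the two ends share no cipher.
    """
    fips = fips_mode(policy_xml)
    shared = []
    for cipher in asa_ciphers(asa_line):
        parts = set(cipher.split("-"))  # 'rc4-sha1' -> {'rc4', 'sha1'}
        if cipher in client_ciphers and not (fips and parts & NON_FIPS):
            shared.append(cipher)
    return shared


if __name__ == "__main__":
    # Constructed client cipher list; a real client's list depends on OS and version.
    client = ["aes256-sha1", "aes128-sha1", "3des-sha1", "rc4-sha1", "rc4-md5"]
    print(usable("ssl encryption rc4-sha1", SAMPLE_POLICY, client))
```
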


Hi Jeet and Naresh,

I found the file AnyConnectLocalPolicy.xml on Windows XP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client

This is given in the following document:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac04localpolicy.html#wp1055381

My current settings are given below, as you can see the FipsMode is set to False

...

<FipsMode>false</FipsMode>

...

I'm assuming that ASA is Cisco Adaptive Security Appliance (ASA).

So the change being suggested by you would need to be run on the Security Appliance, I suppose.

Please confirm.

Thanks for your help,

Ashok.

Yes, we need to check the encryption settings on the Security Appliance.

Regards,

Naresh
