VPN connection fails having one YubiKey connected

Mõbius
Level 1

Hi,

 

Cisco AnyConnect throws the error "The client agent has encountered an error." while a YubiKey is inserted. Evaluating this behaviour, I found the following issues.

 

1) Scenario: 1 YubiKey is connected, no other smartcard is connected

AnyConnect eventlog reports the following.

a) SCARD_E_UNEXPECTED:

Invoked Function: CryptAcquireContextW

Return Code: 0x8010001F

b) CERTSTORE_ERROR_PROVIDER_ERROR:

Invoked Function: CSmartcardContext::acquireCryptProvForSmartcard

Return Code: 0xFE20000B

while processing smart card Yubico YubiKey OTP+FIDO+CCID 0

 

2) Scenario: 2 YubiKey are connected

AnyConnect eventlog reports the following.

a) CERTSTORE_ERROR_NO_KEY:

Invoked Function: CSmartcardContext::acquireCryptProvForSmartcard

Return Code: 0xFE200019

while processing smart card Yubico YubiKey OTP+FIDO+CCID 0 and also the same

while processing smart card Yubico YubiKey OTP+FIDO+CCID 1

 

3) Scenario: 1 YubiKey is connected, 1 other smartcard is connected

AnyConnect eventlog reports the following

a) CERTSTORE_ERROR_CERT_NOT_FOUND:

Invoked Function: CSmartcardContextUtilsBase::populateSmartcardInfo

Return Code: 0xFE20000E

one step earlier: SCardListCards - Empty card name returned from reader: OMNIKEY CardMan 3x21 0

b) CERTSTORE_ERROR_NO_KEY:

Invoked Function: CSmartcardContext::acquireCryptProvForSmartcard

Return Code: 0xFE200019

while processing smart card Yubico YubiKey OTP+FIDO+CCID 0

 

Scenarios 2 and 3 work properly. Although errors are reported in the event log, the VPN connection is established properly and remains connected.

In Scenario 1 the VPN connection is established completely (according to the AnyConnect event log entries). But at the end there is another access to the smart card, as described above, and this time the error seems to lead to the termination of the VPN connection. So at the beginning SCARD_E_UNEXPECTED seems to have no effect, but at the end it prevents the connection from staying alive. Even if the other scenarios work properly, connecting another smart card to make AnyConnect work is not a solution. Above all, the YubiKey is not required for the VPN connection.

The type of card being connected to the external smartcard reader does not matter. Even inserting a card the wrong way round bypasses the problem. A connected SIM card is a workaround, too.

Deactivating the CCID functionality of the YubiKey (and with it the PIV functionality) solves the problem with AnyConnect (as described at https://gist.github.com/markwoon/b8e0e78c9f7c9a9229226145ea1c1c36). But the YubiKey's smart card functionality is required for another application running next to AnyConnect. Therefore CCID is required and cannot be deactivated.

So I am searching for a solution to get AnyConnect to work even if one YubiKey is connected with the CCID functionality activated. Please let me know if there is anything I can do to solve the problem on my side. I will provide any additional information that helps solve this problem.

 

AnyConnect version: 4.9.03049

YubiKey: 5Ci (firmware version 5.2.6)

YubiKey: 5C (firmware version 5.4.3)

YubiKey: NEO (firmware version 3.3.4)

 

Any help would be really appreciated.

 

Kind regards

Mõbius

Accepted Solution

Mõbius
Level 1

After installing the YubiKey smart card minidriver it works for me. With this driver installed the behaviour changes to the following.

  • AnyConnect works if no or only one YubiKey is connected.
  • AnyConnect does not work if more than one YubiKey is connected (tested with three).
  • AnyConnect does not work if any other PIV-compatible device is connected.

I did not analyze the AnyConnect event log entries. But my customer confirmed installing this driver to be "the solution".

All workarounds or possible solutions I found in this case had a comment like "... worked for my customer ...". But there is no bugfix from Cisco.

Thanks to all joining this post.

Mõbius


7 Replies

Mõbius
Level 1

Additionally:

This problem does not seem to be related to the YubiKey only. Using another smart card with PIV functionality the problem is the same: a smart card error is reported in the event log. But with two smart cards connected with PIV functionality enabled, the problem does not exist.

Do you already have a TAC Case opened for that? If yes, maybe you can share outcome / Bug ID or Case ID for reference

Unfortunately, I cannot create such a TAC case because this problem is related to one of our customers and he has to open such a case. I have no contract with Cisco and may not open a TAC case on my own. My customer is instructed to do so, but at the moment there are some difficulties, so I guess there is no TAC case at the moment.

If somebody being able to open a TAC case would do that in this matter, I would really appreciate that.

 

And of course, as soon as I have any solution for this I will post it here.

 

Kind regards

Mõbius

Mike.Cifelli
VIP Alumni

Have you tried certificate matching criteria in the AC VPN Profile? This would allow AnyConnect to always use/select the correct certificate from whatever physical medium you intend to use. In the VPN profile placed here on Windows clients: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile you can open the XML file in WordPad to view the current settings. The section I am referencing is the <CertificateMatch> XML section. You may have to have the VPN admin modify it and then push the profile. In the VPN Profile Editor this is what I am referencing:

(screenshot: vpn_profile_editor.PNG)

 

Unfortunately, this does not help in all situations.

We had a customer case today where all of the following was true:

  • certificate matching is configured in AnyConnect profile with ExtendedKeyUsage and DistinguishedName so it only matches the machine cert which is created by some corporate CA and which is located in operating system keystore.
  • authentication is done with cert + AAA where certificate is the machine certificate and AAA is user credentials via RADIUS
  • one Yubico YubiKey OTP+FIDO+CCID is connected (while not in use for AnyConnect)
  • no SmartCard is connected
  • AnyConnect 4.10.01075 on Windows 10 21H2

Result:

  • the connection was established successfully (so auth with cert, auth with AAA and authZ with AAA were successful), and one second later AnyConnect disconnects, throwing the error message from above. Clearly visible in the DART bundle.
  • when the YubiKey was disconnected, the problem could not be recreated anymore. Plugged it back in and tried to connect again: the problem was occurring again.

Currently, this was a rare case for this customer, so TAC case will only be created, if more users are complaining. Sorry.
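For reference, here is what the <CertificateMatch> section that Mike.Cifelli points to looks like when configured the way the reply above describes (restricted to a machine certificate issued by the corporate CA, matched on ExtendedKeyUsage and DistinguishedName). This is an added example of an AnyConnect client profile fragment, not a profile from anyone in this thread; the CA name, domain and gateway host are placeholders, and, as the reply above states, this restricts which certificate AnyConnect selects but did not prevent the disconnect seen with a YubiKey inserted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an AnyConnect client profile (normally found under
     C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\).
     Not from the original thread; CA name, domain and gateway are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Search only the Windows machine store; CertificateStoreOverride lets
         non-admin users use the machine store. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <!-- Only certificates with the TLS client authentication EKU -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <!-- Issuer CN must be the corporate CA (placeholder name, exact match) -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Corp Issuing CA 01</Pattern>
        </DistinguishedNameDefinition>
        <!-- Subject CN must contain the corporate machine domain (placeholder);
             with Wildcard enabled the pattern is matched as a substring -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>CN</Name>
          <Pattern>corp.example.com</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Profiles are normally built in the VPN Profile Editor and pushed from the headend; a hand-edited copy in the Profile directory is useful only for checking what the client is currently running with (the DART bundle shows which certificate it selected).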


kjacobs
Level 1

Unfortunately the minidriver solution doesn't work. Using AnyConnect 4.10.05085, if a YubiKey is connected the user will receive two error messages: 1) "The client agent has encountered an error.", and 2) "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." Unplug the device, and the connection succeeds. I have the minidriver, YubiKey Manager, and YubiKey PIV Tool installed. PIV is the only applet enabled on the YubiKey.