01-13-2022 01:46 AM - edited 01-13-2022 01:48 AM
Hi,
Cisco AnyConnect throws the error "The client agent has encountered an error." while a YubiKey is inserted. Evaluating this behaviour, I found the following issues.
1) Scenario: 1 YubiKey is connected, no other smartcard is connected
AnyConnect eventlog reports the following.
a) SCARD_E_UNEXPECTED:
Invoked Function: CryptAcquireContextW
Return Code: 0x8010001F
b) CERTSTORE_ERROR_PROVIDER_ERROR:
Invoked Function: CSmartcardContext::acquireCryptProvForSmartcard
Return Code: 0xFE20000B
while processing smart card Yubico YubiKey OTP+FIDO+CCID 0
2) Scenario: 2 YubiKeys are connected
AnyConnect eventlog reports the following.
a) CERTSTORE_ERROR_NO_KEY:
Invoked Function: CSMartcardContext::acquireCryptProvForSMartcard
Return Code: 0xFE200019
while processing smart card Yubico YubiKey OTP+FIDO+CCID 0 and also the same
while processing smart card Yubico YubiKey OTP+FIDO+CCID 1
3) Scenario: 1 YubiKey is connected, 1 other smartcard is connected
AnyConnect eventlog reports the following.
a) CERTSTORE_ERROR_CERT_NOT_FOUND:
Invoked Function: CSmartcardContextUtilsBase::populateSmartcardInfo
Return Code: 0xFE20000E
one step earlier: SCardListCards - Empty card name returned from reader: OMNIKEY CardMan 3x21 0
b) CERTSTORE_ERROR_NO_KEY:
Invoked Function: CSMartcardContext::acquireCryptProvForSMartcard
Return Code: 0xFE200019
while processing smart card Yubico YubiKey OTP+FIDO+CCID 0
Scenarios 2 and 3 are working properly. Although there are errors reported in the eventlog, the VPN connection will be established properly and remain connected.
In Scenario 1 the VPN connection will be established completely (following the AnyConnect eventlog entries). But at the end there is another access to the smartcard as described above, and now this error seems to lead to the termination of the VPN connection. So at the beginning SCARD_E_UNEXPECTED seems to have no effect, but at the end it prevents the connection from staying alive. Even if the other scenarios work properly, connecting another smart card to make AnyConnect work is not a solution. Above all, the YubiKey is not required for the VPN connection.
The type of card being connected to the external smartcard reader does not matter. Even inserting a card the wrong way round bypasses the problem. A connected SIM card is a workaround, too.
Deactivating the CCID functionality of the YubiKey (and so the PIV functionality) solves the problem with AnyConnect (as described at https://gist.github.com/markwoon/b8e0e78c9f7c9a9229226145ea1c1c36). But the YubiKey's smartcard functionality is required for another application running next to AnyConnect. Therefore CCID is required and cannot be deactivated.
So I am searching for a solution to get AnyConnect to work even if there is one YubiKey connected with the CCID functionality being activated. Please let me know if there is anything I can do to solve the problem on my side. I will provide any additional information which helps solving this problem.
AnyConnect version: 4.9.03049
YubiKey: 5Ci (firmware version 5.2.6)
YubiKey: 5C (firmware version 5.4.3)
YubiKey: NEO (firmware version 3.3.4)
Any help would be really appreciated.
Kind regards
Mõbius
04-05-2022 07:40 AM
After installing the YubiKey smartcard mini driver it works for me. Having this driver installed the behaviour changes to the following.
I did not analyze the AnyConnect event log entries. But my customer committed installing this driver to be "the solution".
All workarounds or possible solutions I found in this case had a comment like "... worked for my customer ...". But there is no bugfix from Cisco.
Thanks to all joining this post.
Mõbius
01-13-2022 02:36 AM
Additionally:
This problem seems not to be related to YubiKey only. Using another smartcard with PIV functionality the problem is the same: a smartcard error is reported in the eventlog. But with two smartcards connected with PIV functionality enabled, the problem does not exist.
02-10-2022 03:03 AM
Do you already have a TAC Case opened for that? If yes, maybe you can share outcome / Bug ID or Case ID for reference
02-10-2022 04:16 AM - edited 04-05-2022 07:26 AM
Unfortunately, I cannot create such a TAC case because this problem is related to one of our customers and he has to open such a case. I have no contract with Cisco and may not open a TAC case on my own. My customer is instructed to do so, but at the moment there are some difficulties, so I guess there is no TAC case at the moment.
If somebody being able to open a TAC case would do that in this matter, I would really appreciate that.
And of course, as soon as I have any solution for this I will post it here.
Kind regards
Mõbius
02-10-2022 04:49 AM
Have you tried certificate matching criteria in the AC VPN Profile? This would allow AnyConnect to always use/select the correct certificate from whatever physical medium you are intending to use. The VPN profile is placed here on Windows clients: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile. You can open the xml file in WordPad to view the current settings. The section I am referencing is the <CertificateMatch> xml section. You may have to have the VPN admin modify it and then push the profile. In the VPN Profile Editor this is what I am referencing:
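As an added illustration (not from the poster above and not a profile shipped by Cisco), here is a minimal AnyConnect client profile whose <CertificateMatch> section restricts selection to certificates with a ClientAuth EKU issued by one CA; the element names follow the AnyConnect profile schema, while the issuer CN and the gateway hostname are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Search only the user store; smart-card certificates are propagated there -->
    <CertificateStore>User</CertificateStore>
    <CertificateMatch>
      <!-- Require key usages that a VPN client-authentication certificate carries -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <!-- Pin the issuer so certificates from an unrelated PIV applet are skipped.
           The pattern is a placeholder; replace it with the CN of the VPN issuing CA. -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>EXAMPLE-VPN-ISSUING-CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder gateway; use the real headend name the admin publishes -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

A profile edited locally is overwritten by the one the headend pushes at the next connection, so the matching rules only stick once the VPN admin publishes them from the gateway.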
02-10-2022 06:03 AM
Unfortunately, this does not help in all situations.
We had a customer case today where all of the following was true:
Result:
Currently, this was a rare case for this customer, so a TAC case will only be created if more users are complaining. Sorry.
05-27-2022 07:37 AM - edited 05-27-2022 07:55 AM
Unfortunately the minidriver solution doesn't work. Using AnyConnect 4.10.05085, if a YubiKey is connected the user will receive two error messages: 1) "The client agent has encountered an error.", and 2) "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." Unplug the device, and the connection succeeds. I have the minidriver, YubiKey Manager, and YubiKey PIV Tool installed. PIV is the only applet enabled on the YubiKey.