
Windows 10 update to build 1709 and anyconnect NAM wireless network no longer works

lilieli
Level 1

Here are the problems:

 

We have a lot of users connecting to the office remotely. We have some Windows Surface PCs with Windows 10 which we wish to upgrade to build 1709.

 

We are using Cisco AnyConnect VPN for the connection, with a profile for wired and wireless with NAM.

 

Everything is working fine. The test user connects to the network with the AnyConnect client, and the update package is pushed to the client. Then Windows 10 requires the client to reboot the PC in order for the update to take place. Once we reboot, the AnyConnect client and NAM come up... but NAM doesn't see any WiFi connection anymore... so it is no longer possible to get the test user connected to the office, unless we deactivate NAM on the network card (which defeats the whole purpose of using NAM).

 

I am looking on the net for some solutions... I still can't believe we are the only ones experiencing this problem.

We have tried three versions of AnyConnect and we had the same problems:

(4.5.04029, 4.5.2036, 4.4.00243)

 

Does anyone have any ideas of what is happening... it feels like Windows 10 is doing something to NAM. Perhaps it is reactivating something and it is not letting NAM deactivate the Windows management of the card.

I thought it was something to do with this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva84287

 

But then again this is an old bug...

 

Any advice or suggestions would be appreciated.

 

Accepted Solutions

The answer is to unbind the "Cisco AnyConnect Network Access Manager Filter Driver" in the properties of the "Cisco AnyConnect Secure Mobility Client Connection" network card.

Prior to the update it is unbound and after the update it is bound. The Windows update is making changes to the NAM.

 

 

Please see our answer from TAC:

 

We were able to test this workaround today with the following.

We noted the Cisco AnyConnect Network Access Manager filter was bound to the VPN adapter. Microsoft's OS code causes the adapter to unbind during initialization as seen in the above logs. To work around this issue we went into the network settings on your machine, opened up the Cisco AnyConnect Secure Mobility Client Connection, and unchecked the “Cisco AnyConnect Network Access Manager Filter Driver”. After we disabled this we were able to successfully test and gain network access.

As I understand, this may not be feasible for users to do on an individual basis; this can silently be pushed out without user interference.

Manually or programmatically unbind the NAM filter driver from the VPN Virtual Adapter. One way to do this is with the following PowerShell command.

"Disable-NetAdapterBinding -InterfaceDescription *AnyConnect* -ComponentID CSCO_acnamfd"

e.g.
Before running the command you can see the NAM filter is bound to the interface.

PS C:\WINDOWS\system32> Get-NetAdapterBinding -InterfaceDescription Cisco*

Name       DisplayName                                        ComponentID  Enabled
----       -----------                                        -----------  -------
Ethernet 2 Microsoft Network Monitor 3 Driver                 ms_netmon    True
Ethernet 2 Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True
Ethernet 2 Microsoft LLDP Protocol Driver                     ms_lldp      True
Ethernet 2 Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2 Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2 Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2 Cisco AnyConnect Network Access Manager Filter ... CSCO_acnamfd True
Ethernet 2 File and Printer Sharing for Microsoft Networks    ms_server    True

Run Command:
PS> Disable-NetAdapterBinding -InterfaceDescription Cisco* -ComponentID CSCO_acnamfd
Or
PS> Disable-NetAdapterBinding -InterfaceDescription *AnyConnect* -ComponentID CSCO_acnamfd

After:

PS C:\WINDOWS\system32> Get-NetAdapterBinding -InterfaceDescription Cisco*

Name       DisplayName                                        ComponentID  Enabled
----       -----------                                        -----------  -------
Ethernet 2 Microsoft Network Monitor 3 Driver                 ms_netmon    True
Ethernet 2 Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True
Ethernet 2 Microsoft LLDP Protocol Driver                     ms_lldp      True
Ethernet 2 Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2 Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2 Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2 Cisco AnyConnect Network Access Manager Filter ... CSCO_acnamfd False
Ethernet 2 File and Printer Sharing for Microsoft Networks    ms_server    True
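
A fleet-deployable form of the TAC workaround above, added here as an example (not code from the original thread or from Cisco): it unbinds `CSCO_acnamfd` only from adapters matching `*AnyConnect*`, skips adapters that are already unbound, and exits non-zero if the filter is still bound afterwards. The function name `Repair-NamFilterBinding` and the report fields are hypothetical; it assumes an elevated session, for example a management agent running as SYSTEM.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent unbind of the NAM filter from the AnyConnect VPN virtual adapter.
# The ComponentID and the *AnyConnect* pattern come from the TAC command quoted above;
# the function name and the shape of the report object are hypothetical.

function Repair-NamFilterBinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Narrower of the two patterns TAC gave, so other Cisco* adapters are not touched.
        [string]$InterfaceDescription = '*AnyConnect*',
        [string]$ComponentID = 'CSCO_acnamfd'
    )

    $bindings = @(Get-NetAdapterBinding -InterfaceDescription $InterfaceDescription `
                      -ComponentID $ComponentID -ErrorAction SilentlyContinue)

    if ($bindings.Count -eq 0) {
        Write-Verbose "No adapter matching '$InterfaceDescription' carries $ComponentID."
        return
    }

    foreach ($b in $bindings) {
        $action = 'AlreadyUnbound'
        if ($b.Enabled) {
            if ($PSCmdlet.ShouldProcess($b.Name, "Unbind $ComponentID")) {
                Disable-NetAdapterBinding -Name $b.Name -ComponentID $ComponentID -ErrorAction Stop
                $action = 'Unbound'
            } else {
                $action = 'WouldUnbind'   # -WhatIf run: nothing was changed
            }
        }
        # Re-read the binding so the report shows the real state, not the intended one.
        $now = Get-NetAdapterBinding -Name $b.Name -ComponentID $ComponentID
        [pscustomobject]@{
            Adapter = $b.Name; ComponentID = $ComponentID
            Action  = $action; Enabled = $now.Enabled
        }
    }
}

$result = Repair-NamFilterBinding -Verbose
$result | Format-Table -AutoSize
# Non-zero exit lets a deployment tool flag machines where the filter is still bound.
if ($result | Where-Object Enabled) { exit 1 } else { exit 0 }
```

Running `Repair-NamFilterBinding -WhatIf` first reports which adapters would change without modifying any binding.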

11 Replies

Marvin Rhoads
Hall of Fame

I'm not using a Surface but I do have Windows 10 with the 1709 update and am using NAM with VPN modules of AnyConnect (as well as Umbrella, DART and NVM). For me it works OK.

 

I suspect maybe it is an issue specific to either your network driver or a specific piece of Windows 10 on Surface.

 

If you have Cisco support, you can generate a DART package and open a case with it.

Well, the problem is that once the Surface Pro is restarted "outside" the corporate network... it is stuck with the wireless profile of the corporate network.
If I go to "manage my connection", I can see my home network... but it still doesn't want to connect to anything other than my wireless corporate network, which is the profile I am pushing through NAM.
It was working fine prior to the update.... Does anyone have any ideas?

I went through the Windows logs... and I can see in the event log that, prior to the reboot of the Surface, NAM closes ungracefully and reloads in 2000ms. We tried to repair the connection and it is not working.

I have the exact same issue. After updating to build 1709 of Windows 10, a previously functional AnyConnect 4.4 client (with NAM) stopped connecting. Watching the client while it was connecting the behavior was:

 

1. Prompt for username password

2. Establishing VPN (in IPSec portion of client)

3. Established (in IPSec portion)

4. Immediately after (<1 second) NAM switched from displaying the SSID of my wireless network to "wired"

5. As my "wired" connection is not in place - indeed, not plugged in at all, this results in a loss of connectivity.

6. VPN tears down due to loss of connectivity.

 

Trying to troubleshoot the issue now, but no version of AnyConnect seems to work, and I can't even get 4.4 to reinstall - only DART shows up. 

Hi,

Here is the solution that we have managed to find with Cisco TAC:

 

Navigate to the properties of your network card, the one named: "Cisco AnyConnect Secure Mobility Client Connection"

- Uncheck the "Cisco AnyConnect Network Access Manager Filter Driver"

 

- Try to connect, it should work.

 

Unfortunately this is being changed by the Windows 10 update. Prior to the upgrade this option is "unchecked" and after the upgrade it is "checked".

 

Please see information from TAC about it here:

As I understand, this may not be feasible for users to do on an individual basis; this can silently be pushed out without user interference.

Manually or programmatically unbind the NAM filter driver from the VPN Virtual Adapter. One way to do this is with the following PowerShell command.

"Disable-NetAdapterBinding -InterfaceDescription *AnyConnect* -ComponentID CSCO_acnamfd"

 

e.g.

Before running the command you can see the NAM filter is bound to the interface.

PS C:\WINDOWS\system32> Get-NetAdapterBinding -InterfaceDescription Cisco*

Name       DisplayName                                        ComponentID  Enabled
----       -----------                                        -----------  -------
Ethernet 2 Microsoft Network Monitor 3 Driver                 ms_netmon    True
Ethernet 2 Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True
Ethernet 2 Microsoft LLDP Protocol Driver                     ms_lldp      True
Ethernet 2 Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2 Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2 Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2 Cisco AnyConnect Network Access Manager Filter ... CSCO_acnamfd True
Ethernet 2 File and Printer Sharing for Microsoft Networks    ms_server    True

Run Command:

PS> Disable-NetAdapterBinding -InterfaceDescription Cisco* -ComponentID CSCO_acnamfd

Or

PS> Disable-NetAdapterBinding -InterfaceDescription *AnyConnect* -ComponentID CSCO_acnamfd

After:

PS C:\WINDOWS\system32> Get-NetAdapterBinding -InterfaceDescription Cisco*

Name       DisplayName                                        ComponentID  Enabled
----       -----------                                        -----------  -------
Ethernet 2 Microsoft Network Monitor 3 Driver                 ms_netmon    True
Ethernet 2 Internet Protocol Version 4 (TCP/IPv4)             ms_tcpip     True
Ethernet 2 Microsoft LLDP Protocol Driver                     ms_lldp      True
Ethernet 2 Link-Layer Topology Discovery Mapper I/O Driver    ms_lltdio    True
Ethernet 2 Hyper-V Extensible Virtual Switch                  vms_pp       False
Ethernet 2 Internet Protocol Version 6 (TCP/IPv6)             ms_tcpip6    True
Ethernet 2 Cisco AnyConnect Network Access Manager Filter ... CSCO_acnamfd False
Ethernet 2 File and Printer Sharing for Microsoft Networks    ms_server    True

 

 

I did have the problem appear after upgrading Anyconnect to 4.5.04029. The solution TAC provided fixed it for me as well.

 

Thanks for sharing it!

A simple solution for the Cisco AnyConnect Secure Mobility Client issue is to click on the menu icon near Network and check "Connect only to Current Network". This will allow the connection to stay on the specified/desired WiFi and will stop it from fluctuating to the "wired" connection. (Cisco version: 4.4.03034, System: Windows 10 version 1709)

PFB the picture for reference :

 

solution.png

We have just started testing Windows 1709 upgrades to our users and are experiencing the same problem.  Does anyone have any idea of a non-hack solution to make this work?  It seems like the provided solution requires a script to be run on the user machine to unbind the interface after the update.  If the update breaks the expected functionality and connectivity, how are we supposed to run the script after the update to apply the fix?  I don't believe it is feasible for us to manually perform this task or have users execute a local script that is staged on their machines before the update.  The majority of our users don't even have local administrative rights to their own machines which I suspect will be a problem if the answer is to have them run the script locally.

 

This issue has resulted in discussions calling for investigation of the Windows Supplicant to be used over NAM for dot1x authentication.

The same is happening in our office, but the solution I provided from the TAC works. I was told that the newest version of NAM did not have the problem: version 4.6... but I have not yet tested it. This old experience between Windows 10 and NAM put a lot of questions on the table for us.
Have you tried with version 4.6 of AnyConnect?
PS: the problem comes from Windows changing the settings to Windows' "own" default settings. It is a pain!
Many thanks

Do you have any solution for this?

 

Regards

Pankaj

As of 4.7.01076 we believe this problem has been resolved.