AnyConnect: "Connection attempt has failed due to network or PC issue"

vvanwaveren · ‎12-12-2014

Hi,

I just formatted my PC, Installed Win 7 Ultimate and am now trying to connect to my work PC, using Cisco AnyConnect Secure Mobility Client.

I'm getting the error "Connection attempt has failed due to network or PC issue"

I was connecting fine before the format.

I don't have a anti-virus installed at the moment and have even turned off Windows fire wall.

What should I do?

Thanks.

David Watkins · ‎12-16-2014

Could be lots of potential issue here. I would contact your help desk.

ToddBarats · ‎03-26-2015

We are trying to implement DUO Security (Two-Factor Auth) and am having the same issue too. One thing I've noticed is that when I do a "sh vpn-sessiondb anyconnect", I see the user connected but does not get an ip address assigned from the IP from the ip local pool for the VPN. When he doesn't get the message and is able to connect, he get an IP from the pool. When I run debugs for radius and packet captures for the radius server, I see successful authentication.

For any session that does not get an ip from the pool, I have to kill that session (vpn-sessiondb logoff index ###) because the ASA thinks the session is still active when it's not.

Username     : USERNAME-JOE             Index        : 2384
Public IP    : x.x.x.195
Protocol     : AnyConnect-Parent
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none
Hashing      : AnyConnect-Parent: (1)none
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : Remote-Access          Tunnel Group : Remote-Access
Login Time   : 14:19:55 EDT Thu Mar 26 2015
Duration     : 0h:44m:17s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a00c8010095000055144dcb
Security Grp : none

Username     : USERNAME-JOE             Index        : 2385
Assigned IP : 172.31.0.100           Public IP    : x.x.x.195
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4
Hashing      : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx     : 49479                  Bytes Rx     : 46193
Group Policy : Remote-Access          Tunnel Group : Remote-Access
Login Time   : 14:39:41 EDT Thu Mar 26 2015
Duration     : 0h:24m:34s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a00c801009510005514526d
Security Grp : none

ANY IDEAS????

ToddBarats · ‎04-01-2015

Add a <ServerList> section to the AnyConnect profile as shown in the example below. If your AnyConnect profile already contains a server list section, replace the <HostAddress> IP address or non-qualified host name of your ASA with the fully qualified domain name as shown in the example.

<ServerList>
<HostEntry>
<HostName>ASA-01
</HostName>
<HostAddress>asa-01.cisco.com
</HostAddress>
</HostEntry>
</ServerList>

ToddBarats · ‎04-01-2015

When you formatted your PC, you removed your "user profile" setting stored within AnyConnect (an .xml setting). From that standpoint, you have 12 seconds to login, otherwise you get the "Connection attempt failed" message.

When I added a host name to the user profile's xml file, it resolved my "Connection attempt has failed due to network or PC issue" message.

Referenced Information:

Why is the AnyConnect client connection attempt disconnecting after 12 seconds when I have increased the timeout?

An issue with the AnyConnect client causes it to ignore the timeout setting and use the 12 second default when the fully qualified host domain name (FQDN) of the Cisco ASA is not present in the AnyConnect client profile. This may cause the AnyConnect client to disconnect during the two-factor authentication attempt (Cisco forum link).

To fix this, add a <ServerList> section to the AnyConnect profile as shown in the example below. If your AnyConnect profile already contains a server list section, replace the <HostAddress> IP address or non-qualified host name of your ASA with the fully qualified domain name as shown in the example.

<ServerList>
<HostEntry>
<HostName>ASA-01
</HostName>
<HostAddress>asa-01.cisco.com
</HostAddress>
</HostEntry>
</ServerList>

See the AnyConnect Server List Settings documentation and instructions for using the ASDM AnyConnect Client Profile Editor at the Cisco site for more information

While the Cisco forum link above references AnyConnect 2.x versions, the issue persists in version 3.x.

https://www.duosecurity.com/docs/cisco-faq#why-is-the-60-second-timeout-for-the-aaa-radius-server-being-ignored?