AnyConnect VPN Client Troubleshooting Guide – Common Problems
Introduction
This document describes a troubleshooting scenario that applies to applications that do not run through the Cisco AnyConnect VPN Client.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Adaptive Security Appliance (ASA) running version 8.x.
The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.
Troubleshooting process
This typical troubleshooting scenario applies to applications that do not run through the Cisco AnyConnect VPN Client for end users using computers running Microsoft Windows. These sections address problems and provide solutions:
Installation issues and virtual adapter
Complete these steps:
- Get the device log file:
If you see errors in the setupapi log file, you can turn the verbosity up to 0x2000FFFF.
- Get the MSI installer log file:
If this is an initial web-deploy installation, this log is placed in the temporary directory of each user.
If this is an automatic upgrade, this log is in the temporary directory of the system:
\Windows\Temp
The file name has this format: anyconnect-win-xxxxxx-k9-install-yyyyyyyyyyyyy.log. Get the most recent file for the client version you want to install. x.xxxx changes depending on the version, such as 2.0.0343, and yyyyyyyyyyyyy is the date and time stamp of the installation.
- Get the PC system information file:
- From the Command Prompt / DOS box, type this:
- Get the systeminfo dump file from the Command Prompt:
Windows XP and Windows Vista:
systeminfo > c:\sysinfo.txt
Refer to AnyConnect: Corrupted Driver Database Issue to correct the driver issue.
Disconnected or unable to establish initial connection
If you have problems connecting with the AnyConnect client, such as disconnecting or not being able to establish an initial connection, get these files:
- Configuration file from ASA to determine if anything in the configuration is causing the connection to fail:
From the ASA console, type write net x.x.x.x:ASA-Config.txt, where x.x.x.x is the IP address of a TFTP server on the network.
or
From the ASA console, type show running-config. Let the configuration finish scrolling on the screen, then cut and paste it into a text editor and save it.
- ASA event logs:
- To enable ASA logging for authentication, WebVPN, SSL, and SSL VPN Client (SVC) events, issue these CLI commands:
config terminal
logging enable
logging timestamp
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging
- Create an AnyConnect session and make sure the failure can be reproduced. Capture the logging output from the console to a text editor and save it.
- In order to disable logging, issue no logging enable.
- Cisco AnyConnect VPN Client log from the client computer’s Windows Event Viewer:
- Choose Start > Run.
- Enter eventvwr.msc /s
- Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.
If the user cannot connect with the AnyConnect VPN Client, the issue may be related to a Remote Desktop Protocol (RDP) session or to Fast User Switching being enabled on the client computer. The user sees this error message on the client computer: AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established. To resolve this problem, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile, but there is currently no setting that actually allows a user to establish a VPN connection while multiple users are logged in at the same time on the same machine. An enhancement request, CSCsx15061, was filed to address this feature.
When the user cannot connect the AnyConnect VPN Client to the ASA, the problem may be caused by an incompatibility between the AnyConnect client version and the ASA software image version. In this case, the user receives this error message: The installer was not able to start the Cisco VPN Client, clientless access is not available.
To solve this problem, upgrade the AnyConnect client version to be compatible with the ASA software image.
When you log in to AnyConnect for the first time, the login script does not run. If you disconnect and log in again, the login script runs fine. This is expected behavior.
When you connect the AnyConnect VPN Client to the ASA, you may receive this error: The user is not authorized for AnyConnect Client access, contact your administrator.
This error appears when the AnyConnect image is missing from the ASA. Once the image is loaded onto the ASA, AnyConnect can connect to the ASA without any problems.
This error can also be resolved by disabling Datagram Transport Layer Security (DTLS). Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and uncheck the Enable DTLS check box. This disables DTLS.
The dartbundle files show this error message when the user gets disconnected: TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: Secure Gateway failed to respond to Dead Peer Detection packets. This error means that the DTLS channel was torn down because Dead Peer Detection (DPD) failed. This error is resolved if you tweak the DPD keepalives and issue these commands:
webvpn
svc keepalive 30
svc dpd-interval client 80
svc dpd-interval gateway 80
The svc keepalive and svc dpd-interval commands are replaced by the anyconnect ssl keepalive and anyconnect dpd-interval commands in ASA version 8.4(1) and later, as shown here:
webvpn
anyconnect ssl keepalive 15
anyconnect dpd-interval client 5
anyconnect dpd-interval gateway 5
Traffic problems
When problems are detected with passing traffic to the private network over an AnyConnect session through the ASA, complete these data-gathering steps:
- Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output of show access-list XXXXX. Verify that the access list XXXXX does not block the intended traffic flow.
- Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
- Check the ASA configuration file for nat statements. If Network Address Translation (NAT) is enabled, the data that returns to the client must be exempted from NAT. For example, to exempt the IP addresses of the AnyConnect pool from NAT (nat 0), use these commands on the CLI:
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
- Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for unencrypted traffic.
Example:
!--- The route outside 0 0 is an incorrect statement.
route outside 0 0 10.145.50.1
route inside 0 0 10.0.4.2 tunneled
For example, if the VPN client needs to access a resource that is not in the routing table of the VPN gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the full internal routing table to resolve this. The tunneled keyword can be used in this case.
- Check if the AnyConnect traffic is dropped by the inspection policy of the ASA. You can exempt the specific application that the AnyConnect client uses if you implement the Cisco ASA Modular Policy Framework. For example, you can exempt the skinny protocol with these commands:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect skinny
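The first and third steps above both come down to reading access-list entries and deciding what they do to a flow from the AnyConnect pool. This added example (not part of the Cisco document) parses output in the format of show access-list, evaluates a named ACL, such as the vpn-filter reported by show vpn-sessiondb, for a given flow, and checks that the nat 0 ACL covers the whole pool. The ACL named VPN_FILTER and the 10.0.x.x networks are constructed for the sample; in_nat0_out and the 10.136.246.0/24 pool are the document's own values.

```python
"""Check ASA access lists against an AnyConnect traffic flow.

Added example, not from the Cisco document. It parses entries in the format
printed by `show access-list`, then (1) evaluates the vpn-filter ACL that
`show vpn-sessiondb detail svc filter name <username>` reports, for a given
flow, and (2) confirms that the NAT-exemption (nat 0) ACL covers the pool.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output. VPN_FILTER and the 10.0.x.x networks are
# assumptions; in_nat0_out and the 10.136.246.0/24 pool come from the document.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list VPN_FILTER; 3 elements; name hash: 0x1a2b3c4d
access-list VPN_FILTER line 1 extended permit tcp any 10.0.4.0 255.255.255.0 eq 443 (hitcnt=12) 0x11111111
access-list VPN_FILTER line 2 extended deny ip any 10.0.5.0 255.255.255.0 (hitcnt=3) 0x22222222
access-list VPN_FILTER line 3 extended permit ip any 10.0.0.0 255.0.0.0 (hitcnt=40) 0x33333333
access-list in_nat0_out; 1 elements; name hash: 0x5e6f7a8b
access-list in_nat0_out line 1 extended permit ip any 10.136.246.0 255.255.255.0 (hitcnt=0) 0x44444444
"""

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]         # destination port after "eq"; None means any port

def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts the dotted-netmask form that the ASA prints
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_show_access_list(text: str) -> Dict[str, List[Ace]]:
    """Group the extended ACEs of `show access-list` output by ACL name, in order."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        tokens = line.split()
        # Skip the per-ACL summary line and anything that is not an extended ACE
        if len(tokens) < 6 or tokens[0] != "access-list" or "extended" not in tokens:
            continue
        i = tokens.index("extended") + 1          # also skips the optional "line N"
        action, proto = tokens[i], tokens[i + 1]
        src, i = _take_addr(tokens, i + 2)
        dst, i = _take_addr(tokens, i)
        dport = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(tokens[1], []).append(Ace(action, proto, src, dst, dport))
    return acls

def first_match(aces: List[Ace], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Optional[Ace]:
    """Return the first ACE the flow matches, or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != str(dport):
            continue
        return ace
    return None

def flow_permitted(acls, acl_name, proto, src, dst, dport=None) -> bool:
    """True when the named ACL (for example the session's vpn-filter) permits the flow."""
    hit = first_match(acls.get(acl_name, []), proto, src, dst, dport)
    return hit is not None and hit.action == "permit"

def nat_exempt_covers_pool(acls, acl_name, pool) -> bool:
    """True when a 'permit ip' ACE of the nat 0 ACL has the whole AnyConnect pool as destination."""
    net = ipaddress.ip_network(pool)
    return any(ace.action == "permit" and ace.proto == "ip" and net.subnet_of(ace.dst)
               for ace in acls.get(acl_name, []))

if __name__ == "__main__":
    acls = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    # A pool client reaching an internal HTTPS server, and one blocked by line 2
    print(flow_permitted(acls, "VPN_FILTER", "tcp", "10.136.246.5", "10.0.4.10", 443))
    print(flow_permitted(acls, "VPN_FILTER", "tcp", "10.136.246.5", "10.0.5.10", 80))
    print(nat_exempt_covers_pool(acls, "in_nat0_out", "10.136.246.0/24"))
```

Paste the real show access-list output in place of the constructed sample and use the client's assigned pool address as the source. A flow that returns None from first_match is hitting the implicit deny at the end of the ACL, which is the case the first step asks you to rule out; a False from nat_exempt_covers_pool means return traffic for part of the pool is still being translated.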
AnyConnect crash problems
Complete these data collection steps:
- Make sure the Microsoft Dr. Watson utility is enabled. To do this, choose Start > Run, and run drwtsn32.exe. Configure this and click OK:
Number of Instructions: 25
Number of Errors to Save: 25
Crash Dump Type: Mini
Dump Symbol Table: Checked
Dump All Thread Contexts: Checked
Append to Existing Log File: Checked
Visual Notification: Checked
Create Crash Dump File: Checked
When the crash occurs, collect the .log and .dmp files from C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. If these files appear to be in use, use ntbackup.exe.
- Get the Cisco AnyConnect VPN Client log from the Windows Event Viewer for the client computer:
- Choose Start > Run.
- Enter eventvwr.msc /s
- Right-click the Cisco AnyConnect VPN Client log, and select Save Log File As AnyConnect.evt.
Fragmentation / Traffic Problems
Some applications, such as Microsoft Outlook, do not work. However, the tunnel is able to pass other traffic such as small pings.
This can provide clues to a fragmentation problem in the network. Consumer routers are particularly poor at packet fragmentation and reassembly.
Try a scaling set of pings to determine if they fail at a certain size. For example, ping -l 500, ping -l 1000, ping -l 1500, ping -l 2000.
It is recommended that you configure a special group for users with fragmentation problems and set the SVC Maximum Transmission Unit (MTU) for this group to 1200. This allows you to remediate the users who experience this problem without affecting the broader user base.
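The manual ping sweep above can be automated. This added example (not part of the Cisco document) binary-searches the largest payload that an echo request with the Don't Fragment bit set still gets answered for, and adds the IP and ICMP headers back to report the path MTU. The probe function is injectable: ping_df_succeeds shells out to the Windows ping (-f -l) or Linux iputils ping (-M do -s) for a real host, and simulated_path is a constructed stand-in for a network with a given MTU so the logic can be run offline.

```python
"""Find the largest unfragmented ICMP payload on a path, as a ping sweep does.

Added example, not from the Cisco document. It automates the manual
`ping -l 500`, `ping -l 1000`, ... sweep by binary searching the payload size
with the Don't Fragment bit set, then reports the resulting path MTU.
"""
import platform
import subprocess
import sys
from typing import Callable

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header; ping -l counts only the payload after it

def ping_df_succeeds(host: str, payload: int) -> bool:
    """Send one Don't-Fragment echo request with the given payload; True if it is answered."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]  # Linux iputils syntax
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def largest_passing_payload(probe: Callable[[int], bool], low: int = 0, high: int = 2000) -> int:
    """Binary search the largest payload size for which probe(size) succeeds.

    Assumes probe is monotonic: once one size fails, every larger size fails too.
    Returns -1 if even `low` fails (host unreachable or filtered).
    """
    if not probe(low):
        return -1
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def path_mtu(probe: Callable[[int], bool], high: int = 2000) -> int:
    """Path MTU in bytes: largest payload plus IP and ICMP headers, or -1 if nothing passes."""
    payload = largest_passing_payload(probe, 0, high)
    return -1 if payload < 0 else payload + IP_HEADER + ICMP_HEADER

def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real network: echoes are answered only when they fit the MTU."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= mtu

if __name__ == "__main__":
    # With a host argument, probe the real path; otherwise use a constructed 1400-byte path
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df_succeeds(host, p)) if host else simulated_path(1400)
    print("path MTU:", path_mtu(probe))
```

A result well below 1500 toward the VPN gateway points at fragmentation in the path, and the svc mtu setting described next is the documented fix for the affected group.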
Problem
TCP connections hang once connected with AnyConnect.
Solution
To confirm whether the user has a fragmentation issue, set the MTU for AnyConnect clients on the ASA:
ASA(config)# group-policy <group-policy-name> attributes
webvpn
svc mtu 1200
Uninstall automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection is terminated. The client logs show that Keep Installed is set to disabled.
Solution
AnyConnect uninstalls itself even though the Keep Installed option is selected in the Adaptive Security Device Manager (ASDM). To resolve this issue, configure the svc keep-installer installed command under group policy.
Issue populating the cluster FQDN
Problem: The AnyConnect client is pre-populated with the hostname instead of the fully qualified domain name (FQDN) of the cluster.
When you have a load-balancing cluster set up for SSL VPN and the client tries to connect to the cluster, the request is redirected to the node ASA and the client logs in successfully. After some time, when the client tries to connect to the cluster again, the cluster FQDN is not seen in the Connect to entries. Instead, the entry for the node ASA to which the client was redirected is seen.
Solution
This happens because the AnyConnect client retains the hostname it last connected to. This behavior was observed and a bug was filed. For complete details about the bug, refer to Cisco bug ID CSCsz39019. The suggested workaround is to upgrade Cisco AnyConnect to version 2.5.
Configure the backup server list
The backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Servers pane of the AnyConnect profile. Complete these steps:
- Download the AnyConnect Profile Editor (registered customers only). The file name is AnyConnectProfileEditor2_4_1.jar.
- Create an XML file using the AnyConnect Profile Editor.
- Go to the Server List tab.
- Click Add.
- Type the main…