Introduction

My standard AD user account's password far exceeds 15 characters, including an upper, a lower, a special, and a number - I have no issues with AnyConnect and a Cisco endpoint. This worked with an LDAP login, and then when it was moved to a RADIUS-type login to leverage a two-factor provider. Keep the 'static' configuration on the ASA. On the core switch, add a route for 10.13.3.0/24 (your Anyconnect ip pool) with the ASA's inside ip address 192.168.10.3 as next-hop.

This document briefly describes the possible error messages that appear during the installation of AnyConnect VPN client on Apple MAC machines and their corresponding resolutions.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA Security Appliance that runs software version 8.x

  • Cisco IOS® Router that runs Cisco IOS Software Release 12.4(20)T

  • Cisco AnyConnect Client software version 2.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Error Messages

This section shows a list of error messages along with the solutions.

Package Corrupt Error Message

When AnyConnect 2.3 is launched from an Apple MAC machine, the Anyconnect Package corrupt or unavailable error message appears and eventually, the connection attempt fails.

Solution

This can be a problem with the absence of the MAC-related AnyConnect package on the flash of the router. Upload the suitable AnyConnect package for MAC in order to resolve this issue. Upload the corresponding AnyConnect package, which depends upon the MAC architecture. For MACs on the Intel processor, you need the i386 macos image and for MACs that run the Power PC processor (PPC) you need the powerpc macos image. These are example packages for your reference:

  • anyconnect-macosx-i386-2.5.3055-k9.pkg

  • anyconnect-macosx-powerpc-2.5.3055-k9.pkg

Split DNS Issues

When split DNS is enabled on an AnyConnect setup, all the DNS queries are sent in the clear instead of through the tunnel. This problem occurs only on Apple MAC machines; Windows machines work fine.

Solution

This behavior is observed and filed in Cisco bug ID CSCtf03894 (registered customers only). In order to resolve this issue, you can upgrade to the AnyConnect release 3.0.4235, which has the Split DNS Functionality Enhancement. As a workaround, you can also use the built-in IPSec VPN client supported by Apple, which does not have this issue.
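To confirm whether a client is affected, capture DNS traffic on the physical interface while the tunnel is up and look for queries that belong to the split-DNS domains. The following Python is an added example, not Cisco code: the domain list, the addresses, the interface name en0 and the capture lines are constructed, and the regular expression assumes the text output of tcpdump -n.

```python
import re

# Assumption: the split-DNS domains configured on the head end (constructed names).
SPLIT_DNS_DOMAINS = ["corp.example.com", "lab.example.net"]

# Constructed sample of `tcpdump -n -i en0 port 53` text output, taken on the
# physical interface (en0 is an assumption) while the VPN tunnel is up.
CAPTURE = """\
12:00:01.100000 IP 192.168.1.20.51514 > 192.168.1.1.53: 4660+ A? intranet.corp.example.com. (43)
12:00:01.200000 IP 192.168.1.20.51515 > 192.168.1.1.53: 4661+ AAAA? www.example.org. (33)
12:00:01.300000 IP 192.168.1.20.51516 > 192.168.1.1.53: 4662+ [1au] A? Build.LAB.example.net. (50)
12:00:01.400000 IP 192.168.1.20.51517 > 192.168.1.1.53: 4663+ A? notcorp.example.com. (37)
12:00:01.500000 IP 192.168.1.1.53 > 192.168.1.20.51514: 4660 1/0/0 A 10.0.0.7 (59)
"""

# A query line: "> <server>.53: <id><flags> [opts] <QTYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"> (?P<server>\d+(?:\.\d+){3})\.53: \d+[+*%-]* (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \("
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_split_domain(qname, domains=SPLIT_DNS_DOMAINS):
    """True if qname equals a split-DNS domain or is a subdomain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalize, domains))


def find_leaks(capture, domains=SPLIT_DNS_DOMAINS):
    """Return (server, qtype, qname) for tunneled-domain queries seen in clear."""
    leaks = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)  # responses (source port 53) do not match
        if m and in_split_domain(m["qname"], domains):
            leaks.append((m["server"], m["qtype"], normalize(m["qname"])))
    return leaks


if __name__ == "__main__":
    for server, qtype, qname in find_leaks(CAPTURE):
        print(f"LEAK: {qtype} {qname} sent in clear to {server}")
```

Queries for names outside the split-DNS list are expected on the physical interface; only the matches indicate the behavior described in this section.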

SVC Error Message

The launch of AnyConnect from a Macbook Pro running OSX Leopard is not successful. The VPN gateway is ASA running 8.0.4. The connection fails and the SVC Message: 16/ERROR: Initialization failure (mem alloc failed, etc.) error message appears.

Solution

This can be a problem with the way the MAC machine attempts to connect to the ASA. First verify whether any IPv6 adaptors are enabled on the MAC machine and check whether the MAC tries to contact the ASA over the IPv6 network. If so, the connection fails because IPv6 is not supported with AnyConnect. In order to resolve this, disable the IPv6-related services on the MAC machine and try to connect with an IPv4 address.

Web-based Installation Error Message when AnyConnect is Launched on MAC

There are intermittent issues when you launch AnyConnect version 2.5 on the MAC with OSX 10.5.6. The web-based installation was unsuccessful error message appears. At that time, you are unable to download and install AnyConnect, and the browser used is Firefox. If you reboot the MAC machine, this fixes the issue temporarily, but intermittently, the issue happens again.

Solution

Verify if your VPN gateways are connected in Load-balancer mode. If it is connected, then there could be some DNS cache-related issues that cause improper DNS redirects. In order to resolve this issue, always try to map the DNS URL to connect to one specific VPN gateway only.

MAC OSX 10.6.3 is Unable to get to Internet

When you use the AnyConnect on a MAC machine, you can access the Internal Corporate network but you are unable to browse to the Internet. It neither works by FQDN nor by IP address. There is a proxy server in use for Internet traffic.

Solution

The issue can be due to the length of the PMTU. Verify the existing MTU size on the VPN gateway (for example, the ASA) and modify it to a lesser value. In this sample output, the MTU size is reduced to 1204 from the existing 1400.

AnyConnect on MAC fails to launch to Cisco IOS Router

The attempt to launch AnyConnect in standalone mode to a Cisco IOS® Router running Cisco IOS Software Release 12.4(20)T is unsuccessful. The anyconnect internal error (state: not connected) error message appears.

Solution

Cisco IOS Software Release 12.4(20)T supports AnyConnect on MAC in standalone mode without any problem. In order to resolve this, try to use the complete URL when you connect to the Cisco IOS head-end device. This is a sample URL:

If this issue persists, contact Cisco TAC (registered customers only) for further troubleshooting.

Note: You need to have valid Cisco user credentials to contact Cisco TAC.

Wireless CSSC for an Apple MAC

Currently, the NAM module on the AnyConnect 3.0 product replaces the Cisco Secure Services Client (CSSC). Refer to Network Access Manager (Replacement for CSSC) for more information. There is no current plan to enable NAM to support MAC OSX platform.

Unable to Upgrade Firefox while AnyConnect is Installed on MAC

This error message appears when you upgrade Firefox on Apple machine version 10.6:

On machines that use softtokens, this error message appears:

It is observed that these MAC machines have AnyConnect version 2.5 installed. The current version of Firefox is 3.6.13.

Solution

This behavior has been tested and filed in Cisco bug ID CSCtn93915 (registered customers only). As a workaround, you can try any of these described options.

  • Uninstall AnyConnect, upgrade Firefox and then install AnyConnect again.

  • Uninstall the current version of Firefox, then install the new version. All other upgrades after this should work fine.

Web-based Installation of AnyConnect Hangs

The authentication phase works fine but the VPN system hangs at the Using Sun Java for installation phase.

Solution

The issue could be with the Java and Web applet settings on the machine. Sometimes, Java gets stuck when you use the web launch with a MAC machine. Refer to Cisco bug ID CSCtq86368 (registered customers only) for more information. In order to resolve this issue, follow these steps.

  1. Uninstall AnyConnect.

  2. Open Java preferences.

  3. Change to run applets in their own process.

  4. Drag the 32 bit Java on top.

    If this does not help, upgrade the AnyConnect client to the latest available release.

Unable to Launch AnyConnect on MAC

You are unable to launch AnyConnect on the MAC machine due to certain incompatible software. What are other options to use this MAC machine as a remote access VPN client?

Solution

Refer to What options do I have for providing remote access to Mac users? for more information. Refer to IPSec VPN client for Apple MAC for more information and complete details.

Unable to Download the MAC AnyConnect Package

There are issues when you download the AnyConnect for MAC software from Cisco.com.

Solution

Open the Cisco AnyConnect VPN Client home page and click on Download Software (registered customers only) on the right hand side of the web page. Choose the required software package and download with valid Cisco user credentials.

Related Information

Objective

The objective of this document is to show you basic troubleshooting steps on some common errors on the Cisco AnyConnect Secure Mobility Client. When installing the Cisco AnyConnect Secure Mobility Client, errors may occur and troubleshooting may be needed for a successful setup.

Note that the errors discussed in this document are not an exhaustive list and vary with the configuration of the device used.

For additional information on AnyConnect licensing on the RV340 series routers, check out the article AnyConnect Licensing for the RV340 Series Routers.

Software Version

  • AnyConnect v4.x (Link to download)

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Note: Before attempting to troubleshoot, it is recommended to gather some important information first about your system that might be needed during the troubleshooting process. To learn how, click here.

1. Problem: Network Access Manager fails to recognize your wired adapter.

Solution: Try unplugging your network cable and reinserting it. If this does not work, you may have a link issue. The Network Access Manager may not be able to determine the correct link state of your adapter. Check the Connection Properties of your Network Interface Card (NIC) driver. You may have a 'Wait for Link' option in the Advanced Panel. When the setting is On, the wired NIC driver initialization code waits for auto negotiation to complete and then determines if a link is present.

2. Problem: When AnyConnect attempts to establish a connection, it authenticates successfully and builds the Secure Socket Layer (SSL) session, but then the AnyConnect client crashes in the vpndownloader if using Label-Switched Path (LSP) or NOD32 Antivirus.

Solution: Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32 AV.

3. Problem: If you are using an AT&T Dialer, the client operating system sometimes experiences a blue screen, which causes the creation of a mini dump file.

Solution: Upgrade to the latest 7.6.2 AT&T Global Network Client.

4. Problem: When using McAfee Firewall 5, a User Datagram Protocol (UDP) Datagram Transport Layer Security (DTLS) connection cannot be established.

Solution: In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

5. Problem: The connection fails due to lack of credentials.

Solution: The third-party load balancer has no insight into the load on the Adaptive Security Appliance (ASA) devices. Because the load balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices, using the internal ASA load balancing instead is recommended.

6. Problem: The AnyConnect client fails to download and produces the following error message:

Solution: Upload the patch update to version 1.2.1.38 to resolve all dll issues.

7. Problem: If you are using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify the IP forwarding table.

Solution: Disable the Bonjour Printing Service by typing net stop "bonjour service" at the command prompt. A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web site.

8. Problem: An error indicates that the version of TUN or network tunnel is already installed on this system and is incompatible with the AnyConnect client.

Solution: Uninstall the Viscosity OpenVPN Client.

9. Problem: If a Label-Switched Path (LSP) module is present on the client, a Winsock catalog conflict may occur.

Solution: Uninstall the LSP module.

10. Problem: If you are connecting with a Digital Subscriber Line (DSL) router, DTLS traffic may fail even if successfully negotiated.

Solution: Connect to a Linksys router with factory settings. This setting allows a stable DTLS session and no interruption in pings. Add a rule to allow DTLS return traffic.

11. Problem: When using AnyConnect on some Virtual Machine Network Service devices, performance issues have resulted.

Solution: Uncheck the binding for all IM devices within the AnyConnect virtual adapter. The application dsagent.exe resides in C:\Windows\System\dgagent. Although it does not appear in the process list, you can see it by opening sockets with TCPview (sysinternals). When you terminate this process, normal operation of AnyConnect returns.

12. Problem: You receive an “Unable to Proceed, Cannot Connect to the VPN Service” message. The VPN service for AnyConnect is not running.

Solution: Determine if another application conflicted with the service by going to the Windows Administration Tools then make sure that the Cisco AnyConnect VPN Agent is not running. If it is running and the error message still appears, another VPN application on the workstation may need to be disabled or even uninstalled. After taking that action, reboot, and repeat this step.

13. Problem: When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right after CSTP state = CONNECTED. The following message appears:

Solution: Uninstall Kaspersky and refer to their forums for additional updates.

14. Problem: If you are using Routing and Remote Access Service (RRAS), the following termination error is returned to the event log when AnyConnect attempts to establish a connection to the host device:

Solution: Disable the RRAS service.

15. Problem: If you are using an EVDO wireless card and Venturi driver while a client disconnect occurred, the event log reports the following:

Solutions:

  • Check the Application, System, and AnyConnect event logs for a related disconnect event and determine if a NIC card reset was applied at the same time.
  • Ensure that the Venturi driver is up to date. Disable Use Rules Engine in the 6.7 version of the AT&T Communications Manager.

If you encounter other errors, contact the support center for your device.

For further information and community discussion on AnyConnect licensing updates, click here.

For AnyConnect Licensing FAQs, click here.