Cisco Anyconnect Is Not Connecting




Cisco AnyConnect used to work on my laptop. Now when it starts, the dialog pops up for a moment, but the VPN location dropdown and Connect button are disabled. Then the dialog goes away and no connection is made. Internal support said my profile is probably the problem and that I should re-image the machine, which is not a viable option.

Have a newer Lenovo Thinkpad with Cisco Anyconnect client with the symptom as stated above in Topic title. Have 40 - 45 other Lenovo and Dell laptops working fine. Tried different.

Cisco Anyconnect Mobility VPN Client will not connect with any user credentials - Spiceworks.


Introduction

This document briefly describes the possible error messages that appear during the installation of AnyConnect VPN client on Apple MAC machines and their corresponding resolutions.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA Security Appliance that runs software version 8.x

  • Cisco IOS® Router that runs Cisco IOS Software Release 12.4(20)T

  • Cisco AnyConnect Client software version 2.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Error Messages

This section shows a list of error messages along with the solutions.

Package Corrupt Error Message

When AnyConnect 2.3 is launched from an Apple MAC machine, the Anyconnect Package corrupt or unavailable error message appears and eventually, the connection attempt fails.

Solution

This can be caused by the absence of the MAC-related AnyConnect package on the flash of the router. Upload the AnyConnect package that matches the MAC architecture in order to resolve this issue: MACs with an Intel processor need the i386 macos image, and MACs with a PowerPC (PPC) processor need the powerpc macos image. These are example packages for your reference:

  • anyconnect-macosx-i386-2.5.3055-k9.pkg

  • anyconnect-macosx-powerpc-2.5.3055-k9.pkg

Split DNS Issues

When split DNS is enabled on an AnyConnect setup, all DNS queries are sent in the clear outside the tunnel instead of being tunneled. This problem affects only Apple MAC machines; Windows machines work fine.

Solution

This behavior is observed and filed in Cisco bug ID CSCtf03894 (registered customers only). In order to resolve this issue, you can upgrade to AnyConnect release 3.0.4235, which has the Split DNS Functionality Enhancement. As a workaround, you can also use the built-in IPSec VPN client supported by Apple, which does not have this issue.

SVC Error Message

The launch of AnyConnect from a Macbook Pro running OSX Leopard is not successful. The VPN gateway is ASA running 8.0.4. The connection fails and the SVC Message: 16/ERROR: Initialization failure (mem allocfailed, etc.) error message appears.

Solution

This can be a problem with the way the MAC machine attempts to connect to the ASA. First verify whether any IPv6 adapters are enabled on the MAC machine and check whether the MAC tries to contact the ASA over IPv6. If so, the connection fails because IPv6 is not supported with AnyConnect. In order to resolve this, disable the IPv6-related services on the MAC machine and try to connect with an IPv4 address.

Web-based Installation Error Message when AnyConnect is Launched on MAC

There are intermittent issues when you launch AnyConnect version 2.5 on a MAC with OSX 10.5.6. The web-based installation was unsuccessful error message appears. At that time, you are unable to download and install AnyConnect, and the browser used is Firefox. A reboot of the MAC machine fixes the issue temporarily, but the issue intermittently recurs.

Solution

Verify whether your VPN gateways are deployed in load-balancer mode. If they are, DNS cache-related issues can cause improper DNS redirects. In order to resolve this issue, always map the DNS URL to one specific VPN gateway only.

MAC OSX 10.6.3 is Unable to get to Internet

When you use the AnyConnect on a MAC machine, you can access the Internal Corporate network but you are unable to browse to the Internet. It neither works by FQDN nor by IP address. There is a proxy server in use for Internet traffic.

Solution

The issue can be due to the path MTU (PMTU). Verify the existing MTU size on the VPN gateway (for example, the ASA) and reduce it. In this sample output, the MTU size is reduced from the existing 1400 to 1204.

AnyConnect on MAC fails to launch to Cisco IOS Router

The attempt to launch AnyConnect in standalone mode to a Cisco IOS® Router running Cisco IOS Software Release 12.4(20)T is unsuccessful. The anyconnect internal error (state: not connected) error message appears.

Solution

Cisco IOS Software Release 12.4(20)T supports AnyConnect on MAC in standalone mode without any problem. In order to resolve this, try to use the complete URL when you connect to the Cisco IOS head-end device. This is a sample URL:

If this issue persists, contact Cisco TAC (registered customers only) for further troubleshooting.

Note: You need to have valid Cisco user credentials to contact Cisco TAC.

Wireless CSSC for an Apple MAC

Currently, the NAM module on the AnyConnect 3.0 product replaces the Cisco Secure Services Client (CSSC). Refer to Network Access Manager (Replacement for CSSC) for more information. There is no current plan to enable NAM to support MAC OSX platform.

Unable to Upgrade Firefox while AnyConnect is Installed on MAC

This error message appears when you upgrade Firefox on Apple machine version 10.6:

On machines that use softtokens, this error message appears:

It is observed that these MAC machines have AnyConnect version 2.5 installed. The current version of Firefox is 3.6.13.

Solution

This behavior has been tested and filed in Cisco bug ID CSCtn93915 (registered customers only). As a workaround, you can try either of these options.

  • Uninstall AnyConnect, upgrade Firefox and then install AnyConnect again.

  • Uninstall the current version of Firefox, then install the new version. All subsequent upgrades should work fine.

Web-based Installation of AnyConnect Hangs

The authentication phase works fine but the VPN system hangs at the Using Sun Java for installation phase.

Solution

The issue could be with the Java and web applet settings on the machine. Sometimes, Java gets stuck when you use web launch on a MAC machine. Refer to Cisco bug ID CSCtq86368 (registered customers only) for more information. In order to resolve this issue, follow these steps.

  1. Uninstall AnyConnect.

  2. Open Java preferences.

  3. Change to run applets in their own process.

  4. Drag the 32 bit Java on top.

If this does not help, upgrade the AnyConnect client to the latest available release.

Unable to Launch AnyConnect on MAC

You are unable to launch AnyConnect on the MAC machine due to certain incompatible software. What are other options to use this MAC machine as a remote access VPN client?

Solution

Refer to What options do I have for providing remote access to Mac users? for more information. Refer to IPSec VPN client for Apple MAC for more information and complete details.

Unable to Download the MAC AnyConnect Package

There are issues when you download the AnyConnect for MAC software from Cisco.com.

Solution

Open the Cisco AnyConnect VPN Client home page and click on Download Software (registered customers only) on the right hand side of the web page. Choose the required software package and download with valid Cisco user credentials.


Introduction

This document describes how to troubleshoot some of the most common communication issues of the Cisco AnyConnect Secure Mobility Client on Firepower Threat Defense (FTD) when it uses either Secure Socket Layer (SSL) or Internet Key Exchange version 2 (IKEv2).

Contributed by Angel Ortiz and Fernando Jimenez, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco AnyConnect Secure Mobility Client.
  • Cisco FTD.
  • Cisco Firepower Management Center (FMC).

Components Used


The information in this document is based on these software and hardware versions:

  • FTD managed by FMC 6.4.0.
  • AnyConnect 4.8.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Recommended troubleshoot process

This guide explains how to troubleshoot some common communication issues that AnyConnect clients have when the FTD is used as the Remote Access Virtual Private Network (VPN) gateway. The following sections address these problems and provide solutions:

  • AnyConnect clients cannot access internal resources.
  • AnyConnect clients do not have internet access.
  • AnyConnect clients cannot communicate between each other.
  • AnyConnect clients cannot establish phone calls.
  • AnyConnect clients can establish phone calls. However, there is no audio on the calls.

AnyConnect clients cannot access internal resources

Complete these steps:

Step 1. Verify Split tunnel configuration.

  • Navigate to the Connection Profile that AnyConnect clients are connected to: Devices > VPN > Remote Access > Connection Profile > Select the Profile.
  • Navigate to the Group-Policy assigned to that Profile: Edit Group Policy > General.
  • Check the Split Tunneling configuration, as shown in the image.
  • If it's configured as Tunnel networks specified below, verify the Access Control List (ACL) configuration: navigate to Objects > Object Management > Access List > Edit the Access List for Split tunneling.
  • Ensure that the networks that you try to reach from the AnyConnect VPN client are listed in that Access List, as shown in the image.

Step 2. Verify Network Address Translation (NAT) exemption configuration.

Remember that we must configure a NAT exemption rule to prevent this traffic from being translated to the interface IP address, which is usually configured for internet access with Port Address Translation (PAT).

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the NAT exemption rule is configured for the correct source (internal) and destination (AnyConnect VPN Pool) networks. Also check that the correct source and destination interfaces have been selected, as shown in the image.

Note: When NAT exemption rules are configured, check the no-proxy-arp and perform route-lookup options as a best practice.


Step 3. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the selected internal networks, as shown in the image.

AnyConnect clients do not have internet access

There are two possible scenarios for this issue.

  1. Traffic destined for the internet must not go through the VPN tunnel.

Ensure that the Group-Policy is configured for Split tunneling as Tunnel networks specified below and NOT as Allow all traffic over tunnel, as shown in the image.

  2. Traffic destined for the Internet must go through the VPN tunnel.

In this case, the most common Group-Policy configuration for Split tunneling would be to select Allow all traffic over tunnel, as shown in the image.


Step 1. Verify NAT exemption configuration for internal network reachability.

Remember that we must still configure a NAT exemption rule to have access to the internal network. Please review Step 2 of the AnyConnect clients cannot access internal resources section.

Step 2. Verify hairpinning configuration for dynamic translations.


In order for AnyConnect clients to have internet access through the VPN tunnel, we need to ensure that the hairpinning NAT configuration is correct, so that their traffic is translated to the interface's IP address.

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the Dynamic NAT rule is configured for the correct interface (Internet Service Provider (ISP) link) as source and destination (hairpinning). Also check that the network used for the AnyConnect VPN address pool is selected in Original source and the Destination Interface IP option is selected for Translated source, as shown in the image.


Step 3. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the external resources, as shown in the image.

AnyConnect clients cannot communicate between each other

There are two possible scenarios for this issue:

  1. AnyConnect clients with Allow all traffic over tunnel configuration in place.
  2. AnyConnect clients with Tunnel networks specified below configuration in place.

1. AnyConnect clients with Allow all traffic over tunnel configuration in place.


When Allow all traffic over tunnel is configured for AnyConnect, all traffic, internal and external, is forwarded to the AnyConnect headend. This becomes a problem when you have NAT for public Internet access: traffic that comes from one AnyConnect client and is destined to another AnyConnect client is translated to the interface IP address, and therefore communication fails.


Step 1. Verify NAT exemption configuration.

In order to overcome this problem, a manual NAT exemption rule must be configured to allow bidirectional communication between the AnyConnect clients.

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the NAT exemption rule is configured for the correct source (AnyConnect VPN Pool) and destination (AnyConnect VPN Pool) networks. Also check that the correct hairpin configuration is in place, as shown in the image.

Step 2. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect Clients is allowed, as shown in the image.


2. AnyConnect clients with Tunnel networks specified below configuration in place.

With Tunnel networks specified below configured for the AnyConnect clients, only specific traffic is forwarded through the VPN tunnel. However, we need to ensure that the headend has the proper configuration to allow communication between the AnyConnect clients.

Step 1. Verify NAT exemption configuration.

Please check Step 1, in the Allow all traffic over tunnel section.

Step 2. Verify Split tunneling configuration.

For AnyConnect clients to communicate with each other, we need to add the VPN pool addresses to the Split-Tunnel ACL.

  • Please follow Step 1 of the AnyConnect clients cannot access internal resources section.
  • Ensure that the AnyConnect VPN Pool network is listed in the Split tunneling Access List, as shown in the image.

Note: If there is more than one IP Pool for AnyConnect clients and communication between the different pools is needed, make sure that all of the pools are added to the split tunneling ACL, and also add a NAT exemption rule for the needed IP Pools.
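The split-tunnel ACL and NAT exemption checks above (Step 1 of the internal resources section, the client-to-client Steps 1 and 2, and the multiple-pool note) are easy to get wrong by hand once there are several pools. The script below is an added example, not Cisco's or FMC's code: it takes the VPN pools, the internal networks clients must reach, the split-tunnel ACL entries and the NAT exemption rules as plain CIDR strings (all of the values below are constructed sample data, with the second pool deliberately left out of the ACL and most exemptions missing) and reports which targets the ACL does not tunnel and which source/destination directions have no exemption. The same check applies to the voice-server case later on the page: treat the voice server network as one of the internal networks.

```python
"""Audit split-tunnel ACL and NAT-exemption coverage for an AnyConnect deployment.

Added example, not Cisco's code. The VPN pools, internal networks, ACL and
NAT rules below are constructed sample data; replace them with the objects
from FMC (Objects > Object Management > Access List, Devices > NAT).
"""
import ipaddress
from itertools import combinations_with_replacement

# --- constructed sample data (not from any real deployment) -----------------
VPN_POOLS = ["10.10.10.0/24", "10.10.20.0/24"]            # two AnyConnect address pools
INTERNAL_NETWORKS = ["192.168.1.0/24", "172.16.5.0/24"]   # corporate LAN and voice servers
SPLIT_TUNNEL_ACL = ["192.168.0.0/16", "172.16.5.0/24", "10.10.10.0/24"]  # second pool forgotten
# NAT exemption rules as (original source, original destination) network pairs
NAT_EXEMPT_RULES = [
    ("192.168.1.0/24", "10.10.10.0/24"),
    ("10.10.10.0/24", "192.168.1.0/24"),
    ("10.10.10.0/24", "10.10.10.0/24"),   # hairpin rule: pool 1 to pool 1 only
]


def covered(net, acl):
    """True if `net` lies entirely inside at least one entry of `acl`.

    An entry of a different IP version never covers a network (subnet_of
    raises TypeError when an IPv4 and an IPv6 network are compared).
    """
    target = ipaddress.ip_network(net, strict=False)
    for entry in acl:
        entry_net = ipaddress.ip_network(entry, strict=False)
        if entry_net.version == target.version and target.subnet_of(entry_net):
            return True
    return False


def missing_split_tunnel_entries(split_acl, required_networks):
    """Networks a client must reach that the split-tunnel ACL does not send into the tunnel."""
    return [n for n in required_networks if not covered(n, split_acl)]


def missing_nat_exemptions(exempt_rules, required_pairs):
    """(src, dst) directions that no exemption rule matches.

    Each required pair must be exempt in both directions so that the traffic
    is not PAT-translated to the interface address on the way in or out.
    """
    missing = []
    for a, b in required_pairs:
        directions = [(a, b)] if a == b else [(a, b), (b, a)]
        for src, dst in directions:
            if not any(covered(src, [rs]) and covered(dst, [rd]) for rs, rd in exempt_rules):
                missing.append((src, dst))
    return missing


def audit(pools, internal_networks, split_acl, exempt_rules):
    """Run both checks.

    The pools themselves are required targets so that client-to-client traffic
    is tunnelled, and every pool pair (a pool with itself included, for the
    hairpin case) needs a NAT exemption.
    """
    required_targets = list(internal_networks) + list(pools)
    required_pairs = [(p, i) for p in pools for i in internal_networks]
    required_pairs += list(combinations_with_replacement(pools, 2))
    return {
        "split_tunnel_missing": missing_split_tunnel_entries(split_acl, required_targets),
        "nat_exempt_missing": missing_nat_exemptions(exempt_rules, required_pairs),
    }


if __name__ == "__main__":
    report = audit(VPN_POOLS, INTERNAL_NETWORKS, SPLIT_TUNNEL_ACL, NAT_EXEMPT_RULES)
    for net in report["split_tunnel_missing"]:
        print(f"split-tunnel ACL is missing {net}")
    for src, dst in report["nat_exempt_missing"]:
        print(f"no NAT exemption for {src} -> {dst}")
```

With the sample data the audit reports the forgotten 10.10.20.0/24 pool in the ACL and nine missing exemption directions (pool 1 to the voice servers, everything involving pool 2, and pool 1 to pool 2 in both directions); once every pool and the internal networks are covered by the ACL and by exemption rules in both directions, both lists come back empty.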

Step 3. Verify Access Control Policy.

Ensure that traffic from the AnyConnect clients is allowed as shown in the image.

AnyConnect clients cannot establish phone calls

There are some scenarios where AnyConnect clients need to establish phone calls and video conferences over VPN.

AnyConnect clients can connect to the AnyConnect headend without any problem. They can reach internal and external resources, however phone calls cannot be established.

For these cases, we need to consider the following points:

  • Network topology for voice.
  • Protocols involved, for example Session Initiation Protocol (SIP), Rapid Spanning Tree Protocol (RSTP), etc.
  • How the VPN phones connect to the Cisco Unified Communications Manager (CUCM).

By default, FTD and ASA have application inspection enabled in their global policy-map.

In most scenarios, the VPN phones are not able to establish reliable communication with the CUCM because the AnyConnect headend has an application inspection enabled that modifies the signaling and voice traffic.

For more information about the voice and video applications to which you can apply application inspection, see the following document:


In order to confirm whether application traffic is dropped or modified by the global policy-map, we can use the show service-policy command, as shown below.


In this case we can see how SIP inspection drops the traffic.



Moreover, SIP inspection can also translate IP addresses inside the payload (not only in the IP header), which causes further issues. Hence it is recommended to disable it when voice services are used over AnyConnect VPN.
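The show service-policy output above is where the SIP drops become visible; on a busy head end the relevant line is easy to miss among the other inspections. The following is an added example, not Cisco's code: a small parser that reads the per-inspection counter lines, reports whether SIP inspection is present in the global policy at all, and lists every inspection whose drop or reset-drop counters are non-zero. The SAMPLE_OUTPUT text is constructed to mimic the counter line format and is not real device output; run the command on your own head end and feed its text to parse_service_policy().

```python
"""Parse `show service-policy` output and flag inspections that drop traffic.

Added example, not Cisco's code. SAMPLE_OUTPUT is constructed to resemble the
counter lines printed for each `inspect` action; it is not captured from a
real device.
"""
import re

# Constructed sample output: SIP inspection is enabled and is dropping packets.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1523, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 2 pkts/sec, v6-fail-close 0
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: sip , packet 418, lock fail 0, drop 37, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
"""

# One line per inspection: the protocol name, an optional inspection policy-map
# name before the first comma, then the packet / lock fail / drop / reset-drop
# counters.
INSPECT_LINE = re.compile(
    r"^\s*Inspect:\s+(?P<name>[^\s,]+)[^,]*,"
    r"\s*packet\s+(?P<packets>\d+),"
    r"\s*lock fail\s+(?P<lock_fail>\d+),"
    r"\s*drop\s+(?P<drops>\d+),"
    r"\s*reset-drop\s+(?P<reset_drops>\d+)"
)


def parse_service_policy(text):
    """Return one dict per `Inspect:` line with its name and integer counters."""
    entries = []
    for line in text.splitlines():
        match = INSPECT_LINE.match(line)
        if not match:
            continue
        entry = {"inspection": match["name"]}
        for key in ("packets", "lock_fail", "drops", "reset_drops"):
            entry[key] = int(match[key])
        entries.append(entry)
    return entries


def sip_inspection_enabled(entries):
    """True if an `inspect sip` action appears anywhere in the parsed output."""
    return any(e["inspection"] == "sip" for e in entries)


def inspections_with_drops(entries):
    """Names of inspections whose drop or reset-drop counters are non-zero."""
    return [e["inspection"] for e in entries if e["drops"] or e["reset_drops"]]


def voice_findings(text):
    """Summary a practitioner wants before troubleshooting VPN phone calls."""
    entries = parse_service_policy(text)
    return {
        "sip_inspection_enabled": sip_inspection_enabled(entries),
        "dropping": inspections_with_drops(entries),
    }


if __name__ == "__main__":
    findings = voice_findings(SAMPLE_OUTPUT)
    print("SIP inspection enabled:", findings["sip_inspection_enabled"])
    print("inspections dropping traffic:", ", ".join(findings["dropping"]) or "none")
```

The parser keys on the counters only, so a line whose policy-map name contains spaces (the h323 entry in the sample) is still attributed to the right protocol. If the head end has several service policies, the same function can be run over the whole output and the entries filtered by class-map as needed.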


In order to disable it, complete these steps:

Step 1. Enter the privileged EXEC mode.

For more information on how to access this mode, see the following document:

Step 2. Verify the global policy-map.

Run the following command and verify whether SIP inspection is enabled.

Step 3. Disable SIP inspection.

If SIP inspection is enabled, turn it off by running the command below from the CLISH prompt:

Step 4. Verify the Global Policy-map again.

Ensure that SIP inspection is disabled from the global policy-map:

AnyConnect clients can establish phone calls, however there is no audio on the calls

As mentioned in the previous section, a very common need for AnyConnect clients is to establish phone calls when connected to the VPN. In some cases the call can be established, but the clients experience a lack of audio on it. This applies to the following scenarios:

  • No audio on the call between an AnyConnect client and an external number.
  • No audio on the call between an AnyConnect client and another AnyConnect client.

In order to get this fixed, we can follow these steps:

Step 1. Verify Split tunneling configuration.

  • Navigate to the Connection Profile used to connect: Devices > VPN > Remote Access > Connection Profile > Select the Profile.
  • Navigate to the Group-Policy assigned to that Profile: Edit Group Policy > General.
  • Check the Split Tunneling configuration, as shown in the image.
  • If configured as Tunnel networks specified below, verify the Access List configuration: Objects > Object Management > Access List > Edit the Access List for Split tunneling.
  • Ensure that the Voice Servers and the AnyConnect IP Pool networks are listed in the Split tunneling Access List, as shown in the image.


Step 2. Verify NAT exemption configuration.

NAT exemption rules must be configured to exempt traffic from the AnyConnect VPN network to the Voice Servers network and also to allow bidirectional communication between the AnyConnect clients.

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the NAT exemption rule is configured for the correct source (Voice Servers) and destination (AnyConnect VPN Pool) networks, and that the hairpin NAT rule that allows AnyConnect client to AnyConnect client communication is in place. Moreover, check that the correct inbound and outbound interface configuration is in place for each rule, per your network design, as shown in the image.

Step 3. Verify that SIP inspection is disabled.

Please review the previous section AnyConnect clients cannot establish phone calls to know how to disable SIP inspection.

Step 4. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the Voice servers and involved networks, as shown in the image.

Related Information

  • This video provides the configuration example for the different issues discussed in this document.
  • For additional assistance, please contact the Technical Assistance Center (TAC). A valid support contract is required: Cisco Worldwide Support Contacts.
  • You can also visit the Cisco VPN Community here.