AnyConnect – The VPN Connection Failed (Domain Name Resolution)
KB ID 0001236 Problem This is a pretty generic error to be honest. AnyConnect Secure Mobility Client VPN The VPN connection failed due to unsuccessful domain name resolution. Solution Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved can’t it? If not then you might want to consider some employment that does not involve computers. Secondly (this is what usually trips me up) did you copy...
AnyConnect – ‘Your environment does not meet the criteria’
KB ID 0001232 Problem For an existing client, I was setting up a new user. I connected their laptop though my mobile phone and attempted to connect. This is the error I got. Cisco AnyConnect Logon denied: Your environment does not meet the access criteria defined by your administrator. Solution A cursory glance over the firewall config didn’t yield anything in their AAA settings that was odd, they were simply using LDAP for...
Cisco – Cannot Connect to the ASA FirePOWER Module
KB ID 0001182 Problem There’s an alarming amount of people who have contacted me about this error; Cannot connect the the ASA FirePOWER module. Cannot connect the the ASA FirePOWER module.. Check that it is correctly configured and on the network. It’s also possible that the management address is being translated by NAT. Please verify the IP address/Hostname and port. Note: If you have just updated or re-imaged the SFR...
AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)
KB ID 0001156 Problem Carrying on from PART 1 Solution Add > Create Before. Edit the Policy Giv the policy set a name and description > Create a new condition. Set Description to Device Type. Equals > All Device Types (The Device Group You Created Above). Add attribute value. Set Description to RADIUS. NAS-Port-Type-[61]. Equals > Virtual. Edit the Authentication Policy. Change the identity source to the the identity...
AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)
KB ID 0001155 Problem To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACL’s to your remote clients and give them different levels of access, based on their group membership. I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only...
Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups
KB ID 0001152 Problem When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loath change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I...
Cisco AnyConnect – Adding Multiple VPN Devices to the Client
KB ID 0001011 Problem If you connect to a lot of different firewalls, then constantly having to change the address you are going to can be a pain. Particularly if some clients don’t have a host name for their device, and you can’t remember everyone’s IP addresses. Solution I do this slightly different to most other people, I create a connection file for every endpoint I want to go to, because a) I can transfer them...
AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’
KB ID 0000406 Problem While attempting to connect to a Cisco firewall with a Linux client (In my case Ubuntu 10.10,) using AnyConnect you see the following error. Or on MAC OSX Error: Cisco AnyConnect VPN Client The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again. Note: You may also see this error on a Mac OSX, or a Windows CE machine....
Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea
KB ID 0001055 Problem After a large AnyConnect 4 roll-out, I had the following conversation with a client; Client: Can we change the way the clients authenticate? Me: Yes, no problem what do you need? Client: Well instead of user based certificate authentication, we want to use computer certificates only. Me: Really why? Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and...
Cisco AnyConnect Error “The VPN client driver has encountered an error”
KB ID 0000347 Problem I rolled out AnyConnect for a client this week, and saw this error on one of the clients. Error Reads: The VPN client driver has received an error. Solution A quick search of web forums etc, sent me all over the place, the most promising link told me to do the following, Repair This issue is due to Cisco bug ID CSCsm54689 (registered customers only) . In order to resolve this issue, make sure that Routing and...