Cisco VPN Client Connects but no traffic will Pass

Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.

KB ID 0000199

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

In most cases, if the person launching the VPN client is behind a device that is performing NAT (home router, access point, firewall, etc.), then that device will BREAK the NO NAT, or “nat 0” on pre-8.3 firewalls (that’s the command that says “DON’T change the address of my remote VPN client as it passes up and down the VPN tunnel”).

Update 08/09/16: Due to a bug, I found one case where the cause was NOT broken NAT (see below).

Solution

Enable nat-traversal; this is a global configuration setting and will not affect any other site-to-site or client-to-gateway VPNs you are currently running.

Option 1 Connect to the ASA via the command line.

Then go to enable mode > Configure Terminal mode > issue a “crypto isakmp nat-traversal 20” command > then save the change with a “write mem” command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA#

[/box]

Option 2 Connect to the ASA via ASDM (the version used here is 6.2(5)).

If you can find this in the ASDM post version 7 – You are better than me!

Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I’ve done that and it’s still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a “show run nat” command > make sure there is a NAT statement that goes static (the network behind the ASA) to static (the remote VPN network). It’s the first line in the output below.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Petes-ASA>enable
Password: ********
Petes-ASA# show run nat 
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

2. Make sure the correct network(s) are in the correct groups.

[box]

PetesASA# show run object
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA
object network obj-10.253.253.0 <- Remote VPN Subnet
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
PetesASA#

[/box]

3. Also make sure you don’t have any legacy nat rules breaking things.

On a Firewall Older than Version 8.3

On the firewall issue a “show run nat 0” command > take note of the access-list name.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

In this example mine’s called NO-NAT-TRAFFIC (because I like to keep things simple); yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list: issue a “show run access-list {name}” command.

[box]

Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#

[/box]

Above we have two subnets that are going to be exempt from NAT, 10.253.253.0/24 and 10.252.252.0/24. If the range of IP addresses your remote clients are using is NOT on this list, you need to add it.

If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.

[box]

Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#

[/box]

Again I’ve got a sensible naming policy, so we can see what my pools are for. To see which pools are being used for what, issue a “show run tunnel-group” command.

[box]

Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#

[/box]

If any of yours are missing then change accordingly.
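Checking those show commands by hand gets tedious on a firewall with many pools and ACL entries. The script below is an added example (mine, not the article’s or Cisco’s) that parses the same kinds of output and reports any “ip local pool” whose range is not wholly inside a NAT-exempt remote subnet. It covers both the pre-8.3 “nat (inside) 0 access-list” form and the 8.3+ identity NAT built from network objects. The sample output strings are constructed to match the subnets and names used in this article, not pasted from a real firewall, and the rule that the whole pool must sit inside an exempted subnet is the assumption the check is built on.

```python
import ipaddress
import re

# Constructed sample output, modelled on the "show run" output quoted in the
# article (same subnets and names); it is not pasted from a real firewall.
PRE83_NAT = """\
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
"""
PRE83_ACL = """\
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
"""
POST83_NAT = """\
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
"""
POST83_OBJECTS = """\
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0
object network obj-10.253.253.0
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
"""
POOLS = """\
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
"""


def nat0_acl_name(nat_text):
    """Pre-8.3: the access-list named on the 'nat (inside) 0' line, or None."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", nat_text, re.M)
    return m.group(1) if m else None


def exempt_pairs_pre83(acl_text, acl_name):
    """Pre-8.3: (local subnet, remote subnet) for each permit line of the nat 0 ACL."""
    pat = re.compile(
        rf"^access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return [(ipaddress.ip_network(f"{a}/{am}"), ipaddress.ip_network(f"{b}/{bm}"))
            for a, am, b, bm in pat.findall(acl_text)]


def parse_objects(object_text):
    """8.3+: map network object names to the subnet or host they define."""
    objs, name = {}, None
    for line in object_text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[:2] == ["object", "network"]:
            name = words[2]
        elif name and len(words) == 3 and words[0] == "subnet":
            objs[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif name and len(words) == 2 and words[0] == "host":
            objs[name] = ipaddress.ip_network(f"{words[1]}/32")
    return objs


def exempt_pairs_post83(nat_text, objects):
    """8.3+: identity (twice) NAT pairs, i.e. real and mapped objects identical on both sides."""
    pat = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
    pairs = []
    for real_src, mapped_src, real_dst, mapped_dst in pat.findall(nat_text):
        if (real_src == mapped_src and real_dst == mapped_dst
                and real_src in objects and real_dst in objects):
            pairs.append((objects[real_src], objects[real_dst]))
    return pairs


def parse_pools(pool_text):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", pool_text, re.M):
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def uncovered_pools(pairs, pools):
    """Names of pools whose whole range is NOT inside some NAT-exempt remote subnet."""
    return sorted(name for name, (first, last) in pools.items()
                  if not any(first in remote and last in remote for _local, remote in pairs))


if __name__ == "__main__":
    acl = nat0_acl_name(PRE83_NAT)
    print("pre-8.3 uncovered:", uncovered_pools(exempt_pairs_pre83(PRE83_ACL, acl), parse_pools(POOLS)))
    objs = parse_objects(POST83_OBJECTS)
    print("8.3+ uncovered:", uncovered_pools(exempt_pairs_post83(POST83_NAT, objs), parse_pools(POOLS)))
```

On the constructed samples the pre-8.3 check reports nothing (both pools sit inside exempted subnets), while the 8.3+ sample only exempts 10.253.253.0/24, so SSL-VPN-DHCP-POOL is reported as not covered; that is exactly the gap the steps above tell you to look for. Paste your own show output into the strings (or read it from files) to run it against a real box.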

BUG (08/09/16)

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code that was causing the firewall to silently drop the AnyConnect traffic, so debugs showed nothing and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.

Related Articles, References, Credits, or External Links

NA

Windows and Cisco (IPSEC) VPN Client

KB ID 0000693 

Problem

I’d been running Windows 8 for a while now, but this was the first time I needed to use my Cisco VPN Client software, so I was not happy when this happened.

Note: Using VPN Client version 5.0.07.0440

Secure VPN Connection terminated locally by the Client. Reason 442: Failed to enable Virtual Adapter.

Solution

As it turns out this is a known problem with Windows 8, and there is a work-around.

1. Press Windows Key+R to open the run prompt > regedit {enter}

2. Navigate to;

[box] HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>CVirtA [/box]

Locate the DisplayName > Edit its value > Delete all the text to the LEFT of “Cisco Systems VPN Adapter for 64bit Windows.”

3. So it looks like this.

4. Then it should work as before.


Related Articles, References, Credits, or External Links

Download Cisco VPN Client Software

Cisco – Windows x64 Bit VPN Client (IPSEC)

Note: This page was originally written before the release of the Cisco x64 bit Windows 7 Client

KB ID 0000163

Problem

It was widely accepted for some time that Cisco’s support for the IPSEC VPN client would not be extended to x64-bit Windows platforms; that’s simply because they are gearing up towards their own AnyConnect VPN client.

Update 18/02/10 – Cisco have released an x64 Bit VPN Client for Windows 7 (vpnclient-winx64-msi-5.0.07.0240-k9-BETA).

The cost to swap over to SSL/AnyConnect VPN, in terms of licensing and consultancy is VERY high.

NCP have had an x64-bit compatible client on the market for a while to get round that, but it’s not free (though considerably less than a bunch of SSL VPN licences!). However, as is the way with these things, as soon as people are forced to pay for stuff, someone will produce a free piece of software to do the same.

Step forward Shrew Soft. I test a lot of stuff, and it’s rare that a piece of freeware is as feature-rich as the commercial product, but this is 🙂

Solution

1. Firstly I’m assuming you already have the VPN set up, working, and tested on your Cisco PIX/ASA device; if not CLICK HERE for instructions, or if you’re scared of the command line try THIS or THIS.

2. You need to know the same three primary pieces of information that you need to configure the Cisco VPN Client. Those are:

a. The public IP address of the device you are connecting to.
b. The “Tunnel Group Name” of the remote access VPN.
c. The “Shared Secret” of the remote access tunnel group.

To get the last two pieces of information issue a “more system:running-config” command on your firewall.

[box]

Petes-ASA# more system:running-config

{keep pressing the space bar to scroll though the config}

---unimportant-config-removed-------

tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
pre-shared-key this_is_the_pre_shared_key

---unimportant-config-removed-------

[/box]

So in the example above the Tunnel Group Name is “Remote-VPN” and the shared secret is “this_is_the_pre_shared_key”.

3. Download and install the software from Shrew Soft (in this example I’m using 2.1.5-release)

4. Configure as per the video below.

Related Articles, References, Credits, or External Links

Working with the Cisco VPN Client. (IPSEC)

Cisco ASA 5500 Client VPN Access Via Kerberos (From CLI)

KB ID 0000049

Problem

You would like to enable remote access for your clients using the Cisco VPN Client software.

Solution

Before you start, you need to ask yourself “Do I already have any IPSEC VPNs configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto isakmp” command and check the results; if you do NOT see “crypto isakmp enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto isakmp
crypto isakmp enable outside << Mine’s already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

[/box]

1. Firstly we need to set up Kerberos AAA. If you wanted to use the ASDM to do this CLICK HERE; to do the same via the command line, see the commands below (my DC is at 10.254.254.5 and the domain is petenetlive.com). Note you could use LOCAL or RADIUS for authentication as well, but as the title states we are using Kerberos 🙂

[box]

PetesASA(config)#
PetesASA(config)# aaa-server PNL-KERBEROS protocol kerberos
PetesASA(config-aaa-server-group)# aaa-server PNL-KERBEROS (inside) host 10.254.254.5
PetesASA(config-aaa-server-host)# kerberos-realm PETENETLIVE.COM
PetesASA(config-aaa-server-host)#

[/box]

2. Set up a range of IP addresses for the remote clients to use. Note: DON’T use the same IP range as your internal network (that’s a common error!). In this example I’m going to only have a range of 10 IP addresses.

[box]

PetesASA(config)#
PetesASA(config)# ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
PetesASA(config)#

[/box]

3. Now I’m going to create two access control lists: one for “Split Tunneling” (so when my remote clients connect, they can still browse the internet from their remote location), and the second one to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: If you already have NAT-excluded traffic on the firewall (for other VPNs) this will BREAK THEM. To see if you do, issue a “show run nat” command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.

So below I’m saying “Don’t NAT traffic from the network behind the ASA (10.254.254.0) that’s going to the remote clients (10.253.253.0) that we set up in step 2”.

[box]

PetesASA(config)#
PetesASA(config)# access-list Split-Tunnel standard permit 10.254.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC
PetesASA(config)#

[/box]

3. Now we need to create a “Group Policy”; this will specify that we are going to use split-tunneling, what type of VPN it is (IPSEC), and the domain name and DNS server for the policy.

[box]

PetesASA(config)#
PetesASA(config)# group-policy IPSEC-VPN-POLICY internal
PetesASA(config)# group-policy IPSEC-VPN-POLICY attributes
PetesASA(config-group-policy)# vpn-tunnel-protocol IPSec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PetesASA(config-group-policy)# dns-server value 10.254.254.5
PetesASA(config-group-policy)# default-domain value PETENETLIVE.COM
PetesASA(config)#

[/box]

4. Next we create a tunnel group and tell that group to use the policy we created above; we also specify the Kerberos AAA we created, the IP pool, and lastly we set up a shared key.

NOTE: This sets up two of the three pieces of information that you need to enter into the VPN Client software, the tunnel group goes in the “Name” section, and the pre-shared-key goes in the “Password” section HERE.

[box]

PetesASA(config)#
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP type remote-access
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP general-attributes
PetesASA(config-tunnel-general)# default-group-policy IPSEC-VPN-POLICY
PetesASA(config-tunnel-general)# authentication-server-group PNL-KERBEROS
PetesASA(config-tunnel-general)# address-pool IPSEC-VPN-DHCP-POOL
PetesASA(config-tunnel-general)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 12345678901234567890asdfg
PetesASA(config)#

[/box]

5. Now we add “Transform sets”; these are sets of encryption and hashing algorithms that the firewall will try to use to encrypt traffic.

[box]

PetesASA(config)#
PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
PetesASA(config)# crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
PetesASA(config)#

[/box]

6. Lastly we need to create a “Dynamic Cryptomap”, then get that cryptomap to use the transform sets we have just created.

Note: I’ve also enabled NAT-Traversal here as well. Sometimes the client software will connect successfully and pass no traffic; if that happens, 99% of the time it’s a NAT problem, caused either by mis-configured NAT on the ASA or by a device somewhere in the VPN tunnel’s path that’s performing NAT and breaking the traffic flow. NAT-Traversal fixes this, so let’s turn it on anyway to be on the safe side 🙂

[box]

PetesASA(config)#
PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
PetesASA(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
PetesASA(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
PetesASA(config)#
PetesASA(config)# crypto isakmp nat-traversal 20
PetesASA(config)#

[/box]

7. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

8. Now install and configure the VPN client on your remote client; you need to supply the client with the public IP address of the ASA, the tunnel group name, and the pre-shared-key (the last two were set up in step 4).
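Steps 5 and 6 offer the peer a long list of transform sets, and a reviewer would want to know which of them, and which ISAKMP policy settings, are still worth offering. The audit below is an added example (mine, not the article’s or Cisco’s) that parses “crypto isakmp policy”, “crypto ipsec transform-set” and “crypto dynamic-map” lines and lists the weak choices a peer could still negotiate: DES/3DES, MD5, and DH groups 1 and 2. The sample config is constructed from a subset of the commands shown above, and the weak/strong classification is the example’s own assumption rather than anything the ASA enforces.

```python
import re

# Constructed sample, modelled on the isakmp policy, transform-set and dynamic-map
# commands shown in the walkthrough above (a subset of the transform sets).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto isakmp nat-traversal 20
"""

# Classification used by this audit (an assumption of the example, not an ASA setting):
# DES/3DES and MD5 are deprecated, and DH groups 1 and 2 (768/1024-bit MODP) are
# below current key-size recommendations.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "group1", "group2"}


def parse_transform_sets(config):
    """Map transform-set name -> (encryption transform, integrity transform)."""
    pat = r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+) (\S+)"
    return {name: (enc, integ) for name, enc, integ in re.findall(pat, config, re.M)}


def parse_isakmp_policies(config):
    """Map policy number -> {'encryption': .., 'hash': .., 'group': .., ...}."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line.strip())
        if m:
            current = policies.setdefault(m.group(1), {})
        elif words[0] == "crypto":
            current = None  # any other crypto command ends the policy block
        elif current is not None and len(words) == 2:
            current[words[0]] = words[1]
    return policies


def parse_dynamic_map(config):
    """Return (pfs group or None, transform-set names the dynamic map will offer)."""
    used = []
    for m in re.finditer(r"^crypto dynamic-map \S+ \d+ set (?:ikev1 )?transform-set (.+)$", config, re.M):
        used.extend(m.group(1).split())
    m = re.search(r"^crypto dynamic-map \S+ \d+ set pfs (\S+)", config, re.M)
    return (m.group(1) if m else None), used


def audit(config):
    """List the weak choices a peer could negotiate with this configuration."""
    findings = []
    sets = parse_transform_sets(config)
    pfs, used = parse_dynamic_map(config)
    for name in used:
        enc, integ = sets.get(name, ("?", "?"))
        if enc in WEAK_ENCRYPTION:
            findings.append(f"transform-set {name}: weak encryption {enc}")
        if integ in WEAK_HASH:
            findings.append(f"transform-set {name}: weak integrity {integ}")
    if pfs in WEAK_DH_GROUPS:
        findings.append(f"dynamic-map pfs {pfs}: DH group below 2048-bit")
    for num, pol in parse_isakmp_policies(config).items():
        if pol.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {pol['encryption']}")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {pol['hash']}")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {pol['group']} below 2048-bit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Only the transform sets named on the dynamic-map “set transform-set” line are audited, because those are the ones actually offered; a set that is defined but never referenced cannot be negotiated. The fix for a finding is to drop that set from the dynamic-map list (and the policy setting from the ISAKMP policy), bearing in mind the note later on this page that some Cisco VPN clients do not support AES.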

Related Articles, References, Credits, or External Links

NA

Cisco ASA5500 Client IPSEC VPN Access

(This method uses the ASA to hold the user database; to use RADIUS CLICK HERE, to use Kerberos CLICK HERE.)

KB ID 0000070

Problem

Note: IPSEC VPN is still possible, but getting Windows clients working is a little sketchy, and you will have to mess about with them to get them to work on modern versions of Windows (Mac OS X and iPhone/iPad can connect with their built-in VPN software though).

Below is a walkthrough for setting up a client-to-gateway VPN tunnel using a Cisco ASA appliance. This is done via the ASDM console.

It also uses the Cisco VPN client, which is no longer available from Cisco; see the following article.

Download Cisco VPN Client Software

Solution

Step1 Configure the ASA5500

1. Open up the ASDM console > Click Wizards > VPN Wizard.

2. Select “Remote Access”. > Next.

3. Select Cisco VPN Client. > Next.

4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. “RemoteVPN”. > Next.

5. Select “Authenticate using the local user database”. > Next.

6. Now create a user, for this exercise I’ve created a user called user1 with a password of password1

7. Click Add. > Next.

8. Now we need to create some IP addresses that the remote clients will use when connected. > Click New

9. Give the pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DON’T have to be on the same network as your internal IPs; in fact, for auditing it’s good practice to make them different) > Enter a subnet mask > OK.

10. Click Next.

11. Enter the details you want the remote clients to use while connected: DNS servers, WINS servers and domain name. > Next.

12. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next

13. Again leave it on the default of 3DES and SHA. > Next.

14. You can choose what IP addresses you want the remote VPN clients to have access to, first change the dropdown to “Inside”, here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.

NOTE If you do not tick the box to enable “Split Tunneling” then the client cannot browse the internet etc while connected via VPN.

15. Review the information at the end of the wizard. > Finish

16. Now you need to save the changes you have just made, From the ASDM Select File > “Save running configuration to flash”

Step 2 Configure the Client VPN Software on the remote client.

Also See THIS VIDEO

1. I’ll assume you have the software installed; you can get it from two places: on the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New.

2. Under connection entry give the connection a name e.g. “Remote VPN to Office” > Under “Host” enter the Public IP of the ASA (NOTE I’ve blurred this one out to protect my IP address). > Under “Name” enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab.

3. Accept the defaults, but tick “Allow LAN access” if you want to be able to access YOUR drives etc. from the network behind the ASA > Save.

4. Select the Connection you have just created. > Connect.

5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK.

6. After a few seconds (provided the details were all right) it will connect; hover over the padlock in your task tray and it should say “VPN Client – Connected”.

Create Additional Users on the ASA

1. Open the ASDM and navigate to Configuration > VPN > General > Users > Add.

2. Give the user a name > Enter and confirm a password > Set the Privilege Level to 0 > Then Select the VPN Policy Tab

3. Under Group Policy untick “Inherit” > Select RemoteVPN (the policy you set in Step 1 Number 4) > OK.

4. You will now see the user listed (Don’t forget to save the settings, (File > “Save Running Configuration to Flash”).

Setup ASA 5500 IPSEC Remote VPN From Command Line

[box]

ip local pool IPSEC-VPN-POOL 10.254.250.1-10.254.250.100 mask 255.255.255.0
!
access-list ACL-SPLIT-TUNNEL standard permit 10.254.254.0 255.255.255.0
!
object network Obj-Remote-IPSEC-VPN
 subnet 10.254.250.0 255.255.255.128
!
object network Obj-Local-LAN
 subnet 10.254.254.0 255.255.255.0
!
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
 dns-server value 8.8.8.8
 default-domain value petenetlive.com
 vpn-simultaneous-logins 5
!
tunnel-group IPSEC-Remote-VPN type remote-access
tunnel-group IPSEC-Remote-VPN general-attributes
 default-group-policy IPSEC-Remote-VPN
 address-pool IPSEC-VPN-POOL
tunnel-group IPSEC-Remote-VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
!
crypto isakmp nat-traversal 20
!
username TestUser password Password123 privilege 0
username TestUser attributes
 vpn-group-policy IPSEC-Remote-VPN

[/box]

Below are the commands required for an ASA running code OLDER than version 8.3.

[box]

access-list splitvpn standard permit 10.254.254.0 255.255.255.0
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool VPNPool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitvpn
split-dns value petenetlive.com
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy remotevpn
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey

[/box]

Related Articles, References, Credits, or External Links

Original article written 21/01/10 updated 07/06/11

Windows 8 and Cisco (IPSEC) VPN Client

Windows 10 – Running the Cisco VPN Client Software

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.

*As pointed out by @nhomsany: “The two default premium licenses available are NOT cross-platform (i.e. only Mac or Windows).”

Additionally you can use this license model with the Advanced Endpoint Assessment License; this is the license you require for Cisco Secure Desktop. You can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses are available as 10-session and 25-session licenses; the 5510 ones come in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change; check with your reseller.)

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model; this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the number of licenses is aggregated from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essential Licensing’, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPNs (including IPSEC ones), then these are taken from the ‘pot’.

Additionally, you can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets; this license is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license for BOTH firewalls. After version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000

*To re-enable the built-in Premium licenses you need to disable Essentials licensing by using the ‘no anyconnect-essentials’ command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License

Cisco ASA 5500 – Adding Licenses


Cisco AnyConnect – Error 1722. There is a problem with this Windows Installer package.

KB ID 0000985 

Problem

Error 1722 is a pretty ‘generic’ Windows Installer package error. When attempting to install the AnyConnect client software this happened;

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action VACon_Install, location: C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\VACon.exe, command: -install “C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnva.inf” VPNVA

Closer inspection of the log file at C:\Windows\inf\setupapi.dev.log yielded the following;

NdisCoinst: NetLuidIndex does not exist
NdisCoinst: NcipAllocateNetLuidIndex failed with error 0x5aa
[NdisCoinst: Exit NcipHandleInstallPreProcessing]
CoInstaller 1: failed(0x000005aa)!
{DIF_INSTALLDEVICE - exit(0x000005aa)} 09:30:00.668
Error(000005aa) installing device!

Error obtaining device ID!
Cleaning up failed installation (00000006)
Failed to set Config Flags property: 0x00000020
Default installer: failed!

Class installer: failed(0xe000020b)!

Solution

This is usually caused by either a corrupt network connection entry, or too many interface entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network registry key.

Thankfully Microsoft have identified this as a problem and have a tool for fixing it: download the ifcleanup tool. (There is an x86 and an x64-bit version in that zip file; run the one appropriate for the affected system.)

How to Tell if Windows is 32 or 64 bit

1. Open a command window (run as administrator) and run the ifcleanup executable.

2. Then retry to install the AnyConnect client.

Related Articles, References, Credits, or External Links

NA

iPhone / iPad – Using the Cisco AnyConnect Client

KB ID 0000474 

Problem

You have an Apple device and you would like to create a remote VPN connection to a Cisco device running AnyConnect.

Note: This is not a walkthrough on how to configure AnyConnect, for that go here.

Be aware that in addition to your SSL VPN licences your Cisco ASA device also needs an “AnyConnect Mobile – ASA 5510” license. If not you will receive this error.

Solution

1. Firstly you need to download and install the Cisco AnyConnect client from iTunes.

2. Once installed launch the AnyConnect client software.

3. As this is the first time we have launched it we need to configure a connection, select “Add VPN Connection”.

4. Give the connection a name, and enter either the public IP of your Cisco device (or its public name) > Save.

5. Slide the button from Off to On.

6. If you are using a “Self signed” certificate on the Cisco device you will see this warning, simply click continue.

7. Depending on how your authentication is setup, supply your username and password > Connect.

8. All being well, the client should say connected. (If you get a licensing error see here).

9. You are now connected to your corporate network, all the while you are connected you will see the VPN icon at the top of the screen.


Related Articles, References, Credits, or External Links

Android – Using the Cisco AnyConnect Client

Cisco AnyConnect Error (Apple)

Apple iPhone / iPad – Enable Cookies



Android – Using the Cisco AnyConnect Client


KB ID 0000539 

Problem

You have an Android device* and you would like to create a remote VPN connection to a Cisco device running AnyConnect.

Note: This is not a walkthrough on how to configure AnyConnect, for that go here.

Be aware that in addition to your SSL VPN licences your Cisco ASA device also needs an “AnyConnect Mobile” license. If you do not have one you will receive this error.

*Note: At time of writing the AnyConnect client is only available for Samsung, HTC, Lenovo, and Android phones that have been rooted.

Solution

1. First head over to the Android Market, locate and then install the AnyConnect Client on your device.

2. Once installed launch the AnyConnect client.

3. Add New VPN Connection.

4. Tap Description.

5. Give the connection a recognisable name.

6. Set the server address, to either the public IP of your Cisco device, or if you have a public DNS name that points to it e.g. vpn.yourdomain.com you can enter that. (Providing the device can resolve that address using DNS).

7. You should not need to enter Certificate details, unless your IT department have secured the AnyConnect profile with certificates like this. In most cases you would supply a username and password to connect, so this is not relevant. If you are unsure speak to the person/department that looks after your Cisco device.

8. To save the connection click “Done”.

9. To start the connection, simply tap it.

Note: To delete/edit a connection profile tap and hold it.

10. Type in your credentials > OK.

11. When connected you will get a “Green Tick” and the logo at the top of the screen will show a closed padlock. This padlock logo will remain all the time you are connected.

12. To disconnect, simply tap the green tick, and the client software will terminate the connection.

Related Articles, References, Credits, or External Links

Thanks to David Simpson for trusting me with his phone for half an hour.

Android AnyConnect Error

iPhone / iPad – Using the Cisco AnyConnect Client


Windows 10 – Running the Cisco VPN Client Software

KB ID 0001097 

Problem

OK, firstly why are you still using the IPSEC VPN client? It’s not only gone ‘End-of-life’, it went end of support in July 2014. {That’s my Cisco Partner bit done}. So you have an old IPSEC Remote VPN solution and can’t afford an upgrade to AnyConnect? Now your shiny Windows 10 machines are complaining when you try and install the VPN client software.

Error 27850. Unable to manage networking component. Operating system corruption may be preventing installation.

Solution

1. Make sure you have removed all traces of the Cisco VPN client software before proceeding.

2. Run Windows Fixup for DNE > Then Reboot.

3. Install the SonicWALL VPN Client (I’ll explain why in a minute).

4. This upgrades the DNE (Deterministic Network Enhancer). Note: You can also run the Citrix DNE Update which will do the same thing.

5. Now install the Cisco VPN client (Note: 5.0.07.0440 is the last one that was released).

Install the latest version: Download Cisco VPN Client Software

6. Note: If you get an error to say this software will not run on Windows 10, go to the folder the setup files were extracted to, right click the setup file > select Troubleshoot compatibility > follow the instructions.

Connection Error Secure VPN Connection terminated locally by the Client. Reason 442: Failed to enable Virtual Adapter

7. If you see this error, that’s been a problem for a long time, I’ve already blogged about it below

Windows 8 and Cisco (IPSEC) VPN Client

8. Essentially open the registry editor and navigate to;

[box]HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CVirtA[/box]

Locate the DisplayName > Edit its value > Delete all the text to the LEFT of “Cisco Systems VPN Adapter for 64bit Windows.”

9. So it looks like this.

10. We are up and working.

11. You can now safely uninstall the SonicWALL VPN client.
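The registry edit in step 8 is the same one described in the Windows 8 article earlier on this page. As an added example (mine, not the article’s or Cisco’s), the script below does it programmatically: a pure function strips everything to the left of the adapter name, and a winreg wrapper reads and, when not in dry-run mode, writes the DisplayName value under the CVirtA key named above. The broken sample value is constructed; the exact prefix on a real machine may differ, which is why the function keys on the adapter-name marker rather than on any fixed prefix. The write needs an administrator prompt.

```python
import sys

# The adapter name the article tells you to keep, and the key it lives under.
MARKER = "Cisco Systems VPN Adapter for 64bit Windows"
KEY_PATH = r"SYSTEM\CurrentControlSet\Services\CVirtA"

# Constructed sample of a broken value: installer metadata in front of the adapter
# name. The exact prefix on a real machine may differ; only the marker matters.
SAMPLE_BROKEN = "@oem8.inf,%CVirtA_Desc%;" + MARKER


def fixed_display_name(value, marker=MARKER):
    """Return the value with everything left of the marker removed.

    Returns the value unchanged if the marker is absent (nothing to fix) or if it
    is already at the start (already fixed), so the function is idempotent.
    """
    idx = value.find(marker)
    return value if idx <= 0 else value[idx:]


def repair_registry(dry_run=True):
    """Apply the fix on Windows via winreg; return (old, new) or None if not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_WRITE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        old, kind = winreg.QueryValueEx(key, "DisplayName")
        new = fixed_display_name(old)
        if new != old and not dry_run:
            # Keep the original value type (REG_SZ) when writing the trimmed name back.
            winreg.SetValueEx(key, "DisplayName", 0, kind, new)
    return old, new


if __name__ == "__main__":
    print(fixed_display_name(SAMPLE_BROKEN))
    print(repair_registry(dry_run=True))
```

Run it once with dry_run=True to see the old and new values side by side, then with dry_run=False from an elevated prompt to apply the change; because the function is idempotent, running it again on an already-fixed machine changes nothing.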

Related Articles, References, Credits, or External Links

Cisco ASA – Remote IPSEC VPN With the NCP Entry Client