01-20-2010 06:32 AM
Hi everybody!
Some of our users need to use the Cisco Anyconnect SSL VPN Client to connect to network of a business partner. This works without problems on most of the machines, however on some machines, the client is not able to connect to the VPN.
On those machines, user get two error messages saying "The VPN client is unable to establish a connection" and "Unable to establish VPN".
All Clients run Windows Vista Enterprise (x86 and x64) and use Cisco Anyconnect VPNClient Version 2.4.0202.
According to the logs on the client machines, i think that there is a problem regarding the source ip address, the client is using to connect to the VPN Server (because this is something that differs between the logs of a working and the logs of a not-working client)
If the client is able to connect, the eventlog entry looks like this:
Function: CSslTunnelTransport::postSocketConnectProcessing
File: .\SslTunnelTransport.cpp
Line: 1360
Opened SSL socket from 172.16.0.121 to [Server IP]
If the client is not able to connect, the eventlog entry looks like this:
Function: CSslTunnelTransport::postSocketConnectProcessing
File: .\SslTunnelTransport.cpp
Line: 1360
Opened SSL socket from 127.0.0.1 to [Server IP]
Could the use of the loopback address be the problem or has someone experienced something similar?
I can rule-out local and perimeter firewalls and any other network security device that is in use. In addition, the clients are deployed with a standardized image, so there is no difference regarding installed software.
Thanks for any help!
01-20-2010 09:05 AM
I've found that the AnyConnect client is a little flakey and an upgrade usually fixes most issues. Can you upgrade the client on one machine to the latest version and test?
01-22-2010 05:49 AM
I would certainly think that use of the loopback would be problematic in attempting to establish a VPN connection. I am not sure why some clients would do this. I wonder if the output of ipconfig and of route print (or equivalents from Vista) would provide a clue about the problem.
And the advice from Collin might be helpful. It sometimes does solve problems to to to a more recent version of code.
HTH
Rick
01-25-2010 02:36 AM
Thank you both for your answers.
Propably it's a software issue, thanks for the hint.
The routing table shouldn't be the problem. At least ipconfig / route output looked very normal to me.
But i will give both options a try and post the results.
Thanks again!
01-26-2010 02:45 AM
The new version unfortunately didn't solve the problem. The same error messages occured as before.
I also double checked routing table entries on the clients and the devices in between.
Do you have another clue?
01-27-2010 09:09 AM
Christoph
Can your verify that the users who are having the problem have correct IP addresses assigned/configured?
At the time when the user has the problem can you verify that they have connectivity to the remote concentrator address? If they open a browser and https to the remote name/address, what do they get in the browser? (if they have proper connectivity they should get a login prompt from the remote concentrator)
HTH
Rick
01-28-2010 07:35 AM
Yes they have correct IP addresses assigned and they have access to the concentrator.
They can even download and install the client vom the concentrator but when it comes to establish a connection, the error messages described earlier appear.
03-22-2010 11:50 AM
Afternoon,
A question for the OP, was this issue resolved? I have a handful of clients at one company who run XP Pro and they are having this problem. I can't replicate the problem here with an XP machine. Their accounts and connectivity to the ASA are fine. They can browse to the webvpn page no problem and log in - just they can't connect using the AnyConnect software. We've tried various versions, including 2.4.1012
cheers,
Alan
03-22-2010 12:25 PM
Hello,
Unfortunately the problem has not been resolved. I have not found a solution to the problem and we created a workaround for the users.
However i would really appreciate to know the cause of this problem since it caused me much trouble ;-)
I'm sorry that i cant help you more with this.
Regards,
Christoph
03-29-2010 01:32 AM
The Windows Vista PC that were having problem connecting via AnyConnect, were they an upgrade from Windows XP? If they are, and they have AnyConnect installed prior, it needs to be uninstall prior to upgrading to Windows Vista as per the AnyConnect release notes:
Also, you might want to double check that the Vista is either with SP2 or Vista SP 1 with KB952876.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: